Receive buffer too small, packet discarded. Can I edit strongswan.conf?
-
Hi Everyone.
I've been getting this error in my pfsense logs: "charon: 03[NET] receive buffer too small, packet discarded"
It repeats several times a minute. My ipsec connection also drops out after a little while, I'd say about an hour or so? The only useful Google result that has turned up for this error is: https://wiki.strongswan.org/issues/340
I'm connecting to an ipfire machine.
Is there a way for me to modify the strongswan.conf on pfsense and keep the changes persistent, assuming that is the problem? I made the change on the ipfire machine with no effect so far.
My pfsense logs are pretty much filled with:
Nov 13 11:40:49 charon: 08[NET] receive buffer too small, packet discarded
Nov 13 11:40:45 charon: 08[NET] receive buffer too small, packet discarded
Nov 13 11:39:29 charon: 08[NET] receive buffer too small, packet discarded
Nov 13 11:38:47 charon: 08[NET] receive buffer too small, packet discarded
Nov 13 11:38:24 charon: 08[NET] receive buffer too small, packet discarded
On the ipfire (server) side I'm seeing a lot of this in the logs:
11:40:46 charon: 15[IKE] initiating IKE_SA home[1] to homeip
11:40:46 charon: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
11:40:46 charon: 15[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:40:50 charon: 07[IKE] retransmit 1 of request with message ID 0
11:40:50 charon: 07[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:40:57 charon: 10[IKE] retransmit 2 of request with message ID 0
11:40:57 charon: 10[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:41:10 charon: 14[IKE] retransmit 3 of request with message ID 0
11:41:10 charon: 14[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:41:33 charon: 15[IKE] retransmit 4 of request with message ID 0
11:41:33 charon: 15[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:42:15 charon: 06[IKE] retransmit 5 of request with message ID 0
11:42:15 charon: 06[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:43:31 charon: 10[IKE] giving up after 5 retransmits
11:43:31 charon: 10[IKE] peer not responding, trying again (3/0)
-
> Is there a way for me to modify the strongswan.conf on pfsense and keep the changes persistent, assuming that is the problem? I made the change on the ipfire machine with no effect so far.
Edit the code that builds strongswan.conf in /etc/inc/vpn.inc - you probably want to be looking around line 417. You will then need to force a strongswan.conf rebuild - stopping and restarting the ipsec service is probably sufficient (I haven't checked), or you could reboot.
Be aware that changes made directly to pfSense files will not persist across a firmware update.
If possible, I would try to edit the configuration to reduce the maximum packet size needed.
-
> If possible, I would try to edit the configuration to reduce the maximum packet size needed.
Indeed, ipfire is almost certainly doing something wrong, or has a poor config, where it's sending 10000+ bytes there.
What David noted will work around the issue, and we ought to have that available as a tunable value. But you should really figure out why that's happening and fix the config on the ipfire side.
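
The following is an added example, not part of any post in this thread: a small Python check that reads charon log lines like the ones quoted above and reports which IKE messages a peer sends that exceed the receiver's packet limit. The 10000-byte default for `charon.max_packet` is taken from strongSwan's documentation and is an assumption here, as are the function names; the sample lines are excerpts of the logs posted above.

```python
import re
from collections import Counter

# Assumption: strongSwan's documented default for charon.max_packet, in bytes.
DEFAULT_MAX_PACKET = 10000

# Excerpts of the logs posted in this thread (addresses are the poster's placeholders).
SENDER_LOG = """\
11:40:46 charon: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
11:40:46 charon: 15[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:40:50 charon: 07[IKE] retransmit 1 of request with message ID 0
11:40:50 charon: 07[NET] sending packet: from serverip[500] to homeip[500] (10672 bytes)
11:43:31 charon: 10[IKE] giving up after 5 retransmits
"""
RECEIVER_LOG = """\
Nov 13 11:40:49 charon: 08[NET] receive buffer too small, packet discarded
Nov 13 11:40:45 charon: 08[NET] receive buffer too small, packet discarded
"""

GEN_RE = re.compile(r"\[ENC\] generating (\S+) (?:request|response) \d+")
SEND_RE = re.compile(r"\[NET\] sending packet: from \S+\[\d+\] to (\S+)\[\d+\] \((\d+) bytes\)")
DROP_RE = re.compile(r"\[NET\] receive buffer too small, packet discarded")


def oversized_sends(log, max_packet=DEFAULT_MAX_PACKET):
    """Return (exchange, destination, size, count) for sent packets larger than max_packet."""
    exchange = "unknown"          # last message type seen in an [ENC] line
    hits = Counter()
    for line in log.splitlines():
        if m := GEN_RE.search(line):
            exchange = m.group(1)
        elif m := SEND_RE.search(line):
            size = int(m.group(2))
            if size > max_packet:
                hits[(exchange, m.group(1), size)] += 1   # retransmits raise the count
    return [(ex, dst, size, n) for (ex, dst, size), n in hits.items()]


def count_drops(log):
    """Count packets the receiving charon discarded for exceeding its buffer."""
    return sum(1 for line in log.splitlines() if DROP_RE.search(line))


if __name__ == "__main__":
    for ex, dst, size, n in oversized_sends(SENDER_LOG):
        print(f"{ex} to {dst}: {size} bytes sent {n}x, over limit by {size - DEFAULT_MAX_PACKET}")
    print(f"receiver discarded {count_drops(RECEIVER_LOG)} packets")
```

Run against the full logs from both ends, this pairs each discard on the receiver with the oversized message type on the sender, which shows what to trim in the sending peer's configuration.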