<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:12pt"><div>Hi All,</div><div><br></div><div>We are using authentication via certificates and xauth for our iOS users and quite often there is a very long delay just after the exchange of certificates, where it sticks for 4 seconds (the default timeout) before having to retransmit the data.</div><div><br></div><div>We did try using an aggressive mode setup for this type of connection which improved the setup time but on one very large NAT'd network wouldn't work at all, so we switched back to this.</div><div><br></div><div>Any ideas on why it keeps hanging and having to resend the packet?</div><div><br></div><div>Thanks!</div><div><br></div><div>Apr 17 12:38:22 server-ip charon: 10[NET] received packet: from remote.ip[32167] to server.ip[500] (668 bytes)</div><div>Apr 17 12:38:22 server-ip charon:
10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received NAT-T (RFC 3947) vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor
ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received XAuth vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received Cisco Unity vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received FRAGMENTATION vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] received DPD vendor ID</div><div>Apr 17 12:38:22 server-ip charon: 10[IKE] remote.ip is initiating a Main Mode IKE_SA</div><div>Apr 17 12:38:22 server-ip charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]</div><div>Apr 17 12:38:22 server-ip charon: 10[NET] sending packet: from server.ip[500] to remote.ip[32167] (136 bytes)</div><div>Apr 17 12:38:22 server-ip charon: 15[NET] received packet: from remote.ip[32167] to server.ip[500] (228 bytes)</div><div>Apr 17 12:38:22 server-ip charon: 15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D
]</div><div>Apr 17 12:38:22 server-ip charon: 15[IKE] remote host is behind NAT</div><div>Apr 17 12:38:22 server-ip charon: 15[IKE] sending cert request for "-----hidden----"</div><div>Apr 17 12:38:22 server-ip charon: 15[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]</div><div>Apr 17 12:38:22 server-ip charon: 15[NET] sending packet: from server.ip[500] to remote.ip[32167] (418 bytes)</div><div>Apr 17 12:38:22 server-ip charon: 12[NET] received packet: from remote.ip[16523] to server.ip[4500] (1436 bytes)</div><div>Apr 17 12:38:22 server-ip charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]</div><div>Apr 17 12:38:22 server-ip charon: 12[IKE] ignoring certificate request without data</div><div>Apr 17 12:38:22 server-ip charon: 12[IKE] received end entity cert "---hidden---"</div><div>Apr 17 12:38:22 server-ip charon: 12[CFG] looking for XAuthInitRSA peer configs matching ----hidden---]</div><div>Apr 17
12:38:22 server-ip charon: 12[CFG] selected peer config "---hidden---"</div><div>Apr 17 12:38:22 server-ip charon: 12[CFG] using certificate "---hidden"</div><div>Apr 17 12:38:22 server-ip charon: 12[CFG] using trusted ca certificate "---hidden---"</div><div>Apr 17 12:38:22 server-ip charon: 12[CFG] checking certificate status of "---hidden---"</div><div>Apr 17 12:38:22 server-ip charon: 12[CFG] certificate status is not available</div><div>Apr 17 12:38:22 server-ip charon: 12[CFG] reached self-signed root ca with a path length of 0</div><div>Apr 17 12:38:22 server-ip charon: 12[IKE] authentication of '---hidden---' with RSA successful</div><div>Apr 17 12:38:22 server-ip charon: 12[IKE] authentication of '---hidden---' (myself) successful</div><div>Apr 17 12:38:22 server-ip charon: 12[IKE] sending end entity cert "---hidden---"</div><div>Apr 17 12:38:22 server-ip charon: 12[ENC] generating ID_PROT response 0 [ ID CERT SIG
]</div><div>Apr 17 12:38:22 server-ip charon: 12[NET] sending packet: from server.ip[4500] to remote.ip[16523] (1484 bytes)</div><div>Apr 17 12:38:22 server-ip charon: 12[ENC] generating TRANSACTION request 2130590094 [ HASH CP ]</div><div>Apr 17 12:38:22 server-ip charon: 12[NET] sending packet: from server.ip[4500] to remote.ip[16523] (76 bytes)</div><div><br></div><div>[THIS IS WHERE THE DELAY HAPPENS]</div><div><br></div><div><br></div><div>Apr 17 12:38:26 server-ip charon: 09[IKE] sending retransmit 1 of request message ID 2130590094, seq 1</div><div>Apr 17 12:38:26 server-ip charon: 09[NET] sending packet: from server.ip[4500] to remote.ip[16523] (76 bytes)</div><div>Apr 17 12:38:26 server-ip charon: 13[NET] received packet: from remote.ip[16523] to server.ip[4500] (92 bytes)</div><div>Apr 17 12:38:26 server-ip charon: 13[ENC] parsed TRANSACTION response 2130590094 [ HASH CP ]</div><div>Apr 17 12:38:26 server-ip charon: 13[IKE] XAuth
authentication of '--hidden-' successful</div><div><br></div><div>The rest of the setup goes fine from this point onwards.</div><div><br></div></div></body></html>
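To pin down where in the exchange the stall sits and how long it lasts, it helps to measure request-to-response latency per IKE message ID straight from the charon syslog lines rather than eyeballing timestamps. The script below is an added example and is not part of the post or of strongSwan itself. It parses the syslog format shown above, records every request charon generates, counts the retransmits sent for it, and reports the time until the peer's response arrived. The sample lines are the tail of the log from the post (redactions kept); the year fed to the timestamp parser is an assumption, since syslog timestamps carry none.

```python
"""Measure IKE request/response latency and retransmits from strongSwan charon logs.

Added example, not from the mailing-list post: for every request charon
*generates* it records how long the peer's response took and how many
retransmits charon sent in the meantime.
"""
import re
from datetime import datetime

# One charon syslog line: "<Mon DD HH:MM:SS> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$"
)
# Only requests we initiated count; "generating ... response N" lines are skipped.
GEN_RE = re.compile(r"generating (?P<type>\w+) request (?P<mid>\d+)")
RETX_RE = re.compile(r"sending retransmit (?P<n>\d+) of request message ID (?P<mid>\d+)")
RESP_RE = re.compile(r"parsed (?P<type>\w+) response (?P<mid>\d+)")

# Sample input: the tail of the log from the post above, redactions unchanged.
SAMPLE_LOG = """\
Apr 17 12:38:22 server-ip charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Apr 17 12:38:22 server-ip charon: 12[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Apr 17 12:38:22 server-ip charon: 12[NET] sending packet: from server.ip[4500] to remote.ip[16523] (1484 bytes)
Apr 17 12:38:22 server-ip charon: 12[ENC] generating TRANSACTION request 2130590094 [ HASH CP ]
Apr 17 12:38:22 server-ip charon: 12[NET] sending packet: from server.ip[4500] to remote.ip[16523] (76 bytes)
Apr 17 12:38:26 server-ip charon: 09[IKE] sending retransmit 1 of request message ID 2130590094, seq 1
Apr 17 12:38:26 server-ip charon: 09[NET] sending packet: from server.ip[4500] to remote.ip[16523] (76 bytes)
Apr 17 12:38:26 server-ip charon: 13[NET] received packet: from remote.ip[16523] to server.ip[4500] (92 bytes)
Apr 17 12:38:26 server-ip charon: 13[ENC] parsed TRANSACTION response 2130590094 [ HASH CP ]
Apr 17 12:38:26 server-ip charon: 13[IKE] XAuth authentication of '--hidden-' successful
"""


def parse_ts(text, year=2000):
    """syslog timestamps carry no year; one is assumed so that subtraction works."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyze(lines, retransmit_timeout=4.0):
    """Return one record per answered request: latency, retransmit count, stall flag."""
    pending = {}   # message ID -> request details, until its response is parsed
    results = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if g := GEN_RE.search(msg):
            pending[g["mid"]] = {"type": g["type"], "sent": ts, "retransmits": 0}
        elif (r := RETX_RE.search(msg)) and r["mid"] in pending:
            pending[r["mid"]]["retransmits"] = int(r["n"])
        elif (p := RESP_RE.search(msg)) and p["mid"] in pending:
            req = pending.pop(p["mid"])
            latency = (ts - req["sent"]).total_seconds()
            results.append({
                "mid": p["mid"],
                "type": req["type"],
                "latency_s": latency,
                "retransmits": req["retransmits"],
                # A stall is any request that needed a retransmit or waited a full timeout.
                "stalled": req["retransmits"] > 0 or latency >= retransmit_timeout,
            })
    return results


def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Delay before each retransmit under charon's defaults
    (retransmit_timeout * retransmit_base ** n, one entry per try)."""
    return [timeout * base ** n for n in range(tries)]


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG.splitlines()):
        print(rec)
    print("charon retransmit delays:", retransmit_schedule())
```

On the post's log this yields a single record: the TRANSACTION request (the XAuth [HASH CP] exchange on UDP 4500) waited 4.0 s and needed one retransmit, which is exactly charon's default first retransmit delay (retransmit_timeout 4.0 s times retransmit_base 1.8 to the power 0). The log alone cannot tell whether the first 76-byte packet was dropped on the path to the NAT'd client or whether the client received it and simply answered the second copy; a packet capture on the client side of the NAT resolves that, and the same parser run over a longer log shows whether the stall always lands on that one exchange.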