<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:12pt"><div><span>Dug a little deeper and tried disabling rekeying but the iPhone still ends up in the REKEYING state for some reason.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>When it's stuck in the REKEYING state it has no Internet connectivity, can't be pinged from the server - but it is receiving DPD_ACK requests (I can see them being passed to and from the server<->client in
/var/log/messages).</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>Any idea what's going on here?</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>Thanks,</span></div><div style="color: rgb(0, 0, 0);
font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>H.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span><br></span></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial"> On
Tuesday, 27 May 2014, 11:37, Harry Stark &lt;stark.harry@yahoo.co.uk&gt; wrote:<br> </font> </div> <div class="y_msg_container"><div id="yiv0010662382"><div><div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"><div class="yiv0010662382" style="">Hi,</div><div class="yiv0010662382" style=""><br class="yiv0010662382" style=""></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;" class="yiv0010662382">I've a problem with iPhone users that sometimes have no Internet connectivity when re-connecting.</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style:
normal;" class="yiv0010662382"><br class="yiv0010662382" style=""></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;" class="yiv0010662382">I've just managed to reproduce the issue myself and found that the device was stuck in a rekeying state:</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;" class="yiv0010662382"><br class="yiv0010662382" style=""></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;" class="yiv0010662382">Ran ipsec statusall and received the following for the device:</div><div style="color: rgb(0,
0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;" class="yiv0010662382"><br class="yiv0010662382" style=""></div><div style="background-color:transparent;" class="yiv0010662382">radius-user[7294]: ESTABLISHED 8 minutes ago,
server.ip.addr[removed]…client.ip.addr[removed]</div><div style="background-color:transparent;" class="yiv0010662382">radius-user[7294]: Remote XAuth identity: id</div><div style="background-color:transparent;" class="yiv0010662382">radius-user[7294]: IKEv1 SPIs: 97f5e4a174c21a04_i d955c959b74e47ca_r*, public key reauthentication in 2 hours</div><div style="background-color:transparent;" class="yiv0010662382">radius-user[7294]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div style="background-color:transparent;" class="yiv0010662382">radius-user{4638}: REKEYING, TUNNEL, expires in 51 minutes</div><div style="background-color:transparent;" class="yiv0010662382">radius-user{4638}: 0.0.0.0/0 === 10.0.1.153/32 </div><div style="background-color:transparent;" class="yiv0010662382">radius-user{4638}: INSTALLED, TUNNEL, ESP in UDP SPIs: c94cefea_i 065a29fb_o</div><div style="background-color:transparent;"
class="yiv0010662382">radius-user{4638}: AES_CBC_128/HMAC_SHA1_96, 153357 bytes_i (1104
pkts, 1s ago), 0 bytes_o, rekeying in 36 minutes</div><div style="background-color:transparent;" class="yiv0010662382">radius-user{4638}: 0.0.0.0/0 === 10.0.1.153/32 </div><div style="background-color:transparent;" class="yiv0010662382"><br class="yiv0010662382" style=""></div><div style="background-color:transparent;" class="yiv0010662382"><br class="yiv0010662382" style=""></div><div style="background-color:transparent;" class="yiv0010662382">So the tunnel was set up correctly but the device was not able to be pinged or receive any data at all and just stuck there in the REKEYING state.</div><div style="background-color:transparent;" class="yiv0010662382"><br class="yiv0010662382" style=""></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;" class="yiv0010662382">I did an ipsec down on the user
which forced the device to reconnect and all was then fine.</div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;" class="yiv0010662382"><br class="yiv0010662382" style=""></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;" class="yiv0010662382">Not sure where to look to solve this? Is there a setting I can enable to disable all REKEYING so I can force all my iPhone users to do a full re-auth every connection? I know this may be slower but their devices are pretty dumb!</div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;
font-style: normal;" class="yiv0010662382"><br class="yiv0010662382" style=""></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;" class="yiv0010662382"><span style="background-color:transparent;" class="yiv0010662382">Thanks,</span><br class="yiv0010662382" style=""></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;" class="yiv0010662382"><br class="yiv0010662382" style=""></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;" class="yiv0010662382">I'm running CentOS 6 &amp; Linux strongSwan
U5.1.3/K2.6.32-358.11.1.el6.x86_64</div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;" class="yiv0010662382"><br class="yiv0010662382" style=""></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;" class="yiv0010662382">H.</div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;" class="yiv0010662382"><br class="yiv0010662382" style=""></div></div></div></div><br>_______________________________________________<br>Dev mailing list<br><a ymailto="mailto:Dev@lists.strongswan.org"
href="mailto:Dev@lists.strongswan.org">Dev@lists.strongswan.org</a><br><a href="https://lists.strongswan.org/mailman/listinfo/dev" target="_blank">https://lists.strongswan.org/mailman/listinfo/dev</a><br><br></div> </div> </div> </div> </div></body></html>