<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hi, <div><br></div><div>I just wanted to chime in that I am also seeing this issue.</div><div><span style="font-size: 12pt;"><br></span></div><div><span style="font-size: 12pt;">Stack details</span></div><div><span style="font-size: 12pt;">strongSwan 5.0.4, Linux 3.8.0-29-generic, x86_64</span></div><div><span style="font-size: 12pt;">x509 certs + xauth</span></div><div><span style="font-size: 12pt;">Ubuntu 12.04</span></div><div><span style="font-size: 12pt;"><br></span></div><div><span style="font-size: 12pt;">Iphone 4s</span></div><div>iOS 7</div><div><br></div><div><br><br><br><hr style="width:100%;height:2px"><br><br><br>Joshua J. Gross<br><br><br><div><hr id="stopSpelling">Date: Tue, 3 Jun 2014 16:14:40 +0100<br>From: stark.harry@yahoo.co.uk<br>To: stark.harry@yahoo.co.uk; dev@lists.strongswan.org; Users@lists.strongswan.org<br>Subject: Re: [strongSwan-dev] Road warrior stuck in rekeying state<br><br><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:12pt;"><div><span>Dug a little deeper and tried disabling rekeying but the iPhone still ends up in the REKEYING state for some reason.</span></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;"><span><br></span></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;"><span>When it's stuck in the REKEYING state it has no Internet connectivity, can't be pinged from the server - but it is receiving DPD_ACK requests (I can see them being passed to and from the server<->client in
/var/log/messages).</span></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;"><span><br></span></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;"><span>Any idea what's going on here?</span></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;"><span><br></span></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;"><span>Thanks,</span></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;"><span><br></span></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;"><span>H.</span></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;"><span><br></span></div><div class="ecxyahoo_quoted" style="display:block;"> <div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:12pt;"> <div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:12pt;"> <div dir="ltr"> <font size="2" face="Arial"> On
Tuesday, 27 May 2014, 11:37, Harry Stark <stark.harry@yahoo.co.uk> wrote:<br> </font> </div> <div class="ecxy_msg_container"><div id="ecxyiv0010662382"><div><div style="color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:12pt;"><div class="ecxyiv0010662382" style="">Hi,</div><div class="ecxyiv0010662382" style=""><br class="ecxyiv0010662382" style=""></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;" class="ecxyiv0010662382">I've a problem with iPhone users that sometime have no Internet connectivity when re-connecting.</div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;" class="ecxyiv0010662382"><br class="ecxyiv0010662382" style=""></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;" class="ecxyiv0010662382">I've just managed to reproduce the issue myself and found that the device was stuck in a rekeying state:</div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;" class="ecxyiv0010662382"><br class="ecxyiv0010662382" style=""></div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;" class="ecxyiv0010662382">Ran ipsec statusall and received the following for the device:</div><div style="color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;background-color:transparent;font-style:normal;" class="ecxyiv0010662382"><br class="ecxyiv0010662382" style=""></div><div style="background-color:transparent;" class="ecxyiv0010662382">radius-user[7294]: ESTABLISHED 8 minutes ago,
server.ip.addr[removed]…client.ip.addr[removed]</div><div style="background-color:transparent;" class="ecxyiv0010662382">radius-user[7294]: Remote XAuth identity: id</div><div style="background-color:transparent;" class="ecxyiv0010662382">radius-user[7294]: IKEv1 SPIs: 97f5e4a174c21a04_i d955c959b74e47ca_r*, public key reauthentication in 2 hours</div><div style="background-color:transparent;" class="ecxyiv0010662382">radius-user[7294]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div style="background-color:transparent;" class="ecxyiv0010662382">radius-user{4638}: REKEYING, TUNNEL, expires in 51 minutes</div><div style="background-color:transparent;" class="ecxyiv0010662382">radius-user{4638}: 0.0.0.0/0 === 10.0.1.153/32 </div><div style="background-color:transparent;" class="ecxyiv0010662382">radius-user{4638}: INSTALLED, TUNNEL, ESP in UDP SPIs: c94cefea_i 065a29fb_o</div><div style="background-color:transparent;" class="ecxyiv0010662382">radius-user{4638}: AES_CBC_128/HMAC_SHA1_96, 153357 bytes_i (1104
pkts, 1s ago), 0 bytes_o, rekeying in 36 minutes</div><div style="background-color:transparent;" class="ecxyiv0010662382">radius-user{4638}: 0.0.0.0/0 === 10.0.1.153/32 </div><div style="background-color:transparent;" class="ecxyiv0010662382"><br class="ecxyiv0010662382" style=""></div><div style="background-color:transparent;" class="ecxyiv0010662382"><br class="ecxyiv0010662382" style=""></div><div style="background-color:transparent;" class="ecxyiv0010662382">So the tunnel was setup correctly but the device was not able to be ping'ed or receive any data at all and just stuck there in the REKEYING state.</div><div style="background-color:transparent;" class="ecxyiv0010662382"><br class="ecxyiv0010662382" style=""></div><div style="background-color:transparent;color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-style:normal;" class="ecxyiv0010662382">I did a ipsec down on the user
which forced the device to reconnect and all was then fine.</div><div style="background-color:transparent;color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-style:normal;" class="ecxyiv0010662382"><br class="ecxyiv0010662382" style=""></div><div style="background-color:transparent;color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-style:normal;" class="ecxyiv0010662382">Not sure where to look to solve this? Is there a setting I can enable to disable all REKEYING so I can force all my iPhone users to do a full re-auth every connection? I know this may be slower but their devices are pretty dumb!</div><div style="background-color:transparent;color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-style:normal;" class="ecxyiv0010662382"><br class="ecxyiv0010662382" style=""></div><div style="background-color:transparent;color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-style:normal;" class="ecxyiv0010662382"><span style="background-color:transparent;" class="ecxyiv0010662382">Thanks,</span><br class="ecxyiv0010662382" style=""></div><div style="background-color:transparent;color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-style:normal;" class="ecxyiv0010662382"><br class="ecxyiv0010662382" style=""></div><div style="background-color:transparent;color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-style:normal;" class="ecxyiv0010662382">I'm running Centos 6 & Linux strongSwan
U5.1.3/K2.6.32-358.11.1.el6.x86_64</div><div style="background-color:transparent;color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-style:normal;" class="ecxyiv0010662382"><br class="ecxyiv0010662382" style=""></div><div style="background-color:transparent;color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-style:normal;" class="ecxyiv0010662382">H.</div><div style="background-color:transparent;color:rgb(0, 0, 0);font-size:16px;font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-style:normal;" class="ecxyiv0010662382"><br class="ecxyiv0010662382" style=""></div></div></div></div><br>_______________________________________________<br>Dev mailing list<br><a href="mailto:Dev@lists.strongswan.org">Dev@lists.strongswan.org</a><br><a href="https://lists.strongswan.org/mailman/listinfo/dev" target="_blank">https://lists.strongswan.org/mailman/listinfo/dev</a><br><br></div> </div> </div> </div> </div><br>_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev</div></div> </div></body>
</html>