<div dir="ltr"><div dir="ltr"><div>Hi Tobias,</div><div><br></div><div>Thanks for your answer. The phone indicates the invalid value of SQN, see the logs below:</div><div><br></div><div>04-20 13:23:11.242 1000 5204 5247 I eris : 14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]<br>04-20 13:23:11.242 1000 5204 5247 I eris : 14[DMN] simID : 0<br>04-20 13:23:11.316 1000 5204 5247 I eris : 14[LIB] rossoneri get_quintuplet() EC_USIM_SYNC_FAILED<br>04-20 13:23:11.316 1000 5204 5247 I eris : 14[LIB] rossoneri: resync()<br><b>04-20 13:23:11.316 1000 5204 5247 I eris : 14[IKE] received SQN invalid, sending AKA_SYNCHRONIZATION_FAILURE</b><br>04-20 13:23:11.317 1000 5204 5247 I eris : 14[ENC] generating IKE_AUTH request 3 [ EAP/RES/AKA ]<br>04-20 13:23:11.317 1000 5204 5247 I eris : 14[NET] sending packet: from 192.168.137.201[38316] to 192.168.137.194[4500] (92 bytes)<br>04-20 13:23:11.344 1000 5204 5257 I eris : 15[NET] received packet: from 192.168.137.194[4500] to 192.168.137.201[38316] (220 bytes)<br>04-20 13:23:11.344 1000 5204 5257 I eris : 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/AKA ]<br>04-20 13:23:11.344 1000 5204 5257 I eris : 15[DMN] simID : 0<br>04-20 13:23:11.414 1000 5204 5257 I eris : 15[LIB] rossoneri get_quintuplet() EC_USIM_SYNC_FAILED<br>04-20 13:23:11.414 1000 5204 5257 I eris : 15[LIB] rossoneri: resync()<br>04-20 13:23:11.414 1000 5204 5257 I eris : 15[IKE] received SQN invalid, sending AKA_SYNCHRONIZATION_FAILURE<br>04-20 13:23:11.415 1000 5204 5257 I eris : 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/AKA ]<br>04-20 13:23:11.415 1000 5204 5257 I eris : 15[NET] sending packet: from 192.168.137.201[38316] to 192.168.137.194[4500] (92 bytes)<br>04-20 13:23:11.446 1000 5204 5247 I eris : 14[NET] received packet: from 192.168.137.194[4500] to 192.168.137.201[38316] (76 bytes)<br>04-20 13:23:11.446 1000 5204 5247 I eris : 14[ENC] parsed IKE_AUTH response 4 [ EAP/FAIL ]<br>04-20 13:23:11.447 1000 5204 5247 I eris : 14[IKE] received EAP_FAILURE, EAP authentication failed</div><div><br></div><div>Unfortunately, I am not able to get more detailed logs.</div><div><br></div><div>Regarding the plugin, I'm using eap-aka-3gpp, as it provides support for Milenage algorithm (the eap-aka-3gpp2 didn't work for me). Do you think that the EPDG (strongswan) have been resynchronized? And because of time-based SQN generation it generates the invalid SQN? How we could fix it potentially?</div><div><br></div><div>Regards,</div><div>Tomek<br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">śr., 24 kwi 2019 o 10:21 Tobias Brunner <<a href="mailto:tobias@strongswan.org">tobias@strongswan.org</a>> napisał(a):<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Tomek,<br>
<br>
> However, the<br>
> phone didn't accept the new AUTN and sent synchronization failure again.<br>
<br>
Does it report the reason why it does so?<br>
<br>
> Do you have any idea why the phone is sending the<br>
> AKA_SYNCHRONIZATION_FAILURE?<br>
<br>
No. You should really check the logs there to see why it does.<br>
<br>
> In meanwhile, I was changing some<br>
> configuration parameters to deal with another issue. Can this issue be<br>
> caused by some configuration parameter?<br>
<br>
Maybe. Without knowing what you changed it's hard to tell.<br>
<br>
Which plugin are you using on the server? Because I noticed that the<br>
eap-aka-3gpp2 plugin (as compared to the eap-aka-3gpp plugin) does not<br>
increase SQN with each get_quintuplet() call, which seems like a bug.<br>
However, that should not have an effect right after the resync as that<br>
explicitly sets SQN to the supplied value + 1. And I also saw that both<br>
plugins use a global, non-persistent and initially time-based SQN, which<br>
might not work well with multiple clients (in particularly if they<br>
connect concurrently and/or resync). So I guess these two plugins are<br>
really only intended for testing.<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div>