[strongSwan] Delay in authentication from iOS devices

Harry Stark stark.harry at yahoo.co.uk
Thu Apr 17 15:06:29 CEST 2014


Hi All,

We are using authentication via certificates and XAuth for our iOS users, and quite often there is a very long delay just after the exchange of certificates, where it sticks for 4 seconds (the default timeout) before having to retransmit the data.

We did try using an aggressive mode setup for this type of connection, which improved the setup time, but on one very large NAT'd network it wouldn't work at all, so we switched back to this.

Any ideas on why it keeps hanging and having to resend the packet?

Thanks!

Apr 17 12:38:22 server-ip charon: 10[NET] received packet: from remote.ip[32167] to server.ip[500] (668 bytes)
Apr 17 12:38:22 server-ip charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Apr 17 12:38:22 server-ip charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received XAuth vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received Cisco Unity vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received FRAGMENTATION vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] received DPD vendor ID
Apr 17 12:38:22 server-ip charon: 10[IKE] remote.ip is initiating a Main Mode IKE_SA
Apr 17 12:38:22 server-ip charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr 17 12:38:22 server-ip charon: 10[NET] sending packet: from server.ip[500] to remote.ip[32167] (136 bytes)
Apr 17 12:38:22 server-ip charon: 15[NET] received packet: from remote.ip[32167] to server.ip[500] (228 bytes)
Apr 17 12:38:22 server-ip charon: 15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 17 12:38:22 server-ip charon: 15[IKE] remote host is behind NAT
Apr 17 12:38:22 server-ip charon: 15[IKE] sending cert request for "-----hidden----"
Apr 17 12:38:22 server-ip charon: 15[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 17 12:38:22 server-ip charon: 15[NET] sending packet: from server.ip[500] to remote.ip[32167] (418 bytes)
Apr 17 12:38:22 server-ip charon: 12[NET] received packet: from remote.ip[16523] to server.ip[4500] (1436 bytes)
Apr 17 12:38:22 server-ip charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Apr 17 12:38:22 server-ip charon: 12[IKE] ignoring certificate request without data
Apr 17 12:38:22 server-ip charon: 12[IKE] received end entity cert "---hidden---"
Apr 17 12:38:22 server-ip charon: 12[CFG] looking for XAuthInitRSA peer configs matching ----hidden---]
Apr 17 12:38:22 server-ip charon: 12[CFG] selected peer config "---hidden---"
Apr 17 12:38:22 server-ip charon: 12[CFG]   using certificate "---hidden"
Apr 17 12:38:22 server-ip charon: 12[CFG]   using trusted ca certificate "---hidden---"
Apr 17 12:38:22 server-ip charon: 12[CFG] checking certificate status of "---hidden---"
Apr 17 12:38:22 server-ip charon: 12[CFG] certificate status is not available
Apr 17 12:38:22 server-ip charon: 12[CFG]   reached self-signed root ca with a path length of 0
Apr 17 12:38:22 server-ip charon: 12[IKE] authentication of '---hidden---' with RSA successful
Apr 17 12:38:22 server-ip charon: 12[IKE] authentication of '---hidden---' (myself) successful
Apr 17 12:38:22 server-ip charon: 12[IKE] sending end entity cert "---hidden---"
Apr 17 12:38:22 server-ip charon: 12[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Apr 17 12:38:22 server-ip charon: 12[NET] sending packet: from server.ip[4500] to remote.ip[16523] (1484 bytes)
Apr 17 12:38:22 server-ip charon: 12[ENC] generating TRANSACTION request 2130590094 [ HASH CP ]
Apr 17 12:38:22 server-ip charon: 12[NET] sending packet: from server.ip[4500] to remote.ip[16523] (76 bytes)

[THIS IS WHERE THE DELAY HAPPENS]


Apr 17 12:38:26 server-ip charon: 09[IKE] sending retransmit 1 of request message ID 2130590094, seq 1
Apr 17 12:38:26 server-ip charon: 09[NET] sending packet: from server.ip[4500] to remote.ip[16523] (76 bytes)
Apr 17 12:38:26 server-ip charon: 13[NET] received packet: from remote.ip[16523] to server.ip[4500] (92 bytes)
Apr 17 12:38:26 server-ip charon: 13[ENC] parsed TRANSACTION response 2130590094 [ HASH CP ]
Apr 17 12:38:26 server-ip charon: 13[IKE] XAuth authentication of '--hidden-' successful

The rest of the setup goes fine from this point onwards.
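To quantify the stall described above from the charon log alone, here is an added example (not part of the original post or of strongSwan): a small Python parser that tracks each IKE request by message ID, records when it was first generated, how many retransmits it needed, and how long the matching response took. The sample log lines are constructed, modelled on the ones quoted in the post with the peer identity replaced by a placeholder. The retransmit schedule helper assumes strongSwan's documented defaults for charon.retransmit_timeout (4.0 s), charon.retransmit_base (1.8) and charon.retransmit_tries (5); if your strongswan.conf overrides them, pass your values in.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the charon lines quoted in the post
# (the XAuth identity is a placeholder, not a real user).
SAMPLE_LOG = """\
Apr 17 12:38:22 server-ip charon: 12[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Apr 17 12:38:22 server-ip charon: 12[NET] sending packet: from server.ip[4500] to remote.ip[16523] (1484 bytes)
Apr 17 12:38:22 server-ip charon: 12[ENC] generating TRANSACTION request 2130590094 [ HASH CP ]
Apr 17 12:38:22 server-ip charon: 12[NET] sending packet: from server.ip[4500] to remote.ip[16523] (76 bytes)
Apr 17 12:38:26 server-ip charon: 09[IKE] sending retransmit 1 of request message ID 2130590094, seq 1
Apr 17 12:38:26 server-ip charon: 09[NET] sending packet: from server.ip[4500] to remote.ip[16523] (76 bytes)
Apr 17 12:38:26 server-ip charon: 13[NET] received packet: from remote.ip[16523] to server.ip[4500] (92 bytes)
Apr 17 12:38:26 server-ip charon: 13[ENC] parsed TRANSACTION response 2130590094 [ HASH CP ]
Apr 17 12:38:26 server-ip charon: 13[IKE] XAuth authentication of 'user' successful
"""

# syslog prefix, then "<thread>[<group>] <message>" as charon writes it
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thr>\d+)\[(?P<grp>\w+)\] (?P<msg>.*)$"
)
GEN_RE = re.compile(r"generating (?P<ex>\w+) request (?P<mid>\d+)")
RETRANS_RE = re.compile(r"sending retransmit (?P<n>\d+) of request message ID (?P<mid>\d+)")
RESP_RE = re.compile(r"parsed (?P<ex>\w+) response (?P<mid>\d+)")


def parse_ts(text, year=2014):
    """Syslog timestamps carry no year; the caller supplies it (2014 for the post's log)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyze(log_text):
    """Map each request message ID to its exchange type, first-send time,
    retransmit count and seconds until the matching response was parsed
    (None if no response appears in the log window)."""
    pending = {}
    results = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line; skip
        ts = parse_ts(m.group("ts"))
        msg = m.group("msg")
        g = GEN_RE.search(msg)
        if g:
            # a new outbound request; remember when we built it
            pending[g.group("mid")] = {
                "exchange": g.group("ex"), "sent": ts, "retransmits": 0}
            continue
        r = RETRANS_RE.search(msg)
        if r and r.group("mid") in pending:
            # charon numbers retransmits from 1; keep the highest seen
            pending[r.group("mid")]["retransmits"] = int(r.group("n"))
            continue
        p = RESP_RE.search(msg)
        if p and p.group("mid") in pending:
            rec = pending.pop(p.group("mid"))
            rec["delay_seconds"] = (ts - rec["sent"]).total_seconds()
            results[p.group("mid")] = rec
    for mid, rec in pending.items():  # never answered within this log
        rec["delay_seconds"] = None
        results[mid] = rec
    return results


def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Seconds charon waits before retransmit n, computed as
    timeout * base**n (strongSwan's documented retransmit_* defaults assumed)."""
    return [round(timeout * base ** n, 2) for n in range(tries)]


def diagnose(rec):
    """One-line verdict for a request record from analyze()."""
    if rec["delay_seconds"] is None:
        return f"{rec['exchange']} request never answered after {rec['retransmits']} retransmit(s)"
    if rec["retransmits"] == 0:
        return f"{rec['exchange']} answered on first attempt in {rec['delay_seconds']:.1f}s"
    return (f"{rec['exchange']} answered only after retransmit {rec['retransmits']}, "
            f"{rec['delay_seconds']:.1f}s after first send: first packet lost or peer stalled")


if __name__ == "__main__":
    for mid, rec in analyze(SAMPLE_LOG).items():
        print(mid, diagnose(rec))
    print("retransmit schedule:", retransmit_schedule())
```

Run against the sample it reports the TRANSACTION request 2130590094 as answered 4.0 s after the first send, only after retransmit 1, which matches the gap between the 12:38:22 send and the 12:38:26 reply in the post; the schedule helper shows that a second lost packet would cost a further 7.2 s, then 12.96 s, so a pattern of "always exactly one retransmit" points at the first UDP 4500 packet after the ID/CERT/SIG exchange being dropped or ignored on the client side rather than at a slow server.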