[strongSwan] Delay in authentication from iOS devices

Harry Stark stark.harry at yahoo.co.uk
Thu Apr 17 17:18:49 CEST 2014


Thanks, looked into that... looks interesting.

Tried the delay at 50ms and was still getting it happening (hard to tell if it's as often)... so then tried upping it to 100ms and it's still happening (possibly less though)...

Apr 17 16:11:35 server-ip charon: 12[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Apr 17 16:11:35 server-ip charon: 12[NET] sending packet: from server.ip[4500] to client.ip[15042] (1484 bytes)
Apr 17 16:11:35 server-ip charon: 12[ENC] generating TRANSACTION request 1658042143 [ HASH CP ]
Apr 17 16:11:35 server-ip charon: 12[NET] sending packet: from server.ip[4500] to client.ip[15042] (76 bytes)
Apr 17 16:11:35 server-ip charon: 12[NET] using send delay: 100ms
Apr 17 16:11:40 server-ip charon: 11[IKE] sending retransmit 1 of request message ID 1658042143, seq 1
Apr 17 16:11:40 server-ip charon: 11[NET] sending packet: from server.ip[4500] to client.ip[15042] (76 bytes)
Apr 17 16:11:40 server-ip charon: 11[NET] using send delay: 100ms
Apr 17 16:11:40 server-ip charon: 09[NET] received packet: from client.ip[15042] to server.ip[4500] (92 bytes)
Apr 17 16:11:40 server-ip charon: 09[ENC] parsed TRANSACTION response 1658042143 [ HASH CP ]
Apr 17 16:11:40 server-ip charon: 09[IKE] XAuth authentication of '--hidden--' successful
Apr 17 16:11:40 server-ip charon: 09[ENC] generating TRANSACTION request 2065541666 [ HASH CP ]
Apr 17 16:11:40 server-ip charon: 09[NET] sending packet: from server.ip[4500] to client.ip[15042] (76 bytes)
Apr 17 16:11:40 server-ip charon: 09[NET] using send delay: 100ms
Apr 17 16:11:40 server-ip charon: 14[NET] received packet: from client.ip[15042] to server.ip[4500] (76 bytes)
Apr 17 16:11:40 server-ip charon: 14[ENC] parsed TRANSACTION response 2065541666 [ HASH CP ]

Is there a way to cut out the xauth entirely and just rely on the certificates to auth? Would that speed it up and help?

On Thursday, 17 April 2014, 14:17, Martin Willi <martin at strongswan.org> wrote:
 
Hi Harry,

> Apr 17 12:38:22 server-ip charon: 12[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> Apr 17 12:38:22 server-ip charon: 12[NET] sending packet: from server.ip[4500] to remote.ip[16523] (1484 bytes)
> Apr 17 12:38:22 server-ip charon: 12[ENC] generating TRANSACTION request 2130590094 [ HASH CP ]
> Apr 17 12:38:22 server-ip charon: 12[NET] sending packet: from server.ip[4500] to remote.ip[16523] (76 bytes)
> 
> [THIS IS WHERE THE DELAY HAPPENS]

Likely that the smaller TRANSACTION request arrives before the ID_PROT
response of Main Mode, but your (racoon) iOS client can't handle it and
waits for the retransmit.

Have a look at the discussion and the work-around suggested at [1], this
might work here as well.

Regards
Martin


[1]https://lists.strongswan.org/pipermail/users/2014-April/005961.html
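
An added example, not part of either message and not strongSwan code: a small Python parser that scans charon log lines like those in the post for TRANSACTION requests that needed a retransmit, and reports how long the client took to answer. The function names and the `year` default are assumptions (syslog timestamps carry no year); the sample lines are excerpted from the log quoted in the post.

```python
import re
from datetime import datetime

# Sample input: lines excerpted from the charon log quoted in the post.
SAMPLE_LOG = """\
Apr 17 16:11:35 server-ip charon: 12[ENC] generating TRANSACTION request 1658042143 [ HASH CP ]
Apr 17 16:11:35 server-ip charon: 12[NET] sending packet: from server.ip[4500] to client.ip[15042] (76 bytes)
Apr 17 16:11:40 server-ip charon: 11[IKE] sending retransmit 1 of request message ID 1658042143, seq 1
Apr 17 16:11:40 server-ip charon: 09[ENC] parsed TRANSACTION response 1658042143 [ HASH CP ]
Apr 17 16:11:40 server-ip charon: 09[ENC] generating TRANSACTION request 2065541666 [ HASH CP ]
Apr 17 16:11:40 server-ip charon: 14[ENC] parsed TRANSACTION response 2065541666 [ HASH CP ]
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ charon: \d+\[\w+\] (.*)$")
REQ = re.compile(r"generating TRANSACTION request (\d+)")
RETX = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
RESP = re.compile(r"parsed TRANSACTION response (\d+)")

def exchanges(log_text, year=2014):
    """One record per TRANSACTION request: id, retransmit count, seconds to first response."""
    seen = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a charon line in the expected syslog layout
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (r := REQ.search(msg)):
            seen[r.group(1)] = {"id": r.group(1), "sent": ts, "retransmits": 0, "wait_s": None}
        elif (r := RETX.search(msg)) and r.group(2) in seen:
            ex = seen[r.group(2)]
            ex["retransmits"] = max(ex["retransmits"], int(r.group(1)))
        elif (r := RESP.search(msg)) and r.group(1) in seen:
            ex = seen[r.group(1)]
            if ex["wait_s"] is None:  # keep the first response only
                ex["wait_s"] = (ts - ex["sent"]).total_seconds()
    return list(seen.values())

def stalled(log_text, year=2014):
    """Exchanges where the server had to retransmit before the client answered."""
    return [e for e in exchanges(log_text, year) if e["retransmits"] > 0]

if __name__ == "__main__":
    for e in stalled(SAMPLE_LOG):
        print(f"message ID {e['id']}: {e['retransmits']} retransmit(s), answered after {e['wait_s']}s")
```

Run over a full log, the count of stalled exchanges before and after changing the send delay gives a firmer answer than judging by eye whether the stall happens "as often".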