[strongSwan] iPhone issue

Harry Stark stark.harry at yahoo.co.uk
Mon Apr 28 13:05:20 CEST 2014


Hi,

I am connecting an iPhone to a strongswan instance (U5.0.4/K2.6.32-358.11.1.el6.x86_64)... which works fine almost all of the time, but for some reason I am now getting this error from the client side (on the iPhone):

racoon[7861] <Error>: the length in the isakmp header is too big.
racoon[7861] <Error>: the length in the isakmp header is too big.
racoon[7861] <Error>: the length in the isakmp header is too big.


With no data access at all.

The connection log looks like this from the server side:

Apr 28 11:57:50 hserver-ip charon: 12[NET] received packet: from server.ip.addr[58943] to client.ip.addr[500] (668 bytes)
Apr 28 11:57:50 hserver-ip charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received XAuth vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received Cisco Unity vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received FRAGMENTATION vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] received DPD vendor ID
Apr 28 11:57:50 hserver-ip charon: 12[IKE] server.ip.addr is initiating a Main Mode IKE_SA
Apr 28 11:57:50 hserver-ip charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr 28 11:57:50 hserver-ip charon: 12[NET] sending packet: from client.ip.addr[500] to server.ip.addr[58943] (136 bytes)
Apr 28 11:57:50 hserver-ip charon: 13[NET] received packet: from server.ip.addr[58943] to client.ip.addr[500] (228 bytes)
Apr 28 11:57:50 hserver-ip charon: 13[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 28 11:57:50 hserver-ip charon: 13[IKE] remote host is behind NAT
Apr 28 11:57:50 hserver-ip charon: 13[IKE] sending cert request for "[details]"
Apr 28 11:57:50 hserver-ip charon: 13[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 28 11:57:50 hserver-ip charon: 13[NET] sending packet: from client.ip.addr[500] to server.ip.addr[58943] (418 bytes)
Apr 28 11:57:50 hserver-ip charon: 10[NET] received packet: from server.ip.addr[58943] to client.ip.addr[4500] (1436 bytes)
Apr 28 11:57:50 hserver-ip charon: 10[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Apr 28 11:57:50 hserver-ip charon: 10[IKE] ignoring certificate request without data
Apr 28 11:57:50 hserver-ip charon: 10[IKE] received end entity cert "[details]"
Apr 28 11:57:50 hserver-ip charon: 10[CFG] looking for XAuthInitRSA peer configs matching client.ip.addr...server.ip.addr[[details]]
Apr 28 11:57:50 hserver-ip charon: 10[CFG] selected peer config "auth peer"
Apr 28 11:57:50 hserver-ip charon: 10[CFG]   using certificate "[details]"
Apr 28 11:57:50 hserver-ip charon: 10[CFG]   using trusted ca certificate "[details]"
Apr 28 11:57:50 hserver-ip charon: 10[CFG] checking certificate status of "[details]"
Apr 28 11:57:50 hserver-ip charon: 10[CFG] certificate status is not available
Apr 28 11:57:50 hserver-ip charon: 10[CFG]   reached self-signed root ca with a path length of 0
Apr 28 11:57:50 hserver-ip charon: 10[IKE] authentication of '[details]' with RSA successful
Apr 28 11:57:50 hserver-ip charon: 10[IKE] authentication of '[details]' (myself) successful
Apr 28 11:57:50 hserver-ip charon: 10[IKE] sending end entity cert "[details]"
Apr 28 11:57:50 hserver-ip charon: 10[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Apr 28 11:57:50 hserver-ip charon: 10[NET] sending packet: from client.ip.addr[4500] to server.ip.addr[58943] (1484 bytes)
Apr 28 11:57:50 hserver-ip charon: 10[ENC] generating TRANSACTION request 3957482274 [ HASH CP ]
Apr 28 11:57:50 hserver-ip charon: 10[NET] sending packet: from client.ip.addr[4500] to server.ip.addr[58943] (76 bytes)
Apr 28 11:57:51 hserver-ip charon: 09[NET] received packet: from server.ip.addr[58943] to client.ip.addr[4500] (92 bytes)
Apr 28 11:57:51 hserver-ip charon: 09[ENC] parsed TRANSACTION response 3957482274 [ HASH CP ]
Apr 28 11:57:51 hserver-ip charon: 09[IKE] XAuth authentication of 'user ref' successful
Apr 28 11:57:51 hserver-ip charon: 09[ENC] generating TRANSACTION request 1139733046 [ HASH CP ]
Apr 28 11:57:51 hserver-ip charon: 09[NET] sending packet: from client.ip.addr[4500] to server.ip.addr[58943] (76 bytes)
Apr 28 11:57:51 hserver-ip charon: 14[NET] received packet: from server.ip.addr[58943] to client.ip.addr[4500] (76 bytes)
Apr 28 11:57:51 hserver-ip charon: 14[ENC] parsed TRANSACTION response 1139733046 [ HASH CP ]
Apr 28 11:57:51 hserver-ip charon: 14[IKE] IKE_SA ios-user-ref[13] established between client.ip.addr[[details]]
Apr 28 11:57:51 hserver-ip charon: 14[IKE] scheduling reauthentication in 9976s
Apr 28 11:57:51 hserver-ip charon: 14[IKE] maximum IKE_SA lifetime 10516s
Apr 28 11:57:51 hserver-ip charon: 15[NET] received packet: from server.ip.addr[58943] to client.ip.addr[4500] (172 bytes)
Apr 28 11:57:51 hserver-ip charon: 15[ENC] unknown attribute type (28683)
Apr 28 11:57:51 hserver-ip charon: 15[ENC] parsed TRANSACTION request 582035330 [ HASH CP ]
Apr 28 11:57:51 hserver-ip charon: 15[IKE] peer requested virtual IP %any
Apr 28 11:57:51 hserver-ip charon: 15[CFG] reassigning offline lease to 'user-ref'
Apr 28 11:57:51 hserver-ip charon: 15[IKE] assigning virtual IP 10.0.1.153 to peer 'user ref'
Apr 28 11:57:51 hserver-ip charon: 15[ENC] generating TRANSACTION response 582035330 [ HASH CP ]
Apr 28 11:57:51 hserver-ip charon: 15[NET] sending packet: from client.ip.addr[4500] to server.ip.addr[58943] (92 bytes)
Apr 28 11:57:51 hserver-ip charon: 12[NET] received packet: from server.ip.addr[58943] to client.ip.addr[4500] (300 bytes)
Apr 28 11:57:51 hserver-ip charon: 12[ENC] parsed QUICK_MODE request 3381591487 [ HASH SA No ID ID ]
Apr 28 11:57:51 hserver-ip charon: 12[ENC] generating QUICK_MODE response 3381591487 [ HASH SA No ID ID ]
Apr 28 11:57:51 hserver-ip charon: 12[NET] sending packet: from client.ip.addr[4500] to server.ip.addr[58943] (172 bytes)
Apr 28 11:57:51 hserver-ip charon: 13[NET] received packet: from server.ip.addr[58943] to client.ip.addr[4500] (60 bytes)
Apr 28 11:57:51 hserver-ip charon: 13[ENC] parsed QUICK_MODE request 3381591487 [ HASH ]
Apr 28 11:57:51 hserver-ip charon: 13[IKE] CHILD_SA ios-user-ref{8} established with SPIs c589dd40_i 098b2775_o and TS 0.0.0.0/0 === 10.0.1.153/32

Any ideas what is going wrong?

Thanks!

H.
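The racoon message above is the client's complaint that the Length field in the 28-byte ISAKMP header (RFC 2408) claims more bytes than the UDP datagram actually carries, which is typically what a truncated or fragmented IKEv1 message looks like on the receiving side. The following is an added diagnostic example, not code from the original post or from strongSwan: it parses an ISAKMP header from a UDP payload, strips the RFC 3948 non-ESP marker on port 4500 (the port the later packets in the log use), and reports whether the header length matches what arrived. The sample packets are constructed for the test; cookie values, padding and the helper names are assumptions.

```python
import struct

ISAKMP_HDR_LEN = 28                    # fixed ISAKMP header size (RFC 2408 section 3.1)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: 4 zero bytes precede IKE on UDP/4500
EXCHANGE_TYPES = {2: "ID_PROT", 5: "INFORMATIONAL", 6: "TRANSACTION", 32: "QUICK_MODE"}


def check_isakmp_datagram(payload: bytes, dst_port: int) -> dict:
    """Parse the ISAKMP header of one UDP payload and compare its Length
    field with the bytes that actually arrived. Returns the parsed fields
    plus a 'verdict'. On port 4500 the non-ESP marker is stripped first;
    a payload there that does not start with four zero bytes is UDP-encapsulated ESP."""
    if dst_port == 4500:
        if len(payload) < len(NON_ESP_MARKER):
            return {"verdict": "truncated"}
        if payload[:4] != NON_ESP_MARKER:
            return {"verdict": "udp-encapsulated ESP, not IKE"}
        payload = payload[4:]
    if len(payload) < ISAKMP_HDR_LEN:
        return {"verdict": "truncated"}
    # initiator cookie, responder cookie, next payload, version, exchange type,
    # flags, message ID, total message length (header included)
    icookie, rcookie, next_pl, version, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", payload[:ISAKMP_HDR_LEN])
    info = {
        "initiator_spi": icookie.hex(), "responder_spi": rcookie.hex(),
        "next_payload": next_pl, "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & 0x01), "message_id": msgid,
        "header_length": length, "datagram_length": len(payload),
    }
    if length > len(payload):
        # the condition behind racoon's "the length in the isakmp header is too big"
        info["verdict"] = "header length exceeds datagram (truncated or fragmented?)"
    elif length < len(payload):
        info["verdict"] = "trailing bytes after ISAKMP message"
    else:
        info["verdict"] = "ok"
    return info


def build_header(exch: int, msgid: int, length: int, flags: int = 0) -> bytes:
    """Constructed ISAKMP header for testing; cookies are fixed dummy values."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), 1, 0x10, exch, flags, msgid, length)


# Constructed sample 1: Main Mode message 0 claiming 668 bytes, padded to that size -> ok
GOOD = build_header(2, 0, 668) + b"\x00" * (668 - ISAKMP_HDR_LEN)
# Constructed sample 2: same claim on UDP/4500, but only 600 bytes arrived -> the racoon error
SHORT = NON_ESP_MARKER + build_header(2, 0, 668) + b"\x00" * (600 - ISAKMP_HDR_LEN)
```

Feeding captured UDP payloads from both ends of the tunnel through this check shows whether the oversize length is already present on the wire from the server or appears only after a fragment is lost on the path.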