[strongSwan] questions on syslog output; linux server/mac client RSA certificate auth

Cindy Moore ctmoore at cs.ucsd.edu
Fri Dec 19 07:55:53 CET 2014


I seem to be getting a timeout somewhere within 30-40 minutes of the
initial connection.  I suppose it could be the racoon.conf bug that
first popped up in 10.6 and seems to get fixed/pop up again with each
new version, but it does not ask me to reauthenticate manually (as
most descriptions note) -- it just disconnects.

The full dump of info (syslog on server, system.log on client,
ipsec.conf) is here http://pastebin.ubuntu.com/9567163/

I note in particular (about line 150)

Dec 18 18:30:00 vpn charon: 02[NET] received packet: from [client
ip][40812] to [vpn ip][4500]
Dec 18 18:30:00 vpn charon: 02[NET] waiting for data on sockets
Dec 18 18:30:00 vpn charon: 12[NET] received packet: from [client
ip][40812] to [vpn ip][4500] (92 bytes)
Dec 18 18:30:00 vpn charon: 12[ENC] parsed INFORMATIONAL_V1 request
3455443078 [ HASH D ]
Dec 18 18:30:00 vpn charon: 12[IKE] received DELETE for IKE_SA
roadwarrior-ldap[6]
Dec 18 18:30:00 vpn charon: 12[IKE] deleting IKE_SA
roadwarrior-ldap[6] between [vpn ip][vpn.example.com]...[client
ip][C=US, O=ThatsUs, CN=ctmoore at example.com]
Dec 18 18:30:00 vpn charon: 12[IKE] IKE_SA roadwarrior-ldap[6] state
change: ESTABLISHED => DELETING
Dec 18 18:30:00 vpn charon: 12[IKE] IKE_SA roadwarrior-ldap[6] state
change: DELETING => DELETING


But the mac output (also in the pastebin link above) looks very
minimal.  Thoughts?  This otherwise works in every way apart from the
summary disconnect.

On Thu, Dec 18, 2014 at 5:40 PM, Cindy Moore <ctmoore at cs.ucsd.edu> wrote:
> Well, I found that switching to Cisco IPsec for the vpn type in the
> Mac vpn setup and just using xauth-pam worked.
>
> I'm torn between jumping up and down with joy and banging my head on the desk.
>
> The one thing I'm battling now is that it seems to drop the connection
> after about 30 minutes.  Is this a known thing?  I'm sitting on a
> connection now to get good syslog info.
>
> On Thu, Dec 18, 2014 at 12:32 AM, Martin Willi <martin at strongswan.org> wrote:
>> Cindy,
>>
>>> 15[CFG] looking for a child config for vpn_ip/32[udp/l2f] === client_ip/32[udp/62338]
>>>
>>> Looks for a child config, doesn't find one, what's going on here?
>>
>> Your client tries to negotiate a traffic selector for L2TP, most likely
>> because it is configured to use L2TP over IPsec. In this mode an L2TP
>> daemon handles the tunneling, strongSwan only protects the L2TP traffic.
>>
>> If you want to use plain IPsec, try to configure "Cisco IPsec" on your
>> Mac client. This mode uses IKEv1 with XAuth authentication, and is most
>> likely preferable.
>>
>>> Maybe I'm just being dense, but what is "Main Mode"?
>>
>> Main Mode is a Phase 1 exchange in IKEv1 to establish an ISAKMP-SA.
>>
>> I recommend to get some literature about IPsec and IKE; understanding
>> the basic concepts of these protocols is very helpful in configuring
>> strongSwan, especially if it comes to interoperability with other
>> software.
>>
>> Kind regards
>> Martin
>>


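The excerpt above shows the useful distinction when chasing a disconnect like this: charon logged "received DELETE for IKE_SA" right before "deleting IKE_SA", which means the peer (the Mac) sent the DELETE, not the server. The script below is an added example, not strongSwan code and not from the pastebin; it parses charon syslog lines in the format quoted in the mail, records when each IKE_SA was established and deleted, classifies the delete as peer-initiated or local, and computes the SA lifetime so a ~30-minute pattern is easy to spot. The log lines it runs on are constructed sample data that mirror the message formats in the excerpt (addresses, IDs and timestamps are made up); the "established between" line is the standard charon message for a completed IKE_SA and is assumed here to appear earlier in the same log.

```python
"""Added example: summarise IKE_SA lifetimes and who sent the DELETE from charon syslog lines."""
import re
from datetime import datetime

# Constructed sample log in the same format as the excerpt in the mail
# (one line per message; the mail's lines were wrapped by the mail client).
SAMPLE_LOG = """\
Dec 18 17:58:12 vpn charon: 07[IKE] IKE_SA roadwarrior-ldap[6] established between 192.0.2.1[vpn.example.com]...198.51.100.7[C=US, O=ThatsUs, CN=ctmoore at example.com]
Dec 18 17:58:12 vpn charon: 07[IKE] IKE_SA roadwarrior-ldap[6] state change: CONNECTING => ESTABLISHED
Dec 18 18:30:00 vpn charon: 12[NET] received packet: from 198.51.100.7[40812] to 192.0.2.1[4500] (92 bytes)
Dec 18 18:30:00 vpn charon: 12[ENC] parsed INFORMATIONAL_V1 request 3455443078 [ HASH D ]
Dec 18 18:30:00 vpn charon: 12[IKE] received DELETE for IKE_SA roadwarrior-ldap[6]
Dec 18 18:30:00 vpn charon: 12[IKE] deleting IKE_SA roadwarrior-ldap[6] between 192.0.2.1[vpn.example.com]...198.51.100.7[C=US, O=ThatsUs, CN=ctmoore at example.com]
Dec 18 18:30:00 vpn charon: 12[IKE] IKE_SA roadwarrior-ldap[6] state change: ESTABLISHED => DELETING
Dec 18 18:30:00 vpn charon: 12[IKE] IKE_SA roadwarrior-ldap[6] state change: DELETING => DELETING
Dec 18 18:31:05 vpn charon: 09[IKE] IKE_SA roadwarrior-ldap[7] established between 192.0.2.1[vpn.example.com]...198.51.100.9[C=US, O=ThatsUs, CN=other at example.com]
Dec 18 18:31:05 vpn charon: 09[IKE] IKE_SA roadwarrior-ldap[7] state change: CONNECTING => ESTABLISHED
Dec 18 19:31:10 vpn charon: 03[IKE] deleting IKE_SA roadwarrior-ldap[7] between 192.0.2.1[vpn.example.com]...198.51.100.9[C=US, O=ThatsUs, CN=other at example.com]
Dec 18 19:31:10 vpn charon: 03[IKE] IKE_SA roadwarrior-ldap[7] state change: ESTABLISHED => DELETING
"""

# "Dec 18 18:30:00 vpn charon: 12[IKE] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
SA = r"(?P<sa>\S+\[\d+\])"  # e.g. roadwarrior-ldap[6]
ESTABLISHED_RE = re.compile(r"^IKE_SA " + SA + r" established between (?P<local>.+?)\.\.\.(?P<remote>.+)$")
RECV_DELETE_RE = re.compile(r"^received DELETE for IKE_SA " + SA + r"$")
DELETING_RE = re.compile(r"^deleting IKE_SA " + SA + r" between ")
STATE_RE = re.compile(r"^IKE_SA " + SA + r" state change: (?P<old>\w+) => (?P<new>\w+)$")


def parse_line(line):
    """Split one charon syslog line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for differences within one log (but not across a New Year boundary).
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def _new_sa():
    return {"established": None, "deleted": None, "initiator": None,
            "lifetime_s": None, "remote": None, "states": []}


def analyze(log_text):
    """Return {sa_name: summary} with lifetime and who initiated the teardown."""
    sas = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["group"] != "IKE":
            continue  # only the [IKE] group carries SA lifecycle messages
        msg, ts = rec["msg"], rec["ts"]
        m = ESTABLISHED_RE.match(msg)
        if m:
            sa = sas.setdefault(m["sa"], _new_sa())
            sa["established"], sa["remote"] = ts, m["remote"]
            continue
        m = RECV_DELETE_RE.match(msg)
        if m:
            # The peer sent the DELETE payload: teardown was initiated remotely.
            sas.setdefault(m["sa"], _new_sa())["initiator"] = "peer"
            continue
        m = DELETING_RE.match(msg)
        if m:
            sa = sas.setdefault(m["sa"], _new_sa())
            sa["deleted"] = ts
            if sa["initiator"] is None:
                sa["initiator"] = "local"  # no DELETE received first: lifetime, reauth, or admin
            if sa["established"] is not None:
                sa["lifetime_s"] = int((ts - sa["established"]).total_seconds())
            continue
        m = STATE_RE.match(msg)
        if m:
            sas.setdefault(m["sa"], _new_sa())["states"].append((m["old"], m["new"]))
    return sas


def short_lived(sas, max_seconds=3600):
    """Names of SAs torn down by the peer in under max_seconds, worth a closer look."""
    return sorted(name for name, sa in sas.items()
                  if sa["initiator"] == "peer"
                  and sa["lifetime_s"] is not None and sa["lifetime_s"] < max_seconds)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for name, sa in result.items():
        print(f"{name}: {sa['initiator']}-initiated delete after {sa['lifetime_s']}s, peer {sa['remote']}")
    print("peer-initiated short-lived SAs:", short_lived(result))
```

Run it against the real server syslog (`python3 sa_lifetime.py < /var/log/syslog`-style piping is a one-line change to read `sys.stdin`); if every drop is peer-initiated at a consistent lifetime, the trigger is on the client side, and the Mac's own log is where to look next, whereas local deletes at the configured lifetime point at the server's rekey or reauth settings.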