[strongSwan] [strongSwan-dev] Road warrior stuck in rekeying state

Harry Stark stark.harry at yahoo.co.uk
Tue Jun 3 17:14:40 CEST 2014

Dug a little deeper and tried disabling rekeying but the iPhone still ends up in the REKEYING state for some reason.

When it's stuck in the REKEYING state it has no Internet connectivity, can't be pinged from the server - but it is receiving DPD_ACK requests (I can see them being passed to and from the server<->client in /var/log/messages).

Any idea what's going on here?



On Tuesday, 27 May 2014, 11:37, Harry Stark <stark.harry at yahoo.co.uk> wrote:

I've a problem with iPhone users that sometime have no Internet connectivity when re-connecting.

I've just managed to reproduce the issue myself and found that the device was stuck in a rekeying state:

Ran ipsec statusall and received the following for the device:

radius-user[7294]: ESTABLISHED 8 minutes ago, server.ip.addr[removed]…client.ip.addr[removed]
radius-user[7294]: Remote XAuth identity: id
radius-user[7294]: IKEv1 SPIs: 97f5e4a174c21a04_i d955c959b74e47ca_r*, public key reauthentication in 2 hours
radius-user[7294]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
radius-user{4638}:  REKEYING, TUNNEL, expires in 51 minutes
radius-user{4638}: === 
radius-user{4638}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c94cefea_i 065a29fb_o
radius-user{4638}:  AES_CBC_128/HMAC_SHA1_96, 153357 bytes_i (1104 pkts, 1s ago), 0 bytes_o, rekeying in 36 minutes
radius-user{4638}: === 

So the tunnel was setup correctly but the device was not able to be ping'ed or receive any data at all and just stuck there in the REKEYING state.

I did a ipsec down on the user which forced the device to reconnect and all was then fine.

Not sure where to look to solve this?  Is there a setting I can enable to disable all REKEYING so I can force all my iPhone users to do a full re-auth every connection?  I know this may be slower but their devices are pretty dumb!


I'm running Centos 6 & Linux strongSwan U5.1.3/K2.6.32-358.11.1.el6.x86_64


Dev mailing list
Dev at lists.strongswan.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140603/6c0fdabb/attachment.html>

More information about the Users mailing list