[strongSwan] [strongSwan-dev] Road warrior stuck in rekeying state

joshua grossjo2 at hotmail.com
Wed Jun 4 16:36:04 CEST 2014

I just wanted to chime in that I am also seeing this issue.
Stack details:
strongSwan 5.0.4, Linux 3.8.0-29-generic, x86_64
x509 certs + xauth
Ubuntu 12.04
iPhone 4s
iOS 7

Joshua J. Gross

Date: Tue, 3 Jun 2014 16:14:40 +0100
From: stark.harry at yahoo.co.uk
To: stark.harry at yahoo.co.uk; dev at lists.strongswan.org; Users at lists.strongswan.org
Subject: Re: [strongSwan-dev] Road warrior stuck in rekeying state

Dug a little deeper and tried disabling rekeying but the iPhone still ends up in the REKEYING state for some reason.
When it's stuck in the REKEYING state it has no Internet connectivity, can't be pinged from the server - but it is receiving DPD_ACK requests (I can see them being passed to and from the server<->client in
Any idea what's going on here?
 Tuesday, 27 May 2014, 11:37, Harry Stark <stark.harry at yahoo.co.uk> wrote:
    Hi,

    I've a problem with iPhone users that sometimes have no Internet connectivity when re-connecting.

    I've just managed to reproduce the issue myself and found that the device was stuck in a rekeying state:

    Ran ipsec statusall and received the following for the device:

    radius-user[7294]: ESTABLISHED 8 minutes ago, server.ip.addr[removed]…client.ip.addr[removed]
    radius-user[7294]: Remote XAuth identity: id
    radius-user[7294]: IKEv1 SPIs: 97f5e4a174c21a04_i d955c959b74e47ca_r*, public key reauthentication in 2 hours
    radius-user[7294]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    radius-user{4638}:  REKEYING, TUNNEL, expires in 51 minutes
    radius-user{4638}: ===
    radius-user{4638}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c94cefea_i 065a29fb_o
    radius-user{4638}:  AES_CBC_128/HMAC_SHA1_96, 153357 bytes_i (1104 pkts, 1s ago), 0 bytes_o, rekeying in 36 minutes
    radius-user{4638}: ===

    So the tunnel was set up correctly but the device was not able to be ping'ed or receive any data at all and just stuck there in the REKEYING state.

    I did an ipsec down on the user which forced the device to reconnect and all was then fine.

    Not sure where to look to solve this? Is there a setting I can enable to disable all REKEYING so I can force all my iPhone users to do a full re-auth every connection? I know this may be slower but their devices are pretty dumb!

    Thanks,

    I'm running Centos 6 & Linux strongSwan
Dev mailing list
Dev at lists.strongswan.org
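
Added example (not part of the original thread and not strongSwan code): a Python check that scans ipsec statusall output in the format quoted above for a CHILD_SA that shows a REKEYING entry while its counters report inbound bytes but 0 bytes_o, the pattern in the report. The function names, the heuristic itself and the {4639} sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the CHILD_SA lines quoted in the thread, plus one
# made-up healthy SA ({4639}, invented SPIs and counters) for contrast.
SAMPLE = """\
radius-user{4638}:  REKEYING, TUNNEL, expires in 51 minutes
radius-user{4638}: ===
radius-user{4638}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c94cefea_i 065a29fb_o
radius-user{4638}:  AES_CBC_128/HMAC_SHA1_96, 153357 bytes_i (1104 pkts, 1s ago), 0 bytes_o, rekeying in 36 minutes
radius-user{4638}: ===
radius-user{4639}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c0000001_i c0000002_o
radius-user{4639}:  AES_CBC_128/HMAC_SHA1_96, 9000 bytes_i (60 pkts, 2s ago), 8000 bytes_o (55 pkts, 2s ago), rekeying in 40 minutes
"""

# CHILD_SA lines use name{id}; IKE_SA lines use name[id] and do not match.
CHILD_LINE = re.compile(r"^\s*(?P<conn>\S+?)\{(?P<id>\d+)\}:\s*(?P<rest>.*)$")
STATE = re.compile(r"^([A-Z_]+), (?:TUNNEL|TRANSPORT|BEET)\b")
BYTES_IN = re.compile(r"(\d+) bytes_i")
BYTES_OUT = re.compile(r"(\d+) bytes_o")

def summarize_child_sas(text):
    """Group CHILD_SA lines by conn{id}: states seen and traffic counters."""
    sas = defaultdict(lambda: {"states": [], "bytes_i": 0, "bytes_o": 0})
    for line in text.splitlines():
        m = CHILD_LINE.match(line)
        if not m:
            continue
        entry = sas[f"{m['conn']}{{{m['id']}}}"]
        rest = m["rest"]
        if (s := STATE.match(rest)):
            entry["states"].append(s.group(1))
        if (b := BYTES_IN.search(rest)):
            entry["bytes_i"] += int(b.group(1))
        if (b := BYTES_OUT.search(rest)):
            entry["bytes_o"] += int(b.group(1))
    return dict(sas)

def find_stuck(text):
    """Heuristic (assumption): REKEYING entry, inbound traffic, none outbound."""
    return sorted(
        key for key, sa in summarize_child_sas(text).items()
        if "REKEYING" in sa["states"] and sa["bytes_i"] > 0 and sa["bytes_o"] == 0
    )

if __name__ == "__main__":
    for key in find_stuck(SAMPLE):
        print(f"{key}: REKEYING entry with one-way traffic")
```

A single match only says the SA looked this way at the moment of the snapshot; comparing two snapshots taken some minutes apart shows whether the REKEYING entry persists.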
