[strongSwan] Road warrior stuck in rekeying state
Harry Stark
stark.harry at yahoo.co.uk
Tue May 27 12:37:26 CEST 2014
Hi,
I've a problem with iPhone users that sometimes have no Internet connectivity when re-connecting.
I've just managed to reproduce the issue myself and found that the device was stuck in a rekeying state:
Ran ipsec statusall and received the following for the device:
radius-user[7294]: ESTABLISHED 8 minutes ago, server.ip.addr[removed]...client.ip.addr[removed]
radius-user[7294]: Remote XAuth identity: id
radius-user[7294]: IKEv1 SPIs: 97f5e4a174c21a04_i d955c959b74e47ca_r*, public key reauthentication in 2 hours
radius-user[7294]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
radius-user{4638}: REKEYING, TUNNEL, expires in 51 minutes
radius-user{4638}: 0.0.0.0/0 === 10.0.1.153/32
radius-user{4638}: INSTALLED, TUNNEL, ESP in UDP SPIs: c94cefea_i 065a29fb_o
radius-user{4638}: AES_CBC_128/HMAC_SHA1_96, 153357 bytes_i (1104 pkts, 1s ago), 0 bytes_o, rekeying in 36 minutes
radius-user{4638}: 0.0.0.0/0 === 10.0.1.153/32
So the tunnel was set up correctly but the device was not able to be pinged or receive any data at all and was just stuck there in the REKEYING state.
I did an ipsec down on the user which forced the device to reconnect and all was then fine.
Not sure where to look to solve this? Is there a setting I can enable to disable all REKEYING so I can force all my iPhone users to do a full re-auth every connection? I know this may be slower but their devices are pretty dumb!
Thanks,
I'm running CentOS 6 & Linux strongSwan U5.1.3/K2.6.32-358.11.1.el6.x86_64
H.
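
Added example (not part of the original post and not strongSwan code): a Python check that scans `ipsec statusall` output for the symptom shown above, a CHILD_SA entry in REKEYING alongside an INSTALLED entry for the same connection that has received bytes but sent none. The regexes assume the line layout quoted in the post; the function names are hypothetical.

```python
import re

# Sample input: the CHILD_SA lines quoted in the post above.
SAMPLE = """\
radius-user{4638}: REKEYING, TUNNEL, expires in 51 minutes
radius-user{4638}: 0.0.0.0/0 === 10.0.1.153/32
radius-user{4638}: INSTALLED, TUNNEL, ESP in UDP SPIs: c94cefea_i 065a29fb_o
radius-user{4638}: AES_CBC_128/HMAC_SHA1_96, 153357 bytes_i (1104 pkts, 1s ago), 0 bytes_o, rekeying in 36 minutes
radius-user{4638}: 0.0.0.0/0 === 10.0.1.153/32
"""

CHILD = re.compile(r"^\s*([^\s{\[]+)\{(\d+)\}:\s+(.*)$")  # name{n}: rest
STATE = re.compile(r"^([A-Z]+), ")  # assumed form: "REKEYING, TUNNEL, ..."
BYTES_IN = re.compile(r"(\d+) bytes_i")
BYTES_OUT = re.compile(r"(\d+) bytes_o")


def parse_child_sas(text):
    """Return one dict per CHILD_SA entry; a new entry starts at each state line."""
    entries = []
    for line in text.splitlines():
        m = CHILD.match(line)
        if not m:
            continue  # IKE_SA lines use name[n]: and are skipped
        conn, num, rest = m.group(1), int(m.group(2)), m.group(3)
        s = STATE.match(rest)
        if s:
            entries.append({"conn": conn, "num": num, "state": s.group(1),
                            "bytes_in": None, "bytes_out": None})
        elif entries and (entries[-1]["conn"], entries[-1]["num"]) == (conn, num):
            i, o = BYTES_IN.search(rest), BYTES_OUT.search(rest)
            if i:
                entries[-1]["bytes_in"] = int(i.group(1))
            if o:
                entries[-1]["bytes_out"] = int(o.group(1))
    return entries


def find_stuck(text):
    """Heuristic: REKEYING entry plus an INSTALLED entry that receives but never sends."""
    sas = parse_child_sas(text)
    rekeying = {(e["conn"], e["num"]) for e in sas if e["state"] == "REKEYING"}
    return sorted({(e["conn"], e["num"]) for e in sas
                   if e["state"] == "INSTALLED" and (e["conn"], e["num"]) in rekeying
                   and e["bytes_in"] and e["bytes_out"] == 0})


if __name__ == "__main__":
    print(find_stuck(SAMPLE))
```

A rekey that is simply in progress can match briefly, so treat a hit as stuck only when it persists across several polls.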