[strongSwan] Road warrior stuck in rekeying state

Harry Stark stark.harry at yahoo.co.uk
Tue May 27 12:37:26 CEST 2014


I've a problem with iPhone users that sometime have no Internet connectivity when re-connecting.

I've just managed to reproduce the issue myself and found that the device was stuck in a rekeying state:

Ran ipsec statusall and received the following for the device:

radius-user[7294]: ESTABLISHED 8 minutes ago, server.ip.addr[removed]…client.ip.addr[removed]
radius-user[7294]: Remote XAuth identity: id
radius-user[7294]: IKEv1 SPIs: 97f5e4a174c21a04_i d955c959b74e47ca_r*, public key reauthentication in 2 hours
radius-user[7294]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
radius-user{4638}:  REKEYING, TUNNEL, expires in 51 minutes
radius-user{4638}: === 
radius-user{4638}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c94cefea_i 065a29fb_o
radius-user{4638}:  AES_CBC_128/HMAC_SHA1_96, 153357 bytes_i (1104 pkts, 1s ago), 0 bytes_o, rekeying in 36 minutes
radius-user{4638}: === 

So the tunnel was setup correctly but the device was not able to be ping'ed or receive any data at all and just stuck there in the REKEYING state.

I did a ipsec down on the user which forced the device to reconnect and all was then fine.

Not sure where to look to solve this?  Is there a setting I can enable to disable all REKEYING so I can force all my iPhone users to do a full re-auth every connection?  I know this may be slower but their devices are pretty dumb!


I'm running Centos 6 & Linux strongSwan U5.1.3/K2.6.32-358.11.1.el6.x86_64

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140527/b704d2be/attachment.html>

More information about the Users mailing list