[strongSwan] deleting half open IKE_SA after timeout

Martin Willi martin at strongswan.org
Fri Feb 27 15:50:07 CET 2015

Hi Denis

> 07[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> 07[NET] sending packet: from[4500] to[39592] (1660 bytes)
> 07[ENC] generating TRANSACTION request 2234314252 [ HASH CPRQ(X_USER X_PWD) ]
> 07[NET] sending packet: from[4500] to[39592] (76 bytes)
> 10[IKE] sending retransmit 1 of request message ID 2234314252, seq 1

strongSwan requests XAuth authentication from the client, but the client
does not seem to answer. Either it does not get the message, the user is
not entering the credentials in time, or more likely, it does not expect
an XAuth username/password request.

Most likely your client is not configured to do XAuth, or it is one of
those clients that want to skip XAuth authentication during the ISAKMP
reauthentication procedure (iOS, OS X). We strictly require that, as we
think just skipping XAuth is a security issue.
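
The symptom described in this message can be checked across a longer log. The following is an added example, not part of the original post and not strongSwan code: it correlates XAuth requests with retransmits and responses by message ID. The sample log is constructed from the lines quoted above, and the format of the "parsed TRANSACTION response" line is an assumption.

```python
import re

# Constructed sample log. Request and retransmit lines follow the format quoted
# in the message above; the "parsed TRANSACTION response" line is an assumed
# format for a client that does answer the XAuth request.
SAMPLE_LOG = """\
07[ENC] generating TRANSACTION request 2234314252 [ HASH CPRQ(X_USER X_PWD) ]
07[NET] sending packet: from[4500] to[39592] (76 bytes)
10[IKE] sending retransmit 1 of request message ID 2234314252, seq 1
11[IKE] sending retransmit 2 of request message ID 2234314252, seq 1
08[ENC] generating TRANSACTION request 1111111111 [ HASH CPRQ(X_USER X_PWD) ]
12[IKE] sending retransmit 1 of request message ID 1111111111, seq 1
09[ENC] parsed TRANSACTION response 1111111111 [ HASH CPRP(X_USER X_PWD) ]
"""

# XAuth credential request sent by the gateway
REQ = re.compile(r"generating TRANSACTION request (\d+) \[.*CPRQ\(X_USER X_PWD\)")
# Any TRANSACTION response from the client for that message ID (assumed format)
RESP = re.compile(r"parsed TRANSACTION response (\d+) \[")
# Retransmit of a request that has not been answered yet
RETX = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")


def unanswered_xauth(log_text):
    """Return {message_id: highest_retransmit} for XAuth requests with no response."""
    pending = {}
    for line in log_text.splitlines():
        if m := REQ.search(line):
            pending.setdefault(int(m.group(1)), 0)
        elif m := RETX.search(line):
            mid = int(m.group(2))
            # Only count retransmits that belong to an XAuth request we saw
            if mid in pending:
                pending[mid] = max(pending[mid], int(m.group(1)))
        elif m := RESP.search(line):
            # Client answered: this exchange is no longer half open
            pending.pop(int(m.group(1)), None)
    return pending


if __name__ == "__main__":
    for mid, retx in unanswered_xauth(SAMPLE_LOG).items():
        print(f"XAuth request {mid}: no client response, {retx} retransmit(s)")
```
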

