[strongSwan] deleting half open IKE_SA after timeout

Denis Zinevich link at ngc.net.ua
Fri Feb 27 16:05:20 CET 2015


Hello Martin,

same client connects to other servers successfully, with same credentials. After I change server name - connection fails.
and this happened only with one particular server, so according to your explanation either client didn't get XAuth request or server didn't get reply.
I've just tried to compare tcpdumps from two machines (good and bad ones) and they look similar except one string (with ip-proto-17)

14:44:09.253366 IP 46.211.137.122.44028 > 179.179.179.179.500: isakmp: phase 1 I ident
14:44:09.254387 IP 179.179.179.179.500 > 46.211.137.122.44028: isakmp: phase 1 R ident
.......
14:44:12.269561 IP 46.211.137.122.43918 > 179.179.179.179.4500: NONESP-encap: isakmp: phase 1 I ident[E]
14:44:12.274524 IP 179.179.179.179.4500 > 46.211.137.122.43918: NONESP-encap: isakmp: phase 1 R ident[E]
14:44:12.274536 IP 179.179.179.179 > 46.211.137.122: ip-proto-17
14:44:12.274554 IP 179.179.179.179.4500 > 46.211.137.122.43918: NONESP-encap: isakmp: phase 2/others R #6[E]
14:44:13.177956 IP 46.211.137.122.43918 > 179.179.179.179.4500: NONESP-encap: isakmp: phase 1 I ident[E]
14:44:13.178322 IP 179.179.179.179.4500 > 46.211.137.122.43918: NONESP-encap: isakmp: phase 1 R ident[E]
14:44:13.178334 IP 179.179.179.179 > 46.211.137.122: ip-proto-17
14:44:16.274884 IP 179.179.179.179.4500 > 46.211.137.122.43918: NONESP-encap: isakmp: phase 2/others R #6[E]
14:44:16.997719 IP 46.211.137.122.43918 > 179.179.179.179.4500: NONESP-encap: isakmp: phase 1 I ident[E]
14:44:16.998089 IP 179.179.179.179.4500 > 46.211.137.122.43918: NONESP-encap: isakmp: phase 1 R ident[E]
14:44:16.998100 IP 179.179.179.179 > 46.211.137.122: ip-proto-17

Thanks for your help, looks like network issue, will dig in that direction.

27.02.2015, 16:50, "Martin Willi" <martin at strongswan.org>:
> Hi Denis
>>  07[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
>>  07[NET] sending packet: from 179.179.179.179[4500] to 46.211.133.122[39592] (1660 bytes)
>>  07[ENC] generating TRANSACTION request 2234314252 [ HASH CPRQ(X_USER X_PWD) ]
>>  07[NET] sending packet: from 179.179.179.179[4500] to 46.211.133.122[39592] (76 bytes)
>>  10[IKE] sending retransmit 1 of request message ID 2234314252, seq 1
>
> strongSwan requests XAuth authentication from the client, but the client
> does not seem to answer. Either it does not get the message, the user is
> not entering the credentials in time, or more likely, it does not expect
> an XAuth username/password request.
>
> Most likely your client is not configured to do XAuth, or it is one of
> those clients that want to skip XAuth authentication during the ISAKMP
> reauthentication procedure (iOS, OS X). We strictly require that, as we
> think just skipping XAuth is a security issue.
>
> Regards
> Martin
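As an added example (not part of this mail thread and not strongSwan's own code), the following Python script does the comparison Denis did by hand: it parses tcpdump one-liners like the ones quoted above, counts how often each side repeats an identical ISAKMP message, and flags the `ip-proto-17` lines. The script assumes that tcpdump prints `ip-proto-17` for a non-initial IP fragment of a UDP datagram (no transport header left to decode), that client and server addresses are supplied by the caller, and that a server reply needing fragments while the client keeps resending its last message is a reasonable sign of fragments being dropped on the path. The sample capture is constructed from the lines in the mail.

```python
"""Triage of a tcpdump capture of an IKEv1/ISAKMP exchange over NAT-T (UDP 4500).

Hypothetical helper, not strongSwan code: parses tcpdump one-liners, counts
repeated (retransmitted) ISAKMP messages per side, and flags 'ip-proto-17'
lines, which tcpdump prints for trailing IP fragments of a UDP datagram.
"""
import re
from collections import Counter

# Constructed sample, modeled on the capture quoted in the mail above.
SAMPLE = """\
14:44:09.253366 IP 46.211.137.122.44028 > 179.179.179.179.500: isakmp: phase 1 I ident
14:44:09.254387 IP 179.179.179.179.500 > 46.211.137.122.44028: isakmp: phase 1 R ident
14:44:12.269561 IP 46.211.137.122.43918 > 179.179.179.179.4500: NONESP-encap: isakmp: phase 1 I ident[E]
14:44:12.274524 IP 179.179.179.179.4500 > 46.211.137.122.43918: NONESP-encap: isakmp: phase 1 R ident[E]
14:44:12.274536 IP 179.179.179.179 > 46.211.137.122: ip-proto-17
14:44:12.274554 IP 179.179.179.179.4500 > 46.211.137.122.43918: NONESP-encap: isakmp: phase 2/others R #6[E]
14:44:13.177956 IP 46.211.137.122.43918 > 179.179.179.179.4500: NONESP-encap: isakmp: phase 1 I ident[E]
14:44:13.178322 IP 179.179.179.179.4500 > 46.211.137.122.43918: NONESP-encap: isakmp: phase 1 R ident[E]
14:44:13.178334 IP 179.179.179.179 > 46.211.137.122: ip-proto-17
14:44:16.274884 IP 179.179.179.179.4500 > 46.211.137.122.43918: NONESP-encap: isakmp: phase 2/others R #6[E]
14:44:16.997719 IP 46.211.137.122.43918 > 179.179.179.179.4500: NONESP-encap: isakmp: phase 1 I ident[E]
14:44:16.998089 IP 179.179.179.179.4500 > 46.211.137.122.43918: NONESP-encap: isakmp: phase 1 R ident[E]
14:44:16.998100 IP 179.179.179.179 > 46.211.137.122: ip-proto-17
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def _endpoint(ep):
    """'1.2.3.4.500' -> ('1.2.3.4', 500); a bare '1.2.3.4' (fragment line) -> ('1.2.3.4', None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a record dict for one tcpdump line, or None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = _endpoint(m["src"])
    dst, dport = _endpoint(m["dst"])
    rest = m["rest"]
    isakmp = rest.split("isakmp: ", 1)[1] if "isakmp: " in rest else None
    return {
        "t": _seconds(m["ts"]), "src": src, "sport": sport, "dst": dst, "dport": dport,
        "fragment": rest == "ip-proto-17",   # tcpdump's rendering of a trailing UDP fragment
        "isakmp": isakmp,                    # e.g. 'phase 1 I ident[E]'
    }


def repeats(records, side_ip):
    """Number of extra copies of an identical ISAKMP message sent by side_ip (0 = no retransmits)."""
    keys = Counter((r["sport"], r["isakmp"]) for r in records if r["src"] == side_ip and r["isakmp"])
    return sum(c - 1 for c in keys.values())


def retransmit_gaps(records, side_ip):
    """Seconds between successive copies of the most-repeated message from side_ip."""
    seen = {}
    for r in records:
        if r["src"] == side_ip and r["isakmp"]:
            seen.setdefault((r["sport"], r["isakmp"]), []).append(r["t"])
    times = max(seen.values(), key=len, default=[])
    return [round(b - a, 1) for a, b in zip(times, times[1:])]


def diagnose(text, client_ip, server_ip):
    """Summarise one capture and give a coarse verdict."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    server_frags = sum(1 for r in recs if r["fragment"] and r["src"] == server_ip)
    client_rep, server_rep = repeats(recs, client_ip), repeats(recs, server_ip)
    if server_frags and client_rep:
        verdict = "suspect_fragment_loss"   # client repeats itself while the server's reply needs fragments
    elif client_rep or server_rep:
        verdict = "retransmits_without_fragments"
    else:
        verdict = "clean"
    return {
        "packets": len(recs),
        "server_fragments": server_frags,
        "client_retransmits": client_rep,
        "server_retransmits": server_rep,
        "client_gaps_s": retransmit_gaps(recs, client_ip),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE, "46.211.137.122", "179.179.179.179"))
```

Run on the sample, the script reports three server-side fragments and a client that sends the same `phase 1 I ident[E]` three times, which is the pattern to look for when a large ID_PROT response (the 1660-byte packet with a CERT payload in Martin's quoted log) has to be fragmented. A "good" capture from a working server should give `clean` or at most isolated retransmits. If the verdict is `suspect_fragment_loss`, the next things to check are the path MTU and whether a firewall between the peers drops non-initial UDP fragments; where both ends support it, IKE-level fragmentation avoids relying on IP fragments at all.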

