[strongSwan] IKEv2 rekey failure with IOS8

Tom Matthews tom at axiom-partners.com
Thu Jul 23 17:35:48 CEST 2015


Hello all,

Getting repeatable failures on rekey using an Apple iOS 8.3 device. Even
worse, charon dies too (that bit may not be repeatable; I haven't checked
yet).

Can anyone suggest where I'm going wrong please?

# ipsec version
Linux strongSwan U5.3.2/K4.1.2

### /etc/ipsec.conf ###
config setup
       uniqueids=never
       charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        dpdaction=clear
        leftsendcert=always
        ike=aes256gcm128-sha256-modp4096!
        esp=aes256gcm128-sha256-modp4096!
        tfc=%mtu
        dpddelay=300s

conn IOS8
        keyexchange=ikev2
        leftid=hq.axiom-partners.com
        leftcert=VPNServerCert.pem
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=192.168.1.128/7
        rightdns=8.26.56.26,8.20.247.20
        dpdaction=clear
        auto=add

### /var/log/syslog ### - During initial connection
Jul 23 13:57:57 nibbler ipsec[8214]: 06[IKE] 213.205.251.25 is initiating
an IKE_SA
Jul 23 13:57:57 nibbler ipsec[8214]: 06[IKE] IKE_SA (unnamed)[1] state
change: CREATED => CONNECTING
Jul 23 13:57:57 nibbler ipsec[8214]: 06[CFG] selecting proposal:
Jul 23 13:57:57 nibbler ipsec[8214]: 06[CFG]   proposal matches
Jul 23 13:57:57 nibbler ipsec[8214]: 06[CFG] received proposals:
IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096
Jul 23 13:57:57 nibbler ipsec[8214]: 06[CFG] configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
Jul 23 13:57:57 nibbler ipsec[8214]: 06[CFG] selected proposal:
IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096

### /var/log/syslog ### - During later rekey
Jul 23 14:40:16 nibbler charon: 07[KNL] creating rekey job for CHILD_SA
ESP/0x06c656c0/213.205.251.25
Jul 23 14:40:16 nibbler charon: 07[IKE] queueing CHILD_REKEY task
Jul 23 14:40:16 nibbler charon: 07[IKE] activating new tasks
Jul 23 14:40:16 nibbler charon: 07[IKE]   activating CHILD_REKEY task
Jul 23 14:40:16 nibbler charon: 07[IKE] establishing CHILD_SA IOS8{1}
Jul 23 14:40:16 nibbler charon: 07[CFG] proposing traffic selectors for us:
Jul 23 14:40:16 nibbler charon: 07[CFG]  0.0.0.0/0
Jul 23 14:40:16 nibbler charon: 07[CFG] proposing traffic selectors for
other:
Jul 23 14:40:16 nibbler charon: 07[CFG]  192.168.1.128/32
Jul 23 14:40:16 nibbler charon: 07[CFG] configured proposals:
ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ
Jul 23 14:40:17 nibbler charon: 07[ENC] generating CREATE_CHILD_SA request
1 [ N(REKEY_SA) N(IPCOMP_SUP) SA No KE TSi TSr ]
Jul 23 14:40:17 nibbler charon: 07[NET] sending packet: from
192.168.1.10[4500] to 213.205.251.25[64916] (728 bytes)
Jul 23 14:40:17 nibbler charon: 10[NET] sending packet: from
192.168.1.10[4500] to 213.205.251.25[64916]
Jul 23 14:40:17 nibbler charon: 03[NET] received packet: from
213.205.251.25[64916] to 192.168.1.10[4500]
Jul 23 14:40:17 nibbler charon: 03[NET] waiting for data on sockets
Jul 23 14:40:17 nibbler charon: 16[NET] received packet: from
213.205.251.25[64916] to 192.168.1.10[4500] (168 bytes)
Jul 23 14:40:17 nibbler charon: 16[ENC] parsed CREATE_CHILD_SA response 1 [
SA No TSi TSr ]
Jul 23 14:40:17 nibbler charon: 16[IKE] peer didn't accept our proposed
IPComp transforms, IPComp is disabled
Jul 23 14:40:17 nibbler charon: 16[CFG] selecting proposal:
Jul 23 14:40:17 nibbler charon: 16[CFG]   no acceptable
DIFFIE_HELLMAN_GROUP found
Jul 23 14:40:17 nibbler charon: 16[CFG] received proposals:
ESP:AES_GCM_16_256/NO_EXT_SEQ
Jul 23 14:40:17 nibbler charon: 16[CFG] configured proposals:
ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ
Jul 23 14:40:17 nibbler charon: 16[IKE] no acceptable proposal found
Jul 23 14:40:17 nibbler charon: 16[IKE] failed to establish CHILD_SA,
keeping IKE_SA
Jul 23 14:40:17 nibbler charon: 16[IKE] reinitiating already active tasks
Jul 23 14:40:17 nibbler charon: 16[IKE]   CHILD_REKEY task
Jul 23 14:40:17 nibbler charon: 16[ENC] generating INFORMATIONAL request 2
[ N(REKEY_SA) ]
Jul 23 14:40:17 nibbler charon: 16[NET] sending packet: from
192.168.1.10[4500] to 213.205.251.25[64916] (69 bytes)
Jul 23 14:40:17 nibbler charon: 10[NET] sending packet: from
192.168.1.10[4500] to 213.205.251.25[64916]
Jul 23 14:40:17 nibbler charon: 03[NET] received packet: from
213.205.251.25[64916] to 192.168.1.10[4500]
Jul 23 14:40:17 nibbler charon: 03[NET] waiting for data on sockets
Jul 23 14:40:17 nibbler charon: 14[NET] received packet: from
213.205.251.25[64916] to 192.168.1.10[4500] (72 bytes)
Jul 23 14:40:17 nibbler charon: 14[ENC] parsed INFORMATIONAL request 17 [ D
]
Jul 23 14:40:17 nibbler charon: 14[IKE] received DELETE for IKE_SA IOS8[1]
Jul 23 14:40:17 nibbler charon: 14[IKE] deleting IKE_SA IOS8[1] between
192.168.1.10[hq.axiom-partners.com]...213.205.251.25[
orangutan at axiom-partners.com]
Jul 23 14:40:17 nibbler charon: 14[IKE] IKE_SA IOS8[1] state change:
ESTABLISHED => DELETING
Jul 23 14:40:17 nibbler charon: 14[IKE] IKE_SA deleted
Jul 23 14:40:17 nibbler charon: 14[ENC] generating INFORMATIONAL response
17 [ ]
Jul 23 14:40:17 nibbler charon: 14[NET] sending packet: from
192.168.1.10[4500] to 213.205.251.25[64916] (57 bytes)
Jul 23 14:40:17 nibbler charon: 14[DMN] thread 14 received 11
Jul 23 14:40:17 nibbler charon: 10[NET] sending packet: from
192.168.1.10[4500] to 213.205.251.25[64916]
Jul 23 14:40:17 nibbler charon: 14[LIB]  dumping 2 stack frame addresses:
Jul 23 14:40:17 nibbler charon: 14[LIB]   linux-gate.so.1 @ 0xb7727000
(__kernel_sigreturn+0x0) [0xb7727b3c]
Jul 23 14:40:17 nibbler ipsec[8214]: 09[CFG]  192addr2line:
'linux-gate.so.1': No such file
Jul 23 14:40:17 nibbler charon: 14[LIB]     ->
Jul 23 14:40:17 nibbler charon: 14[LIB]     [0xae800830]
Jul 23 14:40:17 nibbler ipsec[8214]: dumping 2 stack frame addresses:
Jul 23 14:40:17 nibbler ipsec[8214]: linux-gate.so.1 @ 0xb7727000
(__kernel_sigreturn+0x0) [0xb7727b3c]
Jul 23 14:40:17 nibbler ipsec[8214]: addr2line: 'linux-gate.so.1': No such
file
Jul 23 14:40:17 nibbler ipsec[8214]: ->
Jul 23 14:40:17 nibbler ipsec[8214]: [0xae800830]
Jul 23 14:40:17 nibbler charon: 14[DMN] killing ourself, received critical
signal

Kind regards,
Tom
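
An added example, not part of the original post and not strongSwan code: a log triage helper that re-joins the archive-wrapped charon lines and, whenever a proposal is rejected, reports which configured transform was absent from the peer's answer. The function names are assumptions of this example, and the embedded sample is constructed from the rekey lines quoted above.

```python
import re

# Constructed sample: rekey lines from the post, hard-wrapped as in the archive.
SAMPLE = """\
Jul 23 14:40:17 nibbler charon: 16[CFG] selecting proposal:
Jul 23 14:40:17 nibbler charon: 16[CFG]   no acceptable
DIFFIE_HELLMAN_GROUP found
Jul 23 14:40:17 nibbler charon: 16[CFG] received proposals:
ESP:AES_GCM_16_256/NO_EXT_SEQ
Jul 23 14:40:17 nibbler charon: 16[CFG] configured proposals:
ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ
Jul 23 14:40:17 nibbler charon: 16[IKE] no acceptable proposal found
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"(?:charon|ipsec\[\d+\]): (\d+)\[(\w+)\]\s+(.*)$")

def unwrap(text):
    """Re-join continuation lines (those without a syslog timestamp)."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line.rstrip())
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def transforms(proposal):
    """'ESP:A/B/C' -> ('ESP', {'A', 'B', 'C'})"""
    proto, _, rest = proposal.rstrip(",").partition(":")
    return proto, set(rest.split("/"))

def proposal_mismatches(text):
    """Per charon thread, list configured transforms the peer left out.
    Only the first proposal on each 'proposals:' line is compared."""
    state, findings = {}, []
    for line in unwrap(text):
        m = ENTRY.search(line)
        if not m:
            continue
        thread, _, msg = m.groups()
        s = state.setdefault(thread, {})
        if (t := re.match(r"no acceptable ([A-Z_]+) found", msg)):
            s["type"] = t.group(1)          # transform type that failed
        elif (p := re.match(r"(received|configured) proposals: (\S+)", msg)):
            s[p.group(1)] = transforms(p.group(2))
        elif msg == "no acceptable proposal found" and {"received", "configured"} <= s.keys():
            proto, cfg = s["configured"]
            findings.append({"protocol": proto, "rejected_on": s.get("type"),
                             "missing_from_peer": sorted(cfg - s["received"][1])})
            state[thread] = {}
    return findings
```

On the rekey log in this post it reports MODP_4096, the group carried by the `esp=` line of the posted ipsec.conf, as the transform missing from the peer's CREATE_CHILD_SA response.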