[strongSwan] StrongSwan - Mac OS X IPsec tunnel stops forwarding traffic
Ken Nelson
ken at cazena.com
Thu Mar 5 23:57:31 CET 2015
Hi Martin,
Thanks for the reply. I’m a little confused by your comment that the OS X native client does not support re-sending XAuth credentials as the log indicates a re-authentication of the remote client:
Mar 4 16:21:21 secgw charon: 14[IKE] PAM authentication of 'knelson' successful
Mar 4 16:21:21 secgw charon: 14[IKE] XAuth authentication of 'knelson' successful
This occurred about 12 minutes before the tunnel stopped forwarding traffic.
I'm willing to continue to pursue this by running additional tests and producing more succinct log output unless it's absolutely certain that XAuth cannot be made to work using the native Mac client. If you have any recommended debug settings or other things to watch for, please reply.
I'm also willing to try other Mac clients. The only Open Source one I can find is using the StrongSwan OS X app or installing SS via Homebrew. I cannot (yet) get the OS X app to connect, so if there are any configuration examples for this, please reply with a reference. I have successfully gotten a Linux StrongSwan client to connect using IKEv2 & EAP-GTC authentication, but have not yet tried this with the Homebrew-installed StrongSwan on OS X.
Are there any other recommended Open Source IPsec clients? Shrew does not support OS X and SoftEther does not recommend using their OS X client.
Thx again for your help,
Ken
> On Mar 5, 2015, at 2:54 AM, Martin Willi <martin at strongswan.org> wrote:
>
> Hi,
>
>> StrongSwan V5.2.0 is configured to be an IPsec VPN gateway on a Linux
>> machine. A Mac laptop connects to it using the native Mac OS X
>> v10.10.2 Cisco IPsec VPN client. The connection is established and
>> works well for roughly 6,516 seconds (1 hour, 48 minutes, 36 seconds;
>> or ~108 minutes) at which point the tunnel stops forwarding traffic.
>
> As your strongSwan log is (too) verbose, your syslogger starts dropping
> messages. Please reduce your log verbosity to the default level, and if
> your syslogger still drops messages, directly log to a file.
>
> Without looking further at your log, most likely you are seeing the
> usual re-authentication issue with the native OS X client. Usually this
> happens a little sooner, though, but have a look at the discussion at
> [1].
>
> We strictly require an XAuth exchange during ISAKMP re-authentication;
> the native OS X client does not support that. We can't/won't support
> just skipping XAuth, but think this is a (security) bug in the OS X
> client. Unfortunately, Apple seems to think differently.
>
> A work-around is to switch to xauth-noauth, and solely rely on the
> client certificate for authentication. If that is not an option, you
> should consider a different client.
>
> Regards
> Martin
>
> [1]https://lists.strongswan.org/pipermail/users/2013-February/004254.html
>
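The two gateway configurations discussed in this thread, written out as an added example (not a config posted by Ken or Martin): the first conn is the pubkey + XAuth/PAM setup that produces the "PAM authentication of 'knelson' successful" lines in Ken's log, the second is the `xauth-noauth` work-around Martin describes, where the certificate round is the only real authentication. The connection names, identities, certificate file names, virtual IP pool and `charondebug` line are assumptions; `xauth-noauth` needs the strongSwan xauth-noauth plugin loaded.

```ini
# Added example ipsec.conf for the gateway Ken calls "secgw"; names and
# addresses below are assumptions, not values from the thread.
config setup
    # Default-level logging, per Martin's advice: a verbose charon makes
    # syslog drop lines, which hides the re-authentication failure.
    charondebug="ike 1, knl 1, cfg 1"

# Setup as logged in the thread: IKEv1 main mode, both sides authenticate
# with certificates, then a second XAuth round checks username/password
# against PAM. The native OS X client does not repeat that XAuth round
# when the ISAKMP SA is re-authenticated, so the tunnel stops passing
# traffic once the IKE SA is renewed.
conn osx-cert-xauth-pam
    keyexchange=ikev1
    aggressive=no
    left=%defaultroute
    leftid=@secgw.example.com      # assumed gateway identity
    leftcert=secgwCert.pem         # assumed certificate file name
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightsourceip=10.0.8.0/24      # assumed virtual IP pool for clients
    rightauth=pubkey               # round 1: client certificate
    rightauth2=xauth-pam           # round 2: XAuth, verified via PAM
    auto=add

# Martin's work-around: keep the certificate round, but satisfy the XAuth
# round with the xauth-noauth backend instead of a password check. The
# client certificate is then the only thing authenticating the peer, so
# certificate issuance, CRL/OCSP checking and key handling on the laptops
# carry the whole authentication burden. Stolen-laptop risk is no longer
# mitigated by a password prompt.
conn osx-cert-xauth-noauth
    keyexchange=ikev1
    aggressive=no
    left=%defaultroute
    leftid=@secgw.example.com
    leftcert=secgwCert.pem
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightsourceip=10.0.8.0/24
    rightauth=pubkey               # the real authentication
    rightauth2=xauth-noauth        # XAuth exchange without a credential check
    auto=add
```

Only one of the two conns should be active for a given client population; they are shown side by side so the single changed line (`rightauth2`) and its security consequence are visible. After switching, the check is that the log shows the ISAKMP re-authentication completing without an XAuth failure and that the tunnel keeps forwarding traffic past the point where it previously stopped.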