[strongSwan] Same config for strongSwan, different outcome between Android and iOS
Tobias Brunner
tobias at strongswan.org
Tue Jul 5 11:59:23 CEST 2016
Hi Laurens,
>>> openssl:
>>> ...
>>> DH:ECP_256
>>> ...
>>
>> Ah yes. It's because the default IKE proposal in versions before 5.4.0
>> listed ECP_256 after MODP_2048 and the server always preferred its own
>> proposals (this can be changed with the upcoming 5.5.0 release). So it
>> insists on using MODP_2048 even if it supports ECP_256.
>
> I can just ignore this for now?
Probably, I currently don't see how this could cause the problem (unless
e.g. your NAT router does something strange). But you could also try to
configure a different IKE proposal (one that lists ecp256 before modp2048).
>>> I've added 'fragmentation=yes' to the server, same issue.
>>
>> Please have a look at the client log. Does it send an IKE_AUTH
>> message?
>> Is it fragmented? If so, check with Wireshark/tcpdump on the server
>> whether any packets arrive.
>
> I can send log files from working & non working sessions.
If you have server and client logs of a working and a non-working
session that might help. The server log of a working session with the
iPhone might be useful too.
>>> and the Android phone (which almost always fails)
>>
>> What do you mean "almost always"?
>
> It works _sometimes_. From my point of view, there's nothing different
> between when it works and when it doesn't work... What is strange here
> is that using my iPhone on my home wifi always works. Using Android (I
> have 2 Android different phones, same issue), this rarely works.
That really sounds strange.
Regards,
Tobias
More information about the Users
mailing list