[strongSwan] Same config for strongSwan, different outcome between Android and iOS

Tobias Brunner tobias at strongswan.org
Tue Jul 5 11:59:23 CEST 2016


Hi Laurens,

>>> openssl:
>>> ...
>>>      DH:ECP_256
>>> ...
>>
>> Ah yes.  It's because the default IKE proposal in versions before 5.4.0
>> listed ECP_256 after MODP_2048 and the server always preferred its own
>> proposals (this can be changed with the upcoming 5.5.0 release).  So it
>> insists on using MODP_2048 even if it supports ECP_256.
> 
> I can just ignore this for now?

Probably, I currently don't see how this could cause the problem (unless
e.g. your NAT router does something strange).  But you could also try to
configure a different IKE proposal (one that lists ecp256 before modp2048).

>>> I've added 'fragmentation=yes' to the server, same issue.
>>
>> Please have a look at the client log.  Does it send an IKE_AUTH message?
>> Is it fragmented?  If so, check with Wireshark/tcpdump on the server
>> whether any packets arrive.
> 
> I can send log files from working & non working sessions.

If you have server and client logs of a working and a non-working
session that might help.  The server log of a working session with the
iPhone might be useful too.

>>> and the Android phone (which almost always fails)
>>
>> What do you mean "almost always"?
> 
> It works _sometimes_. From my point of view, there's nothing different 
> between when it works and when it doesn't work... What is strange here 
> is that using my iPhone on my home wifi always works. Using Android (I 
> have 2 different Android phones, same issue), this rarely works.

That really sounds strange.

Regards,
Tobias
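
The alternative IKE proposal suggested in the message above, written out as an added ipsec.conf example that is not part of the original message. The conn name `rw` and the AES/SHA algorithm choices are assumptions; only the ecp256-before-modp2048 ordering and `fragmentation=yes` come from the thread.

```conf
# /etc/ipsec.conf on the server (constructed example; the conn name and
# the cipher/integrity algorithms are assumptions, not from the thread)
conn rw
    keyexchange=ikev2
    # Proposals are listed in order of preference. With the ecp256 proposal
    # first, a server that prefers its own proposal order selects ECP_256
    # when the client offers it; the modp2048 proposal remains as fallback.
    # No trailing "!" here, so the daemon's default proposal is still
    # appended after these two.
    ike=aes256-sha256-ecp256,aes256-sha256-modp2048
    # IKE fragmentation, as already enabled on the server in the thread
    fragmentation=yes
```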


