[strongSwan] Same config for strongSwan, different outcome between Android and iOS

Laurens Vets laurens at daemon.be
Fri Jul 8 03:14:03 CEST 2016 

Hello,

>>>> openssl:
>>>> ...
>>>>      DH:ECP_256
>>>> ...
>>> 
>>> Ah yes.  It's because the default IKE proposal in versions before 
>>> 5.4.0
>>> listed ECP_256 after MODP_2048 and the server always preferred its 
>>> own
>>> proposals (this can be changed with the upcoming 5.5.0 release).  So 
>>> it
>>> insists on using MODP_2048 even if it supports ECP_256.
>> 
>> I can just ignore this for now?
> 
> Probably, I currently don't see how this could cause the problem 
> (unless
> e.g. your NAT router does something strange).  But you could also try 
> to
> configure a different IKE proposal (one that lists ecp256 before 
> modp2048).

I'll give that a try as well.

>>>> I've added 'fragmentation=yes' to the server, same issue.
>>> 
>>> Please have a look at the client log.  Does it send an IKE_AUTH
>>> message?
>>>  Is it fragmented?  If so, check with Wireshark/tcpdump on the server
>>> whether any packets arrive.
>> 
>> I can send log files from working & non working sessions.
> 
> If you have server and client logs of a working and a non-working
> session that might help.  The server log of a working session with the
> iPhone might be useful too.

See attached files. Overview of what's included:

Ip addresses in the log files:
- 1.1.1.1: Public ip address of my home connection.
- 2.2.2.2: Public ip address of strongSwan server.
- some.host.domain: Hostname of strongSwan server.
- 192.168.0.12: LAN ip address of Android phone.
For the 4G logs specifically:
- 10.127.199.67 is the 'public' ip address of my Android phone, NATted 
to 209.52.88.67 at carrier (I guess).

Explanation of logfiles:
- iPhone_20160607_Wifi_Working_ServerLog.txt: Server log for a working 
iPhone connection.
- OnePlusOne_20160607_4G_Working_ClientLog: Client log of working 4G 
Android connection.
- OnePlusOne_20160607_4G_Working_ServerLog: Server log of same working 
4G Android connection.
- OnePlusOne_20160607_Wifi_NotWorking_ClientLog: Client log of not 
working connection over wifi with Android.
- OnePlusOne_20160607_Wifi_NotWorking_ServerLog: Server log of same not 
working connection over wifi with Android.
- OnePlusOne_20160607_Wifi_Working1_ClientLog: Client log of a working 
connection over wifi with Android. This is right after restarting the 
strongSwan daemon. Subsequent daemon restarts did not result in working 
connections.
- OnePlusOne_20160607_Wifi_Working1_ServerLog: Server log of a working 
connection over wifi with Android. This is right after restarting the 
strongSwan daemon. Subsequent daemon restarts did not result in working 
connections.

>>>> and the Android phone (which almost always fails)
>>> 
>>> What do you mean "almost always"?
>> 
>> It works _sometimes_. From my point of view, there's nothing different
>> between when it works and when it doesn't work... What is strange here
>> is that using my iPhone on my home wifi always works. Using Android (I
>> have 2 Android different phones, same issue), this rarely works.
> 
> That really sounds strange.

Yes, I know :) and like I said, I haven't found a specific issue or 
action that makes it work.

Thank you for your help!

Kind regards,
Laurens
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: iPhone_20160607_Wifi_Working_ServerLog.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160707/bb1d22b2/attachment-0007.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: OnePlusOne_20160607_4G_Working_ClientLog.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160707/bb1d22b2/attachment-0008.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: OnePlusOne_20160607_4G_Working_ServerLog.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160707/bb1d22b2/attachment-0009.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: OnePlusOne_20160607_Wifi_NotWorking_ClientLog.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160707/bb1d22b2/attachment-0010.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: OnePlusOne_20160607_Wifi_NotWorking_ServerLog.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160707/bb1d22b2/attachment-0011.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: OnePlusOne_20160607_Wifi_Working1_ClientLog.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160707/bb1d22b2/attachment-0012.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: OnePlusOne_20160607_Wifi_Working1_ServerLog.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160707/bb1d22b2/attachment-0013.txt>

More information about the Users mailing list