[strongSwan] Same config for strongSwan, different outcome between Android and iOS

Tobias Brunner tobias at strongswan.org
Wed Jun 29 11:43:04 CEST 2016


Hi Laurens,

> I've set up a strongSwan server for IKEv2. Connections with the Android 
> strongSwan app fail, while using the iOS built-in IKEv2 client works 
> without issues. Any ideas on what might be going on?

Looks like it could be an IP fragmentation issue.

> Android strongSwan client server logs:
> 
> Jun 29 01:33:15 irkalla charon: 04[NET] received packet: from 
> 1.1.1.1[40108] to 2.2.2.2[500] (732 bytes)
> Jun 29 01:33:15 irkalla charon: 04[ENC] parsed IKE_SA_INIT request 0 [ 
> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N((16431)) N(REDIR_SUP) ]
> Jun 29 01:33:15 irkalla charon: 04[IKE] 1.1.1.1 is initiating an IKE_SA
> Jun 29 01:33:15 irkalla charon: 04[IKE] remote host is behind NAT
> Jun 29 01:33:15 irkalla charon: 04[IKE] DH group ECP_256 inacceptable, 
> requesting MODP_2048
> Jun 29 01:33:15 irkalla charon: 04[ENC] generating IKE_SA_INIT response 
> 0 [ N(INVAL_KE) ]

Since you don't have the openssl plugin loaded, ECP-256 is not supported
by the server, so it requests a different DH group.

> Jun 29 01:33:15 irkalla charon: 04[NET] sending packet: from 
> 2.2.2.2[500] to 1.1.1.1[40108] (38 bytes)
> Jun 29 01:33:17 irkalla charon: 08[NET] received packet: from 
> 1.1.1.1[40108] to 2.2.2.2[500] (732 bytes)
> Jun 29 01:33:17 irkalla charon: 08[ENC] parsed IKE_SA_INIT request 0 [ 
> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N((16431)) N(REDIR_SUP) ]

This is a retransmit of the original IKE_SA_INIT request (handling this
fails again).

> Jun 29 01:33:17 irkalla charon: 06[NET] received packet: from 
> 1.1.1.1[40108] to 2.2.2.2[500] (924 bytes)
> Jun 29 01:33:17 irkalla charon: 06[ENC] parsed IKE_SA_INIT request 0 [ 
> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N((16431)) N(REDIR_SUP) ]

This is the request with the new DH group.

> Jun 29 01:33:18 irkalla charon: 06[IKE] 1.1.1.1 is initiating an IKE_SA
> Jun 29 01:33:18 irkalla charon: 06[IKE] remote host is behind NAT
> Jun 29 01:33:18 irkalla charon: 06[ENC] generating IKE_SA_INIT response 
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Jun 29 01:33:18 irkalla charon: 06[NET] sending packet: from 
> 2.2.2.2[500] to 1.1.1.1[40108] (440 bytes)

After sending the IKE_SA_INIT response the client is expected to send an
IKE_AUTH message.  If it is too big it gets fragmented into several IP
messages and some firewalls/routers might drop these.  Since the server
does not receive any IKE_AUTH messages it's likely that this happened.

Try configuring `fragmentation=yes` on the server or select the correct
CA certificate in the VPN profile on the client to avoid sending lots of
certificate requests.

Regards,
Tobias
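Added example (not from the thread or the strongSwan project): a small Python checker that applies the reasoning above to charon log lines. A peer that was sent a full IKE_SA_INIT response but never had an IKE_AUTH request parsed is flagged, and the N(FRAG_SUP) notify in its IKE_SA_INIT request tells you whether `fragmentation=yes` (IKEv2 fragmentation, RFC 7383) can help or whether the IKE_AUTH message has to be made smaller instead. The sample log is constructed from the excerpt quoted in the mail, and mapping ENC/IKE lines to a peer via the worker thread id of the preceding NET line is an assumption about charon's log layout.

```python
import re
from collections import defaultdict

# Constructed sample, reduced from the log excerpt quoted in the thread (same addresses and timestamps).
SAMPLE_LOG = """\
Jun 29 01:33:15 irkalla charon: 04[NET] received packet: from 1.1.1.1[40108] to 2.2.2.2[500] (732 bytes)
Jun 29 01:33:15 irkalla charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N((16431)) N(REDIR_SUP) ]
Jun 29 01:33:15 irkalla charon: 04[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jun 29 01:33:17 irkalla charon: 06[NET] received packet: from 1.1.1.1[40108] to 2.2.2.2[500] (924 bytes)
Jun 29 01:33:17 irkalla charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N((16431)) N(REDIR_SUP) ]
Jun 29 01:33:18 irkalla charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 29 01:33:18 irkalla charon: 06[NET] sending packet: from 2.2.2.2[500] to 1.1.1.1[40108] (440 bytes)
"""

LINE_RE = re.compile(r"charon: (?P<tid>\d+)\[[A-Z]+\] (?P<msg>.*)$")
FROM_RE = re.compile(r"received packet: from (?P<ip>[0-9a-fA-F.:]+)\[\d+\]")

def stalled_peers(log):
    """Return {peer_ip: state} for peers that got a full IKE_SA_INIT response but never sent IKE_AUTH."""
    thread_peer = {}   # assumption: charon worker thread id -> peer whose packet it is handling
    peers = defaultdict(lambda: {"frag_sup": False, "init_resp": False, "auth_req": False})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = m.group("tid"), m.group("msg")
        f = FROM_RE.search(msg)
        if f:   # only NET lines carry the address; ENC/IKE lines on the same thread refer to that peer
            thread_peer[tid] = f.group("ip")
            continue
        st = peers[thread_peer[tid]] if tid in thread_peer else None
        if st is None:
            continue
        if msg.startswith("parsed IKE_SA_INIT request"):
            st["frag_sup"] |= "N(FRAG_SUP)" in msg           # client supports IKEv2 fragmentation (RFC 7383)
        elif msg.startswith("generating IKE_SA_INIT response") and "N(INVAL_KE)" not in msg:
            st["init_resp"] = True                           # real response (INVAL_KE is just a DH-group retry)
        elif msg.startswith("parsed IKE_AUTH request"):
            st["auth_req"] = True
    return {ip: st for ip, st in peers.items() if st["init_resp"] and not st["auth_req"]}

def advice(state):
    """Remediation from the thread: IKEv2 fragmentation if the client offers it, else shrink IKE_AUTH."""
    if state["frag_sup"]:
        return "no IKE_AUTH seen; client sent FRAG_SUP, so set fragmentation=yes on the server"
    return "no IKE_AUTH seen; client lacks FRAG_SUP, so shrink IKE_AUTH (select the CA certificate in the client profile)"
```

Feed it `journalctl -u strongswan` output (or the syslog file) to get the same verdict for every stalled client at once.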