[strongSwan] MacOS: IKEv1 fails after wakeup

Harald Dunkel harald.dunkel at aixigo.de
Thu Mar 10 08:33:02 CET 2016

Hi folks,

left side is strongswan 5.3.5 on Debian, right side is a
road warrior macbook running MacOS 10.11.3. There is a
NAT gateway & firewall on both sides.

If the IPsec connection is activated and the mac is put to
sleep, then strongswan drops the connection after some
minutes. Problem: When the mac is woken up again, then quite
often IKEv1 seems to fail. After entering the screen lock
password the road warrior has to wait for a minute, then
he is authenticated using cached information. The mac shows
an error popup with "connection failed". The road warrior
has to explicitly click on [connect example IPsec] to get a
new connection.

Log file is attached. Please note that there are several
messages "received retransmit of request with ID 2615585018,
but no response to retransmit" near the end, before the mac
gives up. Google told me that this happened before, but it
was supposed to be fixed with strongswan 5.3.

Every helpful comment is highly appreciated
-------------- next part --------------
config setup
	charondebug="dmn 2, mgr 2, ike 3, chd 2, cfg 3, net 2"

conn %default
	left		= gate1.example.com
	leftcert	= gate1.example.com.pem
	leftsendcert	= always
	leftsubnet	=
	leftfirewall	= yes
	ikelifetime	= 3h
	lifetime	= 1h
	rekey		= yes
	dpdaction	= hold
	dpddelay	= 30s
# IKEv2 using RSA authentication
conn IPSec-IKEv2
	keyexchange	= ikev2
        ike             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
        esp             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256,aes256-sha1,aes128-sha1!
	right		= %any
	rightauth	= pubkey
	rightsendcert	= ifasked
	rightsourceip	= %dhcp
	# fragmentation = yes
	auto		= add

# IKEv1 using xauth (i.e. enter password)
conn CiscoIPSec
	keyexchange	= ikev1
	ike		= aes256-sha1-modp1536!
	esp		= aes256-sha1!
	rightauth	= pubkey
	right		= %any
	rightsourceip	= %dhcp
	rightauth2	= xauth
	auto		= add
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wakeupyourmacs.log
Type: text/x-log
Size: 97309 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160310/a0340ef7/attachment-0001.bin>

More information about the Users mailing list