[strongSwan] MacOS: IKEv1 fails after wakeup
Harald Dunkel
harri at afaics.de
Wed Mar 16 16:39:15 CET 2016
Hi Tobias,
On 03/15/16 12:13, Tobias Brunner wrote:
> Hi Harald,
>
>> I have no idea why the Mac opens a new session now, instead of relying upon the old IKE_SA, but it seems to me that the Mac failed to send xauth info. Is this correct?
>
> Yes, looks that way. Which is strange because while in the previous reconnection attempt the client did not request a virtual IP it did at least respond to the XAuth request. Here it apparently does neither before sending a Quick Mode request. Maybe it's a reauthentication. This was a
> problem with (older) iOS versions, which led to the development of the xauth-noauth plugin [1].
I have one suspect here: The previous session was done in the office
in a WLAN setup with an Airport Extreme. I don't have such a device at
home. From what I can tell these Airports behave very strangely wrt other
Apple devices that went to sleep.
> Try checking the client log.
>
Good idea:
Mar 12 11:55:17 ppcm018 racoon[6849]: >>>>> phase change status = Phase 1 started by peer
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Mar 12 11:55:17 ppcm018 racoon[6849]: mode config 6 from 10.0.0.17[4500], but ISAKMP-SA 0c6de9a361463a33:612f076cd8c70cd6 isn't established.
Mar 12 11:55:17 ppcm018 racoon[6849]: preexisting CERT payload... chaining.
Mar 12 11:55:17 ppcm018 racoon[6849]: IKEv1 Phase 1 AUTH: success. (Initiator, Main-Mode Message 6).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKEv1 Phase 1 Initiator: success. (Initiator, Main-Mode).
Mar 12 11:55:17 ppcm018 racoon[6849]: IPSec Phase 1 established (Initiated by me).
Mar 12 11:55:17 ppcm018 racoon[6849]: IPSec Phase 2 started (Initiated by me).
Mar 12 11:55:17 ppcm018 racoon[6849]: >>>>> phase change status = Phase 2 started
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Mar 12 11:55:19 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:21 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:22 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:24 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:26 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:27 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:29 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:30 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:34 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:35 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:37 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:40 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:43 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:47 ppcm018 racoon[6849]: IPSec disconnecting from server 10.0.0.17
Mar 12 11:55:47 ppcm018 racoon[6849]: IKE Packet: transmit success. (Information message).
Mar 12 11:55:47 ppcm018 racoon[6849]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Mar 12 11:55:47 ppcm018 racoon[6849]: IPSec disconnecting from server 10.0.0.17
Mar 12 11:55:47 ppcm018 racoon[6849]: glob found no matches for path "/var/run/racoon/*.conf"
Mar 12 11:55:49 ppcm018 racoon[6849]: Internal error - attempt to re-send Phase 2 with no Phase 1 bound.
Obviously the protocol diverged at 11:55:19 (macbook time).
Do you think it would be reasonable to contact somebody at Apple directly?
I tried the recommended procedure (post in the Apple forums) once, but this
was a frustrating experience.
Regards
Harri
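An added example, not part of the thread above and not strongSwan or Apple code: a small Python script that replays the client-side racoon log Harri posted (abridged to the lines that matter) and reconstructs the IKEv1 state sequence from it, so the divergence is stated as findings rather than read off by eye. It flags the Mode Config exchange that racoon discarded because it arrived before the client considered Phase 1 complete, the absence of any XAuth exchange before Quick Mode, the Phase 2 retransmits with no Phase 2 establishment, and how long the ISAKMP SA lived. The log format and the match strings for XAuth and "Phase 2 established" are assumptions based on the racoon output shown; adjust them if your racoon build words its messages differently.

```python
import re
from datetime import datetime

# Client-side racoon log from the message above (macOS host ppcm018), abridged
# to the state transitions; the remaining lines are repeated retransmits.
RACOON_LOG = """\
Mar 12 11:55:17 ppcm018 racoon[6849]: >>>>> phase change status = Phase 1 started by peer
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Mar 12 11:55:17 ppcm018 racoon[6849]: mode config 6 from 10.0.0.17[4500], but ISAKMP-SA 0c6de9a361463a33:612f076cd8c70cd6 isn't established.
Mar 12 11:55:17 ppcm018 racoon[6849]: IKEv1 Phase 1 AUTH: success. (Initiator, Main-Mode Message 6).
Mar 12 11:55:17 ppcm018 racoon[6849]: IPSec Phase 1 established (Initiated by me).
Mar 12 11:55:17 ppcm018 racoon[6849]: IPSec Phase 2 started (Initiated by me).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Mar 12 11:55:19 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:21 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:22 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:24 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:47 ppcm018 racoon[6849]: IPSec disconnecting from server 10.0.0.17
Mar 12 11:55:47 ppcm018 racoon[6849]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
"""

# syslog prefix as seen in the log: "Mon DD HH:MM:SS host racoon[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ racoon\[\d+\]: (?P<msg>.*)$")


def parse_lines(text):
    """Yield (timestamp, message) for each racoon line; ignore anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # No year in syslog timestamps; strptime defaults to 1900, which is fine for deltas.
        yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("msg")


def analyze(text):
    """Walk the log once, track the IKEv1 phases and return state plus human-readable findings."""
    state = {
        "phase1_established_at": None,
        "modecfg_dropped_before_phase1": False,
        "xauth_seen": False,
        "quick_mode_started_at": None,
        "phase2_retransmits": 0,
        "phase2_failures": 0,
        "phase2_established": False,
        "isakmp_sa_deleted_at": None,
        "findings": [],
    }
    for ts, msg in parse_lines(text):
        low = msg.lower()
        if "mode config" in low and "isn't established" in low:
            # ISAKMP Config exchange (type 6) received before racoon had finished Phase 1: dropped.
            state["modecfg_dropped_before_phase1"] = True
        elif "phase 1 established" in low:
            state["phase1_established_at"] = ts
        elif "xauth" in low:  # assumption: racoon's XAuth lines contain "XAUTH"
            state["xauth_seen"] = True
        elif "quick-mode message 1" in low and "transmit" in low:
            state["quick_mode_started_at"] = ts
        elif "phase 2 retransmit" in low:
            state["phase2_retransmits"] += 1
        elif "failed to begin ipsec sa negotiation" in low:
            state["phase2_failures"] += 1
        elif "phase 2 established" in low:  # assumption: wording of a successful Phase 2
            state["phase2_established"] = True
        elif "delete isakmp-sa" in low:
            state["isakmp_sa_deleted_at"] = ts

    findings = state["findings"]
    if state["modecfg_dropped_before_phase1"]:
        findings.append("server's Mode Config/XAuth request arrived before the client finished "
                        "Phase 1 and was discarded")
    if state["phase1_established_at"] and state["quick_mode_started_at"] and not state["xauth_seen"]:
        findings.append("Quick Mode started without any XAuth exchange after Phase 1")
    if state["phase2_retransmits"] and not state["phase2_established"]:
        findings.append(f"Phase 2 never established after {state['phase2_retransmits']} retransmits")
    if state["phase1_established_at"] and state["isakmp_sa_deleted_at"]:
        secs = (state["isakmp_sa_deleted_at"] - state["phase1_established_at"]).total_seconds()
        findings.append(f"client deleted the ISAKMP SA {secs:.0f}s after Phase 1 was established")
    return state


if __name__ == "__main__":
    for key, value in analyze(RACOON_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full `/var/log/system.log` excerpt by replacing `RACOON_LOG` with the file contents; the parser skips non-racoon lines. The first finding is the one worth comparing with the strongSwan side: the server's transaction exchange reached the client while racoon still considered the Phase 1 SA incomplete, which would explain why the client never answered the XAuth request and went straight to Quick Mode.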