[strongSwan] Successfully established connection goes offline after some time

Varun Singh varun.singh at gslab.com
Thu Jan 19 13:18:32 CET 2017


Hi,
I have strongSwan 5.3.5 on Ubuntu 16.04 LTS. When I connect an iOS VPN client
to it, it connects successfully and I am able to browse the internet. But
after some time, the connection goes offline.
I tried to search whether other users have faced this problem. Most of those who
faced disconnection problems weren't able to establish a connection at all.
My case is strange because I cannot see any errors while the connection is
being established. Just leaving the iPhone as is results in the connection going
offline. Can someone help me with this? Thanks in advance.

Following is my ipsec.conf
***********************************
config setup
 strictcrlpolicy=no
 uniqueids = no

conn %default
 mobike=yes
 dpdaction=clear
 dpddelay=35s
 dpdtimeout=200s
 fragmentation=yes

conn iOS-IKEV2
 auto=add
 keyexchange=ike
 eap_identity=%any
 left=%any
 leftsubnet=0.0.0.0/0
 rightsubnet=10.99.1.0/24
 leftauth=psk
 leftid=%any
 right=%any
 rightsourceip=10.99.1.0/24
 rightauth=eap-mschapv2
 rightid=%any
***********************************

Following is my strongswan.conf
***********************************
charon {
  load_modular = yes
  dns1 = 8.8.8.8
  dns2 = 8.8.4.4
  plugins {
    include strongswan.d/charon/*.conf
  }
}
***********************************

Following are the NAT iptables entries
***********************************
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  ip-10-99-1-0.ap-south-1.compute.internal/24  anywhere
***********************************

And following are the level 2 logs:

Jan 19 12:08:41 ip-172-31-9-90 charon: 15[NET] received packet: from 115.113.153.34[500] to 172.31.9.90[500] (300 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 15[IKE] 115.113.153.34 is initiating an IKE_SA
Jan 19 12:08:41 ip-172-31-9-90 charon: 15[IKE] IKE_SA (unnamed)[121] state change: CREATED => CONNECTING
Jan 19 12:08:41 ip-172-31-9-90 charon: 15[IKE] local host is behind NAT, sending keep alives
Jan 19 12:08:41 ip-172-31-9-90 charon: 15[IKE] remote host is behind NAT
Jan 19 12:08:41 ip-172-31-9-90 charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 15[NET] sending packet: from 172.31.9.90[500] to 115.113.153.34[500] (316 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[NET] received packet: from 115.113.153.34[4500] to 172.31.9.90[4500] (348 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[CFG] looking for peer configs matching 172.31.9.90[myserver.com.server]...115.113.153.34[myserver.com.client]
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[CFG] selected peer config 'iOS-IKEV2'
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] processing INTERNAL_IP4_DHCP attribute
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] processing INTERNAL_IP4_DNS attribute
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] processing INTERNAL_IP4_NETMASK attribute
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] processing INTERNAL_IP6_DHCP attribute
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] processing INTERNAL_IP6_DNS attribute
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] peer supports MOBIKE
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] authentication of 'myserver.com.server' (myself) with pre-shared key
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[IKE] successfully created shared key MAC
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 14[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (124 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 16[NET] received packet: from 115.113.153.34[4500] to 172.31.9.90[4500] (68 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 16[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 16[IKE] received EAP identity 'varun'
Jan 19 12:08:41 ip-172-31-9-90 charon: 16[IKE] initiating EAP_MSCHAPV2 method (id 0x18)
Jan 19 12:08:41 ip-172-31-9-90 charon: 16[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 16[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (100 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 05[NET] received packet: from 115.113.153.34[4500] to 172.31.9.90[4500] (124 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 05[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 05[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 05[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (132 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 02[NET] received packet: from 115.113.153.34[4500] to 172.31.9.90[4500] (68 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 02[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 02[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jan 19 12:08:41 ip-172-31-9-90 charon: 02[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 02[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (68 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[NET] received packet: from 115.113.153.34[4500] to 172.31.9.90[4500] (84 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] authentication of 'myserver.com.client' with EAP successful
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] authentication of 'myserver.com.server' (myself) with EAP
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] IKE_SA iOS-IKEV2[121] established between 172.31.9.90[myserver.com.server]...115.113.153.34[myserver.com.client]
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] IKE_SA iOS-IKEV2[121] state change: CONNECTING => ESTABLISHED
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] scheduling reauthentication in 10230s
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] maximum IKE_SA lifetime 10770s
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] peer requested virtual IP %any
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[CFG] reassigning offline lease to 'varun'
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] assigning virtual IP 10.99.1.1 to peer 'varun'
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] peer requested virtual IP %any6
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] no virtual IP found for %any6 requested by 'varun'
Jan 19 12:08:41 ip-172-31-9-90 charon: message repeated 3 times: [ 06[IKE] building INTERNAL_IP4_DNS attribute]
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] CHILD_SA iOS-IKEV2{102} established with SPIs c2c91873_i 02553f03_o and TS 0.0.0.0/0 === 10.99.1.0/24
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (236 bytes)
Jan 19 12:09:05 ip-172-31-9-90 charon: 01[IKE] sending keep alive to 115.113.153.34[4500]
Jan 19 12:09:25 ip-172-31-9-90 charon: 15[IKE] sending keep alive to 115.113.153.34[4500]
Jan 19 12:09:45 ip-172-31-9-90 charon: 14[IKE] sending keep alive to 115.113.153.34[4500]
Jan 19 12:09:47 ip-172-31-9-90 charon: 16[IKE] sending DPD request
Jan 19 12:09:47 ip-172-31-9-90 charon: 16[IKE] queueing IKE_MOBIKE task
Jan 19 12:09:47 ip-172-31-9-90 charon: 16[IKE] activating new tasks
Jan 19 12:09:47 ip-172-31-9-90 charon: 16[IKE]   activating IKE_MOBIKE task
Jan 19 12:09:47 ip-172-31-9-90 charon: 16[ENC] generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jan 19 12:09:47 ip-172-31-9-90 charon: 16[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (116 bytes)
Jan 19 12:09:51 ip-172-31-9-90 charon: 05[IKE] retransmit 1 of request with message ID 0
Jan 19 12:09:51 ip-172-31-9-90 charon: 05[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (116 bytes)
Jan 19 12:09:58 ip-172-31-9-90 charon: 02[IKE] retransmit 2 of request with message ID 0
Jan 19 12:09:58 ip-172-31-9-90 charon: 02[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (116 bytes)
Jan 19 12:10:11 ip-172-31-9-90 charon: 04[IKE] retransmit 3 of request with message ID 0
Jan 19 12:10:11 ip-172-31-9-90 charon: 04[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (116 bytes)
Jan 19 12:10:31 ip-172-31-9-90 charon: 13[IKE] sending keep alive to 115.113.153.34[4500]
Jan 19 12:10:35 ip-172-31-9-90 charon: 12[IKE] retransmit 4 of request with message ID 0
Jan 19 12:10:35 ip-172-31-9-90 charon: 12[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (116 bytes)
Jan 19 12:10:55 ip-172-31-9-90 charon: 14[IKE] sending keep alive to 115.113.153.34[4500]
Jan 19 12:11:15 ip-172-31-9-90 charon: 02[IKE] sending keep alive to 115.113.153.34[4500]
Jan 19 12:11:17 ip-172-31-9-90 charon: 06[IKE] retransmit 5 of request with message ID 0
Jan 19 12:11:17 ip-172-31-9-90 charon: 06[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (116 bytes)
Jan 19 12:11:37 ip-172-31-9-90 charon: 01[IKE] sending keep alive to 115.113.153.34[4500]
Jan 19 12:12:08 ip-172-31-9-90 charon: 12[IKE] sending keep alive to 115.113.153.34[4500]
Jan 19 12:12:28 ip-172-31-9-90 charon: 14[IKE] sending keep alive to 115.113.153.34[4500]
Jan 19 12:12:32 ip-172-31-9-90 charon: 16[IKE] giving up after 5 retransmits
Jan 19 12:12:32 ip-172-31-9-90 charon: 16[IKE] IKE_SA iOS-IKEV2[121] state change: ESTABLISHED => DESTROYING
Jan 19 12:12:32 ip-172-31-9-90 charon: 16[CFG] lease 10.99.1.1 by 'varun' went offline


-- 
Regards,
Varun
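
Editor's note with an added example (this is not Varun's code and not part of strongSwan): the log above already tells the story if the timeline is read mechanically. No packet arrives from 115.113.153.34 after the IKE_AUTH exchange at 12:08:41, the DPD/MOBIKE INFORMATIONAL request sent at 12:09:47 is never answered, and charon destroys the SA after five retransmits. The script below parses charon lines into timestamped events, correlates the DPD request with its retransmits and the teardown, and checks the observed offsets against charon's documented default retransmission schedule (retransmit_timeout 4.0 s, retransmit_base 1.8, retransmit_tries 5, each wait being timeout * base**n). The embedded log is an excerpt of the one posted above with the mail wrapping undone; the regex, the year argument and the analysis logic are assumptions of this example.

```python
"""Added example: reconstruct from charon log lines why an ESTABLISHED IKE_SA
was torn down. Not strongSwan code; SAMPLE_LOG is excerpted from the thread."""
import re
from datetime import datetime

RETRANSMIT_TIMEOUT = 4.0   # charon.retransmit_timeout default (seconds)
RETRANSMIT_BASE = 1.8      # charon.retransmit_base default
RETRANSMIT_TRIES = 5       # charon.retransmit_tries default

# Excerpt of the posted log (wrapping removed); syslog lines carry no year.
SAMPLE_LOG = """\
Jan 19 12:08:41 ip-172-31-9-90 charon: 15[NET] received packet: from 115.113.153.34[500] to 172.31.9.90[500] (300 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 15[IKE] IKE_SA (unnamed)[121] state change: CREATED => CONNECTING
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[NET] received packet: from 115.113.153.34[4500] to 172.31.9.90[4500] (84 bytes)
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] IKE_SA iOS-IKEV2[121] state change: CONNECTING => ESTABLISHED
Jan 19 12:08:41 ip-172-31-9-90 charon: 06[IKE] CHILD_SA iOS-IKEV2{102} established with SPIs c2c91873_i 02553f03_o and TS 0.0.0.0/0 === 10.99.1.0/24
Jan 19 12:09:05 ip-172-31-9-90 charon: 01[IKE] sending keep alive to 115.113.153.34[4500]
Jan 19 12:09:47 ip-172-31-9-90 charon: 16[IKE] sending DPD request
Jan 19 12:09:47 ip-172-31-9-90 charon: 16[ENC] generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jan 19 12:09:47 ip-172-31-9-90 charon: 16[NET] sending packet: from 172.31.9.90[4500] to 115.113.153.34[4500] (116 bytes)
Jan 19 12:09:51 ip-172-31-9-90 charon: 05[IKE] retransmit 1 of request with message ID 0
Jan 19 12:09:58 ip-172-31-9-90 charon: 02[IKE] retransmit 2 of request with message ID 0
Jan 19 12:10:11 ip-172-31-9-90 charon: 04[IKE] retransmit 3 of request with message ID 0
Jan 19 12:10:35 ip-172-31-9-90 charon: 12[IKE] retransmit 4 of request with message ID 0
Jan 19 12:11:17 ip-172-31-9-90 charon: 06[IKE] retransmit 5 of request with message ID 0
Jan 19 12:12:32 ip-172-31-9-90 charon: 16[IKE] giving up after 5 retransmits
Jan 19 12:12:32 ip-172-31-9-90 charon: 16[IKE] IKE_SA iOS-IKEV2[121] state change: ESTABLISHED => DESTROYING
Jan 19 12:12:32 ip-172-31-9-90 charon: 16[CFG] lease 10.99.1.1 by 'varun' went offline
"""

# "<Mon> <day> <hh:mm:ss> <host> charon: <thread>[<GROUP>] <message>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")


def parse_charon_log(text, year=2017):
    """Return [(timestamp, group, message)] for every well-formed charon line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'message repeated N times' lines, wrapped continuations, noise
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["group"], m["msg"]))
    return events


def retransmit_schedule(timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE,
                        tries=RETRANSMIT_TRIES):
    """Seconds after the first send at which charon retransmits (first `tries`
    entries) and then gives up (last entry); each wait is timeout * base**n."""
    offsets, total = [], 0.0
    for n in range(tries + 1):
        total += timeout * base ** n
        offsets.append(total)
    return offsets


def analyze_teardown(events):
    """Correlate the DPD request, its retransmits and the IKE_SA teardown."""
    r = {"sa": None, "established": None, "last_inbound": None,
         "dpd_sent": None, "retransmits": [], "gave_up": None, "destroyed": None}
    for ts, _group, msg in events:
        if "state change: CONNECTING => ESTABLISHED" in msg:
            r["sa"] = re.search(r"IKE_SA (\S+\[\d+\])", msg).group(1)
            r["established"] = ts
        elif msg.startswith("received packet: from"):
            r["last_inbound"] = ts  # last evidence the peer was reachable
        elif msg == "sending DPD request":
            r["dpd_sent"] = ts
        elif msg.startswith("retransmit ") and r["dpd_sent"] is not None:
            r["retransmits"].append((ts - r["dpd_sent"]).total_seconds())
        elif msg.startswith("giving up after"):
            r["gave_up"] = ts
        elif "=> DESTROYING" in msg:
            r["destroyed"] = ts
    if r["dpd_sent"] and r["gave_up"]:
        r["detect_seconds"] = (r["gave_up"] - r["dpd_sent"]).total_seconds()
        r["verdict"] = "peer unresponsive: DPD request never answered, IKE_SA destroyed"
    elif r["destroyed"]:
        r["verdict"] = "IKE_SA destroyed without a DPD timeout (look for DELETE/reauth)"
    else:
        r["verdict"] = "no teardown in this log"
    return r


def follows_default_schedule(result, tolerance=1.5):
    """True if observed retransmit/give-up offsets match charon's defaults
    within `tolerance` seconds (syslog timestamps have 1 s resolution)."""
    if "detect_seconds" not in result:
        return False
    observed = result["retransmits"] + [result["detect_seconds"]]
    expected = retransmit_schedule()
    return len(observed) == len(expected) and all(
        abs(o - e) <= tolerance for o, e in zip(observed, expected))


if __name__ == "__main__":
    res = analyze_teardown(parse_charon_log(SAMPLE_LOG))
    for key, value in res.items():
        print(f"{key:>15}: {value}")
    print("matches charon defaults:", follows_default_schedule(res))
```

Run against the excerpt, the retransmits land at +4, +11, +24, +48 and +90 seconds and the give-up at +165, matching 4.0 * 1.8**n summed (4.0, 11.2, 24.16, 47.49, 89.48, 165.06). That confirms the teardown is charon's normal dead-peer handling with default settings, not a configuration error on the server, so the next thing to establish is why the client stops answering (capture on UDP 4500 at the time of the first unanswered INFORMATIONAL, and compare with the client's own logs).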