[strongSwan] Couldn't establish IKEv2 vpn connection using strongswan, log shows timeout

Joshua Nocturne joshua.nocturne at gmail.com
Wed Nov 8 12:19:03 CET 2017


I tried to use EAP with username/password in Windows as you said, then I
got almost the same log:
Nov  8 18:42:29 13[NET] <8> received packet: from 183.131.17.162[370] to 47.90.13.129[500] (880 bytes)
Nov  8 18:42:29 13[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov  8 18:42:29 13[IKE] <8> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Nov  8 18:42:29 13[IKE] <8> received MS-Negotiation Discovery Capable vendor ID
Nov  8 18:42:29 13[IKE] <8> received Vid-Initial-Contact vendor ID
Nov  8 18:42:29 13[ENC] <8> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Nov  8 18:42:29 13[IKE] <8> 183.131.17.162 is initiating an IKE_SA
Nov  8 18:42:29 13[IKE] <8> remote host is behind NAT
Nov  8 18:42:29 13[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov  8 18:42:29 13[NET] <8> sending packet: from 47.90.13.129[500] to 183.131.17.162[370] (312 bytes)
Nov  8 18:42:30 12[NET] <8> received packet: from 183.131.17.162[370] to 47.90.13.129[500] (880 bytes)
Nov  8 18:42:30 12[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov  8 18:42:30 12[IKE] <8> received retransmit of request with ID 0, retransmitting response
Nov  8 18:42:30 12[NET] <8> sending packet: from 47.90.13.129[500] to 183.131.17.162[370] (312 bytes)
Nov  8 18:42:31 09[NET] <8> received packet: from 183.131.17.162[370] to 47.90.13.129[500] (880 bytes)
Nov  8 18:42:31 09[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov  8 18:42:31 09[IKE] <8> received retransmit of request with ID 0, retransmitting response
Nov  8 18:42:31 09[NET] <8> sending packet: from 47.90.13.129[500] to 183.131.17.162[370] (312 bytes)

And I also tried using my iPhone to connect to my VPN with
username/password in IPsec, then I got this log:
Nov  8 19:14:40 05[NET] <38> received packet: from 112.64.189.137[25840] to 47.90.13.129[500] (848 bytes)
Nov  8 19:14:40 05[ENC] <38> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Nov  8 19:14:40 05[IKE] <38> received NAT-T (RFC 3947) vendor ID
Nov  8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike vendor ID
Nov  8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Nov  8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Nov  8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Nov  8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Nov  8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Nov  8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Nov  8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Nov  8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov  8 19:14:40 05[IKE] <38> received XAuth vendor ID
Nov  8 19:14:40 05[IKE] <38> received Cisco Unity vendor ID
Nov  8 19:14:40 05[IKE] <38> received FRAGMENTATION vendor ID
Nov  8 19:14:40 05[IKE] <38> received DPD vendor ID
Nov  8 19:14:40 05[IKE] <38> 112.64.189.137 is initiating a Main Mode IKE_SA
Nov  8 19:14:40 05[ENC] <38> generating ID_PROT response 0 [ SA V V V V ]
Nov  8 19:14:40 05[NET] <38> sending packet: from 47.90.13.129[500] to 112.64.189.137[25840] (160 bytes)
Nov  8 19:14:43 06[NET] <38> received packet: from 112.64.189.137[25840] to 47.90.13.129[500] (848 bytes)
Nov  8 19:14:43 06[IKE] <38> received retransmit of request with ID 0, retransmitting response
Nov  8 19:14:43 06[NET] <38> sending packet: from 47.90.13.129[500] to 112.64.189.137[25840] (160 bytes)
Nov  8 19:14:47 12[NET] <38> received packet: from 112.64.189.137[25840] to 47.90.13.129[500] (848 bytes)
Nov  8 19:14:47 12[IKE] <38> received retransmit of request with ID 0, retransmitting response
Nov  8 19:14:47 12[NET] <38> sending packet: from 47.90.13.129[500] to 112.64.189.137[25840] (160 bytes)

At last I still do not know where the problem is. :(


2017-11-07 21:37 GMT+08:00 Tobias Brunner <tobias at strongswan.org>:

> Hi Joshua,
>
> >     I got some problems about the configuration of strongswan, no matter
> > how I configured the IKEv2 connection just couldn't establish.
>
> This doesn't look like a configuration issue but a network problem.  The
> client does not seem to receive the IKE_SA_INIT response sent by the
> server (at least initially) and, therefore, retransmits the request a
> couple of times.  It seems to stop after two retransmits so it might
> have received the response eventually.  But since the server doesn't
> receive an IKE_AUTH request it could mean that there is an IP
> fragmentation issue (also check for errors on the client).  If the
> IKE_AUTH request gets too big (e.g. because of lots of certificate
> requests or a large client certificate) it gets fragmented into multiple
> IP packets and if some firewall/router between client and server drops
> such fragments the server won't receive the full message.
> As this seems to be a Windows client you might not have a lot of options
> as Windows doesn't support IKEv2 fragmentation.  If you use certificate
> authentication for the client you could try to switch to EAP with
> username/password (but it's possible that the server's IKE_AUTH response
> will get fragmented too).  Also see [1].
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/issues/965#note-1
>
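The symptom Tobias describes in the quoted reply (server answers IKE_SA_INIT, the client keeps retransmitting that same request, and no IKE_AUTH ever arrives) is easy to spot by hand in a short log but tedious across a busy gateway. The script below is an added example, not part of this thread and not strongSwan's own tooling: it parses charon syslog lines of the shape shown above, tracks per-IKE_SA state, and reports SAs that stalled after the first exchange. The sample log is constructed with documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) and the retransmit threshold is an assumption, not a strongSwan setting.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# charon syslog format as seen in the thread:
# "<Mon> <day> <hh:mm:ss> <thread>[<group>] <<ike_sa_id>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<group>\w+)\] <(?P<sa>\d+)> (?P<msg>.*)$"
)
SEND_RE = re.compile(r"sending packet: from \S+ to (?P<peer>\S+) \((?P<size>\d+) bytes\)")

# Constructed sample: SA <8> stalls exactly like the Windows log in the thread,
# SA <9> is a healthy peer that reaches IKE_AUTH.
SAMPLE_LOG = """\
Nov  8 18:42:29 13[NET] <8> received packet: from 192.0.2.10[370] to 198.51.100.5[500] (880 bytes)
Nov  8 18:42:29 13[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov  8 18:42:29 13[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov  8 18:42:29 13[NET] <8> sending packet: from 198.51.100.5[500] to 192.0.2.10[370] (312 bytes)
Nov  8 18:42:30 12[IKE] <8> received retransmit of request with ID 0, retransmitting response
Nov  8 18:42:30 12[NET] <8> sending packet: from 198.51.100.5[500] to 192.0.2.10[370] (312 bytes)
Nov  8 18:42:31 09[IKE] <8> received retransmit of request with ID 0, retransmitting response
Nov  8 18:42:31 09[NET] <8> sending packet: from 198.51.100.5[500] to 192.0.2.10[370] (312 bytes)
Nov  8 18:50:02 07[ENC] <9> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov  8 18:50:02 07[NET] <9> sending packet: from 198.51.100.5[500] to 203.0.113.7[500] (312 bytes)
Nov  8 18:50:03 11[ENC] <9> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr ]
"""


@dataclass
class SaState:
    peer: str = ""
    init_response_sent: bool = False  # server answered IKE_SA_INIT (or IKEv1 ID_PROT)
    retransmits: int = 0              # initiator re-sent a request the server already answered
    auth_seen: bool = False           # server parsed an IKE_AUTH request
    largest_response: int = 0         # largest packet the server sent on this SA


def parse(lines):
    """Build per-IKE_SA state from charon log lines; lines that do not match are skipped."""
    sas = defaultdict(SaState)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        sa, msg = sas[m["sa"]], m["msg"]
        if "generating IKE_SA_INIT response" in msg or "generating ID_PROT response" in msg:
            sa.init_response_sent = True
        elif "received retransmit of request" in msg:
            sa.retransmits += 1
        elif "parsed IKE_AUTH request" in msg:
            sa.auth_seen = True
        else:
            s = SEND_RE.search(msg)
            if s:
                sa.peer = s["peer"]
                sa.largest_response = max(sa.largest_response, int(s["size"]))
    return dict(sas)


def stalled_sas(sas, min_retransmits=2):
    """IKE_SAs where the server answered the first exchange, the client kept
    retransmitting it, and no IKE_AUTH ever arrived. The threshold is an assumption."""
    return {
        sa_id: st for sa_id, st in sas.items()
        if st.init_response_sent and st.retransmits >= min_retransmits and not st.auth_seen
    }


def report(log_text):
    """Human-readable summary, one line per stalled SA."""
    out = []
    for sa_id, st in stalled_sas(parse(log_text.splitlines())).items():
        out.append(f"IKE_SA <{sa_id}> peer {st.peer}: {st.retransmits} retransmits of the first "
                   f"request, no IKE_AUTH seen (server response {st.largest_response} bytes)")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The server-side view cannot distinguish "client never received the IKE_SA_INIT response" from "client sent IKE_AUTH but its IP fragments were dropped on the way": both leave the same trace, which is why the reply also asks for the client's log. A stalled SA in this report is the cue to compare packet counts on both ends and on any NAT device in between.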