[strongSwan] Reconnect failed with android phone

JWD j-wd at 163.com
Fri Jan 12 02:20:11 CET 2018


Nothing is logged when Android disconnects. Android does not send any message to strongSwan.
EAP-MSCHAPv2 works fine on my PC.

Jan 12 09:07:20 03[NET] <4> received packet: from 223.104.3.235[26141] to 172.31.2.1[500] (476 bytes)
Jan 12 09:07:20 03[ENC] <4> parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jan 12 09:07:20 03[IKE] <4> received NAT-T (RFC 3947) vendor ID
Jan 12 09:07:20 03[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 12 09:07:20 03[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 12 09:07:20 03[IKE] <4> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jan 12 09:07:20 03[IKE] <4> received XAuth vendor ID
Jan 12 09:07:20 03[IKE] <4> received Cisco Unity vendor ID
Jan 12 09:07:20 03[IKE] <4> received FRAGMENTATION vendor ID
Jan 12 09:07:20 03[IKE] <4> received DPD vendor ID
Jan 12 09:07:20 03[IKE] <4> 223.104.3.235 is initiating a Main Mode IKE_SA
Jan 12 09:07:20 03[ENC] <4> generating ID_PROT response 0 [ SA V V V V ]
Jan 12 09:07:20 03[NET] <4> sending packet: from 172.31.2.1[500] to 223.104.3.235[26141] (160 bytes)
Jan 12 09:07:20 12[NET] <4> received packet: from 223.104.3.235[26141] to 172.31.2.1[500] (228 bytes)
Jan 12 09:07:20 12[ENC] <4> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 12 09:07:20 12[IKE] <4> local host is behind NAT, sending keep alives
Jan 12 09:07:20 12[IKE] <4> remote host is behind NAT
Jan 12 09:07:20 12[ENC] <4> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 12 09:07:20 12[NET] <4> sending packet: from 172.31.2.1[500] to 223.104.3.235[26141] (244 bytes)
Jan 12 09:07:20 16[NET] <4> received packet: from 223.104.3.235[21528] to 172.31.2.1[4500] (92 bytes)
Jan 12 09:07:20 16[ENC] <4> parsed ID_PROT request 0 [ ID HASH ]
Jan 12 09:07:20 16[CFG] <4> looking for XAuthInitPSK peer configs matching 172.31.2.1...223.104.3.235[10.58.28.34]
Jan 12 09:07:20 16[CFG] <4> selected peer config "XAuth-PSK"
Jan 12 09:07:20 16[ENC] <XAuth-PSK|4> generating ID_PROT response 0 [ ID HASH ]
Jan 12 09:07:20 16[NET] <XAuth-PSK|4> sending packet: from 172.31.2.1[4500] to 223.104.3.235[21528] (76 bytes)
Jan 12 09:07:20 16[ENC] <XAuth-PSK|4> generating TRANSACTION request 2279139339 [ HASH CPRQ(X_USER X_PWD) ]
Jan 12 09:07:20 16[NET] <XAuth-PSK|4> sending packet: from 172.31.2.1[4500] to 223.104.3.235[21528] (76 bytes)
Jan 12 09:07:20 05[NET] <XAuth-PSK|4> received packet: from 223.104.3.235[21528] to 172.31.2.1[4500] (108 bytes)
Jan 12 09:07:20 05[ENC] <XAuth-PSK|4> parsed INFORMATIONAL_V1 request 3724774013 [ HASH N(INITIAL_CONTACT) ]
Jan 12 09:07:20 04[NET] <XAuth-PSK|4> received packet: from 223.104.3.235[21528] to 172.31.2.1[4500] (108 bytes)
Jan 12 09:07:20 04[ENC] <XAuth-PSK|4> parsed TRANSACTION response 2279139339 [ HASH CPRP(X_USER X_PWD) ]
Jan 12 09:07:20 04[CFG] <XAuth-PSK|4> sending RADIUS Access-Request to server '127.0.0.1'
Jan 12 09:07:20 04[CFG] <XAuth-PSK|4> received RADIUS Access-Accept from server '127.0.0.1'
Jan 12 09:07:20 04[IKE] <XAuth-PSK|4> XAuth authentication of 'vpnuser1' successful
Jan 12 09:07:20 04[ENC] <XAuth-PSK|4> generating TRANSACTION request 3413157947 [ HASH CPS(X_STATUS) ]
Jan 12 09:07:20 04[NET] <XAuth-PSK|4> sending packet: from 172.31.2.1[4500] to 223.104.3.235[21528] (76 bytes)
Jan 12 09:07:20 09[NET] <XAuth-PSK|4> received packet: from 223.104.3.235[21528] to 172.31.2.1[4500] (92 bytes)
Jan 12 09:07:20 09[ENC] <XAuth-PSK|4> parsed TRANSACTION response 3413157947 [ HASH CPA(X_STATUS) ]
Jan 12 09:07:20 09[IKE] <XAuth-PSK|4> IKE_SA XAuth-PSK[4] established between 172.31.2.1[172.31.2.1]...223.104.3.235[10.58.28.34]
Jan 12 09:07:20 09[IKE] <XAuth-PSK|4> scheduling reauthentication in 10139s
Jan 12 09:07:20 09[IKE] <XAuth-PSK|4> maximum IKE_SA lifetime 10679s
Jan 12 09:07:20 07[NET] <XAuth-PSK|4> received packet: from 223.104.3.235[21528] to 172.31.2.1[4500] (124 bytes)
Jan 12 09:07:20 07[ENC] <XAuth-PSK|4> parsed TRANSACTION request 3929122124 [ HASH CPRQ(ADDR MASK DNS NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
Jan 12 09:07:20 07[IKE] <XAuth-PSK|4> peer requested virtual IP %any
Jan 12 09:07:20 07[CFG] <XAuth-PSK|4> assigning new lease to 'vpnuser1'
Jan 12 09:07:20 07[IKE] <XAuth-PSK|4> assigning virtual IP 172.31.254.1 to peer 'vpnuser1'
Jan 12 09:07:20 07[ENC] <XAuth-PSK|4> generating TRANSACTION response 3929122124 [ HASH CPRP(ADDR DNS NBNS DNS NBNS) ]
Jan 12 09:07:20 07[NET] <XAuth-PSK|4> sending packet: from 172.31.2.1[4500] to 223.104.3.235[21528] (108 bytes)
Jan 12 09:07:39 11[NET] <XAuth-PSK|4> received packet: from 223.104.3.235[21528] to 172.31.2.1[4500] (364 bytes)
Jan 12 09:07:39 11[ENC] <XAuth-PSK|4> parsed QUICK_MODE request 3003341863 [ HASH SA No ID ID ]
Jan 12 09:07:39 11[IKE] <XAuth-PSK|4> received 28800s lifetime, configured 3600s
Jan 12 09:07:39 11[ENC] <XAuth-PSK|4> generating QUICK_MODE response 3003341863 [ HASH SA No ID ID ]
Jan 12 09:07:39 11[NET] <XAuth-PSK|4> sending packet: from 172.31.2.1[4500] to 223.104.3.235[21528] (172 bytes)
Jan 12 09:07:39 10[NET] <XAuth-PSK|4> received packet: from 223.104.3.235[21528] to 172.31.2.1[4500] (76 bytes)
Jan 12 09:07:39 10[ENC] <XAuth-PSK|4> parsed QUICK_MODE request 3003341863 [ HASH ]
Jan 12 09:07:39 10[IKE] <XAuth-PSK|4> CHILD_SA XAuth-PSK{6} established with SPIs cdf6f39c_i 0c4a03f5_o and TS 0.0.0.0/0 === 172.31.254.1/32

Jan 12 09:09:15 07[NET] <5> received packet: from 223.104.3.235[26141] to 172.31.2.1[500] (476 bytes)
Jan 12 09:09:15 07[ENC] <5> parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jan 12 09:09:15 07[IKE] <5> received NAT-T (RFC 3947) vendor ID
Jan 12 09:09:15 07[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 12 09:09:15 07[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 12 09:09:15 07[IKE] <5> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jan 12 09:09:15 07[IKE] <5> received XAuth vendor ID
Jan 12 09:09:15 07[IKE] <5> received Cisco Unity vendor ID
Jan 12 09:09:15 07[IKE] <5> received FRAGMENTATION vendor ID
Jan 12 09:09:15 07[IKE] <5> received DPD vendor ID
Jan 12 09:09:15 07[IKE] <5> 223.104.3.235 is initiating a Main Mode IKE_SA
Jan 12 09:09:15 07[ENC] <5> generating ID_PROT response 0 [ SA V V V V ]
Jan 12 09:09:15 07[NET] <5> sending packet: from 172.31.2.1[500] to 223.104.3.235[26141] (160 bytes)
Jan 12 09:09:15 08[NET] <5> received packet: from 223.104.3.235[26141] to 172.31.2.1[500] (228 bytes)
Jan 12 09:09:15 08[ENC] <5> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 12 09:09:15 08[IKE] <5> local host is behind NAT, sending keep alives
Jan 12 09:09:15 08[IKE] <5> remote host is behind NAT
Jan 12 09:09:15 08[ENC] <5> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 12 09:09:15 08[NET] <5> sending packet: from 172.31.2.1[500] to 223.104.3.235[26141] (244 bytes)
Jan 12 09:09:15 13[NET] <5> received packet: from 223.104.3.235[21528] to 172.31.2.1[4500] (92 bytes)
Jan 12 09:09:15 13[ENC] <5> invalid ID_V1 payload length, decryption failed?
Jan 12 09:09:15 13[ENC] <5> could not decrypt payloads
Jan 12 09:09:15 13[IKE] <5> message parsing failed
Jan 12 09:09:15 13[ENC] <5> generating INFORMATIONAL_V1 request 3181951198 [ HASH N(PLD_MAL) ]
Jan 12 09:09:15 13[NET] <5> sending packet: from 172.31.2.1[500] to 223.104.3.235[26141] (76 bytes)
Jan 12 09:09:15 13[IKE] <5> ID_PROT request with message ID 0 processing failed
Jan 12 09:09:18 11[NET] <5> received packet: from 223.104.3.235[21528] to 172.31.2.1[4500] (92 bytes)
Jan 12 09:09:18 11[ENC] <5> invalid ID_V1 payload length, decryption failed?
Jan 12 09:09:18 11[ENC] <5> could not decrypt payloads
Jan 12 09:09:18 11[IKE] <5> message parsing failed




JWD

From: Noel Kuntze
Date: 2018-01-11 20:02
To: JWD; users
Subject: Re: [strongSwan] Reconnect failed with android phone
What's happening in between those two lines?

On 10.01.2018 15:34, JWD wrote:
> Jan 10 22:22:37 04[NET] <XAuth-PSK|3> sending packet: from 172.31.2.1[4500] to 117.100.110.176[4500] (108 bytes)
>  
> Jan 10 22:22:55 15[NET] <4> received packet: from 117.100.110.176[500] to 172.31.2.1[500] (476 bytes)

Btw, switch to a better cipher suite.
> ike=aes256-sha1-modp1024,aes256-sha256-modp1024,3des-sha1-modp1024!
> esp=aes256-sha1,aes256-sha256,3des-sha1!

Kind regards

Noel
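
An added example, not part of the thread and not strongSwan code: a small script that answers "what happened in between" for a charon log by grouping lines per IKE_SA and reporting a failed attempt that follows a still-open IKE_SA from the same peer address. The sample lines are abridged from the log posted above; the year and the wording of the delete messages are assumptions, and the script reports what the log shows without diagnosing the cause.

```python
import re
from datetime import datetime

# Constructed sample: a few lines abridged from the log posted in this thread.
SAMPLE = """\
Jan 12 09:07:20 03[IKE] <4> 223.104.3.235 is initiating a Main Mode IKE_SA
Jan 12 09:07:20 09[IKE] <XAuth-PSK|4> IKE_SA XAuth-PSK[4] established between 172.31.2.1[172.31.2.1]...223.104.3.235[10.58.28.34]
Jan 12 09:07:39 10[IKE] <XAuth-PSK|4> CHILD_SA XAuth-PSK{6} established with SPIs cdf6f39c_i 0c4a03f5_o and TS 0.0.0.0/0 === 172.31.254.1/32
Jan 12 09:09:15 07[IKE] <5> 223.104.3.235 is initiating a Main Mode IKE_SA
Jan 12 09:09:15 13[ENC] <5> could not decrypt payloads
Jan 12 09:09:18 11[ENC] <5> could not decrypt payloads
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \d+\[\w+\] <(?:[^|>]*\|)?(\d+)> (.*)$")
PEER = re.compile(r"^(\d+(?:\.\d+){3}) is initiating a Main Mode IKE_SA")

def summarize(log, year=2018):
    """Group charon lines by IKE_SA id; syslog has no year, so it is a parameter."""
    sas = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, sa_id, msg = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        sa = sas.setdefault(int(sa_id), {"peer": None, "first": when,
                "established": False, "closed": False, "decrypt_failures": 0})
        sa["last"] = when
        if (p := PEER.match(msg)):
            sa["peer"] = p.group(1)
        if msg.startswith("IKE_SA") and " established " in msg:
            sa["established"] = True
        # Delete wording is assumed; no such line appears in the posted log.
        if msg.startswith("deleting IKE_SA") or "DELETE for IKE_SA" in msg:
            sa["closed"] = True
        if "could not decrypt payloads" in msg:
            sa["decrypt_failures"] += 1
    return sas

def stale_reconnects(sas):
    """(old_id, new_id, silent_seconds, failures) for each failed attempt that
    follows a still-open IKE_SA from the same peer address."""
    out = []
    for new_id, new in sorted(sas.items()):
        for old_id, old in sorted(sas.items()):
            if (new["decrypt_failures"] and old_id < new_id and old["established"]
                    and not old["closed"] and old["peer"] == new["peer"]):
                gap = int((new["first"] - old["last"]).total_seconds())
                out.append((old_id, new_id, gap, new["decrypt_failures"]))
    return out
```

On the sample, `stale_reconnects(summarize(SAMPLE))` reports that IKE_SA 4 was never logged as closed and that attempt 5 began after 96 seconds without any logged event for that peer.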