[strongSwan] IKEv2 not able to get past server keep alive?
Tobias Brunner
tobias at strongswan.org
Tue Nov 2 19:12:39 CET 2021
Hi Jody,

> It apparently can see the authentication and says it’s good

It doesn't, only its own authentication is successful (read the log more
closely). For the client, it requests EAP authentication in the
IKE_AUTH response, but since there never is a follow-up IKE_AUTH
request, the IKE_SA is not completed and gets destroyed after a while.

Either the client doesn't like the server certificate (e.g. because it's
expired or it doesn't trust the issuing CA - or a required intermediate
CA certificate is missing -, the identity, i.e. server IP, seems to be
fine and match the certificate as the server uses that itself), or it
doesn't receive the IKE_AUTH response at all (while it is fragmented
into two fragments, the first might still be too large, reducing
charon.fragment_size might help).

Regards,
Tobias
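
An added example, not part of the message above or of strongSwan itself: a small Python check over a server-side charon log that tells the two cases in the reply apart. The log excerpt is constructed, and using retransmits of the client's request as a sign that the response was lost is this example's heuristic, not something stated in the thread.

```python
import re

# Constructed charon-style server log (not from the thread; documentation-range IPs).
SAMPLE_LOG = """\
09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr ]
09[IKE] authentication of '203.0.113.10' (myself) with RSA signature successful
09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
09[ENC] splitting IKE message (1936 bytes) into 2 fragments
09[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
09[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
09[NET] sending packet: from 203.0.113.10[4500] to 198.51.100.7[4500] (1248 bytes)
09[NET] sending packet: from 203.0.113.10[4500] to 198.51.100.7[4500] (756 bytes)
11[IKE] received retransmit of request with ID 1, retransmitting response
14[JOB] deleting half open IKE_SA with 198.51.100.7 after timeout
"""

EAP_REQ = re.compile(r"generating IKE_AUTH response (\d+) \[[^\]]*EAP/REQ")
PARSED = re.compile(r"parsed IKE_AUTH request (\d+) \[")
SENT = re.compile(r"sending packet: .*\((\d+) bytes\)")
RETRANS = re.compile(r"received retransmit of request with ID (\d+)")

def diagnose(log):
    """Summarise whether the client continued after the server's EAP request."""
    eap_id, followed, sizes, retrans = None, False, [], 0
    for line in log.splitlines():
        if eap_id is None:
            m = EAP_REQ.search(line)
            if m:
                eap_id = int(m.group(1))
            continue
        if (m := PARSED.search(line)) and int(m.group(1)) > eap_id:
            followed = True   # the follow-up IKE_AUTH request arrived
        elif m := SENT.search(line):
            sizes.append(int(m.group(1)))
        elif (m := RETRANS.search(line)) and int(m.group(1)) == eap_id:
            retrans += 1      # client re-sent its request (heuristic: response not received)
    if eap_id is None:
        hint = "no EAP request sent by the server"
    elif followed:
        hint = "client continued the EAP exchange"
    elif retrans:
        hint = "response probably lost: check path MTU, try a lower charon.fragment_size"
    else:
        hint = "client went silent: check server certificate validity and CA chain on the client"
    return {"eap_requested": eap_id is not None, "client_followed_up": followed,
            "largest_sent": max(sizes, default=0), "retransmits": retrans, "hint": hint}
```

`largest_sent` is the biggest UDP payload the server sent after the EAP request, which is the number to compare against the path MTU when lowering `charon.fragment_size`.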