[strongSwan] IKEv2 not able to get past server keep alive?

Tobias Brunner tobias at strongswan.org
Tue Nov 2 19:12:39 CET 2021

Hi Jody,

> It apparently can see the authentication and says it’s good

It doesn't; only its own authentication is successful (read the log more 
closely).  For the client, it requests EAP authentication in the 
IKE_AUTH response, but since there never is a follow-up IKE_AUTH 
request, the IKE_SA is not completed and gets destroyed after a while.

Either the client doesn't like the server certificate (e.g. because it's 
expired, or it doesn't trust the issuing CA, or a required intermediate 
CA certificate is missing; the identity, i.e. the server IP, seems to be 
fine and to match the certificate, as the server uses that itself), or it 
doesn't receive the IKE_AUTH response at all (while it is fragmented 
into two fragments, the first might still be too large; reducing 
charon.fragment_size might help).
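
An added example, not part of the original post or of strongSwan itself, 
that reproduces the first branch of the diagnosis above offline: a 
throwaway root CA, intermediate CA and server certificate are generated 
with openssl, and the chain is then verified the way a client that only 
has the root CA installed would see it, once without the intermediate, 
once with it, and once at a time after the server certificate's expiry. 
All names, the server IP 203.0.113.5 used as SAN/IKE identity, the 
helper names and the file layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan.
# Reproduces "missing intermediate CA" and "expired certificate" rejections
# with a throwaway chain generated by openssl. All names, the server IP
# 203.0.113.5 and the file layout are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# A point 400 days out, used to simulate an expired server certificate.
FUTURE=$(( $(date +%s) + 400 * 86400 ))

cat > "$WORK/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > "$WORK/srv.ext" <<EOF
basicConstraints=CA:FALSE
subjectAltName=IP:203.0.113.5
EOF

# Root CA (self-signed, valid 10 years).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/root.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
# Intermediate CA signed by the root (valid 5 years).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
  -out "$WORK/inter.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" >/dev/null 2>&1
# Server certificate signed by the intermediate (valid 1 year), SAN = server IP.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
  -out "$WORK/srv.csr" -subj "/CN=vpn.example.org" >/dev/null 2>&1
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 365 -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" >/dev/null 2>&1

# Build the chain the way a client with only the root CA installed would.
# $1 = server cert, $2 = file with untrusted intermediates ("" = none),
# $3 = extra "openssl verify" options (e.g. "-attime N"). Prints ok/fail.
chain_status() {
  cert=$1; inter=${2:-}; extra=${3:-}
  if [ -n "$inter" ]; then
    set -- -untrusted "$inter"
  else
    set --
  fi
  # $extra is intentionally unquoted so "-attime N" splits into two words.
  if openssl verify -CAfile "$WORK/root.crt" "$@" $extra "$cert" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Does the certificate carry the IKE identity (server IP) as a SAN? Prints yes/no.
san_has_ip() {
  if openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"; then
    echo yes
  else
    echo no
  fi
}

echo "root only, intermediate missing: $(chain_status "$WORK/srv.crt" "")"
echo "root + intermediate supplied:    $(chain_status "$WORK/srv.crt" "$WORK/inter.crt")"
echo "same chain, checked in 400 days: $(chain_status "$WORK/srv.crt" "$WORK/inter.crt" "-attime $FUTURE")"
echo "SAN carries 203.0.113.5:         $(san_has_ip "$WORK/srv.crt" 203.0.113.5)"
```

The first line is the "required intermediate CA certificate is missing" 
case: the chain only builds once the intermediate is supplied (on the 
server, strongSwan sends it in the IKE_AUTH response when it is loaded 
alongside the server certificate). For the second branch of the 
diagnosis, the knob is charon.fragment_size in strongswan.conf, the 
complete IP datagram size in bytes of each sent IKE fragment, 1280 by 
default; lowering it shrinks the first fragment that the client may 
currently be failing to receive.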
