Dug a little deeper and tried disabling rekeying but the iPhone still ends up 
in the REKEYING state for some reason.

When it's stuck in the REKEYING state it has no Internet connectivity, can't be 
pinged from the server - but it is receiving DPD_ACK requests (I can see them 
being passed to and from the server<->client in /var/log/messages).

Any idea what's going on here?

Thanks,

H.

On Tuesday, 27 May 2014, 11:37, Harry Stark <[email protected]> wrote:
 
Hi,

I've a problem with iPhone users that sometimes have no Internet connectivity 
when re-connecting.

I've just managed to reproduce the issue myself and found that the device was 
stuck in a rekeying state:

Ran ipsec statusall and received the following for the device:

radius-user[7294]: ESTABLISHED 8 minutes ago, server.ip.addr[removed]…client.ip.addr[removed]
radius-user[7294]: Remote XAuth identity: id
radius-user[7294]: IKEv1 SPIs: 97f5e4a174c21a04_i d955c959b74e47ca_r*, public key reauthentication in 2 hours
radius-user[7294]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
radius-user{4638}:  REKEYING, TUNNEL, expires in 51 minutes
radius-user{4638}:   0.0.0.0/0 === 10.0.1.153/32
radius-user{4638}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c94cefea_i 065a29fb_o
radius-user{4638}:  AES_CBC_128/HMAC_SHA1_96, 153357 bytes_i (1104 pkts, 1s ago), 0 bytes_o, rekeying in 36 minutes
radius-user{4638}:   0.0.0.0/0 === 10.0.1.153/32


So the tunnel was set up correctly but the device was not able to be pinged or 
receive any data at all and just stuck there in the REKEYING state.

I did an ipsec down on the user which forced the device to reconnect and all was 
then fine.

Not sure where to look to solve this?  Is there a setting I can enable to 
disable all REKEYING so I can force all my iPhone users to do a full re-auth 
every connection?  I know this may be slower but their devices are pretty dumb!

Thanks,


I'm running CentOS 6 & Linux strongSwan U5.1.3/K2.6.32-358.11.1.el6.x86_64

H.

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
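
A way to spot the condition reported in this thread from the server side, as an added example that is not part of the original messages or of strongSwan: it parses CHILD_SA lines in the `ipsec statusall` layout quoted above and flags entries that show REKEYING while bytes_i grows and bytes_o stays at 0. The function names and the flagging rule are assumptions made for this example.

```python
import re

# Constructed sample: the CHILD_SA lines quoted in the post, with the e-mail
# line wrapping undone (IKE_SA lines omitted, they are not parsed here).
SAMPLE = """\
radius-user{4638}:  REKEYING, TUNNEL, expires in 51 minutes
radius-user{4638}:   0.0.0.0/0 === 10.0.1.153/32
radius-user{4638}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c94cefea_i 065a29fb_o
radius-user{4638}:  AES_CBC_128/HMAC_SHA1_96, 153357 bytes_i (1104 pkts, 1s ago), 0 bytes_o, rekeying in 36 minutes
radius-user{4638}:   0.0.0.0/0 === 10.0.1.153/32
"""

CHILD = re.compile(r"^\s*(?P<conn>[^\s{\[]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
STATE = re.compile(r"^([A-Z_]+), [A-Z]+\b")     # e.g. "REKEYING, TUNNEL"
COUNTER = re.compile(r"(\d+) bytes_([io])\b")    # bytes_i / bytes_o counters
SELECTOR = re.compile(r"^\S+ === (\S+)")         # local === remote selector


def parse_child_sas(text):
    """Group statusall lines by (connection name, CHILD_SA id)."""
    sas = {}
    for line in text.splitlines():
        m = CHILD.match(line)
        if not m:
            continue  # IKE_SA lines use name[id] and are skipped
        empty = {"states": set(), "bytes_i": None, "bytes_o": None, "remote": None}
        sa = sas.setdefault((m["conn"], int(m["id"])), empty)
        rest = m["rest"].strip()
        if (s := STATE.match(rest)):
            sa["states"].add(s.group(1))
        for count, direction in COUNTER.findall(rest):
            sa["bytes_" + direction] = int(count)
        if (t := SELECTOR.match(rest)):
            sa["remote"] = t.group(1)
    return sas


def stuck_rekeying(text):
    """Heuristic (an assumption, not strongSwan logic): flag a CHILD_SA that
    shows REKEYING while inbound bytes arrive and nothing has gone out."""
    return [{"conn": conn, "id": sa_id, **sa}
            for (conn, sa_id), sa in parse_child_sas(text).items()
            if "REKEYING" in sa["states"]
            and (sa["bytes_i"] or 0) > 0 and sa["bytes_o"] == 0]


if __name__ == "__main__":
    for hit in stuck_rekeying(SAMPLE):
        print(f"{hit['conn']}{{{hit['id']}}} {hit['remote']}: possible stuck rekey")
```

A client that has simply not been sent any traffic yet also shows 0 bytes_o, so a hit is a prompt to check that connection rather than proof of the fault.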