Hi, I tried to make strongSwan work in road warrior mode with the VPN server integrated in an Aruba controller. The tunnel is established successfully and the communication is OK, but I found the tunnel is shut down after IKE re-authentication. After some study, I found that after message MM6 strongSwan is waiting for the TRANSACTION for the XAUTH request and Aruba never sends it; after a timeout strongSwan will re-launch an IKE MM but Aruba will also not answer it.
From strongSwan's log:

Nov 9 15:29:39 localhost charon: 07[IKE] reauthenticating IKE_SA str1[1]
Nov 9 15:29:39 localhost charon: 07[IKE] installing new virtual IP 99.99.99.91
Nov 9 15:29:39 localhost charon: 07[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov 9 15:29:39 localhost charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov 9 15:29:39 localhost charon: 07[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (240 bytes)
Nov 9 15:29:39 localhost charon: 05[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (200 bytes)
Nov 9 15:29:39 localhost charon: 05[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
Nov 9 15:29:39 localhost charon: 05[IKE] received FRAGMENTATION vendor ID
Nov 9 15:29:39 localhost charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Nov 9 15:29:39 localhost charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 9 15:29:39 localhost charon: 05[IKE] received DPD vendor ID
Nov 9 15:29:39 localhost charon: 05[IKE] received XAuth vendor ID
Nov 9 15:29:39 localhost charon: 05[IKE] received Cisco Unity vendor ID
Nov 9 15:29:39 localhost charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov 9 15:29:39 localhost charon: 05[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (372 bytes)
Nov 9 15:29:39 localhost charon: 09[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (372 bytes)
Nov 9 15:29:39 localhost charon: 09[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Nov 9 15:29:39 localhost charon: 09[ENC] generating ID_PROT request 0 [ ID HASH ]
Nov 9 15:29:39 localhost charon: 09[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (76 bytes)
Nov 9 15:29:39 localhost charon: 10[NET] received packet: from 10.4.30.200[500] to 30.1.1.22[500] (76 bytes)
Nov 9 15:29:39 localhost charon: 10[ENC] parsed ID_PROT response 0 [ ID HASH ]
Nov 9 15:30:09 localhost charon: 13[JOB] peer did not initiate expected exchange, reestablishing IKE_SA
Nov 9 15:30:09 localhost charon: 13[IKE] reinitiating IKE_SA str1[3]
Nov 9 15:30:09 localhost charon: 13[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov 9 15:30:09 localhost charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov 9 15:30:09 localhost charon: 13[NET] sending packet: from 30.1.1.22[500] to 10.4.30.200[500] (240 bytes)

I checked this with Aruba support and their answer is that the reauth for XAUTH is not necessary and they only accept the reauthentication when message MM5 includes INITIAL-CONTACT, which I think is not a correct solution because it will result in a new virtual IP address being assigned to my VPN client. I searched Google and it seems there are some VPN clients, like the one in iOS/macOS, that work well with the Aruba solution and do not mandatorily ask for XAUTH authentication when doing IKE reauthentication, and I fully understand that strongSwan insists on redoing the authentication because of security considerations. https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients

My request is whether it is possible for strongSwan to provide a configurable option to allow skipping XAUTH authentication during IKE reauthentication? Thanks in advance.

--
Best Regards,
Haoyang CAO
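The failure pattern described in the post (Main Mode completes through MM6, the responder advertises the XAuth vendor ID, but no TRANSACTION exchange ever arrives and charon gives up with "peer did not initiate expected exchange") can be picked out of a charon log mechanically. The following triage script is an added example, not code from the post or from the strongSwan project. It reconstructs each Main Mode attempt from the log and flags the ones that stalled waiting for XAuth. The embedded log is constructed: the reauthentication attempt (str1[3]) is an abridged copy of the lines quoted above, while the earlier successful session (str1[1]) and its TRANSACTION lines are invented for contrast.

```python
"""Triage helper: reconstruct IKEv1 Main Mode attempts from a charon log and
flag those that finished MM6 but never received the XAuth TRANSACTION.

Added example; not part of the post or of strongSwan itself.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log. str1[3] is abridged from the post; str1[1] (the
# successful initial session with its XAuth exchange) is invented for contrast.
SAMPLE_LOG = r"""
Nov 9 15:20:01 localhost charon: 03[IKE] initiating Main Mode IKE_SA str1[1] to 10.4.30.200
Nov 9 15:20:01 localhost charon: 03[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
Nov 9 15:20:01 localhost charon: 03[IKE] received XAuth vendor ID
Nov 9 15:20:01 localhost charon: 03[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Nov 9 15:20:01 localhost charon: 03[ENC] parsed ID_PROT response 0 [ ID HASH ]
Nov 9 15:20:01 localhost charon: 04[ENC] parsed TRANSACTION request 1234567890 [ HASH CPRQ(X_USER X_PWD) ]
Nov 9 15:20:01 localhost charon: 04[ENC] generating TRANSACTION response 1234567890 [ HASH CPRP(X_USER X_PWD) ]
Nov 9 15:20:02 localhost charon: 04[IKE] IKE_SA str1[1] established between 30.1.1.22[30.1.1.22]...10.4.30.200[10.4.30.200]
Nov 9 15:29:39 localhost charon: 07[IKE] reauthenticating IKE_SA str1[1]
Nov 9 15:29:39 localhost charon: 07[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov 9 15:29:39 localhost charon: 05[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
Nov 9 15:29:39 localhost charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 9 15:29:39 localhost charon: 05[IKE] received XAuth vendor ID
Nov 9 15:29:39 localhost charon: 09[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Nov 9 15:29:39 localhost charon: 09[ENC] generating ID_PROT request 0 [ ID HASH ]
Nov 9 15:29:39 localhost charon: 10[ENC] parsed ID_PROT response 0 [ ID HASH ]
Nov 9 15:30:09 localhost charon: 13[JOB] peer did not initiate expected exchange, reestablishing IKE_SA
Nov 9 15:30:09 localhost charon: 13[IKE] reinitiating IKE_SA str1[3]
Nov 9 15:30:09 localhost charon: 13[IKE] initiating Main Mode IKE_SA str1[3] to 10.4.30.200
Nov 9 15:30:09 localhost charon: 13[ENC] generating ID_PROT request 0 [ SA V V V V V ]
"""

# syslog-style prefix as charon writes it: "<ts> <host> charon: <thread>[<group>] <msg>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: '
    r'(?P<thread>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$')
INIT_RE = re.compile(r'initiating Main Mode IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] to (?P<peer>\S+)')
VID_RE = re.compile(r'received (.+) vendor ID$')


@dataclass
class MainModeAttempt:
    started: str
    name: str
    sa_id: int
    peer: str
    reauth: bool                              # preceded by "reauthenticating IKE_SA"
    vendor_ids: List[str] = field(default_factory=list)
    id_prot_responses: int = 0                # MM2, MM4, MM6 as seen by the initiator
    initial_contact: bool = False             # N(INITIAL_CONTACT) sent in MM5
    xauth_exchange: bool = False              # any TRANSACTION parsed or generated
    outcome: str = "pending"                  # established | stalled | pending

    @property
    def main_mode_complete(self) -> bool:
        return self.id_prot_responses >= 3    # MM6 received

    def problem(self) -> Optional[str]:
        """The post's symptom: MM6 done, XAuth advertised, no TRANSACTION, timeout."""
        if (self.main_mode_complete and "XAuth" in self.vendor_ids
                and not self.xauth_exchange and self.outcome == "stalled"):
            return "Main Mode finished (MM6 received) but responder never started XAuth"
        return None


def analyze(log: str) -> List[MainModeAttempt]:
    """Split the log into Main Mode attempts; one record per 'initiating Main Mode'."""
    attempts: List[MainModeAttempt] = []
    cur: Optional[MainModeAttempt] = None
    pending_reauth = False
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("reauthenticating IKE_SA"):
            pending_reauth = True              # the next initiation is a reauth
            continue
        init = INIT_RE.search(msg)
        if init:
            cur = MainModeAttempt(m["ts"], init["name"], int(init["id"]),
                                  init["peer"], pending_reauth)
            pending_reauth = False
            attempts.append(cur)
            continue
        if cur is None:
            continue
        vid = VID_RE.match(msg)
        if vid:
            cur.vendor_ids.append(vid.group(1))
        elif msg.startswith("parsed ID_PROT response"):
            cur.id_prot_responses += 1
        elif msg.startswith("generating ID_PROT request") and "INITIAL_CONTACT" in msg:
            cur.initial_contact = True
        elif "TRANSACTION" in msg:
            cur.xauth_exchange = True
        elif msg.startswith(f"IKE_SA {cur.name}[{cur.sa_id}] established"):
            cur.outcome = "established"
        elif msg.startswith("peer did not initiate expected exchange"):
            cur.outcome = "stalled"
    return attempts


def report(log: str) -> List[str]:
    """One summary line per attempt, with the diagnosis appended where it applies."""
    out = []
    for a in analyze(log):
        kind = "reauth" if a.reauth else "initial"
        line = (f"{a.started} {a.name}[{a.sa_id}] -> {a.peer} ({kind}): "
                f"ID_PROT responses={a.id_prot_responses} xauth={a.xauth_exchange} "
                f"initial_contact={a.initial_contact} outcome={a.outcome}")
        if a.problem():
            line += f"  ** {a.problem()}"
        out.append(line)
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real `charon` log (for example `journalctl -u strongswan | python3 triage.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the `initial_contact` column shows directly whether the MM5 sent by strongSwan carried the INITIAL_CONTACT notify that Aruba support says it requires.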