Wolfram Schlich wrote:
> Hi Andreas!
> 
> * Andreas Steffen <andreas.stef...@strongswan.org> [2009-07-13 13:08]:
>> The iPhone client does not like the XAUTH request:
>>
>>> 12:11:05 pluto[23959]: | starting XAUTH server
>>> 12:11:05 pluto[23959]: "iphone"[3] CLIENT-IP:11044 #3:
>>                        sending XAUTH request
>>
>> because instead of the XAUTH reply it sends an INFORMATIONAL message:
>>
>> 12:11:06 pluto[23959]: | *received 76 bytes from CLIENT-IP:11044 on eth5
>> 12:11:06 pluto[23959]: | ICOOKIE:  31 ed 8b 9a  d8 bf 78 9d
>> 12:11:06 pluto[23959]: | RCOOKIE:  2d 5e 3f c8  6f 7d 42 2e
>> 12:11:06 pluto[23959]: | peer:  50 bb 65 81
>> 12:11:06 pluto[23959]: | state hash entry 0
>> 12:11:06 pluto[23959]: | state object not found
>> 12:11:06 pluto[23959]: packet from CLIENT-IP:11044:
>>       Informational Exchange is for an unknown (expired?) SA
>>
>> There are two things that you can do:
>>
>> 1) Have you compiled strongSwan with the --enable-cisco-quirks option?
> 
> Yes.
> 
>>    It might be that similarly to the Cisco VPN client, the iPhone
>>    client expects the VPN gateway to send a Cisco-Unity ID
>>    and will otherwise abort the IKE negotiation.
> 
> So shouldn't --enable-cisco-quirks have done that already?!
Yes, --enable-cisco-quirks does that.
> 
>> 2) Increasing the debug level by setting
>>
>>    plutodebug="control controlmore parsing"
>>
>>   in ipsec.conf might show the content of the INFORMATIONAL message
>>   shedding some light on the error cause.
> 
> Done. Here you go:
> 
> --8<--
> pluto[32003]: | NAT-T: new mapping CLIENT-IP:30983/42181)
> pluto[32003]: | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1
> pluto[32003]: "iphone"[2] CLIENT-IP:42181 #1: sent MR3, ISAKMP SA established
> pluto[32003]: | starting XAUTH server
> pluto[32003]: "iphone"[2] CLIENT-IP:42181 #1: sending XAUTH request
> pluto[32003]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> pluto[32003]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> 
> pluto[32003]: |
> pluto[32003]: | *received 76 bytes from CLIENT-IP:42181 on eth5
> pluto[32003]: | **parse ISAKMP Message:
> pluto[32003]: |    initiator cookie:
> pluto[32003]: |   0d 59 13 eb  af df ce b2
> pluto[32003]: |    responder cookie:
> pluto[32003]: |   5c 40 db 2a  75 f5 d1 91
> pluto[32003]: |    next payload type: ISAKMP_NEXT_HASH
> pluto[32003]: |    ISAKMP version: ISAKMP Version 1.0
> pluto[32003]: |    exchange type: ISAKMP_XCHG_INFO
> pluto[32003]: |    flags: ISAKMP_FLAG_ENCRYPTION
> pluto[32003]: |    message ID:  e6 94 48 f6
> pluto[32003]: |    length: 76
> pluto[32003]: | ICOOKIE:  0d 59 13 eb  af df ce b2
> pluto[32003]: | RCOOKIE:  5c 40 db 2a  75 f5 d1 91
> pluto[32003]: | peer:  50 bb 64 81
> pluto[32003]: | state hash entry 19
> pluto[32003]: | state object not found
> pluto[32003]: packet from CLIENT-IP:42181: Informational Exchange is for an unknown (expired?) SA
> pluto[32003]: | next event EVENT_RETRANSMIT in 10 seconds for #1

The INFORMATIONAL message is encrypted and seems to belong to an
earlier IKE exchange so that the keys are not available anymore.
Can you check in your log in which exchange the cookies

> pluto[32003]: | ICOOKIE:  0d 59 13 eb  af df ce b2
> pluto[32003]: | RCOOKIE:  5c 40 db 2a  75 f5 d1 91

were used.

I think any further analysis of the strongSwan log does not give
additional information. Upon the reception of the XAUTH request,
the iPhone client should return its username/password. Is there any
prompt on the client or are there any error messages available?

Andreas

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==


_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
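Added example, not code from pluto or from anyone in this thread: a small RFC 2408 ISAKMP header parser that reproduces the decision visible in the quoted log (an encrypted INFORMATIONAL exchange whose cookie pair matches no known ISAKMP SA cannot be decrypted and is dropped as "unknown (expired?) SA"), plus a helper for the cookie search Andreas asks for. The 76-byte packet is rebuilt from the header fields in the log with zero filler where the ciphertext would be; the known-SA cookie pair, the sample log lines and all function names are constructed for this illustration.

```python
"""
Parse an ISAKMP (IKEv1) header per RFC 2408 section 3.1 and apply pluto's
'do we know this SA?' check. Added example; not strongSwan code.
"""
import struct
from dataclasses import dataclass

# Values from RFC 2408 (next payload types, exchange types, flags)
ISAKMP_NEXT_HASH = 8
ISAKMP_XCHG_INFO = 5
ISAKMP_FLAG_ENCRYPTION = 0x01
HEADER_LEN = 28
HEADER_FMT = "!8s8sBBBB4sI"   # icookie, rcookie, np, version, xchg, flags, msgid, length


@dataclass(frozen=True)
class IsakmpHeader:
    icookie: bytes
    rcookie: bytes
    next_payload: int
    version: tuple        # (major, minor) from the two nibbles of the version byte
    exchange_type: int
    flags: int
    message_id: bytes
    length: int


def parse_isakmp_header(packet: bytes) -> IsakmpHeader:
    """Decode the fixed 28-byte header and verify its length field."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than ISAKMP header")
    ic, rc, np, ver, xchg, flags, msgid, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if length != len(packet):
        raise ValueError(f"length field {length} != received {len(packet)} bytes")
    return IsakmpHeader(ic, rc, np, (ver >> 4, ver & 0x0F), xchg, flags, msgid, length)


def classify(hdr: IsakmpHeader, known_sas: dict) -> str:
    """Look the cookie pair up in the SA table the way pluto's state hash does.
    known_sas maps (icookie, rcookie) -> state name. An encrypted message with an
    unknown cookie pair has no keys to decrypt it with, so it is rejected."""
    state = known_sas.get((hdr.icookie, hdr.rcookie))
    if state is not None:
        return f"state {state}"
    if hdr.exchange_type == ISAKMP_XCHG_INFO and hdr.flags & ISAKMP_FLAG_ENCRYPTION:
        return "Informational Exchange is for an unknown (expired?) SA"
    return "state object not found"


def build_packet(icookie, rcookie, next_payload, xchg, flags, msgid, total_len) -> bytes:
    """Assemble a header (version byte 0x10 = 1.0) and pad with filler to total_len."""
    hdr = struct.pack(HEADER_FMT, icookie, rcookie, next_payload, 0x10, xchg, flags, msgid, total_len)
    return hdr + b"\x00" * (total_len - HEADER_LEN)


def find_cookie_uses(log_lines, icookie: bytes) -> list:
    """Return the 1-based log line numbers whose 'ICOOKIE:' hex equals icookie,
    i.e. where in the pluto log that cookie pair was seen before."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if "ICOOKIE:" in line:
            hexstr = line.split("ICOOKIE:", 1)[1].replace(" ", "")
            if bytes.fromhex(hexstr) == icookie:
                hits.append(n)
    return hits


# Rebuilt from the header fields in the quoted log (payload bytes are filler)
LOGGED_PACKET = build_packet(
    bytes.fromhex("0d5913ebafdfceb2"), bytes.fromhex("5c40db2a75f5d191"),
    ISAKMP_NEXT_HASH, ISAKMP_XCHG_INFO, ISAKMP_FLAG_ENCRYPTION,
    bytes.fromhex("e69448f6"), 76)

# Constructed: the gateway only knows SA #1, which lives under another cookie pair
KNOWN_SAS = {(bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")): "#1"}

# Constructed log excerpt: the cookie pair appears once in an earlier exchange
SAMPLE_LOG = [
    "pluto[32003]: | ICOOKIE:  01 02 03 04  05 06 07 08",
    "pluto[32003]: | RCOOKIE:  11 12 13 14  15 16 17 18",
    "pluto[32003]: | ICOOKIE:  0d 59 13 eb  af df ce b2",
    "pluto[32003]: | RCOOKIE:  5c 40 db 2a  75 f5 d1 91",
]

if __name__ == "__main__":
    h = parse_isakmp_header(LOGGED_PACKET)
    print(f"exchange type {h.exchange_type}, flags {h.flags:#x}, version {h.version}")
    print(classify(h, KNOWN_SAS))
    print("cookie seen at log lines", find_cookie_uses(SAMPLE_LOG, h.icookie))
```

Run as a script it prints the rejection string from the log; adding the logged cookie pair to the SA table makes the same packet resolve to a state, which is the difference between the two outcomes Andreas is asking Wolfram to locate in his log.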
