Hello, I am really stuck with this problem - iOS 7.0.4 fails to connect to StrongSwan5.1.1 after some idle time. Any help would be highly appreciated.
Short description:
-------------------------
When the iOS device is set up for the first time, everything works fine. But after some idle time (roughly an hour or so), the VPN fails to connect. This happens at random times. In some cases, after several minutes of retrying, the VPN connects back.

Our setup: It's based on http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)

Detailed description:
-------------------------
1) Client connects for the first time. Everything works fine.

2) Some minutes later the client connects again (?)

00:46:46 racoon[7636] <Notice>: >>>>> phase change status = Phase 1 established
...
00:46:46 racoon[7636] <Notice>: >>>>> phase change status = Phase 2 established

and the server indicates that there are duplicates:

00:46:44 charon: 01[IKE] deleting duplicate IKE_SA for peer 'O=xx, OU=Customer, CN=yy' due to uniqueness policy
00:46:44 charon: 01[IKE] deleting IKE_SA ios[304] between xxxx[C=XX, O=XX, OU=XX, CN=XX]...x.x.x.x[O=xx, OU=xx, CN=yy]

nevertheless the connection has been established:

00:46:44 charon: 02[IKE] CHILD_SA ios{261} established with SPIs c6291699_i 010608d9_o and TS 0.0.0.0/0 === 198.18.64.2/32

3) Some minutes later, the client shows "IKE FAILED. phase 6, assert 0" and keeps trying to connect, but fails:

00:49:21 configd[42] <Error>: IPSec Controller: IKE FAILED. phase 6, assert 0
00:49:21 configd[42] <Notice>: IPSec disconnecting from server xxxx
00:49:21 kernel[0] <Debug>: SIOCPROTODETACH_IN6: utun0 error=6
00:49:21 configd[42] <Notice>: network changed: v4(en0:10.64.18.135, utun0-:198.18.64.2) DNS! Proxy!
00:49:21 configd[42] <Notice>: network changed.
00:49:21 configd[42] <Notice>: SCNC: stop, triggered by (85) apsd, type IPSec, reason User Requested
00:49:21 racoon[7636] <Notice>: IPSec disconnecting from server xxxx
00:49:21 racoon[7636] <Error>: failed to send vpn_control message: Broken pipe
00:49:21 racoon[7636] <Warning>: glob found no matches for path "/var/run/racoon/*.conf"
00:49:21 mDNSResponder[50] <Error>: getExtendedFlags: SIOCGIFEFLAGS failed, errno = 6 (Device not configured)
00:49:21 racoon[7636] <Notice>: IPSec disconnecting from server xxxx
00:49:21 racoon[7636] <Error>: pfkey DELETE failed: No such file or directory

The server log does not have anything from the client.

4) At some point the server started to receive connection attempts, but it looks like the client is not "willing to cooperate":

08:02:38 charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
08:02:38 charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
08:02:38 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
08:02:38 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
08:02:38 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
08:02:38 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
08:02:38 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
08:02:38 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
08:02:38 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
08:02:38 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
08:02:38 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
08:02:38 charon: 12[IKE] received XAuth vendor ID
08:02:38 charon: 12[IKE] received Cisco Unity vendor ID
08:02:38 charon: 12[IKE] received FRAGMENTATION vendor ID
08:02:38 charon: 12[IKE] received DPD vendor ID
08:02:38 charon: 12[IKE] pp.qq.rr.ss is initiating a Main Mode IKE_SA
08:02:38 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
08:02:38 charon: 12[NET] sending packet: from aa.bb.cc.dd[500] to pp.qq.rr.ss[19885] (136 bytes)
08:02:39 charon: 03[NET] received packet: from pp.qq.rr.ss[19885] to aa.bb.cc.dd[500] (292 bytes)
08:02:39 charon: 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
08:02:39 charon: 03[IKE] remote host is behind NAT
08:02:39 charon: 03[IKE] sending cert request for "C=XX, O=XX, OU=XX, CN=XX"
08:02:39 charon: 03[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
08:02:39 charon: 03[NET] sending packet: from aa.bb.cc.dd[500] to pp.qq.rr.ss[19885] (396 bytes)
08:03:08 charon: 01[JOB] deleting half open IKE_SA after timeout

We also tried "dpdaction=clear" but it didn't help.

Thanks a lot in advance for any tips!

--
-Lev
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
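The charon log excerpts above contain the three server-side events worth correlating when chasing a reconnect problem like this one: a "deleting duplicate IKE_SA ... due to uniqueness policy" line (the peer came back while its old SA was still alive), a "CHILD_SA ... established" line (the new tunnel did come up), and a "deleting half open IKE_SA after timeout" line (the peer started Main Mode but never completed it; charon drops such half-open SAs after its half-open timeout, 30 s by default). The following Python script is an added example, not part of the original post or of strongSwan: it parses the charon message format shown in the post, pairs each half-open deletion with the most recent unmatched "is initiating a Main Mode IKE_SA" line to compute how long the handshake stalled, and reports the result. The sample log is constructed from the lines quoted above; peer names and addresses are the post's placeholders.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample, modelled on the charon lines quoted in the post above
# (not a real capture; addresses and DNs are the post's own placeholders).
SAMPLE_LOG = """\
00:46:44 charon: 01[IKE] deleting duplicate IKE_SA for peer 'O=xx, OU=Customer, CN=yy' due to uniqueness policy
00:46:44 charon: 01[IKE] deleting IKE_SA ios[304] between xxxx[C=XX, O=XX, OU=XX, CN=XX]...x.x.x.x[O=xx, OU=xx, CN=yy]
00:46:44 charon: 02[IKE] CHILD_SA ios{261} established with SPIs c6291699_i 010608d9_o and TS 0.0.0.0/0 === 198.18.64.2/32
08:02:38 charon: 12[IKE] pp.qq.rr.ss is initiating a Main Mode IKE_SA
08:02:38 charon: 12[NET] sending packet: from aa.bb.cc.dd[500] to pp.qq.rr.ss[19885] (136 bytes)
08:02:39 charon: 03[IKE] remote host is behind NAT
08:03:08 charon: 01[JOB] deleting half open IKE_SA after timeout
"""

# Header of every charon line as syslog shows it: HH:MM:SS, thread number, log group, message.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}) charon: (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
DUP_RE = re.compile(r"deleting duplicate IKE_SA for peer '(?P<peer>[^']*)' due to uniqueness policy")
CHILD_RE = re.compile(r"CHILD_SA (?P<conn>\S+) established with SPIs (?P<spi_i>[0-9a-f]+)_i "
                      r"(?P<spi_o>[0-9a-f]+)_o and TS (?P<ts>.*)$")
INIT_RE = re.compile(r"^(?P<addr>\S+) is initiating a (?P<mode>Main|Aggressive) Mode IKE_SA$")
HALF_OPEN_MSG = "deleting half open IKE_SA after timeout"


@dataclass
class Summary:
    duplicates: List[Tuple[str, str]] = field(default_factory=list)        # (time, peer identity)
    child_sas: List[Tuple[str, str, str]] = field(default_factory=list)    # (time, connection, traffic selectors)
    half_open: List[Tuple[str, Optional[str], Optional[float]]] = field(default_factory=list)  # (time, initiator, stall seconds)
    unparsed: int = 0


def _seconds_between(start: str, end: str) -> float:
    """Elapsed seconds between two HH:MM:SS stamps, tolerating one midnight wrap."""
    delta = (datetime.strptime(end, "%H:%M:%S") - datetime.strptime(start, "%H:%M:%S")).total_seconds()
    return delta + 86400 if delta < 0 else delta


def triage(log_text: str) -> Summary:
    """Extract the reconnect-relevant events from charon log text."""
    summary = Summary()
    pending_inits: List[Tuple[str, str]] = []  # (time, peer address) awaiting completion or timeout
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            summary.unparsed += 1
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (d := DUP_RE.search(msg)):
            summary.duplicates.append((ts, d.group("peer")))
        elif (c := CHILD_RE.search(msg)):
            summary.child_sas.append((ts, c.group("conn"), c.group("ts")))
        elif (i := INIT_RE.match(msg)):
            pending_inits.append((ts, i.group("addr")))
        elif msg == HALF_OPEN_MSG:
            # Oldest unmatched Main Mode initiation is the one that just timed out (FIFO pairing).
            if pending_inits:
                init_ts, addr = pending_inits.pop(0)
                summary.half_open.append((ts, addr, _seconds_between(init_ts, ts)))
            else:
                summary.half_open.append((ts, None, None))
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for ts, peer in s.duplicates:
        print(f"{ts} duplicate IKE_SA replaced for peer {peer!r}")
    for ts, conn, sel in s.child_sas:
        print(f"{ts} CHILD_SA {conn} up, TS {sel}")
    for ts, addr, stalled in s.half_open:
        print(f"{ts} half-open IKE_SA dropped, initiator={addr}, stalled {stalled} s")
    print(f"unparsed lines: {s.unparsed}")
```

Run it against a real `/var/log` extract by replacing `SAMPLE_LOG` with the file contents; a stall of roughly 30 s on every half-open deletion means the client sent the first Main Mode message and never answered the server's KE/CERTREQ reply, which is exactly the shape of step 4 above.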
