Hello, community

I'm testing a roadwarrior setup with RSA + XAUTH for the Android native client and have a strange issue when my CA key is 4096 bits long. This is my first experience, so maybe I made some silly mistake here.

FreeBSD strongSwan U5.3.0/K10.1-RELEASE-p9

conn %default
    keyexchange=ikev1

conn roadwarrior
    left=xxxxxxxx
    leftid="xxxxxxxx"
    leftauth=pubkey
    leftcert=ipsec-server-cert.pem
    rightdns=192.168.0.1
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsourceip=10.0.10.100/32
    rightauth=pubkey
    rightauth2=xauth
    ike=aes256-sha1-modp1024
    auto=add

The connection just times out at the beginning:
May 21 18:52:39 abinet charon: 12[IKE] sending cert request for "xxxxxxxxx"
May 21 18:52:40 abinet charon: 12[IKE] IKE_SA (unnamed)[8] state change: CONNECTING => DESTROYING

tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:52:49.098162 IP (tos 0x48, ttl 55, id 26506, offset 0, flags [+], proto UDP (17), length 1356) host-117-158-66-217.spbmts.ru.52892 > xxxxxxx.sae-urn: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 705b1cf76fc2b8d9->3a4acae7478d193a: phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1468/ip 1324)
18:52:52.108361 IP (tos 0x48, ttl 55, id 26507, offset 0, flags [+], proto UDP (17), length 1356) host-117-158-66-217.spbmts.ru.52892 > xxxxxxx.sae-urn: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 705b1cf76fc2b8d9->3a4acae7478d193a: phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1468/ip 1324)
18:52:56.153533 IP (tos 0x48, ttl 55, id 26508, offset 0, flags [+], proto UDP (17), length 1356) host-117-158-66-217.spbmts.ru.52892 > xxxxxxx.sae-urn: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 705b1cf76fc2b8d9->3a4acae7478d193a: phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1468/ip 1324)
18:52:57.947470 IP (tos 0x48, ttl 55, id 0, offset 0, flags [DF], proto UDP (17), length 29) host-117-158-66-217.spbmts.ru.52892 > xxxxxxx.sae-urn: [udp sum ok] isakmp-nat-keep-alive
18:52:58.023378 IP (tos 0x48, ttl 55, id 26509, offset 0, flags [+], proto UDP (17), length 1356) host-117-158-66-217.spbmts.ru.52892 > xxxxxxx.sae-urn: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 705b1cf76fc2b8d9->3a4acae7478d193a: phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1468/ip 1324)
18:53:01.039447 IP (tos 0x48, ttl 55, id 26510, offset 0, flags [+], proto UDP (17), length 1356) host-117-158-66-217.spbmts.ru.52892 > xxxxxxx.sae-urn: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 705b1cf76fc2b8d9->3a4acae7478d193a: phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1468/ip 1324)
18:53:04.087247 IP (tos 0x48, ttl 55, id 26511, offset 0, flags [+], proto UDP (17), length 1356) host-117-158-66-217.spbmts.ru.52892 > xxxxxxx.sae-urn: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 705b1cf76fc2b8d9->3a4acae7478d193a: phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1468/ip 1324)
18:53:07.084106 IP (tos 0x48, ttl 55, id 26512, offset 0, flags [+], proto UDP (17), length 1356) host-117-158-66-217.spbmts.ru.52892 > xxxxxxx.sae-urn: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 705b1cf76fc2b8d9->3a4acae7478d193a: phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1468/ip 1324)

Looks like the reason for this is that the UDP packet exceeds the MTU (flag [+] indicates that this is a fragment) and the client is not sending the other part. If I decrease the CA cert length, the packet is < 1356 and the handshake succeeds. The client side just reports a timeout without any errors.

Can you give me some tips on where the root of the problem is: server, client or strongSwan?

Thank you.

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
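To confirm the diagnosis from a capture like the one above (a first fragment with flags [+] and a "len mismatch", but no trailing fragment for the same IP id), here is an added example that is not part of the post or of strongSwan: it parses tcpdump's verbose line format as shown in the post and reports which fragmented ISAKMP datagrams were never completed. The sample lines are constructed (host names shortened, one extra datagram 26520 added whose trailing fragment does arrive).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump lines in the post: two first fragments
# (flags [+]) that are never completed, a NAT keep-alive, and one completed datagram.
SAMPLE = """\
18:52:49.098162 IP (tos 0x48, ttl 55, id 26506, offset 0, flags [+], proto UDP (17), length 1356) client.52892 > gw.sae-urn: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 705b1cf76fc2b8d9->3a4acae7478d193a: phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1468/ip 1324)
18:52:52.108361 IP (tos 0x48, ttl 55, id 26507, offset 0, flags [+], proto UDP (17), length 1356) client.52892 > gw.sae-urn: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 705b1cf76fc2b8d9->3a4acae7478d193a: phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1468/ip 1324)
18:52:57.947470 IP (tos 0x48, ttl 55, id 0, offset 0, flags [DF], proto UDP (17), length 29) client.52892 > gw.sae-urn: [udp sum ok] isakmp-nat-keep-alive
18:53:10.000000 IP (tos 0x48, ttl 55, id 26520, offset 0, flags [+], proto UDP (17), length 1356) client.52892 > gw.sae-urn: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 705b1cf76fc2b8d9->3a4acae7478d193a: phase 1 ? ident[E]: [encrypted id] (len mismatch: isakmp 1468/ip 1324)
18:53:10.000150 IP (tos 0x48, ttl 55, id 26520, offset 1336, flags [none], proto UDP (17), length 164) client > gw: ip-proto-17
"""

IP_HDR = re.compile(r"id (\d+), offset (\d+), flags \[([^\]]*)\], proto UDP \(17\), length (\d+)")
MISMATCH = re.compile(r"len mismatch: isakmp (\d+)/ip (\d+)")


def analyse(text):
    """Group lines by IP id; note whether a fragmented ISAKMP message was ever completed."""
    report = defaultdict(lambda: {"more_fragments": False, "trailing_seen": False,
                                  "isakmp_len": None, "ip_payload": None, "missing_bytes": 0})
    for line in text.splitlines():
        m = IP_HDR.search(line)
        if not m:
            continue
        ip_id, offset, flags = int(m[1]), int(m[2]), m[3]
        entry = report[ip_id]
        if offset == 0:
            # First fragment: "+" means "more fragments follow" (MF bit set).
            entry["more_fragments"] = "+" in flags
            mm = MISMATCH.search(line)
            if mm:
                entry["isakmp_len"], entry["ip_payload"] = int(mm[1]), int(mm[2])
                # Bytes the later fragments must carry before the kernel can reassemble.
                entry["missing_bytes"] = entry["isakmp_len"] - entry["ip_payload"]
        else:
            entry["trailing_seen"] = True  # a non-first fragment for this id arrived
    return dict(report)


def stalled_fragments(text):
    """IP ids whose first fragment announced more fragments that never showed up."""
    return sorted(i for i, e in analyse(text).items()
                  if e["more_fragments"] and not e["trailing_seen"])


if __name__ == "__main__":
    rep = analyse(SAMPLE)
    for ip_id in stalled_fragments(SAMPLE):
        e = rep[ip_id]
        print(f"id {ip_id}: ISAKMP message is {e['isakmp_len']} bytes, first fragment carried "
              f"{e['ip_payload']}, {e['missing_bytes']} bytes never arrived")
```

Run it against `tcpdump -n -v -i em0 udp port 500 or udp port 4500` output captured on the gateway; ids reported as stalled are datagrams whose trailing fragments were dropped somewhere between client and server.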