Hi Tobias,

On 03/15/16 12:13, Tobias Brunner wrote:
> Hi Harald,
>
>> I have no idea why the Mac opens a new session now, instead of relying upon
>> the old IKE_SA, but it seems to me that the Mac missed to send xauth info.
>> Is this correct?
>
> Yes, looks that way. Which is strange because while in the previous
> reconnection attempt the client did not request a virtual IP it did at least
> respond to the XAuth request. Here it apparently does neither before sending
> a Quick Mode request. Maybe it's a reauthentication. This was a
> problem with (older) iOS versions, which led to the development of the
> xauth-noauth plugin [1].

I have one suspect here: The previous session was done in the office in a WLAN
setup with an AirPort Extreme. I don't have such a device at home. From what I
can tell these AirPorts act very strange wrt other Apple devices that went to
sleep.

> Try checking the client log.
>

Good idea:

Mar 12 11:55:17 ppcm018 racoon[6849]: >>>>> phase change status = Phase 1 started by peer
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: receive success. (Initiator, Main-Mode message 2).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: receive success. (Initiator, Main-Mode message 4).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).
Mar 12 11:55:17 ppcm018 racoon[6849]: mode config 6 from 10.0.0.17[4500], but ISAKMP-SA 0c6de9a361463a33:612f076cd8c70cd6 isn't established.
Mar 12 11:55:17 ppcm018 racoon[6849]: preexisting CERT payload... chaining.
Mar 12 11:55:17 ppcm018 racoon[6849]: IKEv1 Phase 1 AUTH: success. (Initiator, Main-Mode Message 6).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: receive success. (Initiator, Main-Mode message 6).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKEv1 Phase 1 Initiator: success. (Initiator, Main-Mode).
Mar 12 11:55:17 ppcm018 racoon[6849]: IPSec Phase 1 established (Initiated by me).
Mar 12 11:55:17 ppcm018 racoon[6849]: IPSec Phase 2 started (Initiated by me).
Mar 12 11:55:17 ppcm018 racoon[6849]: >>>>> phase change status = Phase 2 started
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Mar 12 11:55:19 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:21 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:22 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:24 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:26 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:27 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:29 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:30 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:34 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:35 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:37 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:40 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:43 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:47 ppcm018 racoon[6849]: IPSec disconnecting from server 10.0.0.17
Mar 12 11:55:47 ppcm018 racoon[6849]: IKE Packet: transmit success. (Information message).
Mar 12 11:55:47 ppcm018 racoon[6849]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Mar 12 11:55:47 ppcm018 racoon[6849]: IPSec disconnecting from server 10.0.0.17
Mar 12 11:55:47 ppcm018 racoon[6849]: glob found no matches for path "/var/run/racoon/*.conf"
Mar 12 11:55:49 ppcm018 racoon[6849]: Internal error - attempt to re-send Phase 2 with no Phase 1 bound.

Obviously the protocol diverged at 11:55:19 (MacBook time).

Do you think it would be reasonable to contact somebody at Apple directly? I
tried the recommended procedure (post in the Apple forums) once, but this was
a frustrating experience.

Regards
Harri
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
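
Added example, not part of the original message and not strongSwan or Apple code: a small triage script for client-side racoon syslog lines like the ones quoted above. It reports the mode config message racoon discarded before the ISAKMP-SA was established, the first Phase 2 failure time, and whether Quick Mode was sent but never answered. The function and key names are hypothetical, and the "receive success ... Quick-Mode message" wording for a reply is an assumption modelled on the Main-Mode lines in the log.

```python
import re

# Excerpt of the racoon log quoted in the message (shortened, not the full log).
SAMPLE = """\
Mar 12 11:55:17 ppcm018 racoon[6849]: mode config 6 from 10.0.0.17[4500], but ISAKMP-SA 0c6de9a361463a33:612f076cd8c70cd6 isn't established.
Mar 12 11:55:17 ppcm018 racoon[6849]: IPSec Phase 1 established (Initiated by me).
Mar 12 11:55:17 ppcm018 racoon[6849]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Mar 12 11:55:19 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:21 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:22 ppcm018 racoon[6849]: failed to begin ipsec sa negotiation.
Mar 12 11:55:24 ppcm018 racoon[6849]: IKE Packet: transmit success. (Phase 2 Retransmit).
Mar 12 11:55:47 ppcm018 racoon[6849]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
"""

LINE = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) \S+ racoon\[\d+\]: (.*)$")
DROPPED = re.compile(r"^mode config \d+ from (\S+), but ISAKMP-SA \S+ isn't established")

def triage(text):
    """Summarise one client-side IKEv1 attempt from racoon syslog lines."""
    s = {"dropped_mode_config_from": None, "phase1_established": False,
         "quick_mode_sent": 0, "quick_mode_replies": 0,
         "phase2_retransmits": 0, "first_failure": None, "sa_deleted": False}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip anything that is not a racoon syslog line
        ts, msg = m.groups()
        d = DROPPED.match(msg)
        if d:
            s["dropped_mode_config_from"] = d.group(1)
        elif "Phase 1 established" in msg:
            s["phase1_established"] = True
        elif "Quick-Mode message" in msg:
            # Assumption: replies are logged as "receive success. (..., Quick-Mode message N)".
            key = "quick_mode_sent" if "transmit" in msg else "quick_mode_replies"
            s[key] += 1
        elif "(Phase 2 Retransmit)" in msg:
            s["phase2_retransmits"] += 1
        elif msg.startswith("failed to begin ipsec sa negotiation"):
            s["first_failure"] = s["first_failure"] or ts
        elif "Delete ISAKMP-SA" in msg:
            s["sa_deleted"] = True
    # Pattern seen in the thread: Phase 1 is up, Quick Mode is sent and only retransmitted.
    s["stalled_before_phase2"] = (s["phase1_established"] and s["quick_mode_sent"] > 0
                                  and s["quick_mode_replies"] == 0
                                  and s["phase2_retransmits"] > 0)
    return s

if __name__ == "__main__":
    print(triage(SAMPLE))
```
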
