Hi Laurens,

> I've set up a strongSwan server for IKEv2. Connections with the Android
> strongSwan app fail, while using the iOS built-in IKEv2 client works
> without issues. Any ideas on what might be going on?

Looks like it could be an IP fragmentation issue.

> Android strongSwan client server logs:
>
> Jun 29 01:33:15 irkalla charon: 04[NET] received packet: from
> 1.1.1.1[40108] to 2.2.2.2[500] (732 bytes)
> Jun 29 01:33:15 irkalla charon: 04[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N((16431)) N(REDIR_SUP) ]
> Jun 29 01:33:15 irkalla charon: 04[IKE] 1.1.1.1 is initiating an IKE_SA
> Jun 29 01:33:15 irkalla charon: 04[IKE] remote host is behind NAT
> Jun 29 01:33:15 irkalla charon: 04[IKE] DH group ECP_256 inacceptable,
> requesting MODP_2048
> Jun 29 01:33:15 irkalla charon: 04[ENC] generating IKE_SA_INIT response
> 0 [ N(INVAL_KE) ]

Since you don't have the openssl plugin loaded, ECP-256 is not supported by the server, so it requests a different DH group.

> Jun 29 01:33:15 irkalla charon: 04[NET] sending packet: from
> 2.2.2.2[500] to 1.1.1.1[40108] (38 bytes)
> Jun 29 01:33:17 irkalla charon: 08[NET] received packet: from
> 1.1.1.1[40108] to 2.2.2.2[500] (732 bytes)
> Jun 29 01:33:17 irkalla charon: 08[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N((16431)) N(REDIR_SUP) ]

This is a retransmit of the original IKE_SA_INIT request (handling this fails again).

> Jun 29 01:33:17 irkalla charon: 06[NET] received packet: from
> 1.1.1.1[40108] to 2.2.2.2[500] (924 bytes)
> Jun 29 01:33:17 irkalla charon: 06[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N((16431)) N(REDIR_SUP) ]

This is the request with the new DH group.

> Jun 29 01:33:18 irkalla charon: 06[IKE] 1.1.1.1 is initiating an IKE_SA
> Jun 29 01:33:18 irkalla charon: 06[IKE] remote host is behind NAT
> Jun 29 01:33:18 irkalla charon: 06[ENC] generating IKE_SA_INIT response
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Jun 29 01:33:18 irkalla charon: 06[NET] sending packet: from
> 2.2.2.2[500] to 1.1.1.1[40108] (440 bytes)

After sending the IKE_SA_INIT response, the client is expected to send an IKE_AUTH message. If it is too big, it gets fragmented into several IP messages, and some firewalls/routers might drop these. Since the server does not receive any IKE_AUTH messages, it's likely that this happened.

Try configuring `fragmentation=yes` on the server, or select the correct CA certificate in the VPN profile on the client to avoid sending lots of certificate requests.

Regards,
Tobias

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
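As an added illustration of the diagnosis Tobias walks through (this is not code from the thread or from strongSwan): a small Python script that correlates charon log lines per peer and flags two things, an INVAL_KE response (DH group renegotiated) and an IKE_SA_INIT response that is never followed by a parsed IKE_AUTH request, the pattern that points at dropped IP fragments. The log lines are constructed, modelled on the ones quoted above, with a second hypothetical peer 3.3.3.3 added to show what a completed handshake looks like by contrast.

```python
import re
from collections import defaultdict

# Constructed sample log lines, modelled on the charon output quoted in the thread.
SAMPLE_LOG = """\
Jun 29 01:33:15 irkalla charon: 04[NET] received packet: from 1.1.1.1[40108] to 2.2.2.2[500] (732 bytes)
Jun 29 01:33:15 irkalla charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N((16431)) N(REDIR_SUP) ]
Jun 29 01:33:15 irkalla charon: 04[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jun 29 01:33:17 irkalla charon: 06[NET] received packet: from 1.1.1.1[40108] to 2.2.2.2[500] (924 bytes)
Jun 29 01:33:17 irkalla charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N((16431)) N(REDIR_SUP) ]
Jun 29 01:33:18 irkalla charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 29 01:40:02 irkalla charon: 09[NET] received packet: from 3.3.3.3[500] to 2.2.2.2[500] (604 bytes)
Jun 29 01:40:02 irkalla charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 29 01:40:02 irkalla charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 29 01:40:03 irkalla charon: 11[NET] received packet: from 3.3.3.3[4500] to 2.2.2.2[4500] (1212 bytes)
Jun 29 01:40:03 irkalla charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) ]
"""

RECV_RE = re.compile(r"charon: (\d+)\[NET\] received packet: from (\S+?)\[\d+\]")
PARSED_RE = re.compile(r"charon: (\d+)\[ENC\] parsed (\w+) request")
RESP_RE = re.compile(r"charon: (\d+)\[ENC\] generating (\w+) response \d+ \[(.*)\]")

def analyze(log_text):
    """Map each peer IP to handshake findings derived from charon log lines."""
    thread_peer = {}  # charon worker thread -> peer whose packet it is currently handling
    state = defaultdict(lambda: {"invalid_ke": 0, "init_done": False, "auth_seen": False})
    for line in log_text.splitlines():
        if m := RECV_RE.search(line):
            thread_peer[m.group(1)] = m.group(2)
        elif (m := PARSED_RE.search(line)) and m.group(2) == "IKE_AUTH":
            state[thread_peer.get(m.group(1), "unknown")]["auth_seen"] = True
        elif (m := RESP_RE.search(line)) and m.group(2) == "IKE_SA_INIT":
            s = state[thread_peer.get(m.group(1), "unknown")]
            if "N(INVAL_KE)" in m.group(3):
                s["invalid_ke"] += 1       # server rejected the proposed DH group
            elif "KE" in m.group(3).split():
                s["init_done"] = True      # a full IKE_SA_INIT response went out
    findings = {}
    for peer, s in state.items():
        notes = []
        if s["invalid_ke"]:
            notes.append("dh_group_renegotiated")
        if s["init_done"] and not s["auth_seen"]:
            notes.append("no_ike_auth_after_init")  # fragmented IKE_AUTH likely dropped
        findings[peer] = notes
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run against a real journal, the second finding on a peer that otherwise looks healthy is the cue to try `fragmentation=yes` or trim the client's certificate requests, as suggested above.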
