Hi Laurens,

>>> openssl:
>>> ...
>>> DH:ECP_256
>>> ...
>>
>> Ah yes. It's because the default IKE proposal in versions before 5.4.0
>> listed ECP_256 after MODP_2048 and the server always preferred its own
>> proposals (this can be changed with the upcoming 5.5.0 release). So it
>> insists on using MODP_2048 even if it supports ECP_256.
>
> I can just ignore this for now?

Probably, I currently don't see how this could cause the problem (unless e.g. your NAT router does something strange). But you could also try to configure a different IKE proposal (one that lists ecp256 before modp2048).

>>> I've added 'fragmentation=yes' to the server, same issue.
>>
>> Please have a look at the client log. Does it send an IKE_AUTH
>> message?
>> Is it fragmented? If so, check with Wireshark/tcpdump on the server
>> whether any packets arrive.
>
> I can send log files from working & non working sessions.

If you have server and client logs of a working and a non-working session that might help. The server log of a working session with the iPhone might be useful too.

>>> and the Android phone (which almost always fails)
>>
>> What do you mean "almost always"?
>
> It works _sometimes_. From my point of view, there's nothing different
> between when it works and when it doesn't work... What is strange here
> is that using my iPhone on my home wifi always works. Using Android (I
> have 2 Android different phones, same issue), this rarely works.

That really sounds strange.

Regards,
Tobias
