I tried to use EAP with username/password in Windows as you said, then I got almost the same log:

Nov 8 18:42:29 13[NET] <8> received packet: from 183.131.17.162[370] to 47.90.13.129[500] (880 bytes)
Nov 8 18:42:29 13[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov 8 18:42:29 13[IKE] <8> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Nov 8 18:42:29 13[IKE] <8> received MS-Negotiation Discovery Capable vendor ID
Nov 8 18:42:29 13[IKE] <8> received Vid-Initial-Contact vendor ID
Nov 8 18:42:29 13[ENC] <8> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Nov 8 18:42:29 13[IKE] <8> 183.131.17.162 is initiating an IKE_SA
Nov 8 18:42:29 13[IKE] <8> remote host is behind NAT
Nov 8 18:42:29 13[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 8 18:42:29 13[NET] <8> sending packet: from 47.90.13.129[500] to 183.131.17.162[370] (312 bytes)
Nov 8 18:42:30 12[NET] <8> received packet: from 183.131.17.162[370] to 47.90.13.129[500] (880 bytes)
Nov 8 18:42:30 12[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov 8 18:42:30 12[IKE] <8> received retransmit of request with ID 0, retransmitting response
Nov 8 18:42:30 12[NET] <8> sending packet: from 47.90.13.129[500] to 183.131.17.162[370] (312 bytes)
Nov 8 18:42:31 09[NET] <8> received packet: from 183.131.17.162[370] to 47.90.13.129[500] (880 bytes)
Nov 8 18:42:31 09[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov 8 18:42:31 09[IKE] <8> received retransmit of request with ID 0, retransmitting response
Nov 8 18:42:31 09[NET] <8> sending packet: from 47.90.13.129[500] to 183.131.17.162[370] (312 bytes)
And I also tried using my iPhone to connect to my VPN with username/password in IPsec, then I got this log:

Nov 8 19:14:40 05[NET] <38> received packet: from 112.64.189.137[25840] to 47.90.13.129[500] (848 bytes)
Nov 8 19:14:40 05[ENC] <38> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Nov 8 19:14:40 05[IKE] <38> received NAT-T (RFC 3947) vendor ID
Nov 8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike vendor ID
Nov 8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Nov 8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Nov 8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Nov 8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Nov 8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Nov 8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Nov 8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Nov 8 19:14:40 05[IKE] <38> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 8 19:14:40 05[IKE] <38> received XAuth vendor ID
Nov 8 19:14:40 05[IKE] <38> received Cisco Unity vendor ID
Nov 8 19:14:40 05[IKE] <38> received FRAGMENTATION vendor ID
Nov 8 19:14:40 05[IKE] <38> received DPD vendor ID
Nov 8 19:14:40 05[IKE] <38> 112.64.189.137 is initiating a Main Mode IKE_SA
Nov 8 19:14:40 05[ENC] <38> generating ID_PROT response 0 [ SA V V V V ]
Nov 8 19:14:40 05[NET] <38> sending packet: from 47.90.13.129[500] to 112.64.189.137[25840] (160 bytes)
Nov 8 19:14:43 06[NET] <38> received packet: from 112.64.189.137[25840] to 47.90.13.129[500] (848 bytes)
Nov 8 19:14:43 06[IKE] <38> received retransmit of request with ID 0, retransmitting response
Nov 8 19:14:43 06[NET] <38> sending packet: from 47.90.13.129[500] to 112.64.189.137[25840] (160 bytes)
Nov 8 19:14:47 12[NET] <38> received packet: from 112.64.189.137[25840] to 47.90.13.129[500] (848 bytes)
Nov 8 19:14:47 12[IKE] <38> received retransmit of request with ID 0, retransmitting response
Nov 8 19:14:47 12[NET] <38> sending packet: from 47.90.13.129[500] to 112.64.189.137[25840] (160 bytes)

At last I still do not know where the problem is. :(

2017-11-07 21:37 GMT+08:00 Tobias Brunner <[email protected]>:
> Hi Joshua,
>
> > I got some problems about the configuration of strongswan, no matter
> > how I configured the IKEv2 connection just couldn't establish.
>
> This doesn't look like a configuration issue but a network problem. The
> client does not seem to receive the IKE_SA_INIT response sent by the
> server (at least initially) and, therefore, retransmits the request a
> couple of times. It seems to stop after two retransmits so it might
> have received the response eventually. But since the server doesn't
> receive an IKE_AUTH request it could mean that there is an IP
> fragmentation issue (also check for errors on the client). If the
> IKE_AUTH request gets too big (e.g. because of lots of certificate
> requests or a large client certificate) it gets fragmented into multiple
> IP packets and if some firewall/router between client and server drops
> such fragments the server won't receive the full message.
>
> As this seems to be a Windows client you might not have a lot of options
> as Windows doesn't support IKEv2 fragmentation. If you use certificate
> authentication for the client you could try to switch to EAP with
> username/password (but it's possible that the server's IKE_AUTH response
> will get fragmented too). Also see [1].
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/issues/965#note-1
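The diagnosis in the quoted reply is a recognisable log pattern: the responder answers the first exchange, sees the same request retransmitted, and never parses the follow-up message (IKE_AUTH for IKEv2, or the ID_PROT message carrying KE for IKEv1 Main Mode). The script below is an added example, not part of this thread and not a strongSwan tool; it runs that check over charon log lines so that a stalled peer stands out from one that progressed. The log lines in it are constructed to mirror the ones posted above, with RFC 5737 documentation addresses instead of the real ones, and the log format it parses is the standard charon syslog shape seen in those posts.

```python
"""Flag IKE handshakes that stall after the first exchange in strongSwan logs.

Added example (not strongSwan's own code). It encodes the reasoning from the
reply above: if the responder has generated an IKE_SA_INIT (or ID_PROT)
response, then sees retransmits of that request, and never parses the
follow-up request, the problem is on the path (e.g. dropped IP fragments),
not in ipsec.conf.
"""
import re
from collections import defaultdict

# Shape of a charon syslog line, e.g.
#   Nov 8 18:42:29 13[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No ... ]
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?P<sa>\d+)> (?P<msg>.*)$"
)
PEER_RE = re.compile(r"received packet: from (?P<ip>[\d.:a-fA-F]+)\[\d+\]")


def parse(lines):
    """Yield (ike_sa_id, message) for every line that looks like a charon log line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("sa"), m.group("msg")


def _new_state():
    return {"peer": None, "nat": False, "version": None,
            "first_resp": 0, "retransmits": 0, "followup_req": 0}


def analyze(lines):
    """Return {ike_sa_id: state}; state['verdict'] classifies the handshake."""
    sas = defaultdict(_new_state)
    for sa, msg in parse(lines):
        s = sas[sa]
        m = PEER_RE.search(msg)
        if m:
            s["peer"] = m.group("ip")
        if "is behind NAT" in msg:
            s["nat"] = True
        # IKEv2: first exchange is IKE_SA_INIT, follow-up is IKE_AUTH.
        if "parsed IKE_SA_INIT request" in msg:
            s["version"] = 2
        elif "generating IKE_SA_INIT response" in msg:
            s["first_resp"] += 1
        elif "parsed IKE_AUTH request" in msg:
            s["followup_req"] += 1
        # IKEv1 Main Mode: every message is ID_PROT; message 1 carries SA and
        # message 3 (the one missing in the stalled iPhone log) carries KE.
        elif "parsed ID_PROT request" in msg and "[ SA" in msg:
            s["version"] = 1
        elif "parsed ID_PROT request" in msg and "[ KE" in msg:
            s["followup_req"] += 1
        elif "generating ID_PROT response" in msg:
            s["first_resp"] += 1
        elif "received retransmit of request" in msg:
            s["retransmits"] += 1
    for s in sas.values():
        if s["first_resp"] and s["retransmits"] and not s["followup_req"]:
            s["verdict"] = "stalled-after-first-exchange"
        elif s["followup_req"]:
            s["verdict"] = "progressed"
        else:
            s["verdict"] = "incomplete"
    return dict(sas)


def stalled(lines):
    """(ike_sa_id, peer) for every SA that never got past the first exchange."""
    return sorted(((sa, s["peer"]) for sa, s in analyze(lines).items()
                   if s["verdict"] == "stalled-after-first-exchange"),
                  key=lambda t: int(t[0]))


# Constructed sample: <8> mirrors the Windows IKEv2 log, <38> the iPhone IKEv1
# log, and <9> is a healthy IKEv2 peer whose IKE_AUTH did arrive.
SAMPLE_LOG = """\
Nov 8 18:42:29 13[NET] <8> received packet: from 198.51.100.7[500] to 203.0.113.1[500] (880 bytes)
Nov 8 18:42:29 13[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Nov 8 18:42:29 13[IKE] <8> remote host is behind NAT
Nov 8 18:42:29 13[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 8 18:42:30 12[IKE] <8> received retransmit of request with ID 0, retransmitting response
Nov 8 18:42:31 09[IKE] <8> received retransmit of request with ID 0, retransmitting response
Nov 8 18:50:02 07[NET] <9> received packet: from 198.51.100.9[500] to 203.0.113.1[500] (880 bytes)
Nov 8 18:50:02 07[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 8 18:50:02 07[ENC] <9> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Nov 8 18:50:03 07[ENC] <9> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr ]
Nov 8 19:14:40 05[NET] <38> received packet: from 198.51.100.23[25840] to 203.0.113.1[500] (848 bytes)
Nov 8 19:14:40 05[ENC] <38> parsed ID_PROT request 0 [ SA V V V V ]
Nov 8 19:14:40 05[ENC] <38> generating ID_PROT response 0 [ SA V V V V ]
Nov 8 19:14:43 06[IKE] <38> received retransmit of request with ID 0, retransmitting response
Nov 8 19:14:47 12[IKE] <38> received retransmit of request with ID 0, retransmitting response
"""

if __name__ == "__main__":
    for sa, s in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"IKE_SA <{sa}> peer={s['peer']} IKEv{s['version']} "
              f"nat={s['nat']} retransmits={s['retransmits']} -> {s['verdict']}")
```

Run it against a real charon log with `analyze(open("/var/log/daemon.log").read().splitlines())`; an SA that comes back as stalled is the one to chase with a packet capture on both ends, comparing the IKE_AUTH (or third Main Mode) packet the client sends with what arrives at the server, before touching the connection definition.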
