Hi Tobias,

Thanks for your answer. The phone indicates an invalid value of SQN, see the logs below:

04-20 13:23:11.242 1000 5204 5247 I eris : 14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]
04-20 13:23:11.242 1000 5204 5247 I eris : 14[DMN] simID : 0
04-20 13:23:11.316 1000 5204 5247 I eris : 14[LIB] rossoneri get_quintuplet() EC_USIM_SYNC_FAILED
04-20 13:23:11.316 1000 5204 5247 I eris : 14[LIB] rossoneri: resync()
*04-20 13:23:11.316 1000 5204 5247 I eris : 14[IKE] received SQN invalid, sending AKA_SYNCHRONIZATION_FAILURE*
04-20 13:23:11.317 1000 5204 5247 I eris : 14[ENC] generating IKE_AUTH request 3 [ EAP/RES/AKA ]
04-20 13:23:11.317 1000 5204 5247 I eris : 14[NET] sending packet: from 192.168.137.201[38316] to 192.168.137.194[4500] (92 bytes)
04-20 13:23:11.344 1000 5204 5257 I eris : 15[NET] received packet: from 192.168.137.194[4500] to 192.168.137.201[38316] (220 bytes)
04-20 13:23:11.344 1000 5204 5257 I eris : 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/AKA ]
04-20 13:23:11.344 1000 5204 5257 I eris : 15[DMN] simID : 0
04-20 13:23:11.414 1000 5204 5257 I eris : 15[LIB] rossoneri get_quintuplet() EC_USIM_SYNC_FAILED
04-20 13:23:11.414 1000 5204 5257 I eris : 15[LIB] rossoneri: resync()
04-20 13:23:11.414 1000 5204 5257 I eris : 15[IKE] received SQN invalid, sending AKA_SYNCHRONIZATION_FAILURE
04-20 13:23:11.415 1000 5204 5257 I eris : 15[ENC] generating IKE_AUTH request 4 [ EAP/RES/AKA ]
04-20 13:23:11.415 1000 5204 5257 I eris : 15[NET] sending packet: from 192.168.137.201[38316] to 192.168.137.194[4500] (92 bytes)
04-20 13:23:11.446 1000 5204 5247 I eris : 14[NET] received packet: from 192.168.137.194[4500] to 192.168.137.201[38316] (76 bytes)
04-20 13:23:11.446 1000 5204 5247 I eris : 14[ENC] parsed IKE_AUTH response 4 [ EAP/FAIL ]
04-20 13:23:11.447 1000 5204 5247 I eris : 14[IKE] received EAP_FAILURE, EAP authentication failed

Unfortunately, I am not able to get more detailed logs. Regarding the plugin, I'm using eap-aka-3gpp, as it provides support for the Milenage algorithm (the eap-aka-3gpp2 didn't work for me).
Do you think that the EPDG (strongswan) has been resynchronized? And because of time-based SQN generation it generates the invalid SQN? How could we fix it potentially?

Regards,
Tomek

Wed, 24 Apr 2019 at 10:21 Tobias Brunner <[email protected]> wrote:

> Hi Tomek,
>
> > However, the
> > phone didn't accept the new AUTN and sent synchronization failure again.
>
> Does it report the reason why it does so?
>
> > Do you have any idea why the phone is sending the
> > AKA_SYNCHRONIZATION_FAILURE?
>
> No. You should really check the logs there to see why it does.
>
> > In the meantime, I was changing some
> > configuration parameters to deal with another issue. Can this issue be
> > caused by some configuration parameter?
>
> Maybe. Without knowing what you changed it's hard to tell.
>
> Which plugin are you using on the server? Because I noticed that the
> eap-aka-3gpp2 plugin (as compared to the eap-aka-3gpp plugin) does not
> increase SQN with each get_quintuplet() call, which seems like a bug.
> However, that should not have an effect right after the resync as that
> explicitly sets SQN to the supplied value + 1. And I also saw that both
> plugins use a global, non-persistent and initially time-based SQN, which
> might not work well with multiple clients (in particular if they
> connect concurrently and/or resync). So I guess these two plugins are
> really only intended for testing.
>
> Regards,
> Tobias
>
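
Added example, not part of the original thread and not strongSwan code: a small triage script that separates an ordinary resync (one AKA_SYNCHRONIZATION_FAILURE) from the case reported here, where the challenge issued after the resync is rejected too. The function names are hypothetical, the log format is assumed to be the logcat-prefixed one shown in the message, and the sample lines are a subset copied from that log.

```python
import re

# Sample lines copied from the log in the message above (subset, in order).
SAMPLE = """\
04-20 13:23:11.242 1000 5204 5247 I eris : 14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]
*04-20 13:23:11.316 1000 5204 5247 I eris : 14[IKE] received SQN invalid, sending AKA_SYNCHRONIZATION_FAILURE*
04-20 13:23:11.344 1000 5204 5257 I eris : 15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/AKA ]
04-20 13:23:11.414 1000 5204 5257 I eris : 15[IKE] received SQN invalid, sending AKA_SYNCHRONIZATION_FAILURE
04-20 13:23:11.446 1000 5204 5247 I eris : 14[ENC] parsed IKE_AUTH response 4 [ EAP/FAIL ]
04-20 13:23:11.447 1000 5204 5247 I eris : 14[IKE] received EAP_FAILURE, EAP authentication failed
"""

# logcat prefix, then "<thread>[<GROUP>] <message>" as in the log above.
LINE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s.*?:\s(\d+)\[(\w+)\]\s(.*)$")

def parse(text):
    """Yield (timestamp, group, message) for each well-formed line."""
    for raw in text.splitlines():
        # Tolerate the '*' emphasis markers used in the mail.
        m = LINE.match(raw.strip().strip("*"))
        if m:
            yield m.group(1), m.group(3), m.group(4)

def classify(text):
    """Summarise one EAP-AKA attempt (hypothetical helper)."""
    result = {"challenges": 0, "sync_failures": 0, "eap_failed": False}
    for _ts, group, msg in parse(text):
        if group == "ENC" and msg.startswith("parsed") and "EAP/REQ/AKA" in msg:
            result["challenges"] += 1
        elif "AKA_SYNCHRONIZATION_FAILURE" in msg:
            result["sync_failures"] += 1
        elif "EAP_FAILURE" in msg:
            result["eap_failed"] = True
    # A single sync failure is an ordinary resync request. A second one means
    # the challenge issued after the resync was rejected as well.
    result["resync_rejected"] = result["sync_failures"] >= 2
    return result

if __name__ == "__main__":
    print(classify(SAMPLE))
```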
