
List:       strongswan-users
Subject:    Re: [strongSwan] deleting half open IKE_SA after timeout
From:       Denis Zinevich <link () ngc ! net ! ua>
Date:       2015-02-28 21:35:14
Message-ID: 879911425159314 () web10g ! yandex ! ru

Hello,

My previous suggestion was wrong. I've compared tcpdumps on the working and non-working hosts again, and found that in the broken case the client continues to re-send this packet to the server:

19:53:09.673551 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 1212)  93.74.135.165.4500 > 179.179.179.179.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 00000000 cookie 7c7f3d5d2c5f466b->5121f3fa3093c391: phase 1 I ident[E]: [encrypted id]
19:53:09.673935 IP (tos 0x0, ttl 64, id 28340, offset 0, flags [+], proto UDP (17), length 1500)  179.179.179.179.4500 > 93.74.135.165.4500: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 7c7f3d5d2c5f466b->5121f3fa3093c391: phase 1 R ident[E]: [encrypted id] (len mismatch: isakmp 1660/ip 1468)

The server is 179.179.179.179.
I've checked network connectivity via netcat (UDP, both ports, 500 and 4500) - no problems. Unfortunately I didn't manage to dump traffic on the client side since they are mobile devices. Reproducible 100% of the time, tried 2 clients - iOS and Android; both can connect to other servers with the same settings. Asked the hoster about firewall/restrictions - they said nothing is blocked. Checked freeradius - it never receives an auth request from strongswan, so probably the client auth message does not reach the server. But since network connectivity looks fine I can't find any reason why the Xauth packet should be lost. Is there anything special about Xauth that can be blocked by firewalls? I understand that I can't blame strongswan here, it still looks like a network issue, but I need some hints to understand how to debug it further.



27.02.2015, 17:05, "Denis Zinevich" <link@ngc.net.ua>:
> Hello Martin,
> 
> The same client connects to other servers successfully, with the same credentials. After I change the server name - the connection fails. And this happened only with one particular server, so according to your explanation either the client didn't get the XAuth request or the server didn't get the reply. I've just tried to compare tcpdumps from two machines (good and bad ones) and they look similar except one string (with ip-proto-17).
> 
> Thanks for your help, looks like a network issue, will dig in that direction.
> 
> 27.02.2015, 16:50, "Martin Willi" <martin@strongswan.org>:
> > Hi Denis
> > > 07[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> > > 07[NET] sending packet: from 179.179.179.179[4500] to 46.211.133.122[39592] (1660 bytes)
> > > 07[ENC] generating TRANSACTION request 2234314252 [ HASH CPRQ(X_USER X_PWD) ]
> > > 07[NET] sending packet: from 179.179.179.179[4500] to 46.211.133.122[39592] (76 bytes)
> > > 10[IKE] sending retransmit 1 of request message ID 2234314252, seq 1
> > strongSwan requests XAuth authentication from the client, but the client
> > does not seem to answer. Either it does not get the message, the user is
> > not entering the credentials in time, or more likely, it does not expect
> > an XAuth username/password request.
> > 
> > Most likely your client is not configured to do XAuth, or it is one of
> > those clients that want to skip XAuth authentication during the ISAKMP
> > reauthentication procedure (iOS, OS X). We strictly require that, as we
> > think just skipping XAuth is a security issue.
> > 
> > Regards
> > Martin
> 
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
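The thread compares tcpdump captures by eye to spot the retransmitted client packet and the one record that differs. The following is an added example, not code from the thread or from the strongSwan project, that does the same comparison mechanically: it parses tcpdump lines of the exact shape quoted above and reports the indicators that are visible in them (repeated sends of the same cookie pair/message ID, the `[+]` more-fragments flag, and the `len mismatch` between the IKE header length and what the first datagram carries). The sample capture is constructed: the first two records are copied from the mail, the third is a made-up repeat of the client's packet a few seconds later so that retransmission counting has something to find. The script only surfaces these indicators; the thread itself does not establish why the XAuth exchange fails.

```python
import re
from collections import Counter

# Constructed sample capture: records 1 and 2 are copied from the mailing-list
# post, record 3 is a constructed repeat of the client's packet (assumed
# retransmission) so the analysis below has a duplicate to detect.
SAMPLE_CAPTURE = """\
19:53:09.673551 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 1212)  93.74.135.165.4500 > 179.179.179.179.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 00000000 cookie 7c7f3d5d2c5f466b->5121f3fa3093c391: phase 1 I ident[E]: [encrypted id]
19:53:09.673935 IP (tos 0x0, ttl 64, id 28340, offset 0, flags [+], proto UDP (17), length 1500)  179.179.179.179.4500 > 93.74.135.165.4500: NONESP-encap: isakmp 1.0 msgid 00000000 cookie 7c7f3d5d2c5f466b->5121f3fa3093c391: phase 1 R ident[E]: [encrypted id] (len mismatch: isakmp 1660/ip 1468)
19:53:13.674102 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 1212)  93.74.135.165.4500 > 179.179.179.179.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 00000000 cookie 7c7f3d5d2c5f466b->5121f3fa3093c391: phase 1 I ident[E]: [encrypted id]
"""

# One tcpdump -v record of a NAT-T (UDP/4500, NONESP-encap) ISAKMP packet.
# The trailing "len mismatch" group is optional: tcpdump prints it only when
# the ISAKMP header length exceeds the UDP payload it actually saw.
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) IP \(.*?flags \[(?P<flags>[^\]]*)\].*?length (?P<iplen>\d+)\)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*?isakmp 1\.0 msgid (?P<msgid>[0-9a-f]+) cookie "
    r"(?P<icookie>[0-9a-f]+)->(?P<rcookie>[0-9a-f]+): "
    r"phase (?P<phase>\d) (?P<role>[IR]) (?P<exch>[^\s:]+)"
    r"(?:.*?len mismatch: isakmp (?P<ikelen>\d+)/ip (?P<udplen>\d+))?"
)


def parse_record(line):
    """Parse one tcpdump line into a dict, or return None if it is not an ISAKMP record."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("iplen", "sport", "dport", "phase"):
        rec[key] = int(rec[key])
    # "[+]" is tcpdump's more-fragments flag: this datagram is the first
    # fragment of a larger IP packet, and the rest travels separately.
    rec["fragmented"] = "+" in rec["flags"]
    rec["ikelen"] = int(rec["ikelen"]) if rec["ikelen"] else None
    rec["udplen"] = int(rec["udplen"]) if rec["udplen"] else None
    return rec


def analyse(capture):
    """Return (records, findings) for a block of tcpdump text."""
    records = [r for r in (parse_record(l) for l in capture.splitlines()) if r]
    findings = []
    seen = Counter()
    for r in records:
        # Same sender, cookie pair, message ID, role and exchange type seen
        # again means the peer is retransmitting: it never got an answer.
        key = (r["src"], r["icookie"], r["rcookie"], r["msgid"], r["role"], r["exch"])
        seen[key] += 1
        if seen[key] > 1:
            findings.append(
                f"retransmit #{seen[key] - 1} of {r['role']} {r['exch']} "
                f"msgid {r['msgid']} from {r['src']} at {r['ts']}"
            )
        if r["fragmented"]:
            findings.append(
                f"IP-fragmented IKE message from {r['src']} "
                f"(first fragment ip length {r['iplen']}, more fragments follow)"
            )
        if r["ikelen"] and r["udplen"] and r["ikelen"] > r["udplen"]:
            # With a 1500-byte datagram: 1500 - 20 (IP) - 8 (UDP) - 4 (NONESP
            # marker) = 1468 bytes of ISAKMP in the first fragment, which is
            # exactly the "ip 1468" tcpdump reports against "isakmp 1660".
            findings.append(
                f"IKE header claims {r['ikelen']} bytes but the first datagram "
                f"carries {r['udplen']}; the remaining {r['ikelen'] - r['udplen']} "
                f"bytes depend on later fragments arriving"
            )
    return records, findings


if __name__ == "__main__":
    recs, notes = analyse(SAMPLE_CAPTURE)
    print(f"{len(recs)} ISAKMP records parsed")
    for note in notes:
        print(" -", note)
```

Run it against a real `tcpdump -v -n udp port 4500` capture by piping the text into `analyse()`. The value of doing this on both the working and the broken host is that the findings lists can be diffed directly, which is the comparison the thread performs by hand; a fragmented server response that shows up only on the broken host is then a concrete thing to check on the path between the two peers, rather than a guess.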

