[Swan] IKEv2 connection from Android drops after a few minutes

Beat Zahnd beat.zahnd at gmail.com
Thu Mar 12 22:53:20 UTC 2020


> Then the client should not use its IP address as IKE ID, but use the certificate DN.

Not really understood. Is this what the client cert has as SAN or what is in the cert "subject"?


> So that looks like the strongswan bug doing SHA1 for RFC7427 connections that RFC 8472 says should never use SHA1 and which libreswan didn’t advertise 😕

Will address this later...
> 
>> But still not a single nat-t keepalive from the server...
> 
> That is very strange.....

I see the state changes:

Mar 12 23:41:45 core pluto[7216]: "xauth-rsa"[4] 178.197.235.21 #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x42150261 <0x5641a65b xfrm=AES_GCM_16_256-NONE NATOA=none NATD=178.197.235.21:51702 DPD=active}
Mar 12 23:41:45 core pluto[7216]: | dpd enabled, scheduling ikev2 liveness checks
Mar 12 23:41:45 core pluto[7216]: | processing: stop state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in schedule_event_now_cb() at server.c:561)
Mar 12 23:42:45 core pluto[7216]: | processing: start state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:316)
Mar 12 23:42:45 core pluto[7216]: | processing: [RE]START state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in liveness_check() at timer.c:112)
Mar 12 23:42:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
Mar 12 23:42:45 core pluto[7216]: | processing: stop state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:657)
Mar 12 23:43:08 core pluto[7216]: | processing: start state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in for_each_state() at state.c:1600)
Mar 12 23:43:08 core pluto[7216]: | processing: stop state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in for_each_state() at state.c:1600)
Mar 12 23:43:08 core pluto[7216]: | processing: start state #3 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in for_each_state() at state.c:1600)
Mar 12 23:43:08 core pluto[7216]: | processing: stop state #3 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in for_each_state() at state.c:1600)
Mar 12 23:43:45 core pluto[7216]: | processing: start state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:316)
Mar 12 23:43:45 core pluto[7216]: | processing: [RE]START state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in liveness_check() at timer.c:112)
Mar 12 23:43:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
Mar 12 23:43:45 core pluto[7216]: | processing: stop state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:657)
Mar 12 23:44:45 core pluto[7216]: | processing: start state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:316)
Mar 12 23:44:45 core pluto[7216]: | processing: [RE]START state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in liveness_check() at timer.c:112)
Mar 12 23:44:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
Mar 12 23:44:45 core pluto[7216]: | processing: stop state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:657)

Shall I add some debug code somewhere?
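As an added illustration (not part of this post and not libreswan code), the following Python script reads pluto log lines like the ones quoted above and separates the two things the thread is conflating: IKEv2 liveness checks (the `liveness_check` lines, which are IKE INFORMATIONAL exchanges) and NAT-T keepalives (which would appear as separate keepalive messages). It extracts the established SA's NAT/DPD attributes, computes the interval between consecutive liveness checks per IKE SA, and counts any keepalive log lines. The sample input is a subset of the log quoted in the post; the function and variable names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the pluto log quoted in the post above (the repeated
# "processing: start/stop" lines are omitted; they carry no extra information).
SAMPLE_LOG = """\
Mar 12 23:41:45 core pluto[7216]: "xauth-rsa"[4] 178.197.235.21 #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x42150261 <0x5641a65b xfrm=AES_GCM_16_256-NONE NATOA=none NATD=178.197.235.21:51702 DPD=active}
Mar 12 23:41:45 core pluto[7216]: | dpd enabled, scheduling ikev2 liveness checks
Mar 12 23:42:45 core pluto[7216]: | processing: [RE]START state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in liveness_check() at timer.c:112)
Mar 12 23:42:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
Mar 12 23:43:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
Mar 12 23:44:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
"""

# syslog-style prefix: "Mar 12 23:41:45 host pluto[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ESTABLISHED_RE = re.compile(
    r"#(?P<state>\d+): STATE_V2_IPSEC_R: IPsec SA established .*\{(?P<attrs>[^}]*)\}"
)
LIVENESS_RE = re.compile(
    r"#(?P<state>\d+) liveness_check - peer (?P<peer>\S+) is (?P<result>\w+)"
)
# NAT-T keepalives are logged separately from liveness checks; match either spelling.
KEEPALIVE_RE = re.compile(r"keep-?alive", re.IGNORECASE)


def parse_timestamp(ts):
    # syslog stamps carry no year; only differences between stamps are used here
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_line(line):
    """Split one pluto log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = parse_timestamp(rec["ts"])
    return rec


def established_sas(lines):
    """Return the IPsec SAs reported as established, with their {..} attributes parsed."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = ESTABLISHED_RE.search(rec["msg"])
        if not m:
            continue
        attrs = {}
        for tok in m.group("attrs").split():
            # keep key=value tokens such as NATD=... and DPD=...; skip the SPI tokens
            if "=" in tok:
                key, value = tok.split("=", 1)
                if key.isalnum():
                    attrs[key] = value
        found.append({"state": int(m.group("state")), "time": rec["time"], "attrs": attrs})
    return found


def liveness_intervals(lines):
    """Seconds between consecutive IKEv2 liveness checks, keyed by IKE SA state number."""
    by_state = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = LIVENESS_RE.search(rec["msg"])
        if m:
            by_state[int(m.group("state"))].append((rec["time"], m.group("result")))
    intervals = {}
    for state, events in by_state.items():
        events.sort()
        intervals[state] = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return intervals


def count_keepalives(lines):
    """Number of log lines that mention a NAT-T keepalive (0 in the quoted log)."""
    return sum(1 for line in lines if KEEPALIVE_RE.search(line))


def summarize(lines):
    """One-shot summary: NAT detected?, DPD active?, liveness cadence, keepalive lines."""
    sas = established_sas(lines)
    return {
        "established": sas,
        "nat_detected": any(sa["attrs"].get("NATD", "none") != "none" for sa in sas),
        "dpd_active": any(sa["attrs"].get("DPD") == "active" for sa in sas),
        "liveness_intervals": liveness_intervals(lines),
        "nat_keepalive_lines": count_keepalives(lines),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG.splitlines()), default=str, indent=2))
```

Run against the quoted log it reports NAT detected, DPD active, liveness checks on state #4 every 60 seconds, and zero keepalive lines, which matches what the poster observes: the IKE-level liveness exchanges are running on schedule while nothing resembling a NAT-T keepalive is logged. Feeding it a longer journal extract (`journalctl -u ipsec | python3 script.py`-style piping would need a small stdin wrapper) lets you check whether the cadence changes just before the Android client drops.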

