Issue #1210
sometime strongswan can not connected
Description
Hi guys,
I am install strongswan on android, and i find some time, i can't connnect to server in 15 minutes, below is the android log, can it be fixed?
11-14 06:18:41.105 I/charon ( 3378): 00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability 11-14 06:18:41.125 I/charon ( 3378): 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac sock 11-14 06:18:41.125 I/charon ( 3378): 00[LIB] unable to load 9 plugin features (9 due to unmet dependencies) 11-14 06:18:41.125 I/charon ( 3378): 00[JOB] spawning 16 worker threads 11-14 06:18:41.476 I/charon ( 3378): 02[IKE] initiating IKE_SA android[5] to 160.16.241.200 11-14 06:18:41.606 I/charon ( 3378): 02[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] 11-14 06:18:41.606 I/charon ( 3378): 02[NET] sending packet: from 10.32.35.190[50236] to 160.16.241.200[500] (996 bytes) 11-14 06:18:41.736 I/charon ( 3378): 12[NET] received packet: from 160.16.241.200[500] to 10.32.35.190[50236] (38 bytes) 11-14 06:18:41.736 I/charon ( 3378): 12[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ] 11-14 06:18:41.736 I/charon ( 3378): 12[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024 11-14 06:18:41.766 I/charon ( 3378): 12[IKE] initiating IKE_SA android[5] to 160.16.241.200 11-14 06:18:41.766 I/charon ( 3378): 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] 11-14 06:18:41.766 I/charon ( 3378): 12[NET] sending packet: from 10.32.35.190[50236] to 160.16.241.200[500] (868 bytes) 11-14 06:18:43.608 I/charon ( 3378): 14[IKE] retransmit 1 of request with message ID 0 11-14 06:18:43.608 I/charon ( 3378): 14[NET] sending packet: from 10.32.35.190[50236] to 160.16.241.200[500] (868 bytes) 11-14 06:18:43.768 I/charon ( 3378): 15[IKE] retransmit 2 of request with message ID 0 11-14 06:18:43.768 I/charon ( 3378): 15[NET] sending packet: from 10.32.35.190[50236] to 160.16.241.200[500] (868 bytes) 11-14 06:18:46.410 I/charon ( 3378): 16[IKE] retransmit 3 of request with message ID 0 11-14 06:18:46.410 I/charon ( 3378): 16[NET] sending packet: from 10.32.35.190[50236] to 160.16.241.200[500] (868 bytes) 11-14 06:18:47.692 I/charon ( 3378): 03[IKE] giving up after 3 retransmits 11-14 06:18:47.692 I/charon ( 3378): 03[IKE] peer not responding, trying again (2/0) 11-14 06:18:47.712 I/charon ( 3378): 03[IKE] initiating IKE_SA android[5] to 160.16.241.200 11-14 06:18:47.722 I/charon ( 3378): 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] 11-14 06:18:47.722 I/charon ( 3378): 03[NET] sending packet: from 10.32.35.190[50236] to 160.16.241.200[500] (868 bytes) 11-14 06:18:47.732 I/charon ( 3378): 01[IKE] destroying IKE_SA in state CONNECTING without notification
History
#1 Updated by Tobias Brunner almost 10 years ago
- Description updated (diff)
- Status changed from New to Feedback
Could be any number of things, e.g. a problem with your network connectivity, a firewall issue, the server ignoring packets for some reason, or someone on the link deliberately dropping packets. If you can, check on the server if it receives the packets and perhaps the response is dropped somewhere. Depending on the actual reason for this you might not be able to do much about it.
#2 Updated by Fred FENG almost 10 years ago
Tobias Brunner wrote:
Could be any number of things, e.g. a problem with your network connectivity, a firewall issue, the server ignoring packets for some reason, or someone on the link deliberately dropping packets. If you can, check on the server if it receives the packets and perhaps the response is dropped somewhere. Depending on the actual reason for this you might not be able to do much about it.
Hi Tobias, I'm Jiang Dongbin's colleague. I have more questions to consult you and all developers. :)
The Line 7 and 8 show that the server is reachable.
Line 7: 11-14 06:18:41.606 I/charon ( 3378): 02[NET] sending packet: from 10.32.35.190[50236] to 160.16.241.200[500] (996 bytes) Line 8: 11-14 06:18:41.736 I/charon ( 3378): 12[NET] received packet: from 160.16.241.200[500] to 10.32.35.190[50236] (38 bytes)
Could you tell me what do the line 7 and 8 represent? Only showing the server can ping successfully?
The Line 13 and 14 show that the packet is sent but dropped.
Line 13: 11-14 06:18:41.766 I/charon ( 3378): 12[NET] sending packet: from 10.32.35.190[50236] to 160.16.241.200[500] (868 bytes) Line 14: 11-14 06:18:43.608 I/charon ( 3378): 14[IKE] retransmit 1 of request with message ID 0
Could you tell me what kind of packet is sent in Line 13? We are not familiar with the details of IKEv2 and strongswan. I guess strongswan is trying to establish secure connection and open or connect specific ports, which is sniffed by the firewall and blocked...
I setup six profiles from three different VPN providers. When one profile cannot be connected, all other profiles cannot be connected either. However, after 15 minutes or so, or rebooting the mobile phone, or changing the IP address (turn on and off the airplane mode or data connection), all profiles can be connected.
Thanks. :)
#3 Updated by Tobias Brunner almost 10 years ago
Could you tell me what do the line 7 and 8 represent? Only showing the server can ping successfully?
No, this is the first message in the IKEv2 connection (IKE_SA_INIT), which you can seen on line 6 and 9. The client chooses a DH group (2048 bit) that the server doesn't select so it sends back an INVALID_KE_PAYLOAD notify and the client has to restart the initiation with the weaker DH group selected by the server (1024 bit). For the changed IKE_SA_INIT message sent on line 13 (and its retransmits) no response is received. Can't tell more than that based on this log. You need to look at the server log to see if these packets are received and perhaps the response is dropped. Or try to capture traffic to see more about the traffic flow. If the server is managed by you try configuring modp2048 as DH group so there is no retry necessary.
I setup six profiles from three different VPN providers. When one profile cannot be connected, all other profiles cannot be connected either. However, after 15 minutes or so, or rebooting the mobile phone, or changing the IP address (turn on and off the airplane mode or data connection), all profiles can be connected.
Sounds strange, but indicates that it is a problem near to or on the client. Maybe the device has a hardware or network issue. Or maybe someone near to the client (e.g. the ISP) is actively interfering with the IKE packets.
#4 Updated by Fred FENG almost 10 years ago
Tobias Brunner wrote:
Could you tell me what do the line 7 and 8 represent? Only showing the server can ping successfully?
No, this is the first message in the IKEv2 connection (IKE_SA_INIT), which you can seen on line 6 and 9. The client chooses a DH group (2048 bit) that the server doesn't select so it sends back an INVALID_KE_PAYLOAD notify and the client has to restart the initiation with the weaker DH group selected by the server (1024 bit). For the changed IKE_SA_INIT message sent on line 13 (and its retransmits) no response is received. Can't tell more than that based on this log. You need to look at the server log to see if these packets are received and perhaps the response is dropped. Or try to capture traffic to see more about the traffic flow. If the server is managed by you try configuring modp2048 as DH group so there is no retry necessary.
I setup six profiles from three different VPN providers. When one profile cannot be connected, all other profiles cannot be connected either. However, after 15 minutes or so, or rebooting the mobile phone, or changing the IP address (turn on and off the airplane mode or data connection), all profiles can be connected.
Sounds strange, but indicates that it is a problem near to or on the client. Maybe the device has a hardware or network issue. Or maybe someone near to the client (e.g. the ISP) is actively interfering with the IKE packets.
Thanks. One more question: are these data encrypted during the transmission in the log?
#5 Updated by Tobias Brunner almost 10 years ago
Thanks. One more question: are these data encrypted during the transmission in the log?
No, the IKE_SA_INIT message is not yet encrypted.
#6 Updated by Tobias Brunner almost 10 years ago
- Category set to android
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required