Issue #3035
Charon cannot read IKE SA INIT Response
Description
Hello,
We have a problem that Charon sometimes cannot read the IKE_SA_INIT response.
From the attached packet log (packets #5496 ~ #5568),
the device (192.168.23.197) sends an IKE_SA_INIT message and receives an IKE_SA_INIT response from the network.
However, Charon cannot read this response message and retransmits IKE_SA_INIT continuously.
When we look at the log, there is a difference when Charon cannot read the IKE_SA_INIT response.
When Charon cannot read the IKE_SA_INIT response, the IKE_SA_INIT response message has an 802.1Q Virtual LAN header.
So, I have two questions.
1. Why can Charon not read the IKE_SA_INIT response?
There is no problem with other packets.
2. Can the 802.1Q Virtual LAN header cause the issue that Charon cannot read the IKE_SA_INIT response?
I have attached packet logs, and below is an analysis of the logs.
// Charon log where the device cannot read the IKE_SA_INIT response and retransmits the IKE_SA_INIT request.
04-18 09:58:48.880 19922 19938 I charon : 14[ENC] [generate_message() 1737] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(REDIR_SUP) ]
04-18 09:58:48.880 19922 19938 I charon : 14[NET] [send_() 101] sending packet: from 192.168.23.197[32012] to 129.192.166.10[500] (524 bytes)
04-18 09:58:49.888 19922 19932 I charon : 08[KNL] [get_interface_name() 1272] 192.168.23.197 is on interface wlan0
04-18 09:58:49.891 19922 19932 I charon : 08[IKE] [retransmit() 455] retransmit 1 of request with message ID 0
04-18 09:58:49.891 19922 19932 I charon : 08[NET] [send_() 101] sending packet: from 192.168.23.197[32012] to 129.192.166.10[500] (524 bytes)
04-18 09:58:51.893 19922 19925 I charon : 02[KNL] [get_interface_name() 1272] 192.168.23.197 is on interface wlan0
04-18 09:58:51.896 19922 19925 I charon : 02[IKE] [retransmit() 455] retransmit 2 of request with message ID 0
04-18 09:58:51.897 19922 19925 I charon : 02[NET] [send_() 101] sending packet: from 192.168.23.197[32012] to 129.192.166.10[500] (524 bytes)
04-18 09:58:55.899 19922 19936 I charon : 12[KNL] [get_interface_name() 1272] 192.168.23.197 is on interface wlan0
04-18 09:58:55.901 19922 19936 I charon : 12[IKE] [retransmit() 455] retransmit 3 of request with message ID 0
04-18 09:58:55.901 19922 19936 I charon : 12[NET] [send_() 101] sending packet: from 192.168.23.197[32012] to 129.192.166.10[500] (524 bytes)
04-18 09:59:03.908 19922 19935 I charon : 11[IKE] [retransmit() 426] giving up after 3 retransmits
04-18 09:59:03.914 19922 19935 I charon : 11[IKE] [retransmit() 2585] establishing IKE_SA failed, peer not responding
// From the packet log, the device received IKE_SA_INIT responses for the requests.
5496 2019-04-19 01:58:48.880905 192.168.23.197 129.192.166.10 ISAKMP 568 IKE_SA_INIT MID=00 Initiator Request
5497 2019-04-19 01:58:48.945597 129.192.166.10 192.168.23.197 ISAKMP 505 IKE_SA_INIT MID=00 Responder Response
5498 2019-04-19 01:58:49.892723 192.168.23.197 129.192.166.10 ISAKMP 568 IKE_SA_INIT MID=00 Initiator Request
5499 2019-04-19 01:58:49.954228 129.192.166.10 192.168.23.197 ISAKMP 505 IKE_SA_INIT MID=00 Responder Response
...
// When the issue occurs, the IKE_SA_INIT response has an 802.1Q VLAN header
History
#1 Updated by Tobias Brunner over 6 years ago
- Description updated (diff)
- Status changed from New to Feedback
- Priority changed from High to Normal
1. Why can Charon not read the IKE_SA_INIT response?
There is no problem with other packets.
Probably because it never received it (i.e. the kernel did not deliver it to the socket).
2. Can the 802.1Q Virtual LAN header cause the issue that Charon cannot read the IKE_SA_INIT response?
Obviously, if the host is not actually part of that VLAN.
#2 Updated by Tobias Brunner over 6 years ago
- Category set to configuration
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No feedback
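
A triage sketch for the situation discussed in this issue, added here as an example and not part of the original thread or of strongSwan: it walks raw Ethernet frames from a capture and reports which IKE_SA_INIT responses carry an 802.1Q/802.1ad tag, so they can be matched against the retransmits in the charon log. The function names, the sample frame and VLAN ID 100 are constructed; unfragmented IPv4 is assumed.

```python
import struct

IKE_SA_INIT = 34                 # IKEv2 exchange type (RFC 7296)
VLAN_TPIDS = {0x8100, 0x88A8}    # 802.1Q and 802.1ad tag identifiers

def classify_frame(frame: bytes):
    """Return VLAN/IKE details for an IPv4 UDP IKE frame, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlans = 14, []
    while ethertype in VLAN_TPIDS:                  # walk stacked tags
        if len(frame) < offset + 4:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlans.append(tci & 0x0FFF)                  # low 12 bits = VLAN ID
        offset += 4
    # Require IPv4 carrying UDP (protocol 17); length is checked first.
    if ethertype != 0x0800 or len(frame) < offset + 20 or frame[offset + 9] != 17:
        return None
    udp = offset + (frame[offset] & 0x0F) * 4       # skip IPv4 header (IHL)
    if len(frame) < udp + 8:
        return None
    sport, dport = struct.unpack_from("!HH", frame, udp)
    ike = udp + 8
    if 4500 in (sport, dport):                      # NAT-T: non-ESP marker first
        if frame[ike:ike + 4] != bytes(4):
            return None                             # ESP-in-UDP, not IKE
        ike += 4
    elif 500 not in (sport, dport):
        return None
    if len(frame) < ike + 28:                       # fixed IKE header is 28 bytes
        return None
    return {"vlans": vlans, "init": frame[ike + 18] == IKE_SA_INIT,
            "response": bool(frame[ike + 19] & 0x20)}  # R (response) flag

def tagged_init_responses(frames):
    """VLAN ID lists of IKE_SA_INIT responses that arrived tagged."""
    hits = (classify_frame(f) for f in frames)
    return [h["vlans"] for h in hits if h and h["init"] and h["response"] and h["vlans"]]

def sample_frame(vlan=None, flags=0x20):
    """Constructed frame: IKE_SA_INIT from 129.192.166.10:500, optional tag."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 0, 0, 64, 17, 0,
                     bytes([129, 192, 166, 10]), bytes([192, 168, 23, 197]))
    udp = struct.pack("!HHHH", 500, 32012, 36, 0)
    ike = bytes(16) + bytes([0x21, 0x20, IKE_SA_INIT, flags]) + struct.pack("!II", 0, 28)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + ip + udp + ike
```

Frames for `tagged_init_responses` can come from any capture reader that yields raw link-layer bytes; a non-empty result for responses that charon never logged points at VLAN handling on the receiving interface rather than at IKE parsing.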