[strongSwan] IPv6 IKEv2 Road Warrior Connection issues

Martin Willi martin at strongswan.org
Mon Oct 6 13:15:37 CEST 2014


Hi,

> Win7 PC --> MiFi (Verizon Wireless) IPv6 --> SoftlayerIPV6 --> VPS.

>         authby=xauthrsasig
>         xauth=server
>         keyexchange=ikev2

IKEv2 with XAuth really makes no sense. If you want to connect Windows 7
clients with username/password, you probably want EAP-MSCHAPv2. Refer to
[1] for details.

> :RSA /usr/local/etc/ipsec.d/private/strongswanKey.pem "passwd1"
> :XAUTH user "!passwd2"

That doesn't look valid, either. Refer to the ipsec.secrets manpage for
syntax details, [1] has an example as well.

> 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 08[NET] sending packet: from serveripv61[500] to clientipv61[500] (333 bytes)
> 09[NET] received packet: from clientipv61[500] to serveripv61[500] (528 bytes)
> 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 09[IKE] received retransmit of request with ID 0, retransmitting response

Your client seems to retransmit the IKE_SA_INIT request, most likely
because it doesn't get the response message. It is possible that it gets
lost on the path; a packet sniffer can help to see where it gets lost. As
fragmentation is very unlikely for that message, this might be related
to a firewall rule somewhere on your path.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
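
Added example, not part of the original message or of strongSwan: a small Python check that scans a charon log for peers that keep retransmitting the IKE_SA_INIT request (ID 0) and never reach IKE_AUTH, the pattern in the quoted log. The function name, the threshold and the sample log (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# charon line: two-digit thread id, [SUBSYSTEM], message (a syslog prefix may precede it)
LINE = re.compile(r"(\d{2})\[([A-Z]{3})\] (.*)$")
RECV = re.compile(r"received packet: from (\S+)\[\d+\] to \S+\[\d+\]")
RETX = re.compile(r"received retransmit of request with ID (\d+)")

# Constructed sample, modelled on the log quoted in the message above.
SAMPLE = """\
08[NET] received packet: from 2001:db8::c1[500] to 2001:db8::1[500] (528 bytes)
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
08[NET] sending packet: from 2001:db8::1[500] to 2001:db8::c1[500] (333 bytes)
09[NET] received packet: from 2001:db8::c1[500] to 2001:db8::1[500] (528 bytes)
09[IKE] received retransmit of request with ID 0, retransmitting response
10[NET] received packet: from 2001:db8::c1[500] to 2001:db8::1[500] (528 bytes)
10[IKE] received retransmit of request with ID 0, retransmitting response
11[NET] received packet: from 2001:db8::c2[500] to 2001:db8::1[500] (528 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[NET] received packet: from 2001:db8::c2[500] to 2001:db8::1[500] (528 bytes)
12[IKE] received retransmit of request with ID 0, retransmitting response
13[NET] received packet: from 2001:db8::c2[4500] to 2001:db8::1[4500] (1420 bytes)
13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) ]
"""

def stalled_peers(log_text, threshold=2):
    """Return {peer: count} for peers that retransmitted IKE_SA_INIT at least
    `threshold` times and never got as far as an IKE_AUTH request."""
    last_peer = {}                  # thread id -> peer of the packet it is handling
    retransmits = defaultdict(int)
    reached_auth = set()
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, _subsys, msg = m.groups()
        recv = RECV.search(msg)
        if recv:
            last_peer[thread] = recv.group(1)
            continue
        peer = last_peer.get(thread)
        if peer is None:
            continue
        retx = RETX.search(msg)
        if retx and retx.group(1) == "0":   # message ID 0 is IKE_SA_INIT
            retransmits[peer] += 1
        elif "parsed IKE_AUTH request" in msg:
            reached_auth.add(peer)
    return {p: n for p, n in retransmits.items()
            if n >= threshold and p not in reached_auth}
```

A peer reported here is one whose IKE_SA_INIT responses are probably not arriving, which is the case where a capture on both ends of the path shows where the packet is dropped.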
