IPSec tunnel gets established but then drops after 15 seconds



  • I'm pulling out what little hair I have left, and I just cannot find a reason why some IPSec tunnels to my mobile clients (specifically iPhones) cannot remain established. I have a Windows 7 client that can connect and pass traffic just fine, but the iPhones drop for some reason without any errors in the log.

    I am aware that the log below says "No proposals found" but that's a strange one since earlier it WAS using that exact same proposal. This all started when I was changing the login banner on the VPN and when I clicked "Save" all the iPhones dropped their connections and since then not a one can connect. Thoughts? Did changing my banner do something REALLY strange to my config?

    Mar 16 11:32:30 	charon 		10[CFG] <con1|2>lease 192.168.71.1 by 'XakEp' went offline
    Mar 16 11:32:30 	charon 		10[IKE] <con1|2>deleting IKE_SA con1[2] between 209.248.106.168[209.248.106.168]...192.168.1.108[xxxx]
    Mar 16 11:32:30 	charon 		10[IKE] <con1|2>received DELETE for IKE_SA con1[2]
    Mar 16 11:32:30 	charon 		10[ENC] <con1|2>parsed INFORMATIONAL_V1 request 2702839268 [ HASH D ]
    Mar 16 11:32:30 	charon 		10[NET] <con1|2>received packet: from 192.168.1.108[500] to 209.248.106.168[500] (84 bytes)
    Mar 16 11:32:24 	charon 		10[ENC] <con1|2>parsed INFORMATIONAL_V1 request 1195058960 [ HASH N(DPD_ACK) ]
    Mar 16 11:32:24 	charon 		10[NET] <con1|2>received packet: from 192.168.1.108[500] to 209.248.106.168[500] (92 bytes)
    Mar 16 11:32:24 	charon 		07[NET] <con1|2>sending packet: from 209.248.106.168[500] to 192.168.1.108[500] (92 bytes)
    Mar 16 11:32:24 	charon 		07[ENC] <con1|2>generating INFORMATIONAL_V1 request 697883926 [ HASH N(DPD) ]
    Mar 16 11:32:24 	charon 		07[IKE] <con1|2>sending DPD request
    Mar 16 11:32:14 	charon 		07[NET] <con1|2>sending packet: from 209.248.106.168[500] to 192.168.1.108[500] (268 bytes)
    Mar 16 11:32:14 	charon 		07[ENC] <con1|2>generating TRANSACTION response 2642107229 [ HASH CPRP(ADDR DNS SUBNET U_SPLITINC U_DEFDOM U_SPLITDNS U_BANNER U_BANNER U_SAVEPWD) ]
    Mar 16 11:32:14 	charon 		07[IKE] <con1|2>assigning virtual IP 192.168.71.1 to peer 'xxxxxxx'
    Mar 16 11:32:14 	charon 		07[CFG] <con1|2>assigning new lease to 'xxxxxxx'
    Mar 16 11:32:14 	charon 		07[IKE] <con1|2>peer requested virtual IP %any
    Mar 16 11:32:14 	charon 		07[ENC] <con1|2>parsed TRANSACTION request 2642107229 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
    Mar 16 11:32:14 	charon 		07[ENC] <con1|2>unknown attribute type (28683)
    Mar 16 11:32:14 	charon 		07[NET] <con1|2>received packet: from 192.168.1.108[500] to 209.248.106.168[500] (172 bytes)
    Mar 16 11:32:14 	charon 		15[IKE] <con1|2>maximum IKE_SA lifetime 85954s
    Mar 16 11:32:14 	charon 		15[IKE] <con1|2>scheduling rekeying in 85414s
    Mar 16 11:32:14 	charon 		15[IKE] <con1|2>IKE_SA con1[2] established between 209.248.106.168[209.248.106.168]...192.168.1.108[xxxxxxx ]
    Mar 16 11:32:14 	charon 		15[ENC] <con1|2>parsed TRANSACTION response 2387291869 [ HASH CPA(X_STATUS) ]
    Mar 16 11:32:14 	charon 		15[NET] <con1|2>received packet: from 192.168.1.108[500] to 209.248.106.168[500] (68 bytes)
    Mar 16 11:32:14 	charon 		15[NET] <con1|2>sending packet: from 209.248.106.168[500] to 192.168.1.108[500] (68 bytes)
    Mar 16 11:32:14 	charon 		15[ENC] <con1|2>generating TRANSACTION request 2387291869 [ HASH CPS(X_STATUS) ]
    Mar 16 11:32:14 	charon 		15[IKE] <con1|2>XAuth authentication of 'xxxxxxx' successful
    Mar 16 11:32:14 	charon 		15[IKE] <con1|2>XAuth-SCRIPT succeeded for user 'xxxxxxx'.
    Mar 16 11:32:14 	charon 		user 'XakEp' authenticated
    Mar 16 11:32:13 	charon 		15[ENC] <con1|2>parsed TRANSACTION response 2049647219 [ HASH CPRP(X_USER X_PWD) ]
    Mar 16 11:32:13 	charon 		15[NET] <con1|2>received packet: from 192.168.1.108[500] to 209.248.106.168[500] (84 bytes)
    Mar 16 11:32:13 	charon 		15[ENC] <con1|2>parsed INFORMATIONAL_V1 request 2481838577 [ HASH N(INITIAL_CONTACT) ]
    Mar 16 11:32:13 	charon 		15[NET] <con1|2>received packet: from 192.168.1.108[500] to 209.248.106.168[500] (84 bytes)
    Mar 16 11:32:13 	charon 		15[NET] <con1|2>sending packet: from 209.248.106.168[500] to 192.168.1.108[500] (76 bytes)
    Mar 16 11:32:13 	charon 		15[ENC] <con1|2>generating TRANSACTION request 2049647219 [ HASH CPRQ(X_USER X_PWD) ]
    Mar 16 11:32:13 	charon 		15[ENC] <con1|2>parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
    Mar 16 11:32:13 	charon 		15[NET] <con1|2>received packet: from 192.168.1.108[500] to 209.248.106.168[500] (100 bytes)
    Mar 16 11:32:13 	charon 		15[NET] <con1|2>sending packet: from 209.248.106.168[500] to 192.168.1.108[500] (408 bytes)
    Mar 16 11:32:13 	charon 		15[ENC] <con1|2>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Mar 16 11:32:13 	charon 		15[CFG] <2> selected peer config "con1"
    Mar 16 11:32:13 	charon 		15[CFG] <2> looking for XAuthInitPSK peer configs matching 209.248.106.168...192.168.1.108[xxxxxxx ]
    Mar 16 11:32:13 	charon 		15[IKE] <2> 192.168.1.108 is initiating a Aggressive Mode IKE_SA
    Mar 16 11:32:13 	charon 		15[IKE] <2> received DPD vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received Cisco Unity vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received XAuth vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received NAT-T (RFC 3947) vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <2> received FRAGMENTATION vendor ID
    Mar 16 11:32:13 	charon 		15[ENC] <2> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Mar 16 11:32:13 	charon 		15[NET] <2> received packet: from 192.168.1.108[500] to 209.248.106.168[500] (779 bytes)
    Mar 16 11:32:13 	charon 		15[NET] <1> sending packet: from 209.248.106.168[500] to 192.168.1.108[500] (56 bytes)
    Mar 16 11:32:13 	charon 		15[ENC] <1> generating INFORMATIONAL_V1 request 1979175892 [ N(NO_PROP) ]
    Mar 16 11:32:13 	charon 		15[IKE] <1> no proposal found
    Mar 16 11:32:13 	charon 		15[CFG] <1> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 16 11:32:13 	charon 		15[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Mar 16 11:32:13 	charon 		15[IKE] <1> 192.168.1.108 is initiating a Aggressive Mode IKE_SA
    Mar 16 11:32:13 	charon 		15[IKE] <1> received DPD vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received Cisco Unity vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received XAuth vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received draft-ietf-ipsec-nat-t-ike vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received NAT-T (RFC 3947) vendor ID
    Mar 16 11:32:13 	charon 		15[IKE] <1> received FRAGMENTATION vendor ID
    Mar 16 11:32:13 	charon 		15[ENC] <1> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Mar 16 11:32:13 	charon 		15[NET] <1> received packet: from 192.168.1.108[500] to 209.248.106.168[500] (779 bytes)
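As an added example (not part of the original post), here is a small Python parser over charon lines like the ones above that surfaces the two things worth checking in this log: whether the configured and received IKE proposals overlap for the SA that logged "no proposal found", and how long each established IKE_SA lived and which side sent the DELETE. It compares whole proposal strings, which approximates strongSwan's per-transform matching, and the embedded sample is a constructed subset of the log quoted in the post (pasted newest first, so the parser sorts by timestamp).

```python
import re
from datetime import datetime

# Constructed sample: a subset of the charon lines quoted in the post, newest first as pasted.
SAMPLE_LOG = """\
Mar 16 11:32:30 charon 10[IKE] <con1|2>received DELETE for IKE_SA con1[2]
Mar 16 11:32:14 charon 15[IKE] <con1|2>IKE_SA con1[2] established between 209.248.106.168[209.248.106.168]...192.168.1.108[xxxxxxx ]
Mar 16 11:32:13 charon 15[IKE] <1> no proposal found
Mar 16 11:32:13 charon 15[CFG] <1> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 16 11:32:13 charon 15[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
"""
# The tag is "<2>" before a peer config is selected and "<con1|2>" after; the number is the IKE_SA id.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+charon\s+\d+\[\w+\]\s+<(?:\w+\|)?(?P<sa>\d+)>\s*(?P<msg>.*)$")

def parse_log(text):
    """Return tagged charon events in chronological order (lines without an IKE_SA tag are skipped)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                           "sa": m["sa"], "msg": m["msg"].rstrip()})
    return sorted(events, key=lambda e: e["ts"])

def proposal_mismatches(events):
    """Per IKE_SA that logged 'no proposal found': configured vs received proposal sets and their overlap."""
    sides, failed = {}, set()
    for e in events:
        if e["msg"] == "no proposal found":
            failed.add(e["sa"])
        for key in ("configured", "received"):
            prefix = f"{key} proposals: "
            if e["msg"].startswith(prefix):
                sides.setdefault(e["sa"], {})[key] = set(e["msg"][len(prefix):].split(", "))
    out = {}
    for sa in failed & set(sides):
        c, r = sides[sa].get("configured", set()), sides[sa].get("received", set())
        out[sa] = {"configured": c, "received": r, "overlap": c & r}  # empty overlap explains NO_PROP
    return out

def sa_lifetimes(events):
    """Seconds each IKE_SA stayed up and which side sent the DELETE ('peer' if it was received)."""
    up, out = {}, {}
    for e in events:
        if " established between " in e["msg"]:
            up[e["sa"]] = e["ts"]
        elif "DELETE for IKE_SA" in e["msg"] and e["sa"] in up:
            who = "peer" if e["msg"].startswith("received") else "local"
            out[e["sa"]] = {"seconds": int((e["ts"] - up[e["sa"]]).total_seconds()), "deleted_by": who}
    return out
```

Run against the full paste (tabs and all, since the regex tolerates any whitespace) to see that SA 1 fails with no overlapping proposal while SA 2 is established and then torn down by the peer 16 seconds later.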
    
