Mobile - problems when renegotiating with Mac OS X
Hello there,
I've got some problems with renegotiation after 2880 seconds tunnel uptime.
My Mac always asks for an xauth authentication although the credentials are saved; this happens every 2880 seconds.
Lifetimes are 7200 for Phase 1 and 3600 for Phase 2. I tried many different settings, lifetimes, …
The following is the output when renegotiating with OS X:
Jul 5 21:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP 212.0.0.215[500]->193.0.0.238[500] spi=104117483(0x634b4eb)
Jul 5 21:58:27 racoon: [Self]: INFO: IPsec-SA established: ESP 212.0.0.215[500]->193.0.0.238[500] spi=125463337(0x77a6b29)
Jul 5 21:58:27 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jul 5 21:58:27 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jul 5 21:58:27 racoon: INFO: Update the generated policy : 10.12.99.1/32[0] 10.12.0.0/23[0] proto=any dir=in
Jul 5 21:58:27 racoon: [Self]: INFO: respond new phase 2 negotiation: 212.0.0.215[4500]<=>193.0.0.238[16071]
Jul 5 21:58:14 racoon: INFO: login succeeded for user "christoph"
Jul 5 21:58:14 racoon: user 'christoph' authenticated
Jul 5 21:58:14 racoon: INFO: Using port 0
Jul 5 21:58:12 racoon: INFO: Released port 0
Jul 5 21:58:12 racoon: [Self]: INFO: ISAKMP-SA deleted 212.0.0.215[4500]-193.0.0.238[16071] spi:fb7ff395484dd830:72d17a184e79f316
Jul 5 21:58:12 racoon: INFO: purged ISAKMP-SA spi=fb7ff395484dd830:72d17a184e79f316:0000c3db.
Jul 5 21:58:12 racoon: INFO: purging ISAKMP-SA spi=fb7ff395484dd830:72d17a184e79f316:0000c3db.
Jul 5 21:58:07 racoon: [Self]: INFO: ISAKMP-SA established 212.0.0.215[4500]-193.0.0.238[16071] spi:b567033074ea7d5c:c30a90afb45228b4
Jul 5 21:58:07 racoon: INFO: Sending Xauth request
Jul 5 21:58:07 racoon: INFO: NAT detected: PEER
Jul 5 21:58:07 racoon: INFO: NAT-D payload #1 doesn't match
Jul 5 21:58:07 racoon: [193.0.0.238] INFO: Hashing 193.0.0.238[16071] with algo #2
Jul 5 21:58:07 racoon: INFO: NAT-D payload #0 verified
Jul 5 21:58:07 racoon: [Self]: [212.0.0.215] INFO: Hashing 212.0.0.215[4500] with algo #2
Jul 5 21:58:07 racoon: INFO: Adding xauth VID payload.
Jul 5 21:58:07 racoon: [Self]: [212.0.0.215] INFO: Hashing 212.0.0.215[4500] with algo #2
Jul 5 21:58:07 racoon: [193.0.0.238] INFO: Hashing 193.0.0.238[16071] with algo #2
Jul 5 21:58:07 racoon: INFO: Adding remote and local NAT-D payloads.
Jul 5 21:58:07 racoon: [193.0.0.238] INFO: Selected NAT-T version: RFC 3947
Jul 5 21:58:07 racoon: INFO: received Vendor ID: DPD
Jul 5 21:58:07 racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 5 21:58:07 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 5 21:58:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 [03-07]
Jul 5 21:58:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Jul 5 21:58:07 racoon: INFO: received Vendor ID: RFC 3947
Jul 5 21:58:07 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jul 5 21:58:07 racoon: INFO: begin Aggressive mode.
Jul 5 21:58:07 racoon: [Self]: INFO: respond new phase 1 negotiation: 212.0.0.215[4500]<=>193.0.0.238[16071]
Jul 5 21:52:05 racoon: INFO: renegotiating phase1 to 193.0.0.238 due to active phase2
The tunnel works flawlessly over days when connecting with Windows 8.1 + Shrew:
Jul 5 19:53:30 racoon: [Self]: INFO: IPsec-SA established: ESP 212.0.0.215[500]->62.0.0.106[500] spi=2966502201(0xb0d13b39)
Jul 5 19:53:30 racoon: [Self]: INFO: IPsec-SA established: ESP 212.0.0.215[500]->62.0.0.106[500] spi=42409046(0x2871c56)
Jul 5 19:53:30 racoon: WARNING: authtype mismatched: my:hmac-sha384 peer:hmac-sha512
Jul 5 19:53:30 racoon: WARNING: authtype mismatched: my:hmac-sha256 peer:hmac-sha512
Jul 5 19:53:30 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-sha512
Jul 5 19:53:30 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jul 5 19:53:30 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jul 5 19:53:30 racoon: INFO: Update the generated policy : 10.12.99.1/32[0] 10.12.0.0/23[0] proto=any dir=in
Jul 5 19:53:30 racoon: [Self]: INFO: respond new phase 2 negotiation: 212.0.0.215[4500]<=>62.0.0.106[10252]
Can you help me there?