viq <[email protected]> writes:

> On 17-06-25 21:44:24, Tim Stewart wrote:
>> Hi,
>>
>> In this message I've tried to encode everything I've done to allow
>> strongSwan on Android to connect with iked, including the latest patch.
>> I have also verified that it breaks neither initial negotiation nor
>> Child SA rekeying for OpenBSD, Windows, and strongSwan (on Android)
>> clients.
>
>  This patch gets my android phone much closer to being able to negotiate
>  a connection, but there are still issues. Paraphrasing analysis mikeb
>  performed on IRC:
>  android sends incorrect (for us) group, and with this patch we now send
>  a failure message and android retries. But, we don't increment msgid
>  "because we did sa_free and restarted, so we can assume that android
>  thinks that negotiation continues, that's why it re-sends the
>  IKE_SA_INIT"

I'm glad it seems to help, though it's too bad that the patch doesn't
work completely for you.

I haven't really considered msgids--I'll do some more reading to see
what I might be missing there.  I do know that resending an IKE_SA_INIT
message with a different DH group is correct, however, and this does
work on my phone.  For your reference, the first line of my strongSwan
log tells me that I'm using strongSwan 5.5.3 and Android 7.1.1.

I see that you forwarded the iked logs in a reply to this email.  Is
this the full log after a fresh iked startup with no existing SAs?
Also, would it be possible to forward an anonymized config and the
strongSwan logs so that I can compare to mine?  (I can also post my
logs, but I'll have to do it in the next day or two as I'm out of time
for today.)

Good luck!

-TimS

--
Tim Stewart
-----------
Mail:   [email protected]
Matrix: @tim:stoo.org
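Added example, not part of the original message and not iked or strongSwan code: the retry discussed in this thread is driven by an INVALID_KE_PAYLOAD notify (type 17, RFC 7296) in an IKE_SA_INIT response, whose Message ID is 0. The sketch below strictly parses such a response and returns the DH group it requests; the function name and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define IKE_HDR_LEN      28   /* fixed IKE header, RFC 7296 section 3.1 */
#define EXCH_IKE_SA_INIT 34
#define FLAG_RESPONSE    0x20
#define PAYLOAD_NOTIFY   41
#define N_INVALID_KE     17   /* INVALID_KE_PAYLOAD */

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Hypothetical helper: returns the DH group requested by the responder, 0 if
 * there is no INVALID_KE_PAYLOAD notify, -1 if malformed or not an
 * IKE_SA_INIT response with Message ID 0. */
int invalid_ke_group(const uint8_t *m, size_t len)
{
    if (len < IKE_HDR_LEN || be32(m + 24) != len)
        return -1;                       /* header length must match datagram */
    if (m[18] != EXCH_IKE_SA_INIT || !(m[19] & FLAG_RESPONSE) || be32(m + 20) != 0)
        return -1;
    uint8_t next = m[16];                /* type of the first payload */
    size_t off = IKE_HDR_LEN;
    while (next != 0) {
        if (len - off < 4)
            return -1;                   /* no room for a generic payload header */
        size_t plen = be16(m + off + 2);
        if (plen < 4 || plen > len - off)
            return -1;
        /* Notify body: protocol ID, SPI size, 2-byte type, SPI, data */
        if (next == PAYLOAD_NOTIFY && plen >= 8) {
            size_t spi = m[off + 5];
            if (be16(m + off + 6) == N_INVALID_KE)  /* data is a 2-byte group */
                return plen == 8 + spi + 2 ? be16(m + off + 8 + spi) : -1;
        }
        next = m[off];
        off += plen;
    }
    return 0;
}

/* Constructed sample: IKE_SA_INIT response, Message ID 0, requesting group 14 */
static const uint8_t sample[38] = {
    1, 2, 3, 4, 5, 6, 7, 8,  0, 0, 0, 0, 0, 0, 0, 0,      /* SPIi, SPIr */
    41, 0x20, 34, 0x20,  0, 0, 0, 0,  0, 0, 0, 38,        /* next, ver, exch, flags, msgid, len */
    0, 0, 0, 10,  0, 0,  0, 17,  0, 14                    /* Notify: type 17, group 14 */
};

int main(void) { return invalid_ke_group(sample, sizeof sample) == 14 ? 0 : 1; }
```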
