[Swan-dev] iphone ios8 gets xauth request before isakmp is established
Paul Wouters 🔓
paul at nohats.ca
Fri Dec 5 17:49:15 EET 2014
On Fri, 5 Dec 2014, Wolfgang Nothdurft wrote:
> A customer reported a problem with an iphone (IOS8) xauth connection and
> libreswan 3.9.
>
> The same connection works from one net without problems, but if trying from
> another net, the connection can't be established.
>
> After examine the log, the problem seems to be that the iphone get the xauth
> login request before finishing phase one.
>
> Dec 5 13:10:58 iPad-von-roe racoon[455] <Error>: mode config 6 from
> xxx.x.xx.xxx[4500], but ISAKMP-SA 23dc52d8e2241e77:1ce13e6f0962d19e isn't
> established.
> Dec 5 13:10:58 iPad-von-roe racoon[455] <Notice>: IPSec Phase 1 established
> (Initiated by me).
>
> See attached logs from both sides.
>
> A quick and dirty workaround was putting a delay before xauth_send_request.
>
> See attached patch.
>
> I will try to tweak this parameter next week.
>
> Is this a known problem?
We have seen related issues in the past with iphone on some carriers,
but the problem went away. Is it possible to try with libreswan-3.12?
There were some fixes related to helper and xauth states.
Paul
More information about the Swan-dev
mailing list