[Swan-dev] iphone ios8 gets xauth request before isakmp is established

Wolfgang Nothdurft wolfgang at linogate.de
Tue Dec 9 14:33:55 EET 2014


On 05.12.2014 at 16:49, Paul Wouters wrote:
> On Fri, 5 Dec 2014, Wolfgang Nothdurft wrote:
>
>> A customer reported a problem with an iphone (IOS8) xauth connection
>> and libreswan 3.9.
>>
>> The same connection works from one net without problems, but if trying
>> from another net, the connection can't be established.
>>
>> After examining the log, the problem seems to be that the iphone gets the
>> xauth login request before finishing phase one.
>>
>> Dec  5 13:10:58 iPad-von-roe racoon[455] <Error>: mode config 6 from
>> xxx.x.xx.xxx[4500], but ISAKMP-SA 23dc52d8e2241e77:1ce13e6f0962d19e
>> isn't established.
>> Dec  5 13:10:58 iPad-von-roe racoon[455] <Notice>: IPSec Phase 1
>> established (Initiated by me).
>>
>> See attached logs from both sides.
>>
>> A quick and dirty workaround was putting a delay before
>> xauth_send_request.
>>
>> See attached patch.
>>
>> I will try to tweak this parameter next week.
>>
>> Is this a known problem?
>
> We have seen related issues in the past with iphone on some carriers,
> but the problem went away. Is it possible to try with libreswan-3.12?
> There were some fixes related to helper and xauth states.
>
> Paul
>

Unfortunately 3.12 doesn't fix it.

I think it could be a problem with fragmentation; that would explain 
why the last isakmp packet is arriving delayed.
I have tried to reproduce this on our net, but there seems to be no way 
to force it. :(

I'm trying to get a tcpdump, which hopefully explains this behaviour.

On the other hand, I think a small coded delay doesn't hurt ;)

Wolfgang
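
An added example, not part of the original message and not libreswan or racoon code: a Python check that scans a client-side racoon log for the ordering reported in this thread, a mode-config (XAUTH) message rejected because the ISAKMP SA is not yet established, followed shortly by Phase 1 completing in the same process. The function name, the 5-second window and the default year are assumptions; the sample input is constructed from the two log lines quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the two racoon lines quoted in the report, unwrapped,
# with the peer address masked exactly as it is on the page.
SAMPLE = (
    "Dec  5 13:10:58 iPad-von-roe racoon[455] <Error>: mode config 6 from "
    "xxx.x.xx.xxx[4500], but ISAKMP-SA 23dc52d8e2241e77:1ce13e6f0962d19e "
    "isn't established.\n"
    "Dec  5 13:10:58 iPad-von-roe racoon[455] <Notice>: IPSec Phase 1 "
    "established (Initiated by me).\n"
)

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) racoon\[(\d+)\] <\w+>: (.*)$")
EARLY = re.compile(r"mode config \d+ from (\S+), but ISAKMP-SA "
                   r"([0-9a-f]{16}:[0-9a-f]{16}) isn't established")
PHASE1 = "IPSec Phase 1 established"


def find_early_mode_config(log_text, year=2014, window=timedelta(seconds=5)):
    """Pair each rejected mode-config message with a Phase 1 completion that
    the same racoon process logs within `window` afterwards."""
    pending, findings = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps carry no year; `year` is an assumption.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        proc, msg = (m.group(2), m.group(3)), m.group(4)
        early = EARLY.search(msg)
        if early:
            pending.append((ts, proc, early.group(1), early.group(2)))
        elif PHASE1 in msg:
            for p_ts, p_proc, peer, sa in pending:
                if p_proc == proc and timedelta(0) <= ts - p_ts <= window:
                    findings.append({"peer": peer, "isakmp_sa": sa,
                                     "delay_s": (ts - p_ts).total_seconds()})
            # Phase 1 is up for this process; drop its pending entries.
            pending = [p for p in pending if p[1] != proc]
    return findings


if __name__ == "__main__":
    for f in find_early_mode_config(SAMPLE):
        print(f)
```

A finding with a small `delay_s` matches the symptom described here; it does not by itself show whether fragmentation or reordering caused it, which is what the packet capture is for.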

