[Swan-dev] iphone ios8 gets xauth request before isakmp is established
Paul Wouters
paul at nohats.ca
Tue Dec 9 18:33:18 EET 2014
On Fri, 5 Dec 2014, Wolfgang Nothdurft wrote:
[Wolfgang confirmed this still happens with 3.12]
> The same connection works from one net without problems, but if trying from
> another net, the connection can't be established.
>
> After examine the log, the problem seems to be that the iphone get the xauth
> login request before finishing phase one.
Must be related to packet size? I thought telco's did in-order delivery :P
> Dec 5 13:10:58 iPad-von-roe racoon[455] <Error>: mode config 6 from
> xxx.x.xx.xxx[4500], but ISAKMP-SA 23dc52d8e2241e77:1ce13e6f0962d19e isn't
> established.
> Dec 5 13:10:58 iPad-von-roe racoon[455] <Notice>: IPSec Phase 1 established
> (Initiated by me).
>
> See attached logs from both sides.
>
> A quick and dirty workaround was putting a delay before xauth_send_request.
>
> See attached patch.
I guess ideally, this should be scheduled as a new EVENT .5 seconds in
the future. That way pluto does not mindlessly block. Currently we only
allow 1s precicion, so it would be 1s. And we would need a new state
for this and a state machine entry.
Paul
More information about the Swan-dev
mailing list