[Swan-dev] iphone ios8 gets xauth request before isakmp is established

Paul Wouters paul at nohats.ca
Tue Dec 16 00:44:38 EET 2014


On Fri, 12 Dec 2014, Wolfgang Nothdurft wrote:

> Dec 12 13:45:17 travelmate pluto[21810]: "android" #1: Mode Config message is 
> unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)

> but gets the retransmitted packet ~30 seconds later

> Regarding the iphone log from my first mail, the iphone nesessionmanager 
> closes the connection after 29 seconds.

> So I think the problem can also be solved, if the retransmit for the xauth 
> password request were reduced to 10 or 20 seconds.
>
> snippet from ikev1_xauth.c (xauth_send_request):
>
> 795         event_schedule(EVENT_v1_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0 * 
> 3,
> 796                    st);

That looks much better compared to adding a sleep() :)

I've reduced this specific timeout to 1* EVENT_RETRANSMIT_DELAY_0 to
work around the issue now. In general, the retransmit/timeout behaviour
of libreswan will see some modernization in the next two months which
will also reduce all timeouts to modern day timings.

Paul


More information about the Swan-dev mailing list