[Swan-dev] iphone ios8 gets xauth request before isakmp is established
Paul Wouters
paul at nohats.ca
Tue Dec 16 00:44:38 EET 2014
On Fri, 12 Dec 2014, Wolfgang Nothdurft wrote:
> Dec 12 13:45:17 travelmate pluto[21810]: "android" #1: Mode Config message is
> unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
> but gets the retransmitted packet ~30 seconds later
> Regarding the iphone log from my first mail, the iphone nesessionmanager
> closes the connection after 29 seconds.
> So I think the problem can also be solved, if the retransmit for the xauth
> password request were reduced to 10 or 20 seconds.
>
> snippet from ikev1_xauth.c (xauth_send_request):
>
> 795 event_schedule(EVENT_v1_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0 *
> 3,
> 796 st);
That looks much better compared to adding a sleep() :)
I've reduced this specific timeout to 1* EVENT_RETRANSMIT_DELAY_0 to
work around the issue now. In general, the retransmit/timeout behaviour
of libreswan will see some modernization in the next two months which
will also reduce all timeouts to modern day timings.
Paul
More information about the Swan-dev
mailing list