[Swan-dev] iphone ios8 gets xauth request before isakmp is established

Wolfgang Nothdurft wolfgang at linogate.de
Tue Dec 16 16:46:06 EET 2014


Am 15.12.2014 um 23:44 schrieb Paul Wouters:
> On Fri, 12 Dec 2014, Wolfgang Nothdurft wrote:
>
>> Dec 12 13:45:17 travelmate pluto[21810]: "android" #1: Mode Config
>> message is unacceptable because it is for an incomplete ISAKMP SA
>> (state=STATE_MAIN_I3)
>
>> but gets the retransmitted packet ~30 seconds later
>
>> Regarding the iphone log from my first mail, the iphone
>> nesessionmanager closes the connection after 29 seconds.
>
>> So I think the problem can also be solved, if the retransmit for the
>> xauth password request were reduced to 10 or 20 seconds.
>>
>> snippet from ikev1_xauth.c (xauth_send_request):
>>
>>     event_schedule(EVENT_v1_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0 * 3, st);
>
> That looks much better compared to adding a sleep() :)
>
> I've reduced this specific timeout to 1* EVENT_RETRANSMIT_DELAY_0 to
> work around the issue now. In general, the retransmit/timeout behaviour
> of libreswan will see some modernization in the next two months which
> will also reduce all timeouts to modern day timings.
>
> Paul
>

The iPhone works with this change, but the customer criticized that it 
now takes ages (15 seconds) to connect. ;)

Testing an Android shows the same behaviour; unfortunately it doesn't work 
with this fix (see attached log).

I think a small delay for the first xauth request is needed anyway.

Wolfgang
-------------- next part --------------
D/racoon  (11964): Waiting for control socket
D/racoon  (11964): Received 11 arguments
I/racoon  (11964): ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
I/racoon  (11964): 10.149.211.155[500] used as isakmp port (fd=10)
I/racoon  (11964): 10.149.211.155[500] used for NAT-T
I/racoon  (11964): 10.149.211.155[4500] used as isakmp port (fd=11)
I/racoon  (11964): 10.149.211.155[4500] used for NAT-T
I/racoon  (11964): initiate new phase 1 negotiation: 10.149.211.155[500]<=>213.179.141.14[500]
I/racoon  (11964): begin Identity Protection mode.
I/racoon  (11964): received Vendor ID: DPD
I/racoon  (11964): received Vendor ID: FRAGMENTATION
I/racoon  (11964): received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
I/racoon  (11964): received Vendor ID: RFC 3947
I/racoon  (11964): Selected NAT-T version: RFC 3947
I/racoon  (11964): Hashing 213.179.141.14[500] with algo #2
I/racoon  (11964): Hashing 10.149.211.155[500] with algo #2
I/racoon  (11964): Adding remote and local NAT-D payloads.
I/racoon  (11964): Hashing 10.149.211.155[500] with algo #2
I/racoon  (11964): NAT-D payload #0 doesn't match
I/racoon  (11964): Hashing 213.179.141.14[500] with algo #2
I/racoon  (11964): NAT-D payload #1 verified
I/racoon  (11964): NAT detected: ME
I/racoon  (11964): KA list add: 10.149.211.155[4500]->213.179.141.14[4500]
W/racoon  (11964): Short payload
W/racoon  (11964): unable to get certificate CRL(3) at depth:0 SubjectName:/C=DE/ST=Bayern/L=Augsburg/O=Linogate GmbH/CN=vpnserver/emailAddress=support at linogate.com
W/racoon  (11964): unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/ST=Bayern/L=Augsburg/O=Linogate GmbH/CN=CA/emailAddress=support at linogate.com
I/racoon  (11964): ISAKMP-SA established 10.149.211.155[4500]-213.179.141.14[4500] spi:8c5e656ece6bc283:1cdf804c11d64ee0
W/racoon  (11964): Short payload
W/racoon  (11964): Short payload
E/racoon  (11964): unknown Informational exchange received.
E/racoon  (11964): unknown Informational exchange received.
E/racoon  (11964): unknown Informational exchange received.
I/racoon  (11964): ISAKMP-SA expired 10.149.211.155[4500]-213.179.141.14[4500] spi:8c5e656ece6bc283:1cdf804c11d64ee0
E/racoon  (11964): unknown Informational exchange received.
E/racoon  (11964): unknown Informational exchange received.
E/racoon  (11964): unknown Informational exchange received.
E/racoon  (11964): unknown Informational exchange received.
E/racoon  (11964): unknown Informational exchange received.
E/racoon  (11964): unknown Informational exchange received.
E/racoon  (11964): unknown Informational exchange received.
E/racoon  (11964): unknown Informational exchange received.
E/racoon  (11964): unknown Informational exchange received.
I/racoon  (11964): ISAKMP-SA deleted 10.149.211.155[4500]-213.179.141.14[4500] spi:8c5e656ece6bc283:1cdf804c11d64ee0
I/racoon  (11964): Bye
I/LegacyVpnRunner(  504): java.lang.IllegalStateException: racoon is dead
-------------- next part --------------
D/racoon  (12587): Waiting for control socket
D/racoon  (12587): Received 11 arguments
I/racoon  (12587): ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
I/racoon  (12587): 10.149.211.155[500] used as isakmp port (fd=10)
I/racoon  (12587): 10.149.211.155[500] used for NAT-T
I/racoon  (12587): 10.149.211.155[4500] used as isakmp port (fd=11)
I/racoon  (12587): 10.149.211.155[4500] used for NAT-T
I/racoon  (12587): initiate new phase 1 negotiation: 10.149.211.155[500]<=>213.179.141.14[500]
I/racoon  (12587): begin Identity Protection mode.
I/racoon  (12587): received Vendor ID: DPD
I/racoon  (12587): received Vendor ID: FRAGMENTATION
I/racoon  (12587): received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
I/racoon  (12587): received Vendor ID: RFC 3947
I/racoon  (12587): Selected NAT-T version: RFC 3947
I/racoon  (12587): Hashing 213.179.141.14[500] with algo #2
I/racoon  (12587): Hashing 10.149.211.155[500] with algo #2
I/racoon  (12587): Adding remote and local NAT-D payloads.
I/racoon  (12587): Hashing 10.149.211.155[500] with algo #2
I/racoon  (12587): NAT-D payload #0 doesn't match
I/racoon  (12587): Hashing 213.179.141.14[500] with algo #2
I/racoon  (12587): NAT-D payload #1 verified
I/racoon  (12587): NAT detected: ME
I/racoon  (12587): KA list add: 10.149.211.155[4500]->213.179.141.14[4500]
W/racoon  (12587): unable to get certificate CRL(3) at depth:0 SubjectName:/C=DE/ST=Bayern/L=Augsburg/O=Linogate GmbH/CN=vpnserver/emailAddress=support at linogate.com
W/racoon  (12587): unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/ST=Bayern/L=Augsburg/O=Linogate GmbH/CN=CA/emailAddress=support at linogate.com
I/racoon  (12587): ISAKMP-SA established 10.149.211.155[4500]-213.179.141.14[4500] spi:9f751de210fdc37e:7cca126a5c50bcdf
I/racoon  (12587): initiate new phase 2 negotiation: 10.149.211.155[4500]<=>213.179.141.14[4500]
I/racoon  (12587): NAT detected -> UDP encapsulation (ENC_MODE 1->3).
I/racoon  (12587): Adjusting my encmode UDP-Tunnel->Tunnel
I/racoon  (12587): Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
I/racoon  (12587): IPsec-SA established: ESP/Tunnel 213.179.141.14[0]->10.149.211.155[0] spi=249478804(0xedebe94)
I/racoon  (12587): IPsec-SA established: ESP/Tunnel 10.149.211.155[4500]->213.179.141.14[4500] spi=1764948918(0x6932fbb6)
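The two attached racoon logs differ in exactly one way that matters: the first brings up the ISAKMP SA, then sees only "unknown Informational exchange received" until the SA expires, while the second goes on to phase 2. The following Python classifier, an added example that is not part of the thread or of libreswan, spots that pattern in Android logcat output; the embedded sample is constructed (addresses and SPIs replaced), abbreviated from the logs above.

```python
"""Classify Android racoon logcat sessions by how far the IKEv1 exchange got.
Added example: groups 'LEVEL/tag  (PID): msg' lines by racoon PID and reports
phase 1 up, unknown Informational exchanges while up, and phase 2 reached."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^([A-Z])/(\w+)\s*\(\s*(\d+)\):\s*(.*?)\s*$")

@dataclass
class Session:
    pid: int
    isakmp_established: bool = False
    isakmp_expired: bool = False
    ipsec_established: int = 0      # number of IPsec-SA (phase 2) lines
    unknown_informational: int = 0  # counted only while the ISAKMP SA is up

    @property
    def verdict(self) -> str:
        if self.ipsec_established:
            return "ok"
        if self.isakmp_established and self.isakmp_expired:
            return "phase1-only"  # SA came up, then nothing usable followed
        if not self.isakmp_established:
            return "no-phase1"
        return "incomplete"

def parse_racoon_log(text: str) -> dict:
    """Return {pid: Session} for every racoon process seen in the text."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group(2) != "racoon":
            continue  # skip LegacyVpnRunner and other tags
        pid, msg = int(m.group(3)), m.group(4)
        s = sessions.setdefault(pid, Session(pid))
        if msg.startswith("ISAKMP-SA established"):
            s.isakmp_established = True
        elif msg.startswith("ISAKMP-SA expired"):
            s.isakmp_expired = True
        elif msg.startswith("IPsec-SA established"):
            s.ipsec_established += 1
        elif (msg.startswith("unknown Informational exchange received")
              and s.isakmp_established and not s.isakmp_expired):
            s.unknown_informational += 1
    return sessions

# Constructed sample, abbreviated from the two attached logs (addresses replaced).
SAMPLE_LOG = """\
I/racoon  (11964): ISAKMP-SA established 10.0.0.2[4500]-192.0.2.1[4500] spi:aa:bb
E/racoon  (11964): unknown Informational exchange received.
E/racoon  (11964): unknown Informational exchange received.
I/racoon  (11964): ISAKMP-SA expired 10.0.0.2[4500]-192.0.2.1[4500] spi:aa:bb
E/racoon  (11964): unknown Informational exchange received.
I/LegacyVpnRunner(  504): java.lang.IllegalStateException: racoon is dead
I/racoon  (12587): ISAKMP-SA established 10.0.0.2[4500]-192.0.2.1[4500] spi:cc:dd
I/racoon  (12587): IPsec-SA established: ESP/Tunnel 192.0.2.1[0]->10.0.0.2[0] spi=1(0x1)
I/racoon  (12587): IPsec-SA established: ESP/Tunnel 10.0.0.2[4500]->192.0.2.1[4500] spi=2(0x2)
"""

if __name__ == "__main__":
    for pid, s in parse_racoon_log(SAMPLE_LOG).items():
        print(pid, s.verdict, "unknown informational while up:", s.unknown_informational)
```

Run it against a full `adb logcat` capture to see at a glance whether a failed connection died after phase 1 (the "phase1-only" case, which is where the server's rejected or delayed XAUTH request shows up) or never got that far.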

