[Swan-dev] IKE fragmentation and xauth

Wolfgang Nothdurft wolfgang at linogate.de
Thu Jul 24 16:30:52 EEST 2014


I currently have a problem with one provider, an iPad, XAUTH and IKE fragmentation.

Unfortunately the UMTS provider seems to drop the certificate sent by 
libreswan as the reply to the client certificate, which was sent properly 
without IKE fragmentation.

See the attached log.

The problem is now that libreswan has already changed to the state 
STATE_XAUTH_R0 and can't handle a retransmit on the duplicate.

Sure, the simple way is to set ike-frag=force, but I would like 
libreswan to do it automatically.

I've tried different ways to modify the code to change the state back to 
MAIN_R3, but without success.

Is the current behaviour a bug, or is it impossible to switch back from 
XAUTH_R0 to MAIN_R3 to resend the certificate?

Wolfgang
-------------- next part --------------
Jul 22 13:53:28 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: I am sending my cert
Jul 22 13:53:29 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 22 13:53:29 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_256 prf=sha group=MODP1536}
Jul 22 13:53:29 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: Dead Peer Detection (RFC 3706): enabled
Jul 22 13:53:29 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: XAUTH: Sending XAUTH Login/Password Request
Jul 22 13:53:29 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: XAUTH: Sending Username/Password request (XAUTH_R0)
Jul 22 13:53:32 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: discarding duplicate packet; already STATE_XAUTH_R0
Jul 22 13:53:35 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: discarding duplicate packet; already STATE_XAUTH_R0
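The situation in the log, as an added illustration that is not libreswan code: a toy IKEv1 responder that has already moved on to STATE_XAUTH_R0 receives the peer's retransmitted MI3. Instead of discarding the duplicate, it resends its cached MR3, and if that reply is larger than the path MTU it switches to IKE fragmentation for the resend, which is the automatic behaviour asked for above. The path MTU, the fragment format, the message layout and the retransmit cap are all made-up assumptions for the model; the network function simply drops any datagram above the MTU, like the provider in the report.

```python
"""Toy model of an IKEv1 responder resending MR3 on a duplicate MI3.

Added illustration, not libreswan code. PATH_MTU, FRAG_SIZE, the
FRAG|index|count|chunk fragment layout and the MI3/MR3/XAUTH byte strings
are constructed assumptions, not the real IKE wire format.
"""
import hashlib

PATH_MTU = 1400      # assumed: the provider drops datagrams larger than this
FRAG_SIZE = 1000     # assumed fragment payload size, well under PATH_MTU
FRAG_TAG = b"FRAG"   # toy fragment header: FRAG + index byte + count byte
MAX_RESENDS = 3      # cap so a duplicate flood cannot turn into amplification


def fragment(data: bytes) -> list[bytes]:
    """Split one large IKE message into MTU-sized fragments (toy format)."""
    chunks = [data[i:i + FRAG_SIZE] for i in range(0, len(data), FRAG_SIZE)]
    return [FRAG_TAG + bytes([i + 1, len(chunks)]) + c
            for i, c in enumerate(chunks)]


def reassemble(frags: list[bytes]) -> bytes:
    """Put fragments from fragment() back together, ordered by index byte."""
    return b"".join(c for _, c in sorted((f[4], f[6:]) for f in frags))


class Responder:
    def __init__(self, cert: bytes, ike_frag_force: bool = False):
        self.state = "STATE_MAIN_R2"
        self.cert = cert
        self.frag = ike_frag_force   # ike-frag=force; otherwise learnt on duplicate
        self.last_in = None          # digest of the last accepted inbound message
        self.last_reply = None       # cached MR3 so it can be resent
        self.resends = 0
        self.log = []

    def _send(self, msg: bytes) -> list[bytes]:
        if self.frag and len(msg) > PATH_MTU:
            return fragment(msg)
        return [msg]

    def receive(self, msg: bytes) -> list[bytes]:
        digest = hashlib.sha256(msg).digest()
        if digest == self.last_in:
            # The peer retransmitted: our reply never arrived. Resend the cached
            # reply rather than discarding the duplicate; the state itself is
            # left at STATE_XAUTH_R0, no need to fall back to MAIN_R3.
            if self.last_reply is None or self.resends >= MAX_RESENDS:
                self.log.append(f"discarding duplicate packet; already {self.state}")
                return []
            if len(self.last_reply) > PATH_MTU and not self.frag:
                self.frag = True   # big reply was evidently dropped: fragment it now
                self.log.append("duplicate while in %s: enabling IKE fragmentation"
                                % self.state)
            self.resends += 1
            self.log.append(f"retransmitting MR3 on duplicate; state {self.state}")
            return self._send(self.last_reply)
        if self.state == "STATE_MAIN_R2" and msg.startswith(b"MI3|"):
            self.last_in = digest
            self.last_reply = b"MR3|CERT|" + self.cert
            out = self._send(self.last_reply)
            self.state = "STATE_MAIN_R3"
            # As in the log, the responder goes straight on to the XAUTH request.
            self.state = "STATE_XAUTH_R0"
            out += self._send(b"XAUTH|REQ|username/password")
            return out
        self.log.append(f"unexpected message in {self.state}")
        return []


def deliver(datagrams: list[bytes], mtu: int = PATH_MTU) -> list[bytes]:
    """Model of the mobile path: anything over the MTU is silently dropped."""
    return [d for d in datagrams if len(d) <= mtu]


def run_exchange(cert: bytes, ike_frag_force: bool = False, max_retransmits: int = 3):
    """Client sends MI3 and retransmits until it gets MR3 (whole or in fragments).

    Returns (mr3_or_None, retransmits_used, responder).
    """
    resp = Responder(cert, ike_frag_force)
    mi3 = b"MI3|CERT|" + b"C" * 600   # constructed: small client cert that fits
    frags = []
    for attempt in range(1 + max_retransmits):
        for d in deliver(resp.receive(mi3)):
            if d.startswith(b"MR3|"):
                return d, attempt, resp
            if d.startswith(FRAG_TAG):
                frags.append(d)
        if frags and len(frags) == frags[0][5]:   # all fragments collected
            return reassemble(frags), attempt, resp
    return None, max_retransmits, resp


if __name__ == "__main__":
    mr3, n, r = run_exchange(b"X" * 3000)   # constructed 3000-byte responder cert
    print("MR3 received:", mr3 is not None, "after", n, "retransmit(s)")
    print("\n".join(r.log))
```

With a 3000-byte certificate the unfragmented MR3 is dropped, the first duplicate MI3 flips the responder into fragmented mode, and the client reassembles MR3 after one retransmit; with ike-frag forced, or with a certificate that fits the MTU, no retransmit is needed. The resend cap is there because answering every duplicate with a multi-kilobyte reply is an amplification vector a real responder must also bound.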

