[Swan-dev] IKE fragmentation and xauth
Wolfgang Nothdurft
wolfgang at linogate.de
Thu Jul 24 16:30:52 EEST 2014
I currently have a problem with one provider, an iPad, XAUTH and IKE fragmentation.
Unfortunately the UMTS provider seems to drop the certificate sent by
libreswan as a reply to the client certificate, which was sent properly
without IKE fragmentation.
See the attached log.
The problem is now that libreswan already changed to the state
STATE_XAUTH_R0 and can't handle a retransmit on duplicate.
Sure, the simple way is to set ike-frag=force, but I would like
libreswan to do it automatically.
I've tried different ways to modify the code to change the state back to
MAIN_R3, but without success.
Is the current behaviour a bug, or is it impossible to switch back from
XAUTH_R0 to MAIN_R3 to resend the certificate?
Wolfgang
-------------- next part --------------
Jul 22 13:53:28 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: I am sending my cert
Jul 22 13:53:29 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 22 13:53:29 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_256 prf=sha group=MODP1536}
Jul 22 13:53:29 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: Dead Peer Detection (RFC 3706): enabled
Jul 22 13:53:29 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: XAUTH: Sending XAUTH Login/Password Request
Jul 22 13:53:29 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: XAUTH: Sending Username/Password request (XAUTH_R0)
Jul 22 13:53:32 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: discarding duplicate packet; already STATE_XAUTH_R0
Jul 22 13:53:35 riab pluto[8167]: "xauth_0-XAUTH_sn-sn_0.0.0.0_0-0.0.0.0_0"[2] xxx.xxx.xxx.xxx #16: discarding duplicate packet; already STATE_XAUTH_R0
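The attached log shows the pattern a defender can watch for: the responder sends its cert, moves on to XAUTH_R0, and from then on only logs "discarding duplicate packet" while the client keeps retransmitting the Main Mode message whose reply never reached it. The following checker is an added example, not libreswan code; it runs over constructed pluto lines in the same shape as the ones above (the peer addresses and SA #17 are made up) and reports SAs stuck in that state, which is a hint that the cert-carrying MR3 is being dropped in transit and that ike-frag=force may be needed.

```python
import re

# Constructed sample in the shape of the pluto lines quoted in the post above;
# SA #16 mirrors the stuck exchange, SA #17 is a constructed healthy one.
SAMPLE_LOG = """\
Jul 22 13:53:28 riab pluto[8167]: "xauth_0"[2] 192.0.2.10 #16: I am sending my cert
Jul 22 13:53:29 riab pluto[8167]: "xauth_0"[2] 192.0.2.10 #16: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 22 13:53:29 riab pluto[8167]: "xauth_0"[2] 192.0.2.10 #16: XAUTH: Sending Username/Password request (XAUTH_R0)
Jul 22 13:53:32 riab pluto[8167]: "xauth_0"[2] 192.0.2.10 #16: discarding duplicate packet; already STATE_XAUTH_R0
Jul 22 13:53:35 riab pluto[8167]: "xauth_0"[2] 192.0.2.10 #16: discarding duplicate packet; already STATE_XAUTH_R0
Jul 22 13:54:01 riab pluto[8167]: "xauth_0"[3] 198.51.100.7 #17: I am sending my cert
Jul 22 13:54:02 riab pluto[8167]: "xauth_0"[3] 198.51.100.7 #17: XAUTH: Sending Username/Password request (XAUTH_R0)
"""

# One per-SA pluto line: timestamp, host, pluto[pid], "conn"[instance], peer, #SA, message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
DUP_MSG = "discarding duplicate packet; already STATE_XAUTH_R0"


def find_stuck_xauth(log_text, min_dups=2):
    """Return {sa: info} for ISAKMP SAs that sent a cert, reached XAUTH_R0 and
    then discarded at least min_dups retransmits: the signature of the client
    never having received the (possibly too large, unfragmented) cert reply."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-SA pluto line
        st = sas.setdefault(m["sa"], {"peer": m["peer"], "conn": m["conn"],
                                       "cert_sent": False, "xauth_r0": False,
                                       "dups": 0, "first_dup": None, "last_dup": None})
        msg = m["msg"]
        if msg == "I am sending my cert":
            st["cert_sent"] = True
        elif "(XAUTH_R0)" in msg:
            st["xauth_r0"] = True
        elif msg == DUP_MSG:
            st["dups"] += 1
            st["first_dup"] = st["first_dup"] or m["ts"]
            st["last_dup"] = m["ts"]
    return {sa: st for sa, st in sas.items()
            if st["cert_sent"] and st["xauth_r0"] and st["dups"] >= min_dups}


if __name__ == "__main__":
    for sa, st in find_stuck_xauth(SAMPLE_LOG).items():
        print(f"SA #{sa} peer {st['peer']} ({st['conn']}): {st['dups']} retransmits "
              f"discarded after XAUTH_R0 ({st['first_dup']} .. {st['last_dup']}); "
              "cert reply probably dropped in transit, consider ike-frag=force")
```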