[Swan-dev] IKE fragmentation and xauth
Paul Wouters
paul at nohats.ca
Thu Jul 24 17:04:11 EEST 2014
On Thu, 24 Jul 2014, Wolfgang Nothdurft wrote:
> I currently have a problem with one provider, an ipad, xauth and IKE frag.
>
> Unfortunately the umts provider seems to drop the certificate sent by
> libreswan as reply to the client certificate which was sent properly without
> ike fragmentation.
>
> see attached log.
>
> The problem is now that libreswan already changed to the state STATE_XAUTH_R0
> and can't handle a retransmit on duplicate.
>
> Sure, the simple way is to set ike-frag=force, but I would like libreswan to
> do it automatically.
>
> I've tried different ways to modify the code to change the state back to
> MAIN_R3, but without success.
>
> Is the actual behaviour a bug or is it impossible to switch back from
> XAUTH_R0 to MAIN_R3 to resend the certificate?
Am I correct in that you are asking that if we are in STATE_XAUTH_R0 and
we are receiving a duplicate, we should attempt to go back to MAIN_R3
and retry sending our previous packet in fragments (if ike_frag= is not
"no")?
Just going back to MAIN_R3 would not help.
I wonder if we need a state-independent fallback mechanism where we can
change a "retransmit" into a "fragment-then-retransmit" without
flip-flopping the state?
Although this will be harder to do in the IKEv2 draft for fragmentation.
Paul
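The fallback Paul sketches above, as an added illustration that is not libreswan code and not part of the original thread: a small C model in which the retransmit record lives outside the state machine, so a duplicate arriving in any state (XAUTH_R0 included) can trigger a fragmented resend of the last packet without touching the state. The fragment size, the `struct retrans` fields and the `demo_duplicate` helper are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a state-independent retransmit record. */
enum ike_frag { IKE_FRAG_NO, IKE_FRAG_YES, IKE_FRAG_FORCE };

struct retrans {
    int state;               /* current state; must stay unchanged */
    enum ike_frag ike_frag;  /* the connection's ike-frag= setting */
    const uint8_t *pkt;      /* last packet we sent */
    size_t pkt_len;
    size_t frags_sent;       /* fragments emitted so far (for the demo) */
};

#define FRAG_DATA_MAX 500    /* assumed per-fragment payload size */

/* Emit one fragment. A real implementation would build the ISAKMP
 * fragmentation payload here; the model only counts and logs. */
static void send_fragment(struct retrans *r, unsigned num, size_t off,
                          size_t len, int last)
{
    r->frags_sent++;
    printf("fragment %u: offset %zu, %zu bytes%s\n",
           num, off, len, last ? " (last)" : "");
}

/* Called when a duplicate of the peer's previous message arrives.
 * Returns the number of fragments sent, 0 for a whole-packet
 * retransmit, -1 if there is nothing to retransmit. Never changes
 * r->state, which is the point of the proposal. */
int on_duplicate(struct retrans *r)
{
    if (r->pkt == NULL) return -1;
    if (r->ike_frag == IKE_FRAG_NO) return 0;  /* plain retransmit */
    unsigned num = 1;
    for (size_t off = 0; off < r->pkt_len; off += FRAG_DATA_MAX, num++) {
        size_t len = r->pkt_len - off;
        if (len > FRAG_DATA_MAX) len = FRAG_DATA_MAX;
        send_fragment(r, num, off, len, off + len >= r->pkt_len);
    }
    return (int)(num - 1);
}

/* Demo helper: a constructed packet of `len` bytes; returns how many
 * fragments a duplicate triggers under setting `f`, or -2 if the
 * state was modified (it must not be). */
int demo_duplicate(enum ike_frag f, size_t len)
{
    static uint8_t buf[4096];
    struct retrans r = { .state = 42, .ike_frag = f, .pkt = buf, .pkt_len = len };
    int n = on_duplicate(&r);
    return r.state == 42 ? n : -2;
}
```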