[Swan-dev] IKE fragmentation and xauth

Wolfgang Nothdurft wolfgang at linogate.de
Thu Jul 24 18:01:55 EEST 2014


On 24.07.2014 16:04, Paul Wouters wrote:
> On Thu, 24 Jul 2014, Wolfgang Nothdurft wrote:
>
>> I currently have a problem with one provider, an iPad, xauth and IKE frag.
>>
>> Unfortunately the UMTS provider seems to drop the certificate sent by
>> libreswan as a reply to the client certificate, which was sent properly
>> without IKE fragmentation.
>>
>> see attached log.
>>
>> The problem is now that libreswan already changed to the state
>> STATE_XAUTH_R0 and can't handle a retransmit on duplicate.
>>
>> Sure, the simple way is to set ike-frag=force, but I would like
>> libreswan to do it automatically.
>>
>> I've tried different ways to modify the code to change the state back
>> to MAIN_R3, but without success.
>>
>> Is the current behaviour a bug, or is it impossible to switch back from
>> XAUTH_R0 to MAIN_R3 to resend the certificate?
>
> Am I correct in that you are asking that if we are in STATE_XAUTH_R0 and
> we are receiving a duplicate, we should attempt to go back to MAIN_R3
> and retry sending our previous packet in fragments (if ike_frag= is not
> "no")
>

yes :)

> Just going back to MAIN_R3 would not help.
>
> I wonder if we need a state-independent fallback mechanism where we can
> change a "retransmit" into a "fragment-then-retransmit" without
> flipflopping the state?
>
> Although this will be harder to do in the IKEv2 draft for fragmentation.
>

Without xauth, pluto stays in main mode and can retransmit on a duplicate 
packet.
With xauth it immediately changes to the xauth state and there is no way 
back, as you said.

So, the only solution would be to set ike_frag=force or to "force" the 
provider to act correctly. ;)

Wolfgang
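As an added illustration, not configuration posted in this thread: the workaround Wolfgang names, ike-frag=force (the thread also writes it ike_frag; ipsec.conf uses the hyphenated spelling), set on the responder's conn in ipsec.conf so that pluto sends its Main Mode reply fragmented from the start instead of relying on a retransmit it cannot perform once it has moved to STATE_XAUTH_R0. The conn name, addresses, address pool and certificate nickname below are placeholders I chose, not values from the thread.

```conf
# Added example; not configuration from the thread. Names and addresses are placeholders.
conn ipad-xauth
    # responder side: the libreswan gateway
    left=%defaultroute
    leftcert=gatewayCert            # assumed NSS certificate nickname
    leftxauthserver=yes
    # road-warrior iPad behind the mobile provider
    right=%any
    rightxauthclient=yes
    rightaddresspool=10.10.10.2-10.10.10.254
    authby=rsasig
    # Per the thread: with xauth, pluto has already left MAIN_R3 when the
    # client's duplicate arrives, so it cannot fall back to re-sending the
    # certificate reply in fragments. Forcing fragmentation avoids the
    # oversized reply that the provider drops.
    ike-frag=force
    auto=add
```

With ike-frag=force only this conn is affected; other conns on the same gateway keep the default behaviour, so the setting can be applied per client population rather than globally.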

