[Swan] ESP wrong sequence with iOS, L2P/IPSEC configuration in Ubuntu/Openswan2.6.37-1

Ignacio Bermudez ignaciobermudez at gmail.com
Tue Jul 1 03:29:59 EEST 2014


Hi,

I set up Openswan following the tutorial
https://help.ubuntu.com/community/L2TPServer. This configuration already
includes Dead Peer Detection for iOS by adding these 3 lines:

    # Apple iOS doesn't send delete notify so we need dead peer
    # detection to detect vanishing clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

It works well for Android devices and laptops connecting to the VPN, but with
iOS it behaves oddly.
Sometimes I can disconnect and reconnect several times, but at some point
it becomes impossible and the VPN needs to be restarted.

I did some debugging in auth.log, and all connections reach this point:

[auth.log]
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2

STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0c2270ad
<0xba26054a xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=X.Y.Z.W:63445
DPD=enabled}
[/auth.log]

Even connections coming from iOS devices reach that point.

The problem:
-------------------

I collected traffic and analyzed it using Wireshark to understand the problem.
At the beginning there is an exchange of keys through ISAKMP, after that
there is encrypted communication between VPN server and device.

On successful connections I noticed that the device sends the first ESP
message with sequence number 1. Then the VPN server also communicates
with this sequence number.


On failing connections the iOS device sends the first ESP message with
sequence number 1, but the server replies with an ESP packet carrying a wrong
sequence number. In response to the wrong sequence number, the device sends
ICMP destination unreachable (port unreachable) messages back to the server.
The payload of these ICMP messages is the "corrupted" ESP message coming from
the server.
The server does not update the sequence number, and after some tries the iOS
device sends a Delete SA payload to the server and closes the connection.
On the other side, iOS displays that the server is not reachable or is not
up.


---------------------

I noticed that many people have a similar issue with iOS, but I couldn't
find any proper answer or a way to solve this.

Is this a normal behavior of the VPN server? If it is, is there any
possible way to patch the server or set the right configuration in order to
reply with the sequence numbers required by iOS devices?


Thank you!
Ignacio.
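As an added diagnostic example (not part of Ignacio's post and not Openswan code), the script below does in Python what the post describes doing by eye in Wireshark: it parses the ESP header out of NAT-T (UDP/4500) packets and out of the ESP packet quoted inside an ICMP port-unreachable message, then audits sequence numbers per SPI. RFC 4303 initialises the sender's counter to 0, so the first packet on a fresh SA carries sequence number 1; a first packet with any other value is flagged, as are replays and gaps. The addresses, packet bytes and the offending sequence value 7 are constructed; the two SPIs and UDP port 63445 are taken from the auth.log line quoted above.

```python
"""Audit ESP sequence numbers in a NAT-T (UDP/4500) capture.

Constructed example: the traces at the bottom are hand-built byte strings
that mimic the good and the failing exchange described in the post.
"""
import socket
import struct

ESP_HDR = struct.Struct("!II")  # SPI, sequence number (RFC 4303 section 2)


def parse_esp(udp_payload: bytes):
    """Return (spi, seq) for a NAT-T UDP payload, or None if it is not ESP.

    RFC 3948: a UDP/4500 payload starting with four zero bytes is IKE
    (non-ESP marker); otherwise the ESP header starts immediately.
    """
    if len(udp_payload) < ESP_HDR.size:
        return None
    spi, seq = ESP_HDR.unpack_from(udp_payload)
    return None if spi == 0 else (spi, seq)


def parse_icmp_unreachable(icmp: bytes):
    """For an ICMPv4 destination-unreachable message (type 3) return
    (code, quoted UDP dst port, (spi, seq) of the quoted ESP or None).

    The quoted datagram is the original IPv4 header plus at least 8 bytes of
    payload (RFC 792); to see the ESP header the quote must include the UDP
    header and the first 8 ESP bytes, which Linux normally does.
    """
    if len(icmp) < 8 or icmp[0] != 3:
        return None
    code = icmp[1]
    inner = icmp[8:]  # quoted original datagram
    if len(inner) < 20:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < ihl + 8:  # need an IPv4/UDP quote
        return None
    dport = struct.unpack_from("!H", inner, ihl + 2)[0]
    return code, dport, parse_esp(inner[ihl + 8:])


def audit(packets):
    """packets: iterable of (src, kind, payload), kind 'udp4500' or 'icmp'.
    Returns human-readable findings; an empty list means the flow looks sane.
    """
    last_seq = {}  # spi -> highest sequence number seen so far
    findings = []
    for src, kind, payload in packets:
        if kind == "udp4500":
            hdr = parse_esp(payload)
            if hdr is None:
                continue
            spi, seq = hdr
            prev = last_seq.get(spi)
            if prev is None and seq != 1:
                findings.append(f"{src}: first ESP packet on SPI 0x{spi:08x} "
                                f"has seq {seq}, expected 1 (RFC 4303)")
            elif prev is not None and seq <= prev:
                findings.append(f"{src}: SPI 0x{spi:08x} seq {seq} does not "
                                f"increase past {prev} (replay or reset)")
            elif prev is not None and seq > prev + 1:
                findings.append(f"{src}: SPI 0x{spi:08x} jumps from {prev} "
                                f"to {seq} (loss or gap)")
            last_seq[spi] = max(seq, prev or 0)
        elif kind == "icmp":
            quoted = parse_icmp_unreachable(payload)
            if quoted and quoted[0] == 3 and quoted[2] is not None:
                _, dport, (spi, seq) = quoted
                findings.append(f"{src}: ICMP port unreachable (UDP/{dport}) "
                                f"rejecting ESP SPI 0x{spi:08x} seq {seq}")
    return findings


# --- constructed sample traffic -------------------------------------------
def build_esp(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed NAT-T UDP payload: ESP header plus opaque ciphertext."""
    return ESP_HDR.pack(spi, seq) + body


def build_icmp_port_unreachable(src, dst, sport, dport, quoted_udp_payload):
    """Constructed ICMPv4 type 3 code 3 quoting an IPv4/UDP datagram
    (checksums left zero, which is fine for offline parsing)."""
    udp_len = 8 + len(quoted_udp_payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp + quoted_udp_payload


CLIENT, SERVER = "198.51.100.20", "203.0.113.5"  # constructed (RFC 5737)
SPI_IN, SPI_OUT = 0xBA26054A, 0x0C2270AD          # SPIs from the auth.log line

GOOD_TRACE = [  # both sides start at 1 and count up
    (CLIENT, "udp4500", build_esp(SPI_IN, 1)),
    (SERVER, "udp4500", build_esp(SPI_OUT, 1)),
    (CLIENT, "udp4500", build_esp(SPI_IN, 2)),
    (SERVER, "udp4500", build_esp(SPI_OUT, 2)),
]

BAD_SERVER_PKT = build_esp(SPI_OUT, 7)  # constructed: server starts at 7
BAD_TRACE = [
    (CLIENT, "udp4500", build_esp(SPI_IN, 1)),
    (SERVER, "udp4500", BAD_SERVER_PKT),
    (CLIENT, "icmp", build_icmp_port_unreachable(SERVER, CLIENT, 4500, 63445,
                                                 BAD_SERVER_PKT)),
]

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        print(name, audit(trace) or "no findings")
```

Feeding a real capture is a matter of replacing the constructed traces with the UDP/4500 payloads and ICMP messages pulled from the pcap (for example via a pcap library) while keeping the same (src, kind, payload) tuples; the audit itself does not change.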

