[Swan] ESP wrong sequence with iOS, L2P/IPSEC configuration in Ubuntu/Openswan2.6.37-1

Paul Wouters paul at nohats.ca
Tue Jul 1 04:00:27 EEST 2014


On Mon, 30 Jun 2014, Ignacio Bermudez wrote:

> Subject: [Swan] ESP wrong sequence with iOS,
>     L2P/IPSEC configuration in Ubuntu/Openswan2.6.37-1

So I think you are using openswan, but let me know if you are not.

> On successful communications I noticed that the device sends the first ESP message with Sequence number 1. Then
> the VPN server will communicate also with this sequence number.
> 
> On failing communications the iOS device sends the first ESP message with sequence number 1, but server replies
> ESP with a wrong ESP sequence number.

Thanks for the debugging work!

The sequence numbers are dealt with in the kernel, so the userland
(whether libreswan or openswan) does not set any of this. However,
perhaps there is a problem with "replacing" an existing connection
and updating the kernel state? Libreswan did fix a few bugs related
to rekeying and replacing connections. Could you try libreswan 3.9rc1
and see if the problem is still there?

Have you seen any udp 4500 (ESPinUDP) packets with an extra 4 zero bytes
by any chance? That is a problem I do sometimes have with iphones on
some LTE networks and I haven't fully figured that problem out yet
either.

> I noticed that many people have a similar issue with iOS, but I couldn't find any proper answer or a way to
> solve this.

Do you have those references? It would be interesting to read. A quick
Google search didn't give me anything.

Paul
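
As an added example (not code from this thread, nor from libreswan or openswan), here is a small Python classifier for UDP/4500 payloads following RFC 3948 UDP encapsulation: it separates IKE (four-zero-byte non-ESP marker), NAT-T keepalives and ESP, flags an ESP packet that arrives with four zero bytes prepended like the ones Paul mentions, and checks per-SPI ESP sequence numbers against the expectation that the first packet carries 1. The IKE-length heuristic and every sample packet are constructed for illustration.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prefixes IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"               # one-byte NAT-T keepalive
IKE_HDR_LEN = 28                      # fixed ISAKMP/IKE header size

def classify(payload):
    """Return (kind, spi, seq) for one UDP/4500 payload."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None, None)
    if payload.startswith(NON_ESP_MARKER):
        body = payload[4:]
        # Heuristic for genuine IKE: header length field equals the remaining bytes.
        if len(body) >= IKE_HDR_LEN and struct.unpack("!I", body[24:28])[0] == len(body):
            return ("ike", None, None)
        # Four zero bytes but no IKE header: an RFC 3948 receiver hands this to IKE, so the ESP is lost.
        if len(body) >= 8:
            return ("esp-zero-prefixed",) + struct.unpack("!II", body[:8])
        return ("malformed", None, None)
    if len(payload) >= 8:
        return ("esp",) + struct.unpack("!II", payload[:8])  # SPI, sequence number
    return ("malformed", None, None)

def check_seq(last, spi, seq):
    """Per-SPI sequence check; `last` maps spi -> highest seq seen. First packet must be 1."""
    prev = last.get(spi)
    last[spi] = max(seq, prev or 0)
    if prev is None:
        return "first" if seq == 1 else f"first seq is {seq}, expected 1"
    if seq == prev + 1:
        return "ok"
    if seq <= prev:
        return f"replay/old seq {seq} <= {prev}"
    return f"gap: got {seq}, expected {prev + 1}"

def analyse(packets):
    last, out = {}, []
    for p in packets:
        kind, spi, seq = classify(p)
        note = check_seq(last, spi, seq) if spi is not None else ""
        out.append((kind, spi, seq, note))
    return out

# Constructed sample: keepalive, IKE header, ESP seq 1, ESP seq 7 (a jump like the
# one reported), then ESP with four zero bytes prepended. SPI value is made up.
SPI = bytes.fromhex("c0ffee01")
SAMPLE = [
    NAT_KEEPALIVE,
    NON_ESP_MARKER + b"\x11" * 8 + bytes(8) + b"\x22\x20\x22\x08" + bytes(4) + struct.pack("!I", IKE_HDR_LEN),
    SPI + struct.pack("!I", 1) + bytes(16),
    SPI + struct.pack("!I", 7) + bytes(16),
    NON_ESP_MARKER + SPI + struct.pack("!I", 8) + bytes(16),
]
```

Feed `analyse()` the UDP payloads from a capture of the failing session; a "gap" note on the server's first reply, or an "esp-zero-prefixed" entry, points at the kernel SA state or the encapsulation rather than at the userland IKE daemon.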
