[Swan] ESP wrong sequence with iOS, L2P/IPSEC configuration in Ubuntu/Openswan2.6.37-1

Ignacio Bermudez ignaciobermudez at gmail.com
Wed Jul 2 21:02:06 EEST 2014


Yes, I'm using openswan2.6.37-1 installed using apt-get on Ubuntu.

I guess I'm facing the same symptoms as
https://lists.openswan.org/pipermail/users/2012-December/022043.html
and http://blog.gmane.org/gmane.network.openswan.user/month=20121201,
but as nobody has analyzed the packet traces it's difficult to say
whether it is the same problem or not.

Regarding the ESP messages with extra 4 bytes, I don't know the
answer. The format of ESP according to Wireshark dissector is:

bytes 0-3 (4 bytes): ESP SPI
bytes 4-7 (4 bytes): ESP Sequence
rest only encrypted payload

Last 4 bytes are random and never zero bytes.

Probably I forgot to add that the iPhone device is connected behind a
NAT. Anyways, if you know that ESP sequence number is set by kernel,
then I would need to patch the kernel. Do you know about any patch
related with this ESP seq. numbers? However, I have doubts about the
kernel issue, because when I restart ipsec the ESP number seems to be
reset and iPhones can connect again.

I would consider trying Libreswan 3.9rc1, but I prefer to stick with
packages coming from Ubuntu official repository as much as possible.


On Mon, Jun 30, 2014 at 6:00 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 30 Jun 2014, Ignacio Bermudez wrote:
>
>> Subject: [Swan] ESP wrong sequence with iOS,
>>     L2P/IPSEC configuration in Ubuntu/Openswan2.6.37-1
>
>
> So I think you are using openswan, but let me know if you are not.
>
>
>> On successful communications I noticed that the device sends the first ESP
>> message with Sequence number 1. Then
>> the VPN server will communicate also with this sequence number.
>>
>> On failing communications the iOS device sends the first ESP message with
>> sequence number 1, but server replies
>> ESP with a wrong ESP sequence number.
>
>
> Thanks for the debugging work!
>
> The sequence numbers are dealt with in the kernel, so the userland
> (whether libreswan or openswan) does not set any of this. However,
> perhaps there is a problem with "replacing" an existing connection
> and updating the kernel state? Libreswan did fix a few bugs related
> to rekeying and replacing connections. Could you try libreswan 3.9rc1
> and see if the problem is still there?
>
> Have you seen any udp 4500 (ESPinUDP) packets with an extra 4 zero bytes
> by any chance? That is a problem I do sometimes have with iphones on
> some LTE networks and I haven't fully figured that problem out yet
> either.
>
>
>> I noticed that many people have a similar issue with iOS, but I couldn't
>> find any proper answer or a way to
>> solve this.
>
>
> Do you have those references? It would be interesting to read. A quick
> google search didn't give me anything.
>
> Paul



-- 
~~~~~~~~~~~~~~~
Ignacio Bermudez.
Linux User #414540
~~~~~~~~~~~~~~~
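
Added example, not part of the original message or of the Openswan/Libreswan code: a Python check that classifies UDP/4500 payloads by the RFC 3948 framing (one-byte 0xFF keepalive, four zero bytes as non-ESP marker before an IKE header, otherwise SPI followed by sequence number) and reports SAs whose first observed ESP sequence number is not 1, as well as zero-prefixed packets that are not well-formed IKE. The host labels, SPI values and packets are constructed; it assumes the capture starts before the SA is set up and ignores sequence wrap and reordering.

```python
import struct

def classify_udp4500(payload):
    """Return (kind, spi, seq) for one UDP/4500 payload (RFC 3948 framing)."""
    if payload == b"\xff":
        return ("nat-keepalive", None, None)
    if len(payload) < 8:
        return ("too-short", None, None)
    spi, seq = struct.unpack("!II", payload[:8])
    if spi != 0:
        return ("esp", spi, seq)
    # Four zero bytes are the non-ESP marker: a 28-byte IKE header should
    # follow, and its last field is the total IKE message length.
    ike_msg = payload[4:]
    if len(ike_msg) >= 28 and struct.unpack("!I", ike_msg[24:28])[0] == len(ike_msg):
        return ("ike", None, None)
    return ("zero-prefix-unknown", None, None)

def audit(packets):
    """packets: iterable of (sender, payload). Returns a list of findings."""
    last, findings = {}, []
    for src, payload in packets:
        kind, spi, seq = classify_udp4500(payload)
        if kind == "zero-prefix-unknown":
            findings.append((src, None, "zero-prefix, not IKE"))
        if kind != "esp":
            continue
        key = (src, spi)  # sequence numbers are per SA, i.e. per direction
        if key not in last and seq != 1:
            findings.append((src, spi, f"first seq {seq}, expected 1"))
        elif key in last and seq <= last[key]:
            findings.append((src, spi, f"seq {seq} after {last[key]}"))
        last[key] = seq
    return findings

# Constructed sample traffic (not taken from the thread's capture).
def esp(spi, seq):
    return struct.pack("!II", spi, seq) + b"\xaa" * 32

def ike():
    return b"\x00" * 4 + b"\x11" * 24 + struct.pack("!I", 28)

SAMPLE = [
    ("phone", ike()), ("phone", b"\xff"), ("phone", esp(0x1001, 1)),
    ("server", esp(0x2002, 7)), ("server", esp(0x2002, 8)),
    ("phone", esp(0x1001, 2)),
    ("phone", b"\x00" * 4 + esp(0x1001, 3)),  # ESP with 4 extra zero bytes
]
```

Calling `audit(SAMPLE)` flags the server-side SA that starts at sequence 7 and the zero-prefixed packet that does not parse as IKE.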

