[Swan] ESP wrong sequence with iOS, L2P/IPSEC configuration in Ubuntu/Openswan2.6.37-1

Paul Wouters paul at nohats.ca
Wed Jul 2 21:19:19 EEST 2014


On Wed, 2 Jul 2014, Ignacio Bermudez wrote:

> Regarding the ESP messages with extra 4 bytes, I don't know the
> answer. The format of ESP according to Wireshark dissector is:
>
> bytes 0-3 (4 bytes): ESP SPI
> bytes 4-7 (4 bytes): ESP Sequence
> rest only encrypted payload

> Probably I forgot to add that the iPhone device is connected behind a
> NAT.

which means you should have UDP 4500 packets with embedded ESP packet.
In the UDP packet, for ESP it uses a "spi" of 00 00 00 00, to indicate
this is really an ESPinUDP and not an IKE UDP 4500 packet. This is where
I sometimes see 8x 00 bytes and a mismatch in the IKE header length
specified in the packet, compared to the packet size.

> Anyways, if you know that ESP sequence number is set by kernel,
> then I would need to patch the kernel. Do you know about any patch
> related with this ESP seq. numbers? However, I have doubts about the
> kernel issue, because when I restart ipsec the ESP number seems to be
> reset and iPhones can connect again.

Restarting clears out any state, so it can still be the kernel....

I suspect this is related to replacing existing connections when your
iPhone reconnects. Possibly due to the NAT tracking.

> I would consider to try Libreswan 3.9rc1, but I prefer to stick with
> packages coming from Ubuntu official repository as much as possible.

well, openswan packages are pretty unmaintained for the last few years
to the point where the last two security releases for openswan came
via me (and I haven't contributed to openswan directly since late 2011)

We are still looking for a debian/ubuntu maintainer willing to put
libreswan through the packaging process. The debian/ directory already
exists in the source and has been tested to build properly for various
people.

testing with libreswan would still be useful for us to know better
where to look. Even if you then roll back to openswan for your own
reasons.

Paul

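The UDP port 4500 demultiplexing discussed in this reply, as an added example that is not part of the thread and not Openswan or Libreswan code: per RFC 3948 a datagram on port 4500 carries either an ESP packet (whose first word is its non-zero SPI, followed by the sequence number), an IKE message preceded by the four-zero-byte non-ESP marker, or a single 0xFF NAT keepalive byte. The parser below classifies a constructed payload, and for IKE it compares the header's own Length field against the number of bytes actually on the wire, which is the mismatch described above. The retry one word further in when eight zero bytes precede the IKE header is a diagnostic heuristic of this example, not behaviour the RFCs define.

```python
"""Classify the payload of a UDP port 4500 datagram (RFC 3948 NAT-T)."""
import struct
from dataclasses import dataclass
from typing import Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.1: four zero bytes precede an IKE header
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte NAT keepalive
# RFC 7296 3.1 IKE header: iSPI, rSPI, next payload, version, exchange type, flags, msg ID, length
IKE_HDR = struct.Struct("!QQBBBBII")
ESP_HDR = struct.Struct("!II")        # RFC 4303 2: SPI, sequence number


@dataclass
class Udp4500Packet:
    kind: str                             # "esp", "ike", "keepalive" or "invalid"
    spi: Optional[int] = None             # ESP SPI
    seq: Optional[int] = None             # ESP sequence number
    ike_length: Optional[int] = None      # Length field found inside the IKE header
    actual_length: Optional[int] = None   # bytes actually present from the IKE header onward
    marker_offset: Optional[int] = None   # offset at which the IKE header was finally parsed
    detail: str = ""


def _ike_header_fits(ike: bytes):
    """Return (initiator SPI, Length field) if an IKE header fits in `ike`, else None."""
    if len(ike) < IKE_HDR.size:
        return None
    ispi, _rspi, _np, _ver, _xchg, _flags, _msgid, length = IKE_HDR.unpack_from(ike)
    return ispi, length


def classify_udp4500(payload: bytes) -> Udp4500Packet:
    """Decide whether a port 4500 payload is ESP, IKE or a keepalive, and sanity-check it."""
    if payload == NAT_KEEPALIVE:
        return Udp4500Packet("keepalive")

    if payload[:4] != NON_ESP_MARKER:
        # No marker: this is UDP-encapsulated ESP, header starts with a non-zero SPI.
        if len(payload) < ESP_HDR.size:
            return Udp4500Packet("invalid", detail="shorter than an ESP header")
        spi, seq = ESP_HDR.unpack_from(payload)
        return Udp4500Packet("esp", spi=spi, seq=seq)

    # Marker present: an IKE message should follow, and its Length field
    # should equal the number of bytes left in the datagram.
    offset = len(NON_ESP_MARKER)
    ike = payload[offset:]
    parsed = _ike_header_fits(ike)
    if parsed is None:
        return Udp4500Packet("invalid", actual_length=len(ike), marker_offset=offset,
                             detail="truncated IKE header")
    ispi, length = parsed
    if length == len(ike) and ispi != 0:
        return Udp4500Packet("ike", ike_length=length, actual_length=len(ike), marker_offset=offset)

    # Heuristic (an assumption of this example, not from the RFCs): when another four
    # zero bytes follow the marker, try parsing the IKE header one word further in.
    if payload[4:8] == NON_ESP_MARKER:
        ike2 = payload[8:]
        parsed2 = _ike_header_fits(ike2)
        if parsed2 is not None and parsed2[1] == len(ike2) and parsed2[0] != 0:
            return Udp4500Packet("ike", ike_length=parsed2[1], actual_length=len(ike2),
                                 marker_offset=8,
                                 detail="eight zero bytes before the IKE header (marker doubled?)")

    return Udp4500Packet("invalid", ike_length=length, actual_length=len(ike), marker_offset=offset,
                         detail=f"IKE Length field {length} != {len(ike)} bytes on the wire")


if __name__ == "__main__":
    # Constructed sample: an ESP packet with SPI 0x12345678, sequence 5 and 16 bytes of ciphertext.
    sample = ESP_HDR.pack(0x12345678, 5) + bytes(16)
    print(classify_udp4500(sample))
```

The constructed packets in the usage above and in any test are synthetic; on a real capture you would feed it the UDP payload of each port 4500 datagram and look for "invalid" results with a Length mismatch, which is where the eight zero bytes show up.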
