[Swan] ESP wrong sequence with iOS, L2TP/IPSEC configuration in Ubuntu/Openswan2.6.37-1

Ignacio Bermudez ignaciobermudez at gmail.com
Wed Jul 2 22:41:34 EEST 2014


Yes, you are right. This is ESP over UDP. Let me try then Libreswan
and see if it gets solved or not.

On Wed, Jul 2, 2014 at 11:19 AM, Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 2 Jul 2014, Ignacio Bermudez wrote:
>
>> Regarding the ESP messages with extra 4 bytes, I don't know the
>> answer. The format of ESP according to Wireshark dissector is:
>>
>> bytes 0-3 (4 bytes): ESP SPI
>> bytes 4-7 (4 bytes): ESP Sequence
>> rest only encrypted payload
>
>
>> Probably I forgot to add that the iPhone device is connected behind a
>> NAT.
>
>
> which means you should have UDP 4500 packets with embedded ESP packet.
> In the UDP packet, for ESP it uses a "spi" of 00 00 00 00, to indicate
> this is really an ESPinUDP and not an IKE UDP 4500 packet. This is where
> I sometimes see 8x 00 bytes and a mismatch in the IKE header length
> specified in the packet, compared to the packet size.
>
>
>> Anyways, if you know that the ESP sequence number is set by the kernel,
>> then I would need to patch the kernel. Do you know about any patch
>> related to these ESP seq. numbers? However, I have doubts about the
>> kernel issue, because when I restart ipsec the ESP number seems to be
>> reset and iPhones can connect again.
>
>
> Restarting clears out any state, so it can still be the kernel....
>
> I suspect this is related to replacing existing connections, when your
> iphone reconnects. Possibly due to the NAT tracking.
>
>
>> I would consider trying Libreswan 3.9rc1, but I prefer to stick with
>> packages coming from Ubuntu official repository as much as possible.
>
>
> well, openswan packages are pretty unmaintained for the last few years
> to the point where the last two security releases for openswan came
> via me (and I haven't contributed to openswan directly since late 2011)
>
> We are still looking for a debian/ubuntu maintainer willing to put
> libreswan through the packaging process. The debian/ directory already
> exists in the source and has been tested to build properly for various
> people.
>
> testing with libreswan would still be useful for us to know better
> where to look. Even if you then roll back to openswan for your own
> reasons.
>
> Paul



-- 
~~~~~~~~~~~~~~~
Ignacio Bermudez.
Linux User #414540
~~~~~~~~~~~~~~~
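The thread above discusses two things worth checking on a capture before blaming the kernel: how a UDP/4500 datagram is distinguished between IKE (4-byte zero non-ESP marker, RFC 3948), NAT keepalive (single 0xFF byte) and UDP-encapsulated ESP (non-zero SPI followed by the sequence number), and whether the ESP sequence numbers seen for a given SPI actually go backwards after an iPhone reconnect. The following is an added example, written for this page and not code from Openswan, Libreswan or either poster. It assumes the input is the raw UDP payload (IP/UDP headers already stripped), and all packets it feeds itself are constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import Optional, List

# RFC 3948 section 2: UDP-encapsulated IKE starts with a 4-byte zero marker;
# a NAT-keepalive is a single 0xFF byte; anything else is ESP whose first
# 4 bytes are the (non-zero) SPI and next 4 bytes the sequence number.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_HEADER_LEN = 28          # ISAKMP/IKE fixed header size
ESP_HEADER_LEN = 8           # SPI (4) + sequence number (4)


@dataclass
class Udp4500Record:
    kind: str                        # "ike", "ike-length-mismatch", "esp", "nat-keepalive", "malformed"
    spi: Optional[int] = None        # ESP only
    seq: Optional[int] = None        # ESP only
    payload_len: int = 0             # bytes after the header that was parsed


def classify_udp4500(payload: bytes) -> Udp4500Record:
    """Classify one UDP/4500 datagram payload by its RFC 3948 framing."""
    if payload == NAT_KEEPALIVE:
        return Udp4500Record("nat-keepalive")
    if len(payload) < ESP_HEADER_LEN:
        return Udp4500Record("malformed", payload_len=len(payload))
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return Udp4500Record("malformed", payload_len=len(payload))
        # IKE header bytes 24..27 carry the total message length; compare it
        # with what actually arrived, which is the mismatch Paul describes.
        ike_len = struct.unpack("!I", ike[24:28])[0]
        kind = "ike" if ike_len == len(ike) else "ike-length-mismatch"
        return Udp4500Record(kind, payload_len=len(ike))
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return Udp4500Record("esp", spi=spi, seq=seq,
                         payload_len=len(payload) - ESP_HEADER_LEN)


class EspSeqTracker:
    """Track the highest ESP sequence number seen per SPI.

    A receiver with anti-replay enabled drops a packet whose sequence number
    is not above the window it already advanced past, so a peer that reuses
    an SPI and restarts its counter at 1 after a reconnect is silently
    dropped until the old state is flushed (which is what an ipsec restart
    does). Flagging that regression in a capture is the point here.
    """

    def __init__(self) -> None:
        self.highest = {}

    def observe(self, rec: Udp4500Record) -> str:
        if rec.kind != "esp":
            return "ignored"
        last = self.highest.get(rec.spi)
        if last is None or rec.seq > last:
            self.highest[rec.spi] = rec.seq
            return "ok"
        return "replay-or-reset"


def audit(datagrams: List[bytes]) -> List[str]:
    """Run every datagram through the classifier and the per-SPI tracker."""
    tracker = EspSeqTracker()
    return [tracker.observe(classify_udp4500(d)) for d in datagrams]


# Constructed sample packets (no real traffic): SPI value and payloads are made up.
def make_esp(spi: int, seq: int, body_len: int = 16) -> bytes:
    return struct.pack("!II", spi, seq) + b"\x00" * body_len


def make_ike(declared_len: int, actual_len: int = IKE_HEADER_LEN) -> bytes:
    header = bytearray(actual_len)
    header[24:28] = struct.pack("!I", declared_len)
    return NON_ESP_MARKER + bytes(header)


SAMPLE = [
    make_ike(IKE_HEADER_LEN),             # well-formed IKE, ignored by tracker
    NAT_KEEPALIVE,                        # keepalive, ignored
    make_esp(0x1234ABCD, 1),
    make_esp(0x1234ABCD, 2),
    make_esp(0x1234ABCD, 3),
    make_esp(0x1234ABCD, 1),              # peer reconnected and restarted at 1
]

if __name__ == "__main__":
    for d, verdict in zip(SAMPLE, audit(SAMPLE)):
        print(classify_udp4500(d), verdict)
```

Pointing this at a pcap export of the UDP/4500 stream from the gateway side shows whether the "wrong sequence" is a counter that genuinely regresses on the same SPI (state on the responder needs to go, as a rekey or restart does) or an IKE datagram whose declared length disagrees with the wire length, which is the other symptom mentioned in the thread and a different problem.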

