[Swan] ESP wrong sequence with iOS, L2P/IPSEC configuration in Ubuntu/Openswan2.6.37-1

Ignacio Bermudez ignaciobermudez at gmail.com
Mon Jul 7 20:31:06 EEST 2014


The problem has been fixed after installing Libreswan 3.8, available
on GitHub.
I had some compatibility issues with the configurations that made
Libreswan crash with segmentation fault errors, but once removed it
worked perfectly.

On Wed, Jul 2, 2014 at 12:41 PM, Ignacio Bermudez
<ignaciobermudez at gmail.com> wrote:
> Yes, you are right. This is ESP over UDP. Let me try then Libreswan
> and see if it gets solved or not.
>
> On Wed, Jul 2, 2014 at 11:19 AM, Paul Wouters <paul at nohats.ca> wrote:
>> On Wed, 2 Jul 2014, Ignacio Bermudez wrote:
>>
>>> Regarding the ESP messages with extra 4 bytes, I don't know the
>>> answer. The format of ESP according to Wireshark dissector is:
>>>
>>> bytes 0-3 (4 bytes): ESP SPI
>>> bytes 4-7 (4 bytes): ESP Sequence
>>> rest only encrypted payload
>>
>>
>>> Probably I forgot to add that the iPhone device is connected behind a
>>> NAT.
>>
>>
>> which means you should have UDP 4500 packets with embedded ESP packet.
>> In the UDP packet, for ESP it uses a "spi" of 00 00 00 00, to indicate
>> this is really an ESPinUDP and not an IKE UDP 4500 packet. This is where
>> I sometimes see 8x 00 bytes and a mismatch in the IKE header length
>> specified in the packet, compared to the packet size.
>>
>>
>>> Anyway, if you know that the ESP sequence number is set by the kernel,
>>> then I would need to patch the kernel. Do you know about any patch
>>> related to these ESP seq. numbers? However, I have doubts about the
>>> kernel issue, because when I restart ipsec the ESP number seems to be
>>> reset and iPhones can connect again.
>>
>>
>> Restarting clears out any state, so it can still be the kernel....
>>
>> I suspect this is related to replacing existing connections, when your
>> iphone reconnects. Possibly due to the NAT tracking.
>>
>>
>>> I would consider trying Libreswan 3.9rc1, but I prefer to stick with
>>> packages coming from the Ubuntu official repository as much as possible.
>>
>>
>> well, openswan packages are pretty unmaintained for the last few years
>> to the point where the last two security releases for openswan came
>> via me (and I haven't contributed to openswan directly since late 2011)
>>
>> We are still looking for a debian/ubuntu maintainer willing to put
>> libreswan through the packaging process. The debian/ directory already
>> exists in the source and has been tested to build properly for various
>> people.
>>
>> testing with libreswan would still be useful for us to know better
>> where to look. Even if you then roll back to openswan for your own
>> reasons.
>>
>> Paul
>
>
>
> --
> ~~~~~~~~~~~~~~~
> Ignacio Bermudez.
> Linux User #414540
> ~~~~~~~~~~~~~~~



-- 
~~~~~~~~~~~~~~~
Ignacio Bermudez.
Linux User #414540
~~~~~~~~~~~~~~~
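
An added example, not part of the original thread: a small Python helper for checking captured UDP/4500 payloads for the kind of ESP sequence anomaly discussed here. It assumes RFC 3948 framing (a single 0xFF byte is a NAT keepalive, four leading zero bytes mark an IKE message, anything else is ESP with the SPI in bytes 0-3 and the sequence number in bytes 4-7); the function names and the sample payloads are constructed for illustration.

```python
import struct

def classify_udp4500(payload):
    """Classify one UDP/4500 payload; returns (kind, spi, seq)."""
    if payload == b"\xff":
        return ("nat-keepalive", None, None)
    if len(payload) < 8:
        return ("malformed", None, None)
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        # Four zero bytes: non-ESP marker, an IKE message follows.
        return ("ike", None, None)
    return ("esp", spi, seq)

def audit_sequences(payloads):
    """Payloads must come from one sender, in capture order.
    Returns (index, spi, highest_seq_seen, seq) for every ESP packet whose
    sequence number does not increase within its SPI. Mild reordering on
    the wire also shows up here, so treat hits as packets to inspect."""
    last, findings = {}, []
    for i, p in enumerate(payloads):
        kind, spi, seq = classify_udp4500(p)
        if kind != "esp":
            continue
        prev = last.get(spi)
        if prev is not None and seq <= prev:
            findings.append((i, spi, prev, seq))
        else:
            last[spi] = seq
    return findings

def make_esp(spi, seq, body=b"\x00" * 16):
    # Constructed ESP header plus dummy ciphertext.
    return struct.pack("!II", spi, seq) + body

# Constructed sample capture (payloads only, one direction).
SAMPLE = [
    b"\x00\x00\x00\x00" + b"\x11" * 28,  # IKE behind non-ESP marker
    make_esp(0xC0FFEE01, 1),
    make_esp(0xC0FFEE01, 2),
    b"\xff",                             # NAT keepalive
    make_esp(0xC0FFEE01, 3),
    make_esp(0xC0FFEE01, 1),             # sequence restarted on same SPI
    make_esp(0xC0FFEE02, 1),             # new SPI starting at 1 is normal
]

if __name__ == "__main__":
    for idx, spi, prev, seq in audit_sequences(SAMPLE):
        print(f"packet {idx}: SPI {spi:#010x} seq {seq} after {prev}")
```
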

