[Swan] OSX Server interop patch, was Re: Connecting to OS X Server

Ali Gangji ali at neonrain.com
Tue Jan 13 02:48:27 EET 2015


So I stopped ipsec, applied the patch, ran make programs and sudo make
install, and restarted ipsec. I still get the same message about the
unknown value 16777216.

On Sun, Jan 11, 2015 at 9:24 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Sun, 11 Jan 2015, Ali Gangji wrote:
>
>  Date: Sun, 11 Jan 2015 12:47:04
>> 004 "ner" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
>
> So this is good. phase1 is up. Better than your phase1 errors before.
>
>> 117 "ner" #2: STATE_QUICK_I1: initiate
>
> starting phase2....
>
>> 003 "ner" #2: DOI of ISAKMP Notification Payload has an unknown value: 16777216
>
> So the DOI (Domain of Interpretation) is a 4 octet value. It can either
> contain 0 for ISAKMP or 1 for IPsec.
>
> See: http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-19
>
> So 16777216 is pretty wrong. Note that this value in hex is 0x1000000.
> So this makes me believe that the other end screwed up network and host
> order:
>
> $ python
> Python 2.7.5 (default, Nov  3 2014, 14:33:39) [GCC 4.8.3 20140911 (Red Hat 4.8.3-7)] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> hex(16777216)
> '0x1000000'
> >>> import socket
> >>> socket.htonl(1)
> 16777216L
>
> So this looks like an OSX server bug. Please try the attached patch,
>
> Note this will only ignore their bad value on our end. If you reverse
> directions, things might still break if they don't like a real 1 and
> insist on 16777216.
>
> Paul
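
The byte-order mix-up described above, as an added example that is not part of the original thread and is not the attached libreswan patch: a Python 3 parser for the fixed part of an ISAKMP Notification payload (layout per RFC 2408 section 3.14) that flags a DOI which only becomes valid when its four octets are read in the opposite order. The function names, the `build_notify` helper and the sample protocol-id and notify-type values are constructed for illustration.

```python
import struct

# DOI values named in the thread: 0 for ISAKMP, 1 for IPsec.
KNOWN_DOI = {0: "ISAKMP", 1: "IPSEC"}

# RFC 2408 section 3.14 fixed part, network byte order: next payload, reserved,
# payload length, DOI, protocol-id, SPI size, notify message type (12 octets).
NOTIFY_HDR = struct.Struct("!BBHIBBH")

def classify_doi(doi):
    """Return (status, effective_doi) for a DOI already read in network order."""
    if doi in KNOWN_DOI:
        return "ok", doi
    # Re-read the same four octets in the opposite byte order.
    swapped = struct.unpack("<I", struct.pack(">I", doi))[0]
    if swapped in KNOWN_DOI:
        return "byte-swapped", swapped
    return "unknown", doi

def parse_notify(payload):
    """Parse one Notification payload; raise ValueError on malformed lengths."""
    if len(payload) < NOTIFY_HDR.size:
        raise ValueError("payload shorter than fixed Notification header")
    _np, _rsv, length, doi, proto, spi_size, ntype = NOTIFY_HDR.unpack_from(payload)
    if length < NOTIFY_HDR.size + spi_size or length > len(payload):
        raise ValueError("bad payload length field")
    status, effective = classify_doi(doi)
    body = payload[NOTIFY_HDR.size:length]
    return {
        "doi_on_wire": doi,          # value as a correct receiver reads it
        "doi_status": status,        # ok / byte-swapped / unknown
        "doi_effective": effective,  # value after tolerating the swap
        "protocol_id": proto,
        "notify_type": ntype,
        "spi": body[:spi_size],
        "data": body[spi_size:],
    }

def build_notify(doi_bytes, proto, ntype, spi=b"", data=b""):
    """Constructed helper: build a payload carrying the given raw DOI octets."""
    length = NOTIFY_HDR.size + len(spi) + len(data)
    return (struct.pack("!BBH", 0, 0, length) + doi_bytes +
            struct.pack("!BBH", proto, len(spi), ntype) + spi + data)

if __name__ == "__main__":
    # Constructed sample: DOI 1 written least-significant octet first.
    print(parse_notify(build_notify(b"\x01\x00\x00\x00", 3, 24576, b"\xaa\xbb\xcc\xdd")))
```

Reporting the status separately from the effective value lets a receiver log the peer's malformed DOI while still deciding, as a local policy choice, whether to tolerate it.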