<div dir="ltr"><div><div><div><div><div>Hi,<br><br></div>I did setup Openswan following tutorial <a href="https://help.ubuntu.com/community/L2TPServer" target="_blank">https://help.ubuntu.com/community/L2TPServer</a>. This configuration already includes Dead Peer Detection for iOS by adding these 3 lines:<br>
<pre> # Apple iOS doesn't send delete notify so we need dead peer detection
<span class="" id="line-19"></span> # to detect vanishing clients
<span class="" id="line-20"></span> dpddelay=30
<span class="" id="line-21"></span> dpdtimeout=120
<span class="" id="line-22"></span> dpdaction=clear<br><br></pre></div>It works well for Android devices and laptops connecting to VPN, but for iOS works weird.<br>
</div>Sometimes I can disconnect and reconnect several times, but at some point it's impossible and the VPN needs to be restarted.<br><br></div>I did some debugging on the Auth.log and all connections reach the point<br>
<br></div><div>[auth.log]<br></div><div>transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br><br>STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0c2270ad <0xba26054a xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=X.Y.Z.W:63445 DPD=enabled}<br>
</div><div>[/auth.log]<br><br></div><div>Even connections coming from iOS devices reach to that point.<br><br></div><div>The problem:<br>-------------------<br><br></div><div>I collected traffic and analyzed using Wireshark to understand the problem. At the beginning there is an exchange of keys through ISAKMP, after that there is encrypted communication between VPN server and device.<br>
<br></div><div>On successful communications I noticed that the device sends the first ESP message with Sequence number 1. Then the VPN server will communicate also with this sequence number.<br><br><br></div><div>On failing communications the iOS device sends the first ESP message with sequence number 1, but server replies ESP with with a wrong ESP sequence number. As response to the wrong sequence number, the device replies ICMP destination unreachable (port unreachable) messages back to the server. The payload of ICMP messages are the "corrupted" ESP messages coming from server.<br>
</div><div>The server does not update the sequence number and after some tries the iOS device sends Delete SA payload to server and closes communication.<br></div><div>On the other side iOS displays that the server in not reachable or it's not up.<br>
</div><div><br><br></div><div>---------------------<br><br></div><div>I noticed that many people have a similar issue with iOS, but I couldn't find any proper answer or a way to solve this.<br><br></div><div>Is this a normal behavior of the VPN server? If it is, is there any possible way to patch the server or set the right configuration in order to reply with the sequence numbers required by iOS devices?<br>
<br></div><div><br></div><div>Thank you!<br></div><div>Ignacio.<br></div></div>