On Thu, 24 Jul 2014, Wolfgang Nothdurft wrote:
> I actually have a problem with one provider, an iPad, xauth and IKE frag.
> Unfortunately the UMTS provider seems to drop the certificate sent by
> libreswan as reply to the client certificate which was sent properly without
> IKE fragmentation.
> See attached log.
>
> The problem is now that libreswan already changed to the state STATE_XAUTH_R0
> and can't handle a retransmit on duplicate.
>
> Sure, the simple way is to set ike-frag=force, but I would like libreswan to
> do it automatically.
> I've tried different ways to modify the code to change the state back to
> MAIN_R3, but without success.
>
> Is the actual behaviour a bug or is it impossible to switch back from
> XAUTH_R0 to MAIN_R3 to resend the certificate?

Am I correct in that you are asking that if we are in STATE_XAUTH_R0 and
we are receiving a duplicate, we should attempt to go back to MAIN_R3
and retry sending our previous packet in fragments (if ike_frag= is not
"no")?

Just going back to MAIN_R3 would not help.

I wonder if we need a state-independent fallback mechanism where we can
change a "retransmit" into a "fragment-then-retransmit" without
flip-flopping the state?

Although this will be harder to do in the IKEv2 draft for fragmentation.

Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
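
An added sketch of the "fragment-then-retransmit" idea from the reply above, not part of the original thread and not libreswan code: the duplicate handler resends the stored last packet in pieces and only reads the exchange state. All type and function names are hypothetical, and the 4-byte fragment header is a placeholder rather than the IKE fragmentation payload format.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical names throughout; not libreswan code. */
enum frag_policy { FRAG_NO, FRAG_YES, FRAG_FORCE };
struct exchange {
    int state;                  /* IKE state; the retransmit path only reads it */
    enum frag_policy policy;    /* local fragmentation setting */
    int peer_frag_ok;           /* peer announced fragmentation support */
    const unsigned char *last;  /* last packet sent, kept for retransmits */
    size_t last_len;
};
struct tally { size_t datagrams, largest; };  /* what the stand-in sender saw */
typedef void (*send_fn)(const unsigned char *, size_t, void *);
static void tally_send(const unsigned char *buf, size_t len, void *ctx)
{
    struct tally *t = ctx;
    (void)buf; t->datagrams++;
    if (len > t->largest) t->largest = len;
}
/* On a duplicate: resend x->last, fragmented if allowed. Returns datagrams sent. */
static size_t on_duplicate(const struct exchange *x, size_t max_dgram,
                           send_fn send, void *ctx)
{
    unsigned char out[1500];
    size_t off = 0, sent = 0, room;
    if (x->policy == FRAG_NO || !x->peer_frag_ok || x->last_len <= max_dgram) {
        send(x->last, x->last_len, ctx);          /* plain retransmit */
        return 1;
    }
    if (max_dgram <= 4 || max_dgram > sizeof(out)) return 0;
    room = max_dgram - 4;                         /* 4-byte placeholder header */
    if ((x->last_len + room - 1) / room > 255) return 0;
    while (off < x->last_len) {
        size_t n = x->last_len - off < room ? x->last_len - off : room;
        out[0] = 0; out[1] = 1;                   /* fragment id (constructed) */
        out[2] = (unsigned char)(sent + 1);       /* fragment number, 1-based */
        out[3] = (off + n == x->last_len);        /* last-fragment flag */
        memcpy(out + 4, x->last + off, n);
        send(out, n + 4, ctx);
        off += n; sent++;
    }
    return sent;
}
int main(void)
{
    static unsigned char pkt[3000];               /* constructed oversized reply */
    struct exchange x = { 0, FRAG_YES, 1, pkt, sizeof(pkt) };
    struct tally t = { 0, 0 };
    printf("%zu datagrams\n", on_duplicate(&x, 576, tally_send, &t));
}
```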