On Fri, 5 Dec 2014, Wolfgang Nothdurft wrote:
[Wolfgang confirmed this still happens with 3.12]
The same connection works from one net without problems, but if trying from
another net, the connection can't be established.
After examining the log, the problem seems to be that the iPhone gets the xauth
login request before finishing phase one.
Must be related to packet size? I thought telcos did in-order delivery :P
Dec 5 13:10:58 iPad-von-roe racoon[455] <Error>: mode config 6 from
xxx.x.xx.xxx[4500], but ISAKMP-SA 23dc52d8e2241e77:1ce13e6f0962d19e isn't
established.
Dec 5 13:10:58 iPad-von-roe racoon[455] <Notice>: IPSec Phase 1 established
(Initiated by me).
See attached logs from both sides.
A quick and dirty workaround was putting a delay before xauth_send_request.
See attached patch.
I guess ideally, this should be scheduled as a new EVENT .5 seconds in
the future. That way pluto does not mindlessly block. Currently we only
allow 1s precision, so it would be 1s. And we would need a new state
for this and a state machine entry.
Paul
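
A log check for the ordering problem discussed in this thread, as an added example that is not part of the original mail or of libreswan: it flags a mode config message that racoon rejected because the ISAKMP-SA was not yet established, when the same racoon process logs Phase 1 completion shortly afterwards. The function name, the `max_gap` threshold and the assumption that all lines follow the syslog layout quoted above are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: the two racoon lines quoted in the mail, re-joined onto
# single lines (peer address left masked as in the mail).
SAMPLE_LOG = (
    "Dec 5 13:10:58 iPad-von-roe racoon[455] <Error>: mode config 6 from "
    "xxx.x.xx.xxx[4500], but ISAKMP-SA 23dc52d8e2241e77:1ce13e6f0962d19e "
    "isn't established.\n"
    "Dec 5 13:10:58 iPad-von-roe racoon[455] <Notice>: IPSec Phase 1 "
    "established (Initiated by me).\n"
)

PREFIX = (r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)"
          r"\s+racoon\[(?P<pid>\d+)\]\s+")
EARLY = re.compile(PREFIX + r".*mode config \d+ from .*but ISAKMP-SA "
                   r"(?P<sa>[0-9a-f]{16}:[0-9a-f]{16}) isn't established")
DONE = re.compile(PREFIX + r".*IPSec Phase 1 established")


def _when(ts):
    # syslog timestamps carry no year; pin a leap year so "Feb 29" parses.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")


def find_early_mode_config(log_text, max_gap=2.0):
    """Return one finding per rejected mode config message that is followed,
    within max_gap seconds and from the same racoon process, by Phase 1
    completion (hypothetical helper, threshold chosen for illustration)."""
    pending = {}   # (host, pid) -> (timestamp, SA cookie pair)
    findings = []
    for line in log_text.splitlines():
        m = EARLY.match(line)
        if m:
            pending[(m["host"], m["pid"])] = (_when(m["ts"]), m["sa"])
            continue
        m = DONE.match(line)
        if m and (m["host"], m["pid"]) in pending:
            seen, sa = pending.pop((m["host"], m["pid"]))
            gap = (_when(m["ts"]) - seen).total_seconds()
            if 0 <= gap <= max_gap:
                findings.append({"host": m["host"], "sa": sa, "gap_s": gap})
    return findings


if __name__ == "__main__":
    for finding in find_early_mode_config(SAMPLE_LOG):
        print(finding)
```
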