Yes, I'm using openswan2.6.37-1 installed using apt-get on Ubuntu. I guess I'm facing symptoms as https://lists.openswan.org/pipermail/users/2012-December/022043.html and http://blog.gmane.org/gmane.network.openswan.user/month=20121201, but as nobody have analyzed the packet traces it's difficult to say whether it is the same problem or not.
Regarding the ESP messages with extra 4 bytes, I don't know the answer. The format of ESP according to Wireshark dissector is: bytes 0-3 (4 bytes): ESP SPI bytes 4-7 (4 bytes): ESP Sequence rest only encrypted payload Last 4 bytes are random and never zero bytes. Probably I forgot to add that the iPhone device is connected behind a NAT. Anyways, if you know that ESP sequence number is set by kernel, then I would need to patch the kernel. Do you know about any patch related with this ESP seq. numbers? However, I have doubts about the kernel issue, because when I restart ipsec the ESP number seems to be reset and iPhones can connect again. I would consider to try Libreswan 3.9rc1, but I prefer to stick with packages coming from Ubuntu official repository as much as possible. On Mon, Jun 30, 2014 at 6:00 PM, Paul Wouters <[email protected]> wrote: > On Mon, 30 Jun 2014, Ignacio Bermudez wrote: > >> Subject: [Swan] ESP wrong sequence with iOS, >> L2P/IPSEC configuration in Ubuntu/Openswan2.6.37-1 > > > So I think you are using openswan, but let me know if you are not. > > >> On successful communications I noticed that the device sends the first ESP >> message with Sequence number 1. Then >> the VPN server will communicate also with this sequence number. >> >> On failing communications the iOS device sends the first ESP message with >> sequence number 1, but server replies >> ESP with with a wrong ESP sequence number. > > > Thanks for the debugging work! > > The sequence numbers are dealt with in the kernel, so the userland > (whether libreswan or openswan) does not set any of this. However, > perhaps there is a problem with "replacing" an existing connection > and updating the kernel state? Libreswan did fix a few bugs related > to rekeying and replacing connections. Could you try libreswan 3.9rc1 > and see if the problem is still there? > > Have you seen any udp 4500 (ESPinUDP) packets with an extra 4 zero bytes > by any chance? That is a problem I do sometimes have with iphones on > some LTE networks and I haven't fully figured that problem out yet > either. > > >> I noticed that many people have a similar issue with iOS, but I couldn't >> find any proper answer or a way to >> solve this. > > > Do you have those references? It would be interesting to read. A quick > google search didn't give me anything. > > Paul -- ~~~~~~~~~~~~~~~ Ignacio Bermudez. Linux User #414540 ~~~~~~~~~~~~~~~ _______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
