Yes, you are right. This is ESP over UDP. Let me try Libreswan then and see if it gets solved or not.
On Wed, Jul 2, 2014 at 11:19 AM, Paul Wouters <[email protected]> wrote:
> On Wed, 2 Jul 2014, Ignacio Bermudez wrote:
>
>> Regarding the ESP messages with extra 4 bytes, I don't know the
>> answer. The format of ESP according to Wireshark dissector is:
>>
>> bytes 0-3 (4 bytes): ESP SPI
>> bytes 4-7 (4 bytes): ESP Sequence
>> rest only encrypted payload
>
>> Probably I forgot to add that the iPhone device is connected behind a
>> NAT.
>
> which means you should have UDP 4500 packets with embedded ESP packet.
> In the UDP packet, for ESP it uses a "spi" of 00 00 00 00, to indicate
> this is really an ESPinUDP and not an IKE UDP 4500 packet. This is where
> I sometimes see 8x 00 bytes and a mismatch in the IKE header length
> specified in the packet, compared to the packet size.
>
>> Anyways, if you know that ESP sequence number is set by kernel,
>> then I would need to patch the kernel. Do you know about any patch
>> related to these ESP seq. numbers? However, I have doubts about the
>> kernel issue, because when I restart ipsec the ESP number seems to be
>> reset and iPhones can connect again.
>
> Restarting clears out any state, so it can still be the kernel....
>
> I suspect this is related to replacing existing connections, when your
> iPhone reconnects. Possibly due to the NAT tracking.
>
>> I would consider to try Libreswan 3.9rc1, but I prefer to stick with
>> packages coming from Ubuntu official repository as much as possible.
>
> well, openswan packages are pretty unmaintained for the last few years
> to the point where the last two security releases for openswan came
> via me (and I haven't contributed to openswan directly since late 2011)
>
> We are still looking for a debian/ubuntu maintainer willing to put
> libreswan through the packaging process. The debian/ directory already
> exists in the source and has been tested to build properly for various
> people.
>
> testing with libreswan would still be useful for us to know better
> where to look. Even if you then roll back to openswan for your own
> reasons.
>
> Paul

-- 
~~~~~~~~~~~~~~~
Ignacio Bermudez.
Linux User #414540
~~~~~~~~~~~~~~~
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
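An added example, not code from the thread, Openswan or Libreswan: it dissects UDP/4500 payloads the way the quoted Wireshark layout describes, following RFC 3948 (a leading four-zero-byte Non-ESP Marker means an IKE header follows; otherwise bytes 0-3 are the ESP SPI and 4-7 the sequence), checks the IKE header length against the packet size, and flags a per-SPI ESP sequence number that goes backwards, which is what an anti-replay window rejects and the reset symptom the thread discusses. The sample packets are constructed, not a real capture.

```python
import struct

# RFC 3948: on UDP/4500 an IKE message is preceded by a four-zero-byte
# Non-ESP Marker; anything else starts directly with the ESP SPI (never 0).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"        # one-byte NAT-keepalive payload (RFC 3948)
IKE_HDR_LEN = 28               # fixed ISAKMP/IKE header size

def classify_udp4500(payload: bytes) -> dict:
    """Dissect one UDP/4500 payload: NAT-keepalive, IKE, or ESP-in-UDP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "runt", "length": len(payload)}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HDR_LEN:
            return {"kind": "ike", "error": "truncated IKE header"}
        ispi, rspi, _np, ver, xchg, _flags, _msgid, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HDR_LEN])
        # length_ok is the "IKE header length vs packet size" check from the thread
        return {"kind": "ike", "ispi": ispi, "rspi": rspi, "major": ver >> 4,
                "exchange": xchg, "hdr_length": length,
                "actual_length": len(ike), "length_ok": length == len(ike)}
    spi, seq = struct.unpack("!II", payload[:8])   # bytes 0-3 SPI, 4-7 sequence
    return {"kind": "esp", "spi": spi, "seq": seq, "payload_len": len(payload) - 8}

def track_esp_sequences(records):
    """Flag ESP packets whose sequence does not increase for their SPI:
    returns (index, spi, highest_seen, seq) for each anomaly."""
    highest, anomalies = {}, []
    for i, r in enumerate(records):
        if r.get("kind") != "esp":
            continue
        spi, seq = r["spi"], r["seq"]
        if spi in highest and seq <= highest[spi]:
            anomalies.append((i, spi, highest[spi], seq))
        highest[spi] = max(highest.get(spi, 0), seq)
    return anomalies

# Constructed sample packets: one IKEv2 IKE_SA_INIT header with no payloads,
# then three ESP packets on one SPI whose sequence goes 1, 2, 1 (a reset).
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0, 0, 0x20, 34, 0x08, 0, IKE_HDR_LEN)
SAMPLE_ESP = [struct.pack("!II", 0xC0FFEE01, n) + b"\xaa" * 16 for n in (1, 2, 1)]

if __name__ == "__main__":
    records = [classify_udp4500(p) for p in (NAT_KEEPALIVE, SAMPLE_IKE, *SAMPLE_ESP)]
    for r in records:
        print(r)
    print("sequence anomalies:", track_esp_sequences(records))
```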
