The problem has been fixed after installing Libreswan 3.8, the Libreswan version available on Github. I had some compatibility issues with the configurations that made Libreswan crash with segmentation fault errors, but once those were removed it worked perfectly.
On Wed, Jul 2, 2014 at 12:41 PM, Ignacio Bermudez <[email protected]> wrote:
> Yes, you are right. This is ESP over UDP. Let me try then Libreswan
> and see if it gets solved or not.
>
> On Wed, Jul 2, 2014 at 11:19 AM, Paul Wouters <[email protected]> wrote:
>> On Wed, 2 Jul 2014, Ignacio Bermudez wrote:
>>
>>> Regarding the ESP messages with extra 4 bytes, I don't know the
>>> answer. The format of ESP according to Wireshark dissector is:
>>>
>>> bytes 0-3 (4 bytes): ESP SPI
>>> bytes 4-7 (4 bytes): ESP Sequence
>>> rest only encrypted payload
>>
>>> Probably I forgot to add that the iPhone device is connected behind a
>>> NAT.
>>
>> which means you should have UDP 4500 packets with embedded ESP packet.
>> In the UDP packet, for ESP it uses a "spi" of 00 00 00 00, to indicate
>> this is really an ESPinUDP and not an IKE UDP 4500 packet. This is where
>> I sometimes see 8x 00 bytes and a mismatch in the IKE header length
>> specified in the packet, compared to the packet size.
>>
>>> Anyways, if you know that ESP sequence number is set by kernel,
>>> then I would need to patch the kernel. Do you know about any patch
>>> related with this ESP seq. numbers? However, I have doubts about the
>>> kernel issue, because when I restart ipsec the ESP number seems to be
>>> reset and iPhones can connect again.
>>
>> Restarting clears out any state, so it can still be the kernel....
>>
>> I suspect this is related to replacing existing connections, when your
>> iphone reconnects. Possibly due to the NAT tracking.
>>
>>> I would consider to try Libreswan 3.9rc1, but I prefer to stick with
>>> packages coming from Ubuntu official repository as much as possible.
>>
>> well, openswan packages are pretty unmaintained for the last few years
>> to the point where the last two security releases for openswan came
>> via me (and I haven't contributed to openswan directly since late 2011)
>>
>> We are still looking for a debian/ubuntu maintainer willing to put
>> libreswan through the packaging process. The debian/ directory already
>> exists in the source and has been tested to build properly for various
>> people.
>>
>> testing with libreswan would still be useful for us to know better
>> where to look. Even if you then roll back to openswan for your own
>> reasons.
>>
>> Paul
>
> --
> ~~~~~~~~~~~~~~~
> Ignacio Bermudez.
> Linux User #414540
> ~~~~~~~~~~~~~~~

--
~~~~~~~~~~~~~~~
Ignacio Bermudez.
Linux User #414540
~~~~~~~~~~~~~~~
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
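The thread above turns on telling IKE apart from ESP inside UDP port 4500 datagrams, and on the "8x 00 bytes" plus IKE-length mismatch that Paul reports seeing. The following classifier is an added example written for this page; it is not code from the thread, from Libreswan or from Wireshark. It follows the on-wire layout of RFC 3948 (a four-byte Non-ESP Marker of zeros precedes an IKE header on port 4500; an ESP-in-UDP packet begins directly with its SPI, which RFC 4303 never allows to be zero) and the ESP header layout quoted from the Wireshark dissector (SPI in bytes 0-3, sequence number in bytes 4-7). The function names and the sample datagrams are constructed for the example; none of the bytes are captures from the reporter's setup.

```python
import struct

# Wire constants from RFC 3948 (UDP encapsulation of ESP) and the IKE/ISAKMP fixed header.
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes an IKE message on UDP 4500
NAT_KEEPALIVE = b"\xff"                # one-byte NAT-T keepalive
IKE_HEADER_LEN = 28                    # iSPI(8) rSPI(8) next(1) ver(1) exch(1) flags(1) msgid(4) length(4)


def classify_udp4500_payload(payload: bytes) -> dict:
    """Classify one UDP-4500 payload as keepalive, IKE or ESP and flag anomalies.

    Because ESP's SPI is never zero on the wire, a payload that starts with four
    zero bytes is IKE; any other payload of at least 8 bytes is ESP, whose first
    two 32-bit fields are the SPI and the sequence number (per the layout quoted
    in the thread). For IKE, the header's Length field is compared with the
    bytes actually present, which is the mismatch described in the thread.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "runt", "length": len(payload)}

    leading_zeros = len(payload) - len(payload.lstrip(b"\x00"))

    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "ike", "error": "truncated IKE header",
                    "leading_zero_bytes": leading_zeros, "suspicious": True}
        (ispi, rspi, next_payload, version, exchange,
         flags, msg_id, length) = struct.unpack("!QQBBBBII", ike[:IKE_HEADER_LEN])
        length_ok = length == len(ike)
        return {
            "kind": "ike",
            "initiator_spi": ispi,
            "responder_spi": rspi,
            "version": f"{version >> 4}.{version & 0xF}",
            "exchange_type": exchange,
            "ike_length_field": length,
            "actual_ike_length": len(ike),
            "length_ok": length_ok,
            "leading_zero_bytes": leading_zeros,
            # The two symptoms from the thread: a run of 8 zero bytes, or a Length
            # field that disagrees with the datagram size.
            "suspicious": (not length_ok) or leading_zeros >= 8,
        }

    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq,
            "encrypted_len": len(payload) - 8, "suspicious": False}


def build_samples() -> dict:
    """Constructed datagrams for the example (not packets from the reporter's capture)."""
    esp = struct.pack("!II", 0x12345678, 7) + b"\xaa" * 16
    # IKEv2 IKE_SA_INIT header: next payload 33 (SA), version 2.0, exchange 34, Initiator flag.
    ike_hdr = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
    good_ike = NON_ESP_MARKER + ike_hdr
    # Same header, but its Length field claims 100 bytes while only 28 are present.
    bad_ike = NON_ESP_MARKER + ike_hdr[:24] + struct.pack("!I", 100)
    # Eight zero bytes in front of an otherwise plausible IKE tail: the ambiguous shape from the thread.
    eight_zero = b"\x00" * 8 + ike_hdr[4:]
    return {"esp": esp, "good_ike": good_ike, "bad_ike": bad_ike,
            "eight_zero": eight_zero, "keepalive": NAT_KEEPALIVE}


if __name__ == "__main__":
    for name, datagram in build_samples().items():
        print(f"{name:10s} -> {classify_udp4500_payload(datagram)}")
```

Fed the UDP payloads from a capture of port 4500 (for instance via a pcap reader), the `suspicious` flag isolates exactly the datagrams worth looking at when connections stop re-establishing behind NAT: IKE messages whose Length field does not match what arrived, and payloads whose leading run of zeros is longer than the marker alone explains.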
