Bug #1239
Updated by Tobias Brunner almost 5 years ago
Hi everyone:
I use a smartphone(Andriod 5.0.2) as a client to create a L2TPoverIPsec VPN with a server(using strongswan5.3.3)。
The ipsec.conf is like this:
<pre>
config @config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
aggressive=yes
conn net-net
type=transport
left=192.168.0.132
leftsubnet=0.0.0.0/0
#leftid=@sun
leftid=@#313233
leftfirewall=yes
right=192.168.0.124
rightsubnet=0.0.0.0/0
#rightid=@moon
#rightid=192.168.0.124
rightid=@#313233
auto=add
</pre> @
On the phone,I created a L2tpOverIPsec VPN.The IPsec identity is "123"。
When I use dialed the VPN,I found the phone use Aggressive-Mode. Strongswan replied the second message,
and the phone never sent the third message.
<pre>
phone<initiator> --------------------- strongswan<responder>
first message ---->
<----- second message
third messge X
</pre>
I checked the phone's log :
<pre>
E/racoon (16015): ignore the packet, received unexpecting payload type 20.
</pre>
Type 20 is NAT-D.
In the message.c,the payloads order is like this:
<pre>
[ SA KE No ID NAT-D NAT-D HASH V V V]
</pre>
But in RFC3947 , the order like this:
<pre>
Initiator Responder
------------ ------------
UDP(500,500) HDR, SA, KE,
Ni, IDii, VID -->
<-- UDP(500,X) HDR, SA, KE,
Nr, IDir, [CERT, ],
VID, NAT-D, NAT-D,
SIG_R
</pre>
When I modifed the order in message.c, and dailed again,the IKE_SA was established.
The new order: @[ [ SA KE No ID V V V NAT-D NAT-D HASH ]@ ]
So please check the aggressive_r_order in message.c if this is a bug.
Thanks.
I use a smartphone(Andriod 5.0.2) as a client to create a L2TPoverIPsec VPN with a server(using strongswan5.3.3)。
The ipsec.conf is like this:
<pre>
config @config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
aggressive=yes
conn net-net
type=transport
left=192.168.0.132
leftsubnet=0.0.0.0/0
#leftid=@sun
leftid=@#313233
leftfirewall=yes
right=192.168.0.124
rightsubnet=0.0.0.0/0
#rightid=@moon
#rightid=192.168.0.124
rightid=@#313233
auto=add
</pre> @
On the phone,I created a L2tpOverIPsec VPN.The IPsec identity is "123"。
When I use dialed the VPN,I found the phone use Aggressive-Mode. Strongswan replied the second message,
and the phone never sent the third message.
<pre>
phone<initiator> --------------------- strongswan<responder>
first message ---->
<----- second message
third messge X
</pre>
I checked the phone's log :
<pre>
E/racoon (16015): ignore the packet, received unexpecting payload type 20.
</pre>
Type 20 is NAT-D.
In the message.c,the payloads order is like this:
<pre>
[ SA KE No ID NAT-D NAT-D HASH V V V]
</pre>
But in RFC3947 , the order like this:
<pre>
Initiator Responder
------------ ------------
UDP(500,500) HDR, SA, KE,
Ni, IDii, VID -->
<-- UDP(500,X) HDR, SA, KE,
Nr, IDir, [CERT, ],
VID, NAT-D, NAT-D,
SIG_R
</pre>
When I modifed the order in message.c, and dailed again,the IKE_SA was established.
The new order: @[ [ SA KE No ID V V V NAT-D NAT-D HASH ]@ ]
So please check the aggressive_r_order in message.c if this is a bug.
Thanks.