
Bug #1239

Updated by Tobias Brunner almost 5 years ago

Hi everyone:
I use a smartphone (Android 5.0.2) as a client to create an L2TP over IPsec VPN with a server (using strongSwan 5.3.3).
The ipsec.conf is like this:
<pre>
config setup

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
aggressive=yes

conn net-net
type=transport
left=192.168.0.132
leftsubnet=0.0.0.0/0
#leftid=@sun
leftid=@#313233
leftfirewall=yes
right=192.168.0.124
rightsubnet=0.0.0.0/0
#rightid=@moon
#rightid=192.168.0.124
rightid=@#313233
auto=add
</pre>

On the phone, I created an L2TP over IPsec VPN. The IPsec identity is "123".
When I dialed the VPN, I found the phone uses Aggressive Mode. strongSwan replied with the second message,
and the phone never sent the third message.
<pre>
phone (initiator) --------------------- strongswan (responder)
first message  ---->
               <---- second message
third message    X
</pre>


I checked the phone's log:
<pre>
E/racoon (16015): ignore the packet, received unexpecting payload type 20.
</pre>
Type 20 is NAT-D.
In message.c, the payload order is like this:
<pre>
[ SA KE No ID NAT-D NAT-D HASH V V V ]
</pre>
But in RFC 3947, the order is like this:
<pre>
Initiator                       Responder
------------                    ------------
UDP(500,500) HDR, SA, KE,
  Ni, IDii, VID -->
                                <-- UDP(500,X) HDR, SA, KE,
                                    Nr, IDir, [CERT, ],
                                    VID, NAT-D, NAT-D,
                                    SIG_R
</pre>


When I modified the order in message.c and dialed again, the IKE_SA was established.
The new order: [ SA KE No ID V V V NAT-D NAT-D HASH ]
So please check aggressive_r_order in message.c to see if this is a bug.

Thanks.
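To make the payload-order question concrete, here is an added example (not from the bug report and not strongSwan's own code) that builds a sample ISAKMP aggressive-mode message from a list of payload types, walks the generic payload chain back into the wire order, and checks whether NAT-D sits where the RFC 3947 figure places it (after the vendor IDs, before the authentication payload). The payload type numbers are the standard ISAKMP/RFC 3947 values; the payload bodies and cookies are constructed dummy data.

```python
import struct

# ISAKMP payload type numbers (RFC 2408; NAT-D = 20 from RFC 3947), named as in the report.
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "No", 13: "V", 20: "NAT-D"}
SA, KE, ID, HASH, NONCE, VID, NAT_D = 1, 4, 5, 8, 10, 13, 20
ISAKMP_HDR_LEN = 28  # cookies (16) + next/version/exchange/flags (4) + msgid (4) + length (4)

def build_message(order, body=b"\x00\x00"):
    """Construct a sample ISAKMP aggressive-mode message whose payload chain
    follows `order`; payload bodies and cookies are dummy bytes (constructed data)."""
    payloads = b""
    for i, ptype in enumerate(order):
        nxt = order[i + 1] if i + 1 < len(order) else 0  # next payload 0 = NONE
        payloads += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    hdr = struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8, order[0] if order else 0,
                      0x10, 4, 0, 0, ISAKMP_HDR_LEN + len(payloads))  # exchange 4 = aggressive
    return hdr + payloads

def payload_order(msg):
    """Walk the generic payload headers (next, reserved, length) and return the
    payload types in wire order, refusing truncated or bogus lengths."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    ptype, off, order = msg[16], ISAKMP_HDR_LEN, []
    while ptype != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        order.append(ptype)
        ptype, off = nxt, off + plen
    return order

def describe(order):
    """Render an order the way the report writes it, e.g. '[ SA KE No ID HASH ]'."""
    return "[ " + " ".join(PAYLOAD_NAMES.get(t, str(t)) for t in order) + " ]"

def natd_order_ok(order):
    """RFC 3947 responder layout: NAT-D follows the vendor IDs and precedes the
    authentication payload (HASH with a PSK). Return True if `order` obeys that."""
    natd = [i for i, t in enumerate(order) if t == NAT_D]
    if not natd:
        return True  # no NAT-D present, nothing to check
    last_vid = max((i for i, t in enumerate(order) if t == VID), default=-1)
    auth = [i for i, t in enumerate(order) if t == HASH]
    return min(natd) > last_vid and bool(auth) and max(natd) < auth[0]
```

Running `natd_order_ok` over the two orders quoted in the report returns False for the original `[ SA KE No ID NAT-D NAT-D HASH V V V ]` and True for the modified `[ SA KE No ID V V V NAT-D NAT-D HASH ]`.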
