[Openswan dev] [IPsec] iOSX 5.x and IOX Lion's use of UDP_ENCAP problem (fwd)

Paul Wouters paul at nohats.ca
Thu Feb 16 10:31:34 EST 2012 


---------- Forwarded message ----------
Date: Thu, 16 Feb 2012 09:49:32
From: Yoav Nir <ynir at checkpoint.com>
Cc: "ipsec at ietf.org" <ipsec at ietf.org>, Tero Kivinen <kivinen at iki.fi>
To: Paul Wouters <pwouters at redhat.com>
Subject: Re: [IPsec] iOSX 5.x and IOX Lion's use of UDP_ENCAP problem
X-Spam-Flag: NO


On Feb 16, 2012, at 4:43 PM, Paul Wouters wrote:

> On Thu, 16 Feb 2012, Yoav Nir wrote:
>
>>> Are you really telling me they are using a private numbers from the
>>> internet draft that expired more than 10 years ago, and which is not
>>> compatible with the RFC3947 (which (which was published January 2005,
>>> i.e. 7 years ago).
>>
>> They don't always do that. But looking at their MainMode packet 1 in wireshark, They send the following VIDs:
>> - RFC 3947 Negotiation of the NAT-Traversal in the IKE
>> - draft-ietf-ipsec-nat-t-ike
>> - draft-ietf-ipsec-nat-t-ike-08
>> - draft-ietf-ipsec-nat-t-ike-07
>> - draft-ietf-ipsec-nat-t-ike-06
>> - draft-ietf-ipsec-nat-t-ike-05
>> - draft-ietf-ipsec-nat-t-ike-04
>> - draft-ietf-ipsec-nat-t-ike-03
>> - draft-ietf-ipsec-nat-t-ike-02
>> - draft-ietf-ipsec-nat-t-ike-02\n
>> - RFC 3706 DPD (Dead Peer Detection)
>>
>> I guess what they later do depends on what VID they get in the reply. There were quite a few versions of Windows server that returned 90cb80…427b1f (draft-ietf-ipsec-nat-t-ike-02\n), so maybe Paul's implementation was a surprise for iOS.
>
> I'll make sure this is not an implementation issue on our side.
>
> Did any large deployment switch to removing all the draft VIDs? If so,
> how many problems did that cause? I'd be happy to remove the ancient
> drat cruft, especially if it increases interoperability.

Our implementation supports the RFC and "draft-02\n", which is what Microsoft clients added in some service pack of XP.  We reply according to the last recognized NAT-T VID, which in this case is the draft-02\n one.

When we do this, we don't get any weird encapsulation modes like you do.  Do you reply with the RFC one?

Yoav

_______________________________________________
IPsec mailing list
IPsec at ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

More information about the Dev mailing list