[Openswan dev] [IPsec] iOSX 5.x and IOX Lion's use of UDP_ENCAP problem (fwd)

Paul Wouters paul at nohats.ca
Thu Feb 16 10:31:34 EST 2012

---------- Forwarded message ----------
Date: Thu, 16 Feb 2012 09:49:32
From: Yoav Nir <ynir at checkpoint.com>
Cc: "ipsec at ietf.org" <ipsec at ietf.org>, Tero Kivinen <kivinen at iki.fi>
To: Paul Wouters <pwouters at redhat.com>
Subject: Re: [IPsec] iOSX 5.x and IOX Lion's use of UDP_ENCAP problem
X-Spam-Flag: NO

On Feb 16, 2012, at 4:43 PM, Paul Wouters wrote:

> On Thu, 16 Feb 2012, Yoav Nir wrote:
>>> Are you really telling me they are using a private numbers from the
>>> internet draft that expired more than 10 years ago, and which is not
>>> compatible with the RFC3947 (which (which was published January 2005,
>>> i.e. 7 years ago).
>> They don't always do that. But looking at their MainMode packet 1 in wireshark, They send the following VIDs:
>> - RFC 3947 Negotiation of the NAT-Traversal in the IKE
>> - draft-ietf-ipsec-nat-t-ike
>> - draft-ietf-ipsec-nat-t-ike-08
>> - draft-ietf-ipsec-nat-t-ike-07
>> - draft-ietf-ipsec-nat-t-ike-06
>> - draft-ietf-ipsec-nat-t-ike-05
>> - draft-ietf-ipsec-nat-t-ike-04
>> - draft-ietf-ipsec-nat-t-ike-03
>> - draft-ietf-ipsec-nat-t-ike-02
>> - draft-ietf-ipsec-nat-t-ike-02\n
>> - RFC 3706 DPD (Dead Peer Detection)
>> I guess what they later do depends on what VID they get in the reply. There were quite a few versions of Windows server that returned 90cb80…427b1f (draft-ietf-ipsec-nat-t-ike-02\n), so maybe Paul's implementation was a surprise for iOS.
> I'll make sure this is not an implementation issue on our side.
> Did any large deployment switch to removing all the draft VIDs? If so,
> how many problems did that cause? I'd be happy to remove the ancient
> drat cruft, especially if it increases interoperability.

Our implementation supports the RFC and "draft-02\n", which is what Microsoft clients added in some service pack of XP.  We reply according to the last recognized NAT-T VID, which in this case is the draft-02\n one.

When we do this, we don't get any weird encapsulation modes like you do.  Do you reply with the RFC one?


IPsec mailing list
IPsec at ietf.org

More information about the Dev mailing list