[Openswan Users] iOS 7 ipsec NAT broken

Curu Wong prinbra at gmail.com
Wed Oct 1 15:34:13 EDT 2014


With Openswan versions after 2.6.38, I am not able to connect my iOS 7
iPad from behind NAT to the VPN server (which has a public IP), but Android
and Windows work well.

However, if I revert Openswan from v2.6.41 to v2.6.37 with exactly the same
config files, everything works fine.

error message:
---------------------------------------------------
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
received Vendor ID payload [RFC 3947] method set to=115
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but
already using method 115
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but
already using method 115
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but
already using method 115
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but
already using method 115
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but
already using method 115
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but
already using method 115
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 115
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 115
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 115
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
ignoring Vendor ID payload [FRAGMENTATION 80000000]
Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
received Vendor ID payload [Dead Peer Detection]
Oct  1 19:21:07 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
responding to Main Mode from unknown peer xxx.xxx.xxx.96
Oct  1 19:21:07 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct  1 19:21:07 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is
NATed
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
switched from "l2tp-ipsec" to "l2tp-ipsec"
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
deleting connection "l2tp-ipsec" instance with peer xxx.xxx.xxx.96
{isakmp=#0/ipsec=#0}
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
new NAT mapping for #1, was xxx.xxx.xxx.96:500, now xxx.xxx.xxx.96:4500
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=aes_256 prf=oakley_sha group=modp1024}
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
Dead Peer Detection (RFC 3706): enabled
Oct  1 19:21:11 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Oct  1 19:21:14 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Oct  1 19:21:18 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
discarding duplicate packet -- exhausted retransmission; already
STATE_MAIN_R3
Oct  1 19:21:30 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
discarding duplicate packet -- exhausted retransmission; already
STATE_MAIN_R3
----

Can anyone please help me out? I want to keep up with the latest version;
I hate to use the old v2.6.37.
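
The following Python is an added example, not part of the original post and not Openswan code: it rejoins the mail-wrapped pluto records and reports how far the IKE negotiation got from the responder's side. The sample is an excerpt of the log quoted above; `unwrap` and `diagnose` are names chosen for this example.

```python
import re

# Excerpt of the pluto log from the post, still wrapped as the mail client left it.
SAMPLE = '''\
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
new NAT mapping for #1, was xxx.xxx.xxx.96:500, now xxx.xxx.xxx.96:4500
Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=aes_256 prf=oakley_sha group=modp1024}
Oct  1 19:21:11 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
retransmitting in response to duplicate packet; already STATE_MAIN_R3
Oct  1 19:21:18 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
discarding duplicate packet -- exhausted retransmission; already
STATE_MAIN_R3
'''

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def unwrap(text):
    """Rejoin wrapped records; a new record starts with a syslog timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def diagnose(text):
    """Summarise the exchange; 'stalled' = phase 1 done, duplicates, no Quick Mode."""
    r = {"last_state": None, "nat_ports": None, "phase1": False,
         "duplicates": 0, "phase2": False}
    for rec in unwrap(text):
        m = re.search(r"transition from state \S+ to state (\S+)", rec)
        if m:
            r["last_state"] = m.group(1)
        m = re.search(r"new NAT mapping for #\d+, was \S+:(\d+), now \S+:(\d+)", rec)
        if m:
            r["nat_ports"] = (int(m.group(1)), int(m.group(2)))
        r["phase1"] |= "ISAKMP SA established" in rec
        r["phase2"] |= "STATE_QUICK_" in rec
        r["duplicates"] += "duplicate packet" in rec
    r["stalled_after_phase1"] = r["phase1"] and r["duplicates"] > 0 and not r["phase2"]
    return r

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On the excerpt it reports phase 1 established, the peer's port moved from 500 to 4500, duplicate packets still arriving, and no Quick Mode state, so the next thing to check is whether the responder's replies on UDP 4500 reach the client.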