[Openswan Users] iOS 7 ipsec NAT broken

Curu Wong prinbra at gmail.com
Wed Oct 1 15:44:35 EDT 2014


Sorry, my current iOS is 8.0.2, not 7.

On Thu, Oct 2, 2014 at 3:34 AM, Curu Wong <prinbra at gmail.com> wrote:

> With Openswan versions after 2.6.38, I won't be able to connect my iOS 7
> iPad from NAT to the VPN server (which has a public IP), but Android
> and Windows work well.
>
> However, if I revert Openswan from v2.6.41 to v2.6.37 with the exact
> config files, everything works fine.
>
> error message:
> ---------------------------------------------------
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> received Vendor ID payload [RFC 3947] method set to=115
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but
> already using method 115
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but
> already using method 115
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but
> already using method 115
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but
> already using method 115
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but
> already using method 115
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but
> already using method 115
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
> already using method 115
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
> already using method 115
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
> already using method 115
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> ignoring Vendor ID payload [FRAGMENTATION 80000000]
> Oct  1 19:21:07 localhost pluto[20602]: packet from xxx.xxx.xxx.96:500:
> received Vendor ID payload [Dead Peer Detection]
> Oct  1 19:21:07 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
> responding to Main Mode from unknown peer xxx.xxx.xxx.96
> Oct  1 19:21:07 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Oct  1 19:21:07 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is
> NATed
> Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
> ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
> Main mode peer ID is ID_IPV4_ADDR: '192.168.1.2'
> Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[1] xxx.xxx.xxx.96 #1:
> switched from "l2tp-ipsec" to "l2tp-ipsec"
> Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
> deleting connection "l2tp-ipsec" instance with peer xxx.xxx.xxx.96
> {isakmp=#0/ipsec=#0}
> Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
> new NAT mapping for #1, was xxx.xxx.xxx.96:500, now xxx.xxx.xxx.96:4500
> Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=aes_256 prf=oakley_sha group=modp1024}
> Oct  1 19:21:08 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
> Dead Peer Detection (RFC 3706): enabled
> Oct  1 19:21:11 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
> retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Oct  1 19:21:14 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
> retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Oct  1 19:21:18 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
> discarding duplicate packet -- exhausted retransmission; already
> STATE_MAIN_R3
> Oct  1 19:21:30 localhost pluto[20602]: "l2tp-ipsec"[2] xxx.xxx.xxx.96 #1:
> discarding duplicate packet -- exhausted retransmission; already
> STATE_MAIN_R3
> ----
>
> Can anyone please help me out? I want to keep up with the latest version,
> hate to use the old v2.6.37
>
>