[strongSwan] IPAD via NATed firewall doesn't work
kellermann at sk-datentechnik.com
Wed Apr 13 17:07:35 CEST 2011
does this iOS bug also show up when only the server's side is NATed,
or only when both sides are NATed?
On 12.04.2011 at 16:53, Benoit Foucher wrote:
> You'll find more information on this INVALID_HASH_INFORMATION in the
> links I provided earlier on this thread, see at this link:
> Basically, it seems the error is caused by a bug in the racoon OS X/iOS
> implementation. I was able to get past it by hacking strongSwan's
> code but ran into another issue. I didn't get further time to
> investigate this or report the racoon issue to Apple...
> On 12 Apr 2011 at 15:41, Florian Wolters wrote:
>> Hello Martin,
>> I am currently working on the same problem. The problem seems to lie
>> with strongSwan and the iPad computing hash values on different
>> information. The log of my strongSwan tells me:
>> --- 8< snip ---
>> | received encrypted packet from 188.8.131.52:59786
>> | decrypting 48 bytes using algorithm AES_CBC
>> | decrypted:
>> | 0b 00 00 18 b7 1d 29 01 54 a8 d4 3e 34 83 34 7b
>> | 6e 56 9a d4 ea 41 c4 d8 00 00 00 0c 00 00 00 01
>> | 01 00 00 17 00 00 00 00 00 00 00 00 00 00 00 0c
>> | next IV: 73 7b 61 b4 66 c6 c1 60 dc 0c b0 a0 d4 d2 a9 73
>> | ***parse ISAKMP Hash Payload:
>> | next payload type: ISAKMP_NEXT_N
>> | length: 24
>> | ***parse ISAKMP Notification Payload:
>> | next payload type: ISAKMP_NEXT_NONE
>> | length: 12
>> | DOI: ISAKMP_DOI_IPSEC
>> | protocol ID: 1
>> | SPI size: 0
>> | Notify Message Type: INVALID_HASH_INFORMATION
>> | removing 12 bytes of padding
>> "iPad_psk" 184.108.40.206:59786 #1: ignoring informational payload,
>> type INVALID_HASH_INFORMATION
>> --- 8< snap ---
>> In my configuration both the iPad and the strongSwan Server are
>> NATed. The iPad is one of the first edition but with the latest iOS.
>> So NAT does not seem to cause the problem but instead the
>> calculation of hashes. AFAIK there is no configuration option to
>> change this behavior on strongSwan side.
>> Best regards
>> Sent from my iPad
>> On 04.04.2011 at 20:23, Martin Kellermann
>> <kellermann at sk-datentechnik.com> wrote:
>>> hello andreas,
>>> yes, you are right, but this still doesn't solve the problem. i am
>>> reading some current posts on Apple's discussion forum
>>> (for ex: http://discussions.apple.com/thread.jspa?threadID=2778039)
>>> maybe this is a general problem with iOS > 4.3 ?
>>> so i'm very interested if anyone has managed to get the iPad 2 (iOS
>>> connect to strongswan with one or both sides being NATed?
>>> or maybe someone has managed to connect to open-/freeSWAN ?
>>> (server is on debian 6)
>>> any help is really appreciated!
>>> thank you
>> Users mailing list
>> Users at lists.strongswan.org
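The decrypted informational message in the log quoted above can be decoded by hand to confirm what the peer is reporting. The following is an added example, not part of the original thread and not strongSwan code: it walks the ISAKMP generic payload chain (RFC 2408) over the 48 decrypted bytes from the log. It assumes the first payload is a Hash payload, as the log states, since the ISAKMP header that carries that value is not in the dump; the function names are hypothetical.

```python
import struct

# Decrypted bytes copied from the pluto log quoted in the thread above.
DECRYPTED = bytes.fromhex(
    "0b 00 00 18 b7 1d 29 01 54 a8 d4 3e 34 83 34 7b"
    "6e 56 9a d4 ea 41 c4 d8 00 00 00 0c 00 00 00 01"
    "01 00 00 17 00 00 00 00 00 00 00 00 00 00 00 0c"
)
HASH, NOTIFY, NONE = 8, 11, 0  # RFC 2408 payload type numbers
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                18: "INVALID-ID-INFORMATION", 23: "INVALID-HASH-INFORMATION",
                24: "AUTHENTICATION-FAILED"}  # subset of RFC 2408 3.14.1

def parse_payloads(buf, first_type):
    """Walk the generic payload chain; return ([(type, body)], padding)."""
    out, off, ptype = [], 0, first_type
    while ptype != NONE:
        if len(buf) - off < 4:
            raise ValueError("truncated generic payload header")
        nxt, _reserved, length = struct.unpack_from("!BBH", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError(f"bad payload length {length} at offset {off}")
        out.append((ptype, buf[off + 4:off + length]))
        off, ptype = off + length, nxt
    return out, buf[off:]

def decode_notify(body):
    """Decode a Notification payload body (RFC 2408 section 3.14)."""
    if len(body) < 8:
        raise ValueError("notification payload too short")
    doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", body)
    if 8 + spi_size > len(body):
        raise ValueError("SPI size exceeds payload")
    return {"doi": doi, "protocol_id": proto, "spi": body[8:8 + spi_size],
            "type": ntype, "name": NOTIFY_NAMES.get(ntype, "unknown"),
            "data": body[8 + spi_size:]}

def summarize(buf, first_type=HASH):
    """Return the hash value, decoded notifications and padding length."""
    payloads, padding = parse_payloads(buf, first_type)
    info = {"hash": None, "notifies": [], "padding_len": len(padding)}
    for ptype, body in payloads:
        if ptype == HASH:
            info["hash"] = body
        elif ptype == NOTIFY:
            info["notifies"].append(decode_notify(body))
    return info

if __name__ == "__main__":
    s = summarize(DECRYPTED)
    print(len(s["hash"]), "byte hash,", s["notifies"][0]["name"],
          "padding", s["padding_len"])
```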