1. Topology:
client ----------------- ×××
10.32.145.67             10.230.48.35
2. Packets captured:
(Open the screen and tap the ××× button on the iPhone):
[root@××× ~]# tcpdump -ni any host 10.32.145.67
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
(Negotiation starts here: the first 4 packets of IKE phase 1)
09:49:48.503938 IP 10.32.145.67.isakmp > 10.230.48.35.isakmp: isakmp: phase 1 I ident
09:49:48.506177 IP 10.230.48.35.isakmp > 10.32.145.67.isakmp: isakmp: phase 1 R ident
09:49:49.023063 IP 10.32.145.67.isakmp > 10.230.48.35.isakmp: isakmp: phase 1 I ident
09:49:49.035208 IP 10.230.48.35.isakmp > 10.32.145.67.isakmp: isakmp: phase 1 R ident
(The last 2 packets of IKE phase 1 start here)
09:49:49.860900 IP 10.32.145.67.ipsec-nat-t > 10.230.48.35.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
09:49:49.864025 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 1 R ident[E]
(These are the 3 packets of IKE phase 2: Mode Config)
09:49:49.865134 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R #6[E]
09:49:49.893119 IP 10.32.145.67.ipsec-nat-t > 10.230.48.35.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I #6[E]
09:49:49.894782 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R #6[E]
(These are the 3 packets of IKE phase 2: Quick Mode)
09:49:49.947532 IP 10.32.145.67.ipsec-nat-t > 10.230.48.35.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
09:49:49.948709 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
09:49:49.954630 IP 10.32.145.67.ipsec-nat-t > 10.230.48.35.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
(Below is the real ××× traffic, much of it omitted)
09:49:50.177704 IP 10.32.145.67.ipsec-nat-t > 10.230.48.35.ipsec-nat-t: UDP-encap: ESP(spi=0xca636111,seq=0x1), length 100
09:49:50.197372 IP 10.32.145.67.ipsec-nat-t > 10.230.48.35.ipsec-nat-t: UDP-encap: ESP(spi=0xca636111,seq=0x3), length 100
09:49:50.379771 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: UDP-encap: ESP(spi=0x067edcc0,seq=0x1), length 308
(Note the traffic below: here the iPhone (10.32.148.37) does not send packets any more; the server sends 4 packets to the iPhone but receives no reply)
09:50:09.492910 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: UDP-encap: ESP(spi=0x067edcc0,seq=0x52), length 84
09:50:09.492943 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: UDP-encap: ESP(spi=0x067edcc0,seq=0x53), length 84
09:50:09.498203 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: UDP-encap: ESP(spi=0x067edcc0,seq=0x54), length 84
09:50:09.498231 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: UDP-encap: ESP(spi=0x067edcc0,seq=0x55), length 84
(Then DPD is triggered 5 seconds after the last packet above; the encapsulation is "NONESP-encap". A DPD packet is sent every 5 seconds)
09:50:13.061739 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:50:13.140112 IP 10.32.145.67.ipsec-nat-t > 10.230.48.35.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
(Omitted output)
09:54:53.935025 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:54:53.029252 IP 10.32.145.67.ipsec-nat-t > 10.230.48.35.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
09:54:58.037997 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:54:58.123829 IP 10.32.145.67.ipsec-nat-t > 10.230.48.35.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
(5 minutes later the iPhone falls asleep automatically, so there are no more reply packets to the ×××. The ××× keeps retrying DPD only until the max-retry count (3) is reached, i.e. 15 seconds)
09:55:03.134109 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:55:08.142956 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:55:13.151265 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
(Finally, the ××× sends 3 packets in one burst, still with no response. Because ipsec.conf on the ××× is configured with "dpdaction=clear", the connection is removed.)
09:55:18.159358 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:55:18.160847 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:55:18.179615 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
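The DPD sequence annotated above can be pulled out of a saved tcpdump text log automatically. The script below is an added example, not part of the original capture notes: it assumes that any encrypted informational message (inf[E]) sent by the gateway is a DPD probe and that any inf[E] from the client is its answer (the payloads are encrypted, so tcpdump cannot tell them apart), and the names parse and dpd_report are made up for this illustration.

```python
import re
from datetime import datetime

# Lines copied from the capture above (tcpdump -ni any host 10.32.145.67).
SAMPLE = """\
09:54:58.037997 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:54:58.123829 IP 10.32.145.67.ipsec-nat-t > 10.230.48.35.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
09:55:03.134109 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:55:08.142956 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:55:13.151265 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:55:18.159358 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:55:18.160847 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
09:55:18.179615 IP 10.230.48.35.ipsec-nat-t > 10.32.145.67.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
"""

# Matches only ISAKMP informational exchanges; ESP and IKE phase 1/2 lines are skipped.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\S+ > \S+: "
                  r".*isakmp: .* inf\[E\]")

def parse(text):
    """Yield (timestamp, source_ip) for each encrypted ISAKMP informational."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2)

def dpd_report(text, gateway, max_retry=3):
    """Return (unanswered_probe_times, teardown_time or None).

    Assumption: the first gateway packet sent after max_retry consecutive
    unanswered probes marks the point where dpdaction is applied.
    """
    unanswered = []
    for ts, src in parse(text):
        if src != gateway:            # peer answered: it is alive, start over
            unanswered.clear()
        elif len(unanswered) >= max_retry:
            return unanswered, ts     # retries exhausted, peer declared dead
        else:
            unanswered.append(ts)
    return unanswered, None

if __name__ == "__main__":
    missed, dead = dpd_report(SAMPLE, gateway="10.230.48.35")
    print("unanswered probes:", [t.strftime("%H:%M:%S") for t in missed])
    print("peer declared dead at:", dead and dead.strftime("%H:%M:%S.%f"))
```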