Hi,

I have configured strongSwan with IPsec ESP using AES-GCM256.
Sent an ICMP echo request on the secured interface with misaligned data.
IPsec should drop the packet. But it is forwarding the ICMP packet on the non-secured interface.

My ipsec.conf:

conn net-net
    type=tunnel
    #type=transport
    ike=3des-sha1-modp1024
    esp=aes256gcm128-modp2048
    #esp=3des-sha1
    left=10.1.1.10
    # leftid=10.1.1.10
    leftsubnet=20.1.1.30/32
    #leftid=@sun.strongswan.org
    leftfirewall=yes
    right=10.1.1.30
    # rightid=10.1.1.30
    rightsubnet=10.1.1.30/32
    #rightid=@moon.strongswan.org
    auto=add
    authby=secret

Original ICMP packet (plaintext):
IP HDR (src: 10.1.1.30, dst: 20.1.1.30) (20 bytes)
ICMP HDR (8 bytes)
ICMP DATA (44 bytes)

Packet on secured interface: 10.1.1.30 -> 10.1.1.10

Outer IP HDR (dst ip: 10.1.1.10, src ip: 10.1.1.30) (20 bytes)
Security Parameter Index = 0xC214E310 (4 bytes)
Sequence Number = 0x00000001 (4 bytes)
IV (8 bytes)
Cipher text (72 + 2 (next header + pad len) + 2 (padding) + 1 (to make the data misaligned on a 4-byte boundary)) (Total 77)
Auth data (16 bytes)

The strongSwan IPsec implementation should discard the packet as the Pad Length and Next Header fields are NOT right-aligned within a 4-byte word.

But I received the original ICMP packet on the plaintext interface (10.1.1.30 -> 20.1.1.30).

Please let me know the reason.

Thanks and Regards
Sankarshan