<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Hi,</div>
<div> </div>
<div> </div>
<div>I am facing a peculiar issue in strongSwan-4.3.6. I have a connection setup something like:</div>
<div> </div>
<pre>
             Con1                        Con2
Node1---------------------DUT-----------------------Node2
77.0.0.1-----------------77.0.0.2--------------------77.0.0.4
</pre>
<div> </div>
<div>My ipsec configuration on the DUT (Device Under Test) is as follows:</div>
<div> </div>
<pre>
# ipsec.conf
# FlexiPlatform: IPsec configuration file

config setup
    charonstart=yes
    plutostart=no
    uniqueids=no
    charondebug="knl 0,enc 0,net 0"
conn %default
    auto=route
    keyexchange=ikev2
    reauth=no
ca r1~v1
    cacert="/etc/ipsec/certs/ipsec.d//cacerts/defaultCaCertificate.pem"
conn r1~v1
    rekeymargin=70
    rekeyfuzz=100%
    left=77.0.0.2
    right=77.0.0.4
    leftsubnet=77.0.0.2/32
    rightsubnet=0.0.0.0/32
    leftprotoport=17/100
    rightprotoport=17/20
    authby=rsasig
    leftcert="/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem"
    leftid=77.0.0.2
    rightid=%any
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    type=tunnel
    ikelifetime=1000s
    keylife=700s
    mobike=no
    auto=route
    reauth=no
    encapdscp=yes
    vrfid=0
</pre>
<div> </div>
<div>Note that I have no IPsec configured for Con1. Even so, if Node1 initiates IKE_SA establishment, the DUT obliges it and establishes the IKE_SA.</div>
<div>The IPsec conf on Node1 is:</div>
<div> </div>
<pre>
# ipsec.conf
# FlexiPlatform: IPsec configuration file

config setup
    charonstart=yes
    plutostart=no
    uniqueids=no
    charondebug="knl 0,enc 0,net 0"
conn %default
    auto=route
    keyexchange=ikev2
    reauth=no
ca r1~v1
    cacert="/etc/ipsec/certs/ipsec.d//cacerts/defaultCaCertificate.pem"
conn r1~v1
    rekeymargin=70
    rekeyfuzz=100%
    left=77.0.0.1
    right=77.0.0.2
    leftsubnet=77.0.0.1/32
    rightsubnet=0.0.0.0/32
    authby=rsasig
    leftcert="/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem"
    leftid=77.0.0.1
    rightid=%any
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    type=tunnel
    ikelifetime=1000s
    keylife=700s
    mobike=no
    auto=route
    reauth=no
    encapdscp=yes
    vrfid=0
</pre>
<div> </div>
<div>The IPsec status for Node1 (name: EIPU-0) and the DUT (name: EIPU-1) is as below:</div>
<div> </div>
<pre>
[root@EIPU-0(BCN126) /root]
# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.6):
  uptime: 6 hours, since Aug 31 09:26:49 2015
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sqlite attr-sql
Listening IP addresses:
  169.254.64.5
  169.254.0.6
  169.254.0.41
  77.0.0.1
  66.0.0.1
Connections:
       r1~v1:  77.0.0.1...77.0.0.2, vpn: (null)
       r1~v1:   local:  [C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro@nsn.com] uses public key authentication
       r1~v1:   cert:   "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro@nsn.com"
       r1~v1:   remote: [(vr*)%any] uses any authentication
       r1~v1:   child:  77.0.0.1/32 === 0.0.0.0/0
Routed Connections:
       r1~v1{1}:  ROUTED, TUNNEL
       r1~v1{1}:   77.0.0.1/32 === 0.0.0.0/0
Security Associations:
       r1~v1[5]: ESTABLISHED 77.0.0.1[C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro@nsn.com]...77.0.0.2[C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro@nsn.com]
       r1~v1[5]: IKE SPIs: a901f915e60cee17_i* 36facd6ae173128c_r Creation time: 3 minutes ago, rekeying in 11 minutes
       r1~v1[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

[root@EIPU-0(BCN126) /root]
# ip xfrm policy
0.0.0.0/0[0] 77.0.0.1/32[0]
    upspec 0 dev (none) uid 0
    in allow index 0x00000198 priority 3000 share any flags 0x00000000
    tmpl-1:
        77.0.0.2 77.0.0.1
        esp spi 0(0x00000000) reqid 1 tunnel
        level required share any algo-mask:E=32, A=32, C=32
        fpid 0x00000014
    policy type main
77.0.0.1/32[0] 0.0.0.0/0[0]
    upspec 0 dev (none) uid 0
    out allow index 0x00000191 priority 2680 share any flags 0x00000000
    tmpl-1:
        77.0.0.1 77.0.0.2
        esp spi 0(0x00000000) reqid 1 tunnel
        level required share any algo-mask:E=32, A=32, C=32
        fpid 0x00000013
    policy type main
</pre>
<div> </div>
<pre>
[root@EIPU-1(BCN126) /root]
# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.6):
  uptime: 29 minutes, since Aug 31 15:37:14 2015
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sqlite attr-sql
Listening IP addresses:
  169.254.64.6
  169.254.0.8
  169.254.0.40
  169.254.0.39
  77.0.0.2
  66.0.0.2
Connections:
       r1~v1:  77.0.0.2...77.0.0.4, vpn: (null)
       r1~v1:   local:  [C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro@nsn.com] uses public key authentication
       r1~v1:   cert:   "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro@nsn.com"
       r1~v1:   remote: [(vr*)%any] uses any authentication
       r1~v1:   child:  77.0.0.2/32[udp/100] === 0.0.0.0/0[udp/ftp-data]
Routed Connections:
       r1~v1{1}:  ROUTED, TUNNEL
       r1~v1{1}:   77.0.0.2/32[udp/100] === 0.0.0.0/0[udp/ftp-data]
Security Associations:
       r1~v1[2]: ESTABLISHED 77.0.0.2[C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro@nsn.com]...77.0.0.1[C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro@nsn.com]
       r1~v1[2]: IKE SPIs: a901f915e60cee17_i 36facd6ae173128c_r* Creation time: 12 minutes ago, rekeying in 3 minutes
       r1~v1[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

[root@EIPU-1(BCN126) /root]
# ip xfrm policy
0.0.0.0/0[20] 77.0.0.2/32[100]
    upspec 17 dev (none) uid 0
    in allow index 0x00000208 priority 2997 share any flags 0x00000000
    tmpl-1:
        77.0.0.4 77.0.0.2
        esp spi 0(0x00000000) reqid 1 tunnel
        level required share any algo-mask:E=32, A=32, C=32
        fpid 0x0000001a
    policy type main
77.0.0.2/32[100] 0.0.0.0/0[20]
    upspec 17 dev (none) uid 0
    out allow index 0x00000201 priority 2677 share any flags 0x00000000
    tmpl-1:
        77.0.0.2 77.0.0.4
        esp spi 0(0x00000000) reqid 1 tunnel
        level required share any algo-mask:E=32, A=32, C=32
        fpid 0x00000019
    policy type main
</pre>
<div> </div>
<div> </div>
<div> </div>
<div>The root CA for Node1, the DUT and Node2 is the same. Node1 has a valid certificate.</div>
<div> </div>
<div>My suspicion is that the “right” field in ipsec.conf is never checked while establishing a connection, and since rightid=%any, the IKE_SA is getting established. If I change rightid to a specific IP address on the DUT, IKE_SA authentication fails and the connection is not established.</div>
<div> </div>
<div>Is this a bug in strongSwan-4.3.6? This seems to be fixed in higher versions.</div>
<div> </div>
<div>Regards</div>
<div>Suhas</div>
<div> </div>
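<div>The symptom described in this post, a conn configured with right=77.0.0.4 whose IKE_SA is nevertheless established with 77.0.0.1, is visible in the ipsec statusall output itself. The following is an added example, not code from the post or from strongSwan: it parses status lines in the 4.3.6 format shown above and reports every established IKE_SA whose peer address differs from the conn's configured right= (a right=%any conn is skipped, since any peer address is intended there). The sample status text is constructed, modelled on the DUT output above with placeholder identities.</div>

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the DUT's `ipsec statusall` output in the
# post (strongSwan 4.3.6 format): conn r1~v1 is configured with right=77.0.0.4,
# yet its IKE_SA was established with 77.0.0.1; conn ok shows the normal case.
SAMPLE_STATUS = """\
Connections:
       r1~v1:  77.0.0.2...77.0.0.4, vpn: (null)
       r1~v1:   remote: [(vr*)%any] uses any authentication
          ok:  77.0.0.2...77.0.0.9, vpn: (null)
Security Associations:
       r1~v1[2]: ESTABLISHED 77.0.0.2[C=de, O=Example, CN=dut]...77.0.0.1[C=de, O=Example, CN=node1]
          ok[3]: ESTABLISHED 77.0.0.2[C=de, O=Example, CN=dut]...77.0.0.9[C=de, O=Example, CN=node9]
"""

# "<conn>: <left>...<right>, vpn: ..." as printed under "Connections:"
CONN_RE = re.compile(r"^\s*(?P<name>\S+):\s+(?P<local>\S+)\.\.\.(?P<remote>\S+),")
# "<conn>[<n>]: ESTABLISHED <local>[<local id>]...<remote>[<remote id>]"
SA_RE = re.compile(
    r"^\s*(?P<name>\S+)\[(?P<uid>\d+)\]: ESTABLISHED "
    r"(?P<local>[^\s\[]+)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote>[^\s\[]+)\[(?P<remote_id>[^\]]*)\]"
)

UnexpectedPeer = namedtuple("UnexpectedPeer",
                            "conn uid configured_right actual_remote remote_id")


def find_unexpected_peers(status_text):
    """Return established IKE_SAs whose peer address is not the conn's configured right=."""
    configured_right = {}
    for line in status_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            configured_right[m.group("name")] = m.group("remote")

    findings = []
    for line in status_text.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue
        expected = configured_right.get(m.group("name"))
        # right=%any legitimately accepts any peer address, so only a specific
        # right= that differs from the actual peer address is reported.
        if expected in (None, "%any", m.group("remote")):
            continue
        findings.append(UnexpectedPeer(m.group("name"), int(m.group("uid")),
                                       expected, m.group("remote"), m.group("remote_id")))
    return findings
```

<div>Running find_unexpected_peers(SAMPLE_STATUS) yields one finding, r1~v1[2] with right=77.0.0.4 but peer 77.0.0.1, and nothing for conn ok.</div>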
</span></font>
</body>
</html>