[strongSwan-dev] Responder generates TS_UNACCEPTABLE, if initiator is behind NAT (transport mode + IKEv2)
Ansis Atteka
aatteka at nicira.com
Thu Dec 5 02:20:32 CET 2013
I am using strongSwan from the master branch with the following
ipsec.conf file on both hosts:
config setup
    uniqueids=no

conn %default
    type=transport
    keyexchange=ikev2
    auto=start

conn remote-<peer>
    left=0.0.0.0/0
    leftcert=/etc/openvswitch/client-cert.pem
    leftsubnet=0.0.0.0/0
    right=<peer>
    rightcert=/etc/ipsec.d/certs/ovs-<peer>.pem
If the responder is behind NAT, then the tunnel gets established. However, if
the initiator is behind NAT, then the responder rejects the tunnel request with
TS_UNACCEPTABLE (with exactly the same configuration). Here is the log
file:
Dec 4 13:34:59 ubuntu charon: 16[NET] received packet: from
<initiator_public_ip>[1031] to <responder>[4500] (348 bytes)
Dec 4 13:34:59 ubuntu charon: 16[ENC] parsed CREATE_CHILD_SA request
3 [ N(USE_TRANSP) SA No TSi TSr ]
Dec 4 13:34:59 ubuntu charon: 16[CFG] looking for a child config for
<responder>/32 === 0.0.0.0/0
Dec 4 13:34:59 ubuntu charon: 16[CFG] proposing traffic selectors for us:
Dec 4 13:34:59 ubuntu charon: 16[CFG] 0.0.0.0/0
Dec 4 13:34:59 ubuntu charon: 16[CFG] proposing traffic selectors for other:
Dec 4 13:34:59 ubuntu charon: 16[CFG] <initiator_public_ip>/32
Dec 4 13:34:59 ubuntu charon: 16[CFG] candidate
"remote-<initiator_public_ip>" with prio 1+1
Dec 4 13:34:59 ubuntu charon: 16[CFG] found matching child config
"remote-<initiator_public_ip>" with prio 2
Dec 4 13:34:59 ubuntu charon: 16[CFG] selecting proposal:
Dec 4 13:34:59 ubuntu charon: 16[CFG] proposal matches
Dec 4 13:34:59 ubuntu charon: 16[CFG] received proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Dec 4 13:34:59 ubuntu charon: 16[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Dec 4 13:34:59 ubuntu charon: 16[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Dec 4 13:34:59 ubuntu charon: 16[CFG] selecting traffic selectors for us:
Dec 4 13:34:59 ubuntu charon: 16[CFG] config: 0.0.0.0/0, received:
<responder>/32 => match: <responder>/32
Dec 4 13:34:59 ubuntu charon: 16[CFG] selecting traffic selectors for other:
Dec 4 13:34:59 ubuntu charon: 16[IKE] no acceptable traffic selectors found
Dec 4 13:34:59 ubuntu charon: 16[IKE] failed to establish CHILD_SA,
keeping IKE_SA
Dec 4 13:34:59 ubuntu charon: 16[ENC] generating CREATE_CHILD_SA
response 3 [ N(TS_UNACCEPT) ]
Dec 4 13:34:59 ubuntu charon: 16[NET] sending packet: from
<responder>[4500] to <initiator_public_ip>[1031] (76 bytes)
What got my attention is that is_host() always returns false in the
get_transport_nat_ts() function:
/**
 * Substitute any host address with NATed address in traffic selector
 */
static linked_list_t* get_transport_nat_ts(private_child_create_t *this,
                                           bool local, linked_list_t *in)
{
    ...
    host_t *ike, *first = NULL;
    u_int8_t mask;
    ...
    enumerator = in->create_enumerator(in);
    while (enumerator->enumerate(enumerator, &ts))
    {
        /* require that all selectors match the first "host" selector */
        if (ts->is_host(ts, first))
        /* <--- if first == NULL, then code inside "if" block will never be executed */
        {
            if (!first)
            {
                ts->to_subnet(ts, &first, &mask);
            }
            ts = ts->clone(ts);
            ts->set_address(ts, ike);
            out->insert_last(out, ts);
        }
    }
    enumerator->destroy(enumerator);
    DESTROY_IF(first);
    return out;
}
Is this a bug or is my ipsec.conf file missing something?
Best regards,
Ansis
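The following is an added illustration, not part of the original message and not strongSwan code. It models the responder-side traffic selector selection that the log above shows failing: the conn proposes <initiator_public_ip>/32 for the peer, while an initiator behind NAT places its own pre-NAT address in TSi, so the two selectors only overlap once the transport-mode NAT substitution rewrites the received host selector to the IKE_SA's remote address. The toy `ts_is_host()` follows the reading of `traffic_selector_t.is_host()` used in the message (no host given: "is this a single address?"; host given: "is it exactly that address?"); that semantics, the helper names, and the addresses 10.0.0.5 and 203.0.113.10 are constructed assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy IPv4 traffic selector: an inclusive address range in host byte order. */
typedef struct { uint32_t from, to; } ts_t;

enum { TS_OK = 0, TS_UNACCEPTABLE = 1 };

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static ts_t ts_host(uint32_t addr) { ts_t t = { addr, addr }; return t; }

/* Assumed semantics of is_host(): with host == NULL, "is this selector a single
 * address?"; with a host, "is it exactly that address?". Not strongSwan code. */
static bool ts_is_host(const ts_t *ts, const uint32_t *host)
{
    if (ts->from != ts->to) return false;
    return host == NULL || ts->from == *host;
}

/* Transport-mode NAT substitution: every selector that is a single host equal
 * to the first host selector is replaced by the IKE_SA address `ike`.
 * Returns the number of selectors written to `out`. */
static size_t transport_nat_ts(const ts_t *in, size_t n, uint32_t ike, ts_t *out)
{
    const uint32_t *first = NULL;   /* NULL until the first host selector is seen */
    uint32_t first_addr = 0;
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (ts_is_host(&in[i], first)) {
            if (first == NULL) { first_addr = in[i].from; first = &first_addr; }
            out[k++] = ts_host(ike);
        }
    }
    return k;
}

/* Narrow a configured selector against a received one: the intersection, or
 * nothing if the two ranges are disjoint. */
static bool ts_narrow(const ts_t *cfg, const ts_t *recv, ts_t *res)
{
    uint32_t lo = cfg->from > recv->from ? cfg->from : recv->from;
    uint32_t hi = cfg->to   < recv->to   ? cfg->to   : recv->to;
    if (lo > hi) return false;
    res->from = lo; res->to = hi;
    return true;
}

/* Responder-side selection of the "other" selector for one received TSi.
 * `cfg_other` is what the conn proposes for the peer (<peer>/32 in the log),
 * `ike_remote` is the NATed source address seen on the IKE_SA. */
static int select_other(ts_t cfg_other, ts_t received_tsi, uint32_t ike_remote,
                        bool apply_nat_substitution, ts_t *selected)
{
    ts_t cand[1];
    size_t n = 1;
    cand[0] = received_tsi;
    if (apply_nat_substitution) {
        n = transport_nat_ts(&received_tsi, 1, ike_remote, cand);
    }
    for (size_t i = 0; i < n; i++) {
        if (ts_narrow(&cfg_other, &cand[i], selected)) return TS_OK;
    }
    return TS_UNACCEPTABLE;   /* "no acceptable traffic selectors found" */
}

int main(void)
{
    /* Constructed: initiator is 10.0.0.5 behind a NAT that maps it to 203.0.113.10. */
    uint32_t priv = ip4(10, 0, 0, 5), pub = ip4(203, 0, 113, 10);
    ts_t cfg_other = ts_host(pub);   /* right=<peer> -> <initiator_public_ip>/32 */
    ts_t tsi = ts_host(priv);        /* initiator sends its own pre-NAT address */
    ts_t sel;
    int r1 = select_other(cfg_other, tsi, pub, false, &sel);
    int r2 = select_other(cfg_other, tsi, pub, true, &sel);
    printf("without substitution: %s\n", r1 == TS_OK ? "match" : "TS_UNACCEPTABLE");
    printf("with substitution:    %s\n", r2 == TS_OK ? "match" : "TS_UNACCEPTABLE");
    return 0;
}
```

Running it prints TS_UNACCEPTABLE for the path where the received host selector is narrowed as-is against <peer>/32, and a match once the selector has been rewritten to the IKE_SA remote address, which is the difference the quoted `if (ts->is_host(ts, first))` branch decides on.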