[strongSwan-dev] Error "peer selected invalid traffic selectors"

Paul Stewart pstew at chromium.org
Thu Mar 7 01:40:29 CET 2013


I have been playing around with connecting strongswan 5.0.2 to a
Cisco 5505 firewall (in this case IKEv1, PSK).  I ended up with
the error "peer selected invalid traffic selectors", which I
tracked down to the TSi in the Cisco peer's reply carrying no port
restriction (port range 0-65535).  Using the patch below, I was able to
accommodate this omission.  Does this seem like a reasonable change,
perhaps behind a configuration flag?

--- strongswan-5.0.2/src/libcharon/sa/ikev1/tasks/quick_mode.c.orig	2013-03-05 23:26:50.764163376 -0800
+++ strongswan-5.0.2/src/libcharon/sa/ikev1/tasks/quick_mode.c	2013-03-06 16:18:39.281869103 -0800
@@ -529,6 +529,45 @@
 	}
 }
 
+static bool lenient_tsi_compare(private_quick_mode_t *this,
+				traffic_selector_t **tsi_p)
+{
+	traffic_selector_t *tsi = *tsi_p;
+	bool ret = tsi->is_contained_in(tsi, this->tsi);
+
+	if (!ret && tsi->get_from_port(tsi) == 0 &&
+            tsi->get_to_port(tsi) == 65535) {
+		/*
+		 * One more chance -- in some installations the
+		 * remote omits the port argument of the proposal.
+		 * While this violates the "is_contained_in" test
+		 * above, it shouldn't be an error.  See if adopting
+		 * our port values works.  If it does, replace the
+		 * caller's traffic selector with this more
+		 * restrictive value.
+		 */
+		traffic_selector_t *test_tsi =
+			traffic_selector_create_from_bytes(
+				tsi->get_protocol(tsi),
+				tsi->get_type(tsi),
+				tsi->get_from_address(tsi),
+				this->tsi->get_from_port(this->tsi),
+				tsi->get_to_address(tsi),
+				this->tsi->get_to_port(this->tsi));
+		ret = test_tsi->is_contained_in(test_tsi, this->tsi);
+		if (ret) {
+			DBG2(DBG_IKE, "Remote TSI (%R) did not specify port "
+			     "numbers.  Using our local settings to form %R.",
+			     tsi, test_tsi, ret);
+			tsi->destroy(tsi);
+			*tsi_p = test_tsi;
+		} else {
+			test_tsi->destroy(test_tsi);
+		}
+	}
+	return ret;
+}
+
 /**
  * Get traffic selectors from received message
  */
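Review bot: The `if (ret)` branch of `lenient_tsi_compare` silently replaces a peer selection that failed the containment check with our own configured ports, at DBG2 and with no configuration gate, so a non-conformant response from any peer is accepted without an operator-visible trace; the rewrite only ever narrows the selector to the ports of `this->tsi`, so it does not widen the local policy, but the peer presumably still believes the SA covers all ports and its traffic on other ports will be dropped rather than negotiated. Gate the fallback on a connection or charon option as the cover note itself suggests, and log it at DBG1, e.g. `DBG1(DBG_IKE, "peer TSi %R omitted ports, narrowing to %R", tsi, test_tsi);`, which also drops the stray third argument `ret` that the two `%R` conversions in the current `DBG2` call do not consume. If `traffic_selector_create_from_bytes` can return NULL for a selector type in this version, `test_tsi` needs a NULL check before the `is_contained_in` call — I could not confirm its contract from the hunk. The condition `get_from_port == 0 && get_to_port == 65535` is also a reasonable heuristic for "any port", but a comment should state that the original selector is destroyed and ownership of the new one passes to the caller through `*tsi_p`.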
@@ -596,7 +635,7 @@
 	{
 		/* check if peer selection is valid */
 		if (!tsr->is_contained_in(tsr, this->tsr) ||
-			!tsi->is_contained_in(tsi, this->tsi))
+			!lenient_tsi_compare(this, &tsi))
 		{
 			DBG1(DBG_IKE, "peer selected invalid traffic selectors: "
 				 "%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr);
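Review bot: The leniency is applied only to the initiator selector — `tsr->is_contained_in(tsr, this->tsr)` on the preceding line stays strict — so a peer that returns an unrestricted port range in TSr (the same quirk the cover note describes for TSi, if it also occurs there) still fails with the generic "peer selected invalid traffic selectors" message, which does not say which of the two selectors was rejected. Either generalize the helper to take the reference selector as a parameter so it can be called for both halves, `!lenient_ts_compare(&tsr, this->tsr) || !lenient_ts_compare(&tsi, this->tsi)`, or log the two failures separately so the asymmetry is diagnosable. Because `||` short-circuits, a tsr failure means the lenient path never runs and `tsi` keeps its original value in the log line, which is correct but deserves a one-line comment such as `/* tsi is only narrowed when the tsr check already passed */`. The enclosing function continues outside the hunk.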



