[strongSwan] SeGW-initiated rekey fails - DH group unacceptable
Graham Hudspith
graham.hudspith at gmail.com
Wed Dec 1 11:44:45 CET 2010
Hi All,
Up till recently, we have been setting up tunnels between client and server
using DH Group 2 (aka MODP_1024). We are starting to transition over to DH
Group 14 (aka MODP_2048) and are coming up against problems. I'm hoping
someone can please shed some light ?
The clients are using a hacked version of strongSwan 4.3.6, the server a
hacked version of strongSwan 4.3.2. We want to support a mixed set of
clients, some using 1024-bit DH and the rest using 2048-bit DH.
The initial tunnels come up fine.
If we set the clients to perform periodic rekeying, everything stays fine.
However, those clients that do NOT perform periodic rekeying are kicking
back when the server eventually lifetime rekeys.
So, when the client sets up the tunnel, it sets:
ike=aes-sha-modp1024!
esp=aes-sha1-modp1024,aes-sha1!
The server config is set up thus:
conn %default
ikelifetime=24h
keylife=8h
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
dpdaction=clear
dpddelay=270
left=foo.bar.com
leftid=@foo.bar.com
leftsubnet=0.0.0.0/0
esp=aes-sha1-modp2048,aes-sha1-modp1024
mobike=no
auto=add
conn certs-only
authby=rsasig
leftcert=sgw.pem
rightid=@*.bar.com
rightsourceip=10.13.0.0/24
As the initial tunnel comes up, the client logs:
16[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
16[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
16[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
and:
12[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
12[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Eight hours later, the server decides to rekey and we see the client log:
08[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No KE TSi TSr ]
08[LIB] size of DH secret exponent: 2047 bits
08[CFG] looking for a child config for 10.13.0.98/32 === 0.0.0.0/0
08[CFG] proposing traffic selectors for us:
08[CFG] 10.13.0.98/32 (derived from dynamic)
08[CFG] proposing traffic selectors for other:
08[CFG] 0.0.0.0/0 (derived from 0.0.0.0/0)
08[CFG] candidate "conn_1" with prio 5+5
08[CFG] found matching child config "conn_1" with prio 10
08[CFG] selecting proposal:
08[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
08[CFG] selecting proposal:
08[CFG] proposal matches
08[CFG] received proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
08[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
08[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
08[KNL] getting SPI for reqid {3}
08[KNL] got SPI c4beec6b for reqid {3}
08[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
08[ENC] added payload of type NOTIFY to message
As far as I can make out, the server has proposed "aes-sha1-modp2048" and
"aes-sha1-modp1024" (and extra ones), the client has recognised that it can
accept "aes-sha1-modp1024" and "aes-sha1" and chosen from the proposals to
accept "aes-sha1-modp1024" but then barfed.
The client sends back N(INVAL_KE) to the server and we then get into an
endless cycle of trying to renegotiate the tunnel rekey.
Is this because I have made the client specify
"esp=aes-sha1-modp1024,aes-sha1!"
whereas the server is using "esp=aes-sha1-modp2048,aes-sha1-modp1024" ?
It will be hard to change the "esp" line used by the client, but it is easy
(and desirable) to change the server config. Is there any way I can
configure the server to allow clients to renegotiate their DH during a rekey
and support a mix of clients that want either 1024-bit or 2048-bit DH ?
Or will I have to turn off DH renegotiation during a rekey (by getting the
server to use plain "esp=aes-sha1") until I have managed to get all of the
clients to transition to using 2048-bit DH only ?
Or (and I doubt this) is this a bug in strongSwan ?
Regards,
Graham.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101201/a7d66305/attachment.html>
More information about the Users
mailing list