[strongSwan] ipv6ready IKEv2_Self_Test v1.0.3 failing with strongSwan
Jiri Bohac
jbohac at suse.cz
Tue Jul 20 23:03:04 CEST 2010
Hi,
I have been trying to run the ipv6ready IKEv2_Self_Test against strongSwan
on SLES 11 SP1, as part of our preparation for the USGv6 certification. I
have encountered numerous problems. Below, I am listing a few examples
where I manged to pinpoint the problem.
The problem always turned out to be in the IKEv2 test scripts, not strongSwan.
Unfortunately, the IKEv2_Self_Test is part of the USGv6 test specifications:
http://w3.antd.nist.gov/usgv6/test-specifications.html
http://w3.antd.nist.gov/usgv6/TSTs/IKEv2_v1.0_C.html
The current (and also mandated by USGv6) version of the test tool is 1.0.3.
Since then, a new (v1.1.0) ipv6ready IKEv2 test specification has been published:
http://www.ipv6ready.org/docs/Phase2_IKEv2_Conformance_Latest.pdf
However, the test tool is not yet (publicly?) available.
The first problem I actually debugged turned to be an issue already known to
the ipv6ready guys. The tests get confused by strongSwan obeying:
"initiator SHOULD include as the first traffic selector in each of TSi
and TSr a very specific traffic selector including the addresses in
the packet triggering the request." [RFC 4306].
See http://www.tahi.org/users/mail-list/201005.month/1691.html
strongSwan does this sice commit a13c013b. I reverted that for further testing.
The new v1.1.0 test specification has removed many of the test cases that
I see failing in the 1.0.3 version (good! the ones I looked into fail for
totally bogus reasons). I list all the failures below, the
tests removed in v1.1.0 are marked with an asterisk:
12 * Test IKEv2.EN.I.1.1.3.4: Close Connection when receiving INITIAL_CONTACT
13 * Test IKEv2.EN.I.1.1.3.5: Sending Liveness check
14 Test IKEv2.EN.I.1.1.3.6: Sending Delete Payload for IKE_SA
15 * Test IKEv2.EN.I.1.1.3.7: Sending Delete Payload for CHILD_SA
16 * Test IKEv2.EN.I.1.1.3.8: Sending Liveness check with unprotected messages
17 Test IKEv2.EN.I.1.1.4.1 Part A: Invalid payload type 1
18 Test IKEv2.EN.I.1.1.4.1 Part B: Invalid payload type 32
19 Test IKEv2.EN.I.1.1.4.1 Part C: Invalid payload type 49
20 Test IKEv2.EN.I.1.1.4.1 Part D: Invalid payload type 255
21 Test IKEv2.EN.I.1.1.4.2 Part A: Invalid payload type 1
22 Test IKEv2.EN.I.1.1.4.2 Part B: Invalid payload type 32
23 Test IKEv2.EN.I.1.1.4.2 Part C: Invalid payload type 49
24 Test IKEv2.EN.I.1.1.4.2 Part D: Invalid payload type 255
26 Test IKEv2.EN.I.1.1.5.2: Interaction of COOKIE and INVALID_KE_PAYLOAD
27 Test IKEv2.EN.I.1.1.5.3: Interaction of COOKIE and INVALID_KE_PAYLOAD with unoptimized Responder
28 Test IKEv2.EN.I.1.1.6.1 Part A: Encryption Algorithm ENCR_AES_CBC
29 * Test IKEv2.EN.I.1.1.6.1 Part B: Encryption Algorithm ENCR_AES_CTR
30 Test IKEv2.EN.I.1.1.6.1 Part C: Pseudo-random Function PRF_AES128_XCBC
31 Test IKEv2.EN.I.1.1.6.1 Part D: Integrity Algorithm AUTH_AES_XCBC_96
32 Test IKEv2.EN.I.1.1.6.1 Part E: D-H Group Group 14
33 Test IKEv2.EN.I.1.1.6.2 Part A: Encryption Algorithm ENCR_AES_CBC
34 Test IKEv2.EN.I.1.1.6.2 Part B: Encryption Algorithm ENCR_AES_CTR
35 Test IKEv2.EN.I.1.1.6.2 Part C: Encryption Algorithm ENCR_NULL
36 Test IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96
37 Test IKEv2.EN.I.1.1.6.2 Part E: Integrity Algorithm NONE
38 Test IKEv2.EN.I.1.1.6.2 Part F: Extended Sequence Numbers
39 Test IKEv2.EN.I.1.1.6.3 Part A: Multiple Encryption Algorithms
40 Test IKEv2.EN.I.1.1.6.3 Part B: Multiple Pseudo-random Functions
41 Test IKEv2.EN.I.1.1.6.3 Part C: Multiple Integrity Algorithms
42 Test IKEv2.EN.I.1.1.6.3 Part D: Multiple D-H Groups
44 Test IKEv2.EN.I.1.1.6.5 Part A: Multiple Encryption Algorithms
45 Test IKEv2.EN.I.1.1.6.5 Part B: Multiple Integrity Algorithms
46 Test IKEv2.EN.I.1.1.6.5 Part C: Multiple Extended Sequence Numbers
47 Test IKEv2.EN.I.1.1.6.6: Sending Multiple Proposals
48 Test IKEv2.EN.I.1.1.6.7: Receipt of INVALID_KE_PAYLOAD
49 * Test IKEv2.EN.I.1.1.6.8: Receipt of NO_PROPOSAL_CHOSEN
50 Test IKEv2.EN.I.1.1.6.9: Response with inconsistent SA Proposal for IKE_SA
52 Test IKEv2.EN.I.1.1.6.11 Part A: Receiving IKE_SA_INIT response with INVALID_KE_PAYLOAD
53 Test IKEv2.EN.I.1.1.6.11 Part B: Receiving IKE_SA_INIT response with INVALID_KE_PAYLOAD
54 Test IKEv2.EN.I.1.1.6.12: Creating an IKE_SA without a CHILD_SA
55 Test IKEv2.EN.I.1.1.7.1: Narrowing the range of members of the set of traffic selectors
56 * Test IKEv2.EN.I.1.1.8.1 Part A: INVALID_IKE_SPI Different IKE_SA Initiator's SPI
57 * Test IKEv2.EN.I.1.1.8.1 Part B: INVALID_IKE_SPI Different IKE_SA Responder's SPI
58 * Test IKEv2.EN.I.1.1.8.2: INVALID_SELECTORS
59 Test IKEv2.EN.I.1.1.10.1: Sending Certificate Payload
60 Test IKEv2.EN.I.1.1.10.2: Sending Certificate Request Payload
61 Test IKEv2.EN.I.1.1.10.3: RSA Digital Signature
64 Test IKEv2.EN.I.1.1.11.2: Non zero RESERVED fields in IKE_AUTH response
66 Test IKEv2.EN.I.1.1.11.4: Unrecognized Notify Message Type of Error
68 Test IKEv2.EN.I.1.2.1.1: Sending CREATE_CHILD_SA request
69 Test IKEv2.EN.I.1.2.2.1: Retransmission of CREATE_CHILD_SA request
70 Test IKEv2.EN.I.1.2.2.2: Stop of retransmission of CREATE_CHILD_SA request
71 Test IKEv2.EN.I.1.2.3.1: Close the replaced CHILD_SA
72 Test IKEv2.EN.I.1.2.3.2: Receipt of cryptographically valid message on the new SA
73 Test IKEv2.EN.I.1.2.3.3: Lifetime of CHILD_SA expires
74 Test IKEv2.EN.I.1.2.3.4 Part A: Sending Multiple Transform for Rekeying CHILD_SA
75 Test IKEv2.EN.I.1.2.3.4 Part B: Sending Multiple Transform for Rekeying CHILD_SA
76 Test IKEv2.EN.I.1.2.3.4 Part C: Sending Multiple Transform for Rekeying CHILD_SA
77 Test IKEv2.EN.I.1.2.3.5: Sending Multiple Proposal for Rekeying CHILD_SA
78 Test IKEv2.EN.I.1.2.3.6: Rekeying Failure
79 Test IKEv2.EN.I.1.2.3.7: Perfect Forward Secrecy
80 Test IKEv2.EN.I.1.2.3.8: Use of the old CHILD_SA
81 Test IKEv2.EN.I.1.2.4.1: Close the replaced IKE_SA
82 Test IKEv2.EN.I.1.2.4.2: Receipt of cryptographically valid message on the new IKE_SA
83 Test IKEv2.EN.I.1.2.4.3: Lifetime of IKE_SA expires
84 Test IKEv2.EN.I.1.2.4.4 Part A: Sending Multiple Transform for Rekeying IKE_SA
85 Test IKEv2.EN.I.1.2.4.4 Part B: Sending Multiple Transform for Rekeying IKE_SA
86 Test IKEv2.EN.I.1.2.4.4 Part C: Sending Multiple Transform for Rekeying IKE_SA
87 Test IKEv2.EN.I.1.2.4.4 Part D: Sending Multiple Transform for Rekeying IKE_SA
88 Test IKEv2.EN.I.1.2.4.5: Sending Multiple Proposal for Rekeying IKE_SA
89 Test IKEv2.EN.I.1.2.4.6: Use of the old IKE_SA
90 Test IKEv2.EN.I.1.2.4.7: Changing PRFs when rekeying IKE_SA
91 Test IKEv2.EN.I.1.2.5.1: Sending CREATE_CHILD_SA request
92 Test IKEv2.EN.I.1.2.5.2: Receipt of cryptographically valid message on the new SA
93 * Test IKEv2.EN.I.1.2.6.1: Simulataneous CHILD_SA Close
94 * Test IKEv2.EN.I.1.2.6.2: Simulataneous IKE_SA Close
95 Test IKEv2.EN.I.1.2.6.3: Simulataneous CHILD_SA Rekeying
96 Test IKEv2.EN.I.1.2.6.4: Simulataneous CHILD_SA Rekeying with retransmission
97 Test IKEv2.EN.I.1.2.6.5: Simulataneous IKE_SA Rekeying
98 Test IKEv2.EN.I.1.2.6.6: Simulataneous IKE_SA Rekeying with retransmission
99 * Test IKEv2.EN.I.1.2.6.7: Closing and Rekeying CHILD_SA
100 * Test IKEv2.EN.I.1.2.6.8: Closing a new CHILD_SA
101 * Test IKEv2.EN.I.1.2.6.9: Rekeying a new CHILD_SA
102 * Test IKEv2.EN.I.1.2.6.10: Rekeying an IKE_SA with half-open CHILD_SAs
103 * Test IKEv2.EN.I.1.2.6.11: Rekeying a CHILD_SA while rekeying an IKE_SA
104 * Test IKEv2.EN.I.1.2.6.12: Rekeying an IKE_SA with half-closed CHILD_SAs
105 * Test IKEv2.EN.I.1.2.6.13: Closing a CHILD_SA while rekeying an IKE_SA
106 * Test IKEv2.EN.I.1.2.6.14: Closing an IKE_SA while rekeying an IKE_SA
107 * Test IKEv2.EN.I.1.2.6.15: Rekeying an IKE_SA while closing the IKE_SA
108 Test IKEv2.EN.I.1.2.7.1: Non zero RESERVED fields in CREATE_CHILD_SA response
109 * Test IKEv2.EN.I.1.3.1.1: Sending INFORMATIONAL request
110 * Test IKEv2.EN.I.1.3.2.1: Retransmission of INFORMATIONAL request
111 * Test IKEv2.EN.I.1.3.2.2: Stop of retransmission of INFORMATIONAL request
112 * Test IKEv2.EN.I.1.3.3.1: Non zero RESERVED fields in INFORMATIONAL response
113 * Test IKEv2.EN.I.1.3.4.1: INVALID_SPI
116 Test IKEv2.EN.I.2.1.1.1: Sending IKE_AUTH request
117 Test IKEv2.EN.I.2.1.1.2: Use of CHILD_SA
118 Test IKEv2.EN.I.2.1.2.1: Sending CFG_REQUEST
119 Test IKEv2.EN.I.2.1.2.2: Receipt of CFG_REPLY
120 Test IKEv2.EN.I.2.1.2.3: Non zero RESERVED fileds in Configuration Payload
121 Test IKEv2.EN.I.2.1.2.4: Receiving IKE_AUTH response without CFG_REPLY
122 Test IKEv2.EN.I.2.1.2.5: Receiving unrecognized Configuration Attributes
132 * Test IKEv2.EN.R.1.1.3.3: Close Connections when receiving INITIAL_CONTACT
136 Test IKEv2.EN.R.1.1.4.1: Receipt of a larger minor version number
142 Test IKEv2.EN.R.1.1.4.4 Part A: Invalid payload type 1
143 Test IKEv2.EN.R.1.1.4.4 Part B: Invalid payload type 32
144 Test IKEv2.EN.R.1.1.4.4 Part C: Invalid payload type 49
145 Test IKEv2.EN.R.1.1.4.4 Part D: Invalid payload type 255
146 Test IKEv2.EN.R.1.1.4.5: Invalid Payload Order
147 * Test IKEv2.EN.R.1.1.5.1: Cookies
148 * Test IKEv2.EN.R.1.1.5.2: Invalid Cookies
149 * Test IKEv2.EN.R.1.1.5.3: Interaction of COOKIE and INVALID_KE_PAYLOAD
150 * Test IKEv2.EN.R.1.1.5.4: Interaction of COOKIE and INVALID_KE_PAYLOAD with unoptimized Initiator
152 * Test IKEv2.EN.R.1.1.6.1 Part B: Encryption Algorithm ENCR_AES_CTR
157 Test IKEv2.EN.R.1.1.6.2 Part B: Encryption Algorithm ENCR_AES_CTR
158 Test IKEv2.EN.R.1.1.6.2 Part C: Encryption Algorithm ENCR_NULL
159 Test IKEv2.EN.R.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96
160 Test IKEv2.EN.R.1.1.6.2 Part E: Integrity Algorithm NONE
161 Test IKEv2.EN.R.1.1.6.2 Part F: Extended Sequence Number
176 Test IKEv2.EN.R.1.1.6.7: Sending of INVALID_KE_PAYLOAD
178 Test IKEv2.EN.R.1.1.6.9: Creating an IKE_SA without a CHILD_SA
179 Test IKEv2.EN.R.1.1.7.1: Narrowing the range of members of the set of traffic selectors
181 Test IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector
182 Test IKEv2.EN.R.1.1.8.1 Part A: Different IKE_SA Initiator's SPI
183 * Test IKEv2.EN.R.1.1.8.1 Part B: Different IKE_SA Responder's SPI
184 * Test IKEv2.EN.R.1.1.8.2: INVALID_SYNTAX
185 * Test IKEv2.EN.R.1.1.8.3: INVALID_SELECTORS
186 Test IKEv2.EN.R.1.1.10.1: Sending Certificate Payload
187 Test IKEv2.EN.R.1.1.10.2: Sending Certificate Request Payload
188 Test IKEv2.EN.R.1.1.10.3: RSA Digital Signature
191 Test IKEv2.EN.R.1.1.11.2: Non zero RESERVED fields in IKE_AUTH response
198 Test IKEv2.EN.R.1.2.3.1: Receiving Delete Payload for Multiple CHILD_SA
201 Test IKEv2.EN.R.1.2.5.2: Receipt of cryptographically protected message on the old SA and the new SA
209 Test IKEv2.EN.R.1.2.5.6: Use of the old CHILD_SA
212 Test IKEv2.EN.R.1.2.6.3: Use of the old IKE_SA
213 Test IKEv2.EN.R.1.2.6.4: Close the replaced IKE_SA
223 Test IKEv2.EN.R.1.2.6.8: D-H Transform NONE when rekeying the iKE_SA
224 Test IKEv2.EN.R.1.2.7.1: Receipt of cryptographically valid message on the new CHILD_SA
233 Test IKEv2.EN.R.2.1.1.1: Receipt of IKE_AUTH request
234 Test IKEv2.EN.R.2.1.1.2: Use of CHILD_SA
The full TAHI report can be found at
http://labs.suse.cz/jbohac/strongswan_ikev2_self_test/report1/
(this is report is not from a clean run, some of the tests have
been re-run individually)
E.g., "12 * Test IKEv2.EN.I.1.1.3.4: Close Connection when
receiving INITIAL_CONTACT" is clearly a test/remotescript
problem. After the IKE_SA_INIT/IKE_SA_AUTH/ICMP_ECHO exchanges, the
test expects a new IKE_SA_INIT packet. However, the test script
merely invokes ping6 on the NUT, which still has a valid SA.
Nothing that would force the NUT to re-start the IKE negotiation.
And furthermore, it does not wait for the IKE_SA_INIT long enough
for the ping6 to even be invoked, at least with my serial setup.
Despite the test spec says:
"8. NUT starts to negotiate with TN1 by sending IKE_SA_INIT
request. If rebooting NUT to start negotiation again is needed,
it is possible to reboot NUT."
The test/remote script does nothing like that. And I don't see an
easy way to fix this in the remote script without modifying the
test script.
Example of one of the non-deprecated failing tests that I
debugged:
"14: Test IKEv2.EN.I.1.1.3.6: Sending Delete Payload for IKE_SA" again
looks like the testsuite is broken. The test spec says: "In addition, set
IKE_SA Lifetime to 60 seconds and set CHILD_SA Lifetime to 30 seconds.
I modified koi/bin/remotes/linux-strongswan/ikev2.rmt to set
ipsec.conf with: "ikelifetime=60s, keylife=30s, rekeymargin=3s" and Boom!:
"Different Exchange Type (received: CREATE_CHILD_SA, expected:
INFORMATIONAL); Not match with packet('EN-I-1-1-3-7.1')"
Apparently, the test gets confused by the CREATE_CHILD_SA re-negotiating
the CHILD_SA that expired after 30s, while waiting for the re-negotiation
of the IKE_SA that will expire 30 seconds later. Unsurprisingly, with keylife=30m,
the test PASSes.
Another weirdness:
The test spec says to set the IKE_SA Lifetime to different values
(e.g. IKEv2.EN.I.1.1.3.7 and IKEv2.EN.I.1.1.3.6). But it is set
to a fixed value in the default ikev2.rmt that comes with
koi-2.1.8. The test scripts don't set the values requested by the
test spec.
I just wonder:
- Is the IKEv2_Self_Test even supposed to work? I wonder how it
could...
- Has anyone run the IKEv2_Self_Test with more success? Any tips&tricks,
custom remote files, configs, whatever?
- Is anyone else interested in The USGv6 certification with strongSwan?
Has anyone talked about this with any of the accredited testing labs?
- Is some kind of pre-release version of the 1.1.0 IKEv2_Self_Test
available anywhere? Curious if any of the above issues got fixed there
(apart of those where the tests have been removed completely,
of course).
Thanks for any hints,
--
Jiri Bohac <jbohac at suse.cz>
SUSE Labs, SUSE CZ
More information about the Users
mailing list