[strongSwan] ipv6ready IKEv2_Self_Test v1.0.3 failing with strongSwan

Jiri Bohac jbohac at suse.cz
Tue Jul 20 23:03:04 CEST 2010


Hi,

I have been trying to run the ipv6ready IKEv2_Self_Test against strongSwan
on SLES 11 SP1, as part of our preparation for the USGv6 certification. I
have encountered numerous problems. Below, I am listing a few examples
where I manged to pinpoint the problem.

The problem always turned out to be in the IKEv2 test scripts, not strongSwan.

Unfortunately, the IKEv2_Self_Test is part of the USGv6 test specifications:
http://w3.antd.nist.gov/usgv6/test-specifications.html
http://w3.antd.nist.gov/usgv6/TSTs/IKEv2_v1.0_C.html

The current (and also mandated by USGv6) version of the test tool is 1.0.3.
Since then, a new (v1.1.0) ipv6ready IKEv2 test specification has been published:
http://www.ipv6ready.org/docs/Phase2_IKEv2_Conformance_Latest.pdf
However, the test tool is not yet (publicly?) available.

The first problem I actually debugged turned to be an issue already known to
the ipv6ready guys. The tests get confused by strongSwan obeying:
   "initiator SHOULD include as the first traffic selector in each of TSi
    and TSr a very specific traffic selector including the addresses in
    the packet triggering the request." [RFC 4306].
See http://www.tahi.org/users/mail-list/201005.month/1691.html
strongSwan does this sice commit a13c013b. I reverted that for further testing.

The new v1.1.0 test specification has removed many of the test cases that
I see failing in the 1.0.3 version (good! the ones I looked into fail for
totally bogus reasons). I list all the failures below, the
tests removed in v1.1.0 are marked with an asterisk:

	12 *	Test IKEv2.EN.I.1.1.3.4: Close Connection when receiving INITIAL_CONTACT
	13 *	Test IKEv2.EN.I.1.1.3.5: Sending Liveness check
	14	Test IKEv2.EN.I.1.1.3.6: Sending Delete Payload for IKE_SA
	15 *	Test IKEv2.EN.I.1.1.3.7: Sending Delete Payload for CHILD_SA
	16 *	Test IKEv2.EN.I.1.1.3.8: Sending Liveness check with unprotected messages
	17	Test IKEv2.EN.I.1.1.4.1 Part A: Invalid payload type 1
	18	Test IKEv2.EN.I.1.1.4.1 Part B: Invalid payload type 32
	19	Test IKEv2.EN.I.1.1.4.1 Part C: Invalid payload type 49
	20	Test IKEv2.EN.I.1.1.4.1 Part D: Invalid payload type 255
	21	Test IKEv2.EN.I.1.1.4.2 Part A: Invalid payload type 1
	22	Test IKEv2.EN.I.1.1.4.2 Part B: Invalid payload type 32
	23	Test IKEv2.EN.I.1.1.4.2 Part C: Invalid payload type 49
	24	Test IKEv2.EN.I.1.1.4.2 Part D: Invalid payload type 255
	26	Test IKEv2.EN.I.1.1.5.2: Interaction of COOKIE and INVALID_KE_PAYLOAD
	27	Test IKEv2.EN.I.1.1.5.3: Interaction of COOKIE and INVALID_KE_PAYLOAD with unoptimized Responder
	28	Test IKEv2.EN.I.1.1.6.1 Part A: Encryption Algorithm ENCR_AES_CBC
	29 *	Test IKEv2.EN.I.1.1.6.1 Part B: Encryption Algorithm ENCR_AES_CTR
	30	Test IKEv2.EN.I.1.1.6.1 Part C: Pseudo-random Function PRF_AES128_XCBC
	31	Test IKEv2.EN.I.1.1.6.1 Part D: Integrity Algorithm AUTH_AES_XCBC_96
	32	Test IKEv2.EN.I.1.1.6.1 Part E: D-H Group Group 14
	33	Test IKEv2.EN.I.1.1.6.2 Part A: Encryption Algorithm ENCR_AES_CBC
	34	Test IKEv2.EN.I.1.1.6.2 Part B: Encryption Algorithm ENCR_AES_CTR
	35	Test IKEv2.EN.I.1.1.6.2 Part C: Encryption Algorithm ENCR_NULL
	36	Test IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96
	37	Test IKEv2.EN.I.1.1.6.2 Part E: Integrity Algorithm NONE
	38	Test IKEv2.EN.I.1.1.6.2 Part F: Extended Sequence Numbers
	39	Test IKEv2.EN.I.1.1.6.3 Part A: Multiple Encryption Algorithms
	40	Test IKEv2.EN.I.1.1.6.3 Part B: Multiple Pseudo-random Functions
	41	Test IKEv2.EN.I.1.1.6.3 Part C: Multiple Integrity Algorithms
	42	Test IKEv2.EN.I.1.1.6.3 Part D: Multiple D-H Groups
	44	Test IKEv2.EN.I.1.1.6.5 Part A: Multiple Encryption Algorithms
	45	Test IKEv2.EN.I.1.1.6.5 Part B: Multiple Integrity Algorithms
	46	Test IKEv2.EN.I.1.1.6.5 Part C: Multiple Extended Sequence Numbers
	47	Test IKEv2.EN.I.1.1.6.6: Sending Multiple Proposals
	48	Test IKEv2.EN.I.1.1.6.7: Receipt of INVALID_KE_PAYLOAD
	49 *	Test IKEv2.EN.I.1.1.6.8: Receipt of NO_PROPOSAL_CHOSEN
	50	Test IKEv2.EN.I.1.1.6.9: Response with inconsistent SA Proposal for IKE_SA
	52	Test IKEv2.EN.I.1.1.6.11 Part A: Receiving IKE_SA_INIT response with INVALID_KE_PAYLOAD
	53	Test IKEv2.EN.I.1.1.6.11 Part B: Receiving IKE_SA_INIT response with INVALID_KE_PAYLOAD
	54	Test IKEv2.EN.I.1.1.6.12: Creating an IKE_SA without a CHILD_SA
	55	Test IKEv2.EN.I.1.1.7.1: Narrowing the range of members of the set of traffic selectors
	56 *	Test IKEv2.EN.I.1.1.8.1 Part A: INVALID_IKE_SPI Different IKE_SA Initiator's SPI
	57 *	Test IKEv2.EN.I.1.1.8.1 Part B: INVALID_IKE_SPI Different IKE_SA Responder's SPI
	58 *	Test IKEv2.EN.I.1.1.8.2: INVALID_SELECTORS
	59	Test IKEv2.EN.I.1.1.10.1: Sending Certificate Payload
	60	Test IKEv2.EN.I.1.1.10.2: Sending Certificate Request Payload
	61	Test IKEv2.EN.I.1.1.10.3: RSA Digital Signature
	64	Test IKEv2.EN.I.1.1.11.2: Non zero RESERVED fields in IKE_AUTH response
	66	Test IKEv2.EN.I.1.1.11.4: Unrecognized Notify Message Type of Error
	68	Test IKEv2.EN.I.1.2.1.1: Sending CREATE_CHILD_SA request
	69	Test IKEv2.EN.I.1.2.2.1: Retransmission of CREATE_CHILD_SA request
	70	Test IKEv2.EN.I.1.2.2.2: Stop of retransmission of CREATE_CHILD_SA request
	71	Test IKEv2.EN.I.1.2.3.1: Close the replaced CHILD_SA
	72	Test IKEv2.EN.I.1.2.3.2: Receipt of cryptographically valid message on the new SA
	73	Test IKEv2.EN.I.1.2.3.3: Lifetime of CHILD_SA expires
	74	Test IKEv2.EN.I.1.2.3.4 Part A: Sending Multiple Transform for Rekeying CHILD_SA
	75	Test IKEv2.EN.I.1.2.3.4 Part B: Sending Multiple Transform for Rekeying CHILD_SA
	76	Test IKEv2.EN.I.1.2.3.4 Part C: Sending Multiple Transform for Rekeying CHILD_SA
	77	Test IKEv2.EN.I.1.2.3.5: Sending Multiple Proposal for Rekeying CHILD_SA
	78	Test IKEv2.EN.I.1.2.3.6: Rekeying Failure
	79	Test IKEv2.EN.I.1.2.3.7: Perfect Forward Secrecy
	80	Test IKEv2.EN.I.1.2.3.8: Use of the old CHILD_SA
	81	Test IKEv2.EN.I.1.2.4.1: Close the replaced IKE_SA
	82	Test IKEv2.EN.I.1.2.4.2: Receipt of cryptographically valid message on the new IKE_SA
	83	Test IKEv2.EN.I.1.2.4.3: Lifetime of IKE_SA expires
	84	Test IKEv2.EN.I.1.2.4.4 Part A: Sending Multiple Transform for Rekeying IKE_SA
	85	Test IKEv2.EN.I.1.2.4.4 Part B: Sending Multiple Transform for Rekeying IKE_SA
	86	Test IKEv2.EN.I.1.2.4.4 Part C: Sending Multiple Transform for Rekeying IKE_SA
	87	Test IKEv2.EN.I.1.2.4.4 Part D: Sending Multiple Transform for Rekeying IKE_SA
	88	Test IKEv2.EN.I.1.2.4.5: Sending Multiple Proposal for Rekeying IKE_SA
	89	Test IKEv2.EN.I.1.2.4.6: Use of the old IKE_SA
	90	Test IKEv2.EN.I.1.2.4.7: Changing PRFs when rekeying IKE_SA
	91	Test IKEv2.EN.I.1.2.5.1: Sending CREATE_CHILD_SA request
	92	Test IKEv2.EN.I.1.2.5.2: Receipt of cryptographically valid message on the new SA
	93 *	Test IKEv2.EN.I.1.2.6.1: Simulataneous CHILD_SA Close
	94 *	Test IKEv2.EN.I.1.2.6.2: Simulataneous IKE_SA Close
	95	Test IKEv2.EN.I.1.2.6.3: Simulataneous CHILD_SA Rekeying
	96	Test IKEv2.EN.I.1.2.6.4: Simulataneous CHILD_SA Rekeying with retransmission
	97	Test IKEv2.EN.I.1.2.6.5: Simulataneous IKE_SA Rekeying
	98 	Test IKEv2.EN.I.1.2.6.6: Simulataneous IKE_SA Rekeying with retransmission
	99 *	Test IKEv2.EN.I.1.2.6.7: Closing and Rekeying CHILD_SA
	100 *	Test IKEv2.EN.I.1.2.6.8: Closing a new CHILD_SA
	101 *	Test IKEv2.EN.I.1.2.6.9: Rekeying a new CHILD_SA
	102 *	Test IKEv2.EN.I.1.2.6.10: Rekeying an IKE_SA with half-open CHILD_SAs
	103 *	Test IKEv2.EN.I.1.2.6.11: Rekeying a CHILD_SA while rekeying an IKE_SA
	104 *	Test IKEv2.EN.I.1.2.6.12: Rekeying an IKE_SA with half-closed CHILD_SAs
	105 *	Test IKEv2.EN.I.1.2.6.13: Closing a CHILD_SA while rekeying an IKE_SA
	106 * 	Test IKEv2.EN.I.1.2.6.14: Closing an IKE_SA while rekeying an IKE_SA
	107 *	Test IKEv2.EN.I.1.2.6.15: Rekeying an IKE_SA while closing the IKE_SA
	108	Test IKEv2.EN.I.1.2.7.1: Non zero RESERVED fields in CREATE_CHILD_SA response
	109 * 	Test IKEv2.EN.I.1.3.1.1: Sending INFORMATIONAL request
	110 *	Test IKEv2.EN.I.1.3.2.1: Retransmission of INFORMATIONAL request
	111 *	Test IKEv2.EN.I.1.3.2.2: Stop of retransmission of INFORMATIONAL request
	112 *	Test IKEv2.EN.I.1.3.3.1: Non zero RESERVED fields in INFORMATIONAL response
	113 *	Test IKEv2.EN.I.1.3.4.1: INVALID_SPI
	116  	Test IKEv2.EN.I.2.1.1.1: Sending IKE_AUTH request
	117	Test IKEv2.EN.I.2.1.1.2: Use of CHILD_SA
	118	Test IKEv2.EN.I.2.1.2.1: Sending CFG_REQUEST
	119	Test IKEv2.EN.I.2.1.2.2: Receipt of CFG_REPLY
	120	Test IKEv2.EN.I.2.1.2.3: Non zero RESERVED fileds in Configuration Payload
	121	Test IKEv2.EN.I.2.1.2.4: Receiving IKE_AUTH response without CFG_REPLY
	122	Test IKEv2.EN.I.2.1.2.5: Receiving unrecognized Configuration Attributes
	132 *	Test IKEv2.EN.R.1.1.3.3: Close Connections when receiving INITIAL_CONTACT
	136	Test IKEv2.EN.R.1.1.4.1: Receipt of a larger minor version number
	142	Test IKEv2.EN.R.1.1.4.4 Part A: Invalid payload type 1
	143	Test IKEv2.EN.R.1.1.4.4 Part B: Invalid payload type 32
	144	Test IKEv2.EN.R.1.1.4.4 Part C: Invalid payload type 49
	145	Test IKEv2.EN.R.1.1.4.4 Part D: Invalid payload type 255
	146	Test IKEv2.EN.R.1.1.4.5: Invalid Payload Order
	147 *	Test IKEv2.EN.R.1.1.5.1: Cookies
	148 *	Test IKEv2.EN.R.1.1.5.2: Invalid Cookies
	149 *	Test IKEv2.EN.R.1.1.5.3: Interaction of COOKIE and INVALID_KE_PAYLOAD
	150 *	Test IKEv2.EN.R.1.1.5.4: Interaction of COOKIE and INVALID_KE_PAYLOAD with unoptimized Initiator
	152 *	Test IKEv2.EN.R.1.1.6.1 Part B: Encryption Algorithm ENCR_AES_CTR
	157	Test IKEv2.EN.R.1.1.6.2 Part B: Encryption Algorithm ENCR_AES_CTR
	158	Test IKEv2.EN.R.1.1.6.2 Part C: Encryption Algorithm ENCR_NULL
	159	Test IKEv2.EN.R.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96
	160	Test IKEv2.EN.R.1.1.6.2 Part E: Integrity Algorithm NONE
	161	Test IKEv2.EN.R.1.1.6.2 Part F: Extended Sequence Number
	176	Test IKEv2.EN.R.1.1.6.7: Sending of INVALID_KE_PAYLOAD
	178	Test IKEv2.EN.R.1.1.6.9: Creating an IKE_SA without a CHILD_SA
	179	Test IKEv2.EN.R.1.1.7.1: Narrowing the range of members of the set of traffic selectors
	181	Test IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector
	182	Test IKEv2.EN.R.1.1.8.1 Part A: Different IKE_SA Initiator's SPI
	183 *	Test IKEv2.EN.R.1.1.8.1 Part B: Different IKE_SA Responder's SPI
	184 *	Test IKEv2.EN.R.1.1.8.2: INVALID_SYNTAX
	185 *	Test IKEv2.EN.R.1.1.8.3: INVALID_SELECTORS
	186	Test IKEv2.EN.R.1.1.10.1: Sending Certificate Payload
	187	Test IKEv2.EN.R.1.1.10.2: Sending Certificate Request Payload
	188	Test IKEv2.EN.R.1.1.10.3: RSA Digital Signature
	191	Test IKEv2.EN.R.1.1.11.2: Non zero RESERVED fields in IKE_AUTH response
	198	Test IKEv2.EN.R.1.2.3.1: Receiving Delete Payload for Multiple CHILD_SA
	201	Test IKEv2.EN.R.1.2.5.2: Receipt of cryptographically protected message on the old SA and the new SA
	209	Test IKEv2.EN.R.1.2.5.6: Use of the old CHILD_SA
	212	Test IKEv2.EN.R.1.2.6.3: Use of the old IKE_SA
	213	Test IKEv2.EN.R.1.2.6.4: Close the replaced IKE_SA
	223	Test IKEv2.EN.R.1.2.6.8: D-H Transform NONE when rekeying the iKE_SA
	224	Test IKEv2.EN.R.1.2.7.1: Receipt of cryptographically valid message on the new CHILD_SA
	233	Test IKEv2.EN.R.2.1.1.1: Receipt of IKE_AUTH request
	234	Test IKEv2.EN.R.2.1.1.2: Use of CHILD_SA

	The full TAHI report can be found at
	http://labs.suse.cz/jbohac/strongswan_ikev2_self_test/report1/
	(this is report is not from a clean run, some of the tests have
	been re-run individually)


E.g., "12 *    Test IKEv2.EN.I.1.1.3.4: Close Connection when
receiving INITIAL_CONTACT" is clearly a test/remotescript
problem. After the IKE_SA_INIT/IKE_SA_AUTH/ICMP_ECHO exchanges, the
test expects a new IKE_SA_INIT packet. However, the test script
merely invokes ping6 on the NUT, which still has a valid SA.
Nothing that would force the NUT to re-start the IKE negotiation.
And furthermore, it does not wait for the IKE_SA_INIT long enough 
for the ping6 to even be invoked, at least with my serial setup.
Despite the test spec says:
	"8. NUT starts to negotiate with TN1 by sending IKE_SA_INIT
	request. If rebooting NUT to start negotiation again is needed, 
	it is possible to reboot NUT."
The test/remote script does nothing like that. And I don't see an
easy way to fix this in the remote script without modifying the
test script.


Example of one of the non-deprecated failing tests that I
debugged:

"14: Test IKEv2.EN.I.1.1.3.6: Sending Delete Payload for IKE_SA" again
looks like the testsuite is broken.  The test spec says: "In addition, set
IKE_SA Lifetime to 60 seconds and set CHILD_SA Lifetime to 30 seconds.
I modified koi/bin/remotes/linux-strongswan/ikev2.rmt to set
ipsec.conf with: "ikelifetime=60s, keylife=30s, rekeymargin=3s" and Boom!:
	"Different Exchange Type (received: CREATE_CHILD_SA, expected:
	INFORMATIONAL); Not match with packet('EN-I-1-1-3-7.1')"
Apparently, the test gets confused by the CREATE_CHILD_SA re-negotiating
the CHILD_SA that expired after 30s, while waiting for the re-negotiation
of the IKE_SA that will expire 30 seconds later. Unsurprisingly, with keylife=30m, 
the test PASSes.

Another weirdness:
The test spec says to set the IKE_SA Lifetime to different values
(e.g. IKEv2.EN.I.1.1.3.7 and IKEv2.EN.I.1.1.3.6). But it is set
to a fixed value in the default ikev2.rmt that comes with
koi-2.1.8. The test scripts don't set the values requested by the
test spec.



I just wonder:

- Is the IKEv2_Self_Test even supposed to work? I wonder how it
  could...

- Has anyone run the IKEv2_Self_Test with more success? Any tips&tricks,
  custom remote files, configs, whatever?

- Is anyone else interested in The USGv6 certification with strongSwan?
  Has anyone talked about this with any of the accredited testing labs?

- Is some kind of pre-release version of the 1.1.0 IKEv2_Self_Test
  available anywhere? Curious if any of the above issues got fixed there
  (apart of those where the tests have been removed completely,
  of course).

Thanks for any hints, 


-- 
Jiri Bohac <jbohac at suse.cz>
SUSE Labs, SUSE CZ





More information about the Users mailing list