[strongSwan] strongswan: charon not reacting for higher major version in IKE header
gowrishankar.m at linux.vnet.ibm.com
Sun Jul 1 07:15:17 CEST 2012
Thanks a lot! Yes, it was using socket-raw (as pluto is also configured). I disabled
it explicitly in the configure options and enabled socket-default, and am now seeing:
Jun 30 17:04:35 09[ENC] parsing rule 3 U_INT_4
Jun 30 17:04:35 09[ENC] => 3
Jun 30 17:04:35 09[ENC] parsing HEADER payload finished
Jun 30 17:04:35 09[ENC] parsed a IKE_SA_INIT request
Jun 30 17:04:35 09[NET] received unsupported IKE version 3.0 from
y:y:y:1::1, sending INVALID_MAJOR_VERSION
On Sunday 01 July 2012 12:11 AM, Andreas Steffen wrote:
> Are you using the charon daemon with the socket-raw plugin which
> filters and processes IKE major version 2 only or the socket-default
> plugin which processes all IKE packets irrespective of the major
> version? ipsec statusall shows which plugin is loaded.
> On 30.06.2012 20:05, gowrishankar wrote:
>> Hi Andreas,
>> I tested in strongswan-5.0.0rc1 as well, but same problem.
>> I'll debug some more and post here updates.
>> Gowri Shankar
>> On Saturday 30 June 2012 08:38 PM, Andreas Steffen wrote:
>>> Hi Gowri,
>>> have a look at the following piece of code in the git repository
>>> which is the basis of today's strongSwan 5.0.0 release.
>>> On 06/30/2012 09:13 AM, gowrishankar wrote:
>>>> strongswan: charon not reacting for higher major version in IKE header
>>>> strongSwan libcharon is found to be not reacting to an invalid (or
>>>> higher) major version in the IKE header of a received packet.
>>>> As per RFC 4306 Section 2.5:
>>>> If an endpoint receives a message with a higher major version
>>>> it MUST drop the message and SHOULD send an unauthenticated
>>>> notification message containing the highest version number it
>>>> and RFC 5996 Section 2.5 clarifies the notification message type as
>>>> "INVALID_MAJOR_VERSION". Though the current implementation shows a
>>>> portion of code in libcharon/network/receiver.c, it is not executing
>>>> when sending an IKE_SA_INIT request with an invalid major version (and
>>>> I am not seeing any debug info in charon.log about the received packet
>>>> from the net or enc threads).
>>>> I tested with strongswan based on 4.6.
>>>> Can someone have a look at this?
>>>> Gowri Shankar
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
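As an added illustration (not strongSwan's own receiver.c code), this C example implements the RFC 5996 section 2.5 rule the thread is about: classify an incoming datagram by the major version in its IKE header, and for a higher major version build the unauthenticated INVALID_MAJOR_VERSION reply that carries our highest supported version. The header offsets and the notify type value 5 come from RFC 5996 (sections 3.1 and 3.10.1); the sample IKE_SA_INIT header with version 3.0 is constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IKE_HEADER_LEN 28
#define IKE_VERSION_OFFSET 17 /* MjVer (high nibble) | MnVer (low nibble) */
#define IKE_MAJOR_SUPPORTED 2
#define NOTIFY_INVALID_MAJOR_VERSION 5 /* notify type, RFC 5996 3.10.1 */
#define NOTIFY_LEN 36 /* IKE header + 8-byte Notify payload with no data */

enum ike_action {
    IKE_DROP_SILENT,     /* too short, or IKEv1 (charon leaves that to pluto) */
    IKE_PROCESS,         /* major version 2: hand to the IKEv2 parser */
    IKE_DROP_AND_NOTIFY  /* higher major: drop, answer INVALID_MAJOR_VERSION */
};

/* RFC 5996 section 2.5 rule: decide by the major version in the IKE header. */
enum ike_action classify_ike_header(const uint8_t *pkt, size_t len, uint8_t *major_out)
{
    if (len < IKE_HEADER_LEN) return IKE_DROP_SILENT;
    uint8_t major = pkt[IKE_VERSION_OFFSET] >> 4;
    if (major_out) *major_out = major;
    if (major > IKE_MAJOR_SUPPORTED) return IKE_DROP_AND_NOTIFY;
    if (major < IKE_MAJOR_SUPPORTED) return IKE_DROP_SILENT;
    return IKE_PROCESS;
}

/* Build the unauthenticated reply: a plain IKE header carrying our highest
 * version (2.0) plus one Notify payload of type INVALID_MAJOR_VERSION.
 * Returns the number of bytes written to out. */
size_t build_invalid_major_notify(const uint8_t *req, uint8_t out[NOTIFY_LEN])
{
    memset(out, 0, NOTIFY_LEN);
    memcpy(out, req, 8);                /* echo initiator SPI; responder SPI stays 0 */
    out[16] = 41;                       /* next payload: Notify */
    out[17] = IKE_MAJOR_SUPPORTED << 4; /* version 2.0 = highest we support */
    out[18] = req[18];                  /* same exchange type as the request */
    out[19] = 0x20;                     /* flags: Response */
    memcpy(out + 20, req + 20, 4);      /* echo message ID */
    out[27] = NOTIFY_LEN;               /* total length (fits in the low byte) */
    out[31] = 8;                        /* Notify payload length */
    out[35] = NOTIFY_INVALID_MAJOR_VERSION; /* protocol 0, SPI size 0, type 5 */
    return NOTIFY_LEN;
}

/* Constructed sample: IKE_SA_INIT request header with the version byte set to 3.0. */
static const uint8_t sample_v3_init[IKE_HEADER_LEN] = {
    1,2,3,4,5,6,7,8, 0,0,0,0,0,0,0,0, /* initiator SPI, responder SPI */
    33, 0x30, 34, 0x08, 0,0,0,0, 0,0,0,IKE_HEADER_LEN /* SA, v3.0, IKE_SA_INIT, I flag, msg id, length */
};
```

Note that a receiver only ever reaches this check if the socket layer delivers the packet at all; the thread's finding was that socket-raw filtered non-IKEv2 packets before charon could react, which socket-default does not.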