[strongSwan] strongswan: charon not reacting for higher major version in IKE header

gowrishankar gowrishankar.m at linux.vnet.ibm.com
Sun Jul 1 08:30:15 CEST 2012


Hi Andreas,
I also realised now that both charon and pluto can be enabled together
with respect to the socket receiving side (it was earlier a problem, as in

http://wiki.strongswan.org/issues/123

and fixed in 4.5.0).

Another question here is: should the charon-raw plugin report an invalid
version notification instead of dropping the packet?

Thanks,
Gowri Shankar

On Sunday 01 July 2012 10:45 AM, gowrishankar wrote:
> Hi Andreas,
> Thanks a lot! Yes, it was using socket-raw (as pluto is also
> configured). I disabled it explicitly in the configure options and
> enabled socket-default, and I am seeing the invalid version
> notification correctly.
>
> Jun 30 17:04:35 09[ENC]   parsing rule 3 U_INT_4
> Jun 30 17:04:35 09[ENC]    => 3
> ...
> Jun 30 17:04:35 09[ENC] parsing HEADER payload finished
> Jun 30 17:04:35 09[ENC] parsed a IKE_SA_INIT request
> Jun 30 17:04:35 09[NET] received unsupported IKE version 3.0 from y:y:y:1::1, sending INVALID_MAJOR_VERSION
>
>
> Thanks,
> Gowri Shankar
>
> On Sunday 01 July 2012 12:11 AM, Andreas Steffen wrote:
>> Are you using the charon daemon with the socket-raw plugin which
>> filters and processes IKE major version 2 only or the socket-default
>> plugin which processes all IKE packets irrespective of the major
>> version? ipsec statusall shows which plugin is loaded.
>>
>> Regards
>>
>> Andreas
>>
>> On 30.06.2012 20:05, gowrishankar wrote:
>>> Hi Andreas,
>>>
>>> I tested in strongswan-5.0.0rc1 as well, but same problem.
>>> I'll debug some more and post here updates.
>>>
>>> Thanks,
>>> Gowri Shankar
>>>
>>> On Saturday 30 June 2012 08:38 PM, Andreas Steffen wrote:
>>>> Hi Gowri,
>>>>
>>>> have a look at the following piece of code in the git repository
>>>>
>>>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/network/receiver.c;h=f0cb0b2d17d153205e97f880e7daa0fdea89f974;hb=HEAD#l409
>>>>
>>>> which is the basis of today's strongSwan 5.0.0 release.
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> On 06/30/2012 09:13 AM, gowrishankar wrote:
>>>>> strongswan: charon not reacting for higher major version in IKE header
>>>>>
>>>>> strongswan libcharon is found not to react to an invalid (or
>>>>> higher) major version in the IKE header of a received packet.
>>>>>
>>>>> As per RFC 4306 Section 2.5:
>>>>>       If an endpoint receives a message with a higher major version
>>>>>       number, it MUST drop the message and SHOULD send an
>>>>>       unauthenticated notification message containing the highest
>>>>>       version number it supports.
>>>>>
>>>>> and RFC 5996 Section 2.5 clarifies the notification message type as
>>>>> "INVALID_MAJOR_VERSION". Though the current implementation has this
>>>>> in a portion of the code in libcharon/network/receiver.c, it is not
>>>>> executed when sending an IKE_SA_INIT request with an invalid major
>>>>> version (and I am not seeing any debug info in charon.log for the
>>>>> received packet from the net or enc threads).
>>>>>
>>>>> I tested with strongswan based on 4.6.
>>>>>
>>>>> Can someone have a look at this?
>>>>>
>>>>> Thanks,
>>>>> Gowri Shankar
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>>
>>
>
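As an added example (not code from this thread and not strongSwan's own receiver.c), the following Python model shows the behaviour the thread is about: it parses the fixed 28-octet IKE header (RFC 5996 Section 3.1), applies the RFC 4306/5996 Section 2.5 rule (a higher major version MUST be dropped and SHOULD be answered with an unauthenticated INVALID_MAJOR_VERSION notification), and contrasts a socket plugin that filters on major version 2 before the daemon sees the packet (Andreas's description of socket-raw) with one that passes every IKE packet through (socket-default). The packets are constructed test data; the response layout (highest supported version in the response header, request SPIs, exchange type and message ID mirrored, an empty notify payload) is this example's design choice, not a statement of what charon sends.

```python
"""Model of the IKEv2 major-version check discussed in this thread.

Added example, not strongSwan code.  All packets are constructed test data.
"""
import struct
from dataclasses import dataclass

# SPIi, SPIr, next payload, MjVer|MnVer, exchange type, flags, message ID, length
IKE_HEADER_FMT = "!8s8sBBBBII"
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)   # 28 octets

IKEV2_MAJOR = 2
IKEV2_MINOR = 0

EXCH_IKE_SA_INIT = 34
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 41

FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20

NOTIFY_INVALID_MAJOR_VERSION = 5     # RFC 5996 Section 3.10.1


@dataclass
class IkeHeader:
    spi_i: bytes
    spi_r: bytes
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_ike_header(pkt: bytes) -> IkeHeader:
    """Parse the fixed IKE header; raise ValueError on a truncated packet."""
    if len(pkt) < IKE_HEADER_LEN:
        raise ValueError("packet shorter than IKE header")
    spi_i, spi_r, np, ver, exch, flags, mid, length = struct.unpack(
        IKE_HEADER_FMT, pkt[:IKE_HEADER_LEN])
    return IkeHeader(spi_i, spi_r, np, ver >> 4, ver & 0x0F, exch, flags, mid, length)


def build_ike_packet(spi_i, spi_r, major, minor, exch, flags, msg_id, body=b""):
    """Serialise a header plus optional payload bytes, filling in Length."""
    version = (major << 4) | minor
    next_payload = PAYLOAD_NOTIFY if body else PAYLOAD_NONE
    return struct.pack(IKE_HEADER_FMT, spi_i, spi_r, next_payload, version,
                       exch, flags, msg_id, IKE_HEADER_LEN + len(body)) + body


def build_invalid_major_version_notify(req: IkeHeader) -> bytes:
    """Unauthenticated INVALID_MAJOR_VERSION response for a request header.

    Assumption (design choice of this example): the highest supported version
    goes in the response header's version field, the request's SPIs, exchange
    type and message ID are mirrored, and the notify payload carries no SPI
    and no notification data.
    """
    # Notify payload (RFC 5996 Section 3.10): next payload, critical/reserved,
    # payload length, protocol ID, SPI size, notify message type = 8 octets.
    notify = struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8, 0, 0,
                         NOTIFY_INVALID_MAJOR_VERSION)
    return build_ike_packet(req.spi_i, req.spi_r, IKEV2_MAJOR, IKEV2_MINOR,
                            req.exchange_type, FLAG_RESPONSE, req.message_id,
                            notify)


def socket_raw_filter(pkt: bytes) -> bool:
    """Model of a socket plugin that hands only major version 2 to the daemon.

    The version octet is byte 17 of the header (after the two 8-octet SPIs
    and the next-payload octet).
    """
    return len(pkt) > 17 and (pkt[17] >> 4) == IKEV2_MAJOR


def receiver_handle(pkt: bytes, socket_plugin: str = "default"):
    """Return (verdict, response bytes or None) for one inbound IKE packet."""
    if socket_plugin == "raw" and not socket_raw_filter(pkt):
        # Never reaches the receiver: no NET/ENC log line, no notification.
        return ("dropped_by_socket_filter", None)
    hdr = parse_ike_header(pkt)
    if hdr.major > IKEV2_MAJOR:
        # RFC 5996 Section 2.5: MUST drop, SHOULD notify INVALID_MAJOR_VERSION.
        return ("invalid_major_version", build_invalid_major_version_notify(hdr))
    if hdr.major < IKEV2_MAJOR:
        # IKEv1 traffic belongs to pluto in the reporter's setup; not modelled.
        return ("not_ikev2", None)
    return ("accepted", None)


# Constructed IKE_SA_INIT request claiming IKE version 3.0, as in the report.
PROBE_V3 = build_ike_packet(b"\x11" * 8, b"\x00" * 8, 3, 0, EXCH_IKE_SA_INIT,
                            FLAG_INITIATOR, 0)
# Constructed well-formed IKEv2 (2.0) IKE_SA_INIT header for comparison.
PROBE_V2 = build_ike_packet(b"\x22" * 8, b"\x00" * 8, 2, 0, EXCH_IKE_SA_INIT,
                            FLAG_INITIATOR, 0)

if __name__ == "__main__":
    for plugin in ("raw", "default"):
        verdict, resp = receiver_handle(PROBE_V3, plugin)
        print(f"socket-{plugin}: {verdict}", resp.hex() if resp else "")
```

Running it shows the two outcomes from the thread side by side: with the raw-socket filter the version 3.0 probe is dropped silently before any header parsing, so nothing is logged and nothing is sent; with the pass-through socket the header is parsed, the major version check fires and a 36-octet response (28-octet header with version 2.0 and the response flag set, plus an 8-octet INVALID_MAJOR_VERSION notify) is produced.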