[strongSwan] strongswan: charon not reacting for higher major version in IKE header

gowrishankar gowrishankar.m at linux.vnet.ibm.com
Sat Jun 30 20:05:52 CEST 2012


Hi Andreas,

I tested in strongswan-5.0.0rc1 as well, but same problem.
I'll debug some more and post updates here.

Thanks,
Gowri Shankar

On Saturday 30 June 2012 08:38 PM, Andreas Steffen wrote:
> Hi Gowri,
>
> have a look at the following piece of code in the git repository
>
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/network/receiver.c;h=f0cb0b2d17d153205e97f880e7daa0fdea89f974;hb=HEAD#l409
>
> which is the basis of today's strongSwan 5.0.0 release.
>
> Regards
>
> Andreas
>
> On 06/30/2012 09:13 AM, gowrishankar wrote:
>> strongswan: charon not reacting for higher major version in IKE header
>>
>> strongswan libcharon is found to be not reacting for invalid (or
>> higher) major version in IKE header of received packet.
>>
>> As per RFC 4306 Section 2.5:
>>      If an endpoint receives a message with a higher major version number,
>>      it MUST drop the message and SHOULD send an unauthenticated
>>      notification message containing the highest version number it
>>      supports.
>>
>> and RFC 5996 Section 2.5 clarifies the notification message type as
>> "INVALID_MAJOR_VERSION". Though the current implementation shows a
>> portion of code in libcharon/network/receiver.c, it is not executing
>> while sending an IKE_SA_INIT request with an invalid major version (and
>> I am not seeing any debug info in charon.log for the received packet
>> by the net or enc threads).
>>
>> I tested with strongswan based on 4.6.
>>
>> Can someone have a look at this?
>>
>> Thanks,
>> Gowri Shankar
>>
>
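
The version check from RFC 5996 Section 2.5 discussed in this thread, as an added example that is not part of the original messages and is not strongSwan's receiver.c code: it inspects the version octet of the IKE header and builds the unauthenticated INVALID_MAJOR_VERSION reply. The IKEv2-only endpoint, the function names and the rule of staying silent toward responses are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKE_HDR_LEN            28    /* fixed IKE header size in bytes */
#define IKE_MAJOR_SUPPORTED    2     /* assumption: an IKEv2-only endpoint */
#define IKE_FLAG_RESPONSE      0x20  /* R bit in the flags octet */
#define PAYLOAD_NOTIFY         41    /* Notify payload type */
#define INVALID_MAJOR_VERSION  5     /* notify message type */

enum ike_verdict { IKE_MALFORMED, IKE_CONTINUE, IKE_DROP_SILENT, IKE_DROP_AND_NOTIFY };

/* Decide what to do with a datagram from the header's version octet alone. */
enum ike_verdict ike_check_version(const uint8_t *pkt, size_t len)
{
    if (len < IKE_HDR_LEN)
        return IKE_MALFORMED;
    if ((pkt[17] >> 4) <= IKE_MAJOR_SUPPORTED)   /* high nibble is the major version */
        return IKE_CONTINUE;                     /* not higher: later checks apply */
    /* Assumption: never answer a response, so two peers cannot exchange notifies forever. */
    return (pkt[19] & IKE_FLAG_RESPONSE) ? IKE_DROP_SILENT : IKE_DROP_AND_NOTIFY;
}

/* Build the 36-byte unauthenticated reply; returns bytes written, 0 on error. */
size_t ike_build_invalid_major(const uint8_t *req, size_t req_len,
                               uint8_t *out, size_t out_len)
{
    if (req_len < IKE_HDR_LEN || out_len < IKE_HDR_LEN + 8)
        return 0;
    memset(out, 0, IKE_HDR_LEN + 8);
    memcpy(out, req, 16);                 /* initiator and responder SPI */
    out[16] = PAYLOAD_NOTIFY;             /* next payload */
    out[17] = IKE_MAJOR_SUPPORTED << 4;   /* highest version we support: 2.0 */
    out[18] = req[18];                    /* same exchange type as the request */
    out[19] = IKE_FLAG_RESPONSE;
    memcpy(out + 20, req + 20, 4);        /* same message ID */
    out[27] = IKE_HDR_LEN + 8;            /* total length, big-endian 32 bit */
    out[31] = 8;                          /* notify payload length, no SPI, no data */
    out[35] = INVALID_MAJOR_VERSION;      /* notify type, big-endian 16 bit */
    return IKE_HDR_LEN + 8;
}

int main(void)
{
    uint8_t req[IKE_HDR_LEN] = {0}, rsp[64];   /* constructed IKE_SA_INIT header, version 3.0 */
    req[17] = 0x30; req[18] = 34; req[19] = 0x08; req[27] = IKE_HDR_LEN;
    if (ike_check_version(req, sizeof req) == IKE_DROP_AND_NOTIFY)
        printf("reply bytes: %zu\n", ike_build_invalid_major(req, sizeof req, rsp, sizeof rsp));
    return 0;
}
```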
