[strongSwan] strongswan: charon not reacting for higher major version in IKE header

Andreas Steffen andreas.steffen at strongswan.org
Sat Jun 30 20:41:19 CEST 2012


Are you using the charon daemon with the socket-raw plugin which
filters and processes IKE major version 2 only or the socket-default
plugin which processes all IKE packets irrespective of the major
version? ipsec statusall shows which plugin is loaded.

Regards

Andreas

On 30.06.2012 20:05, gowrishankar wrote:
> Hi Andreas,
> 
> I tested in strongswan-5.0.0rc1 as well, but same problem.
> I'll debug some more and post updates here.
> 
> Thanks,
> Gowri Shankar
> 
> On Saturday 30 June 2012 08:38 PM, Andreas Steffen wrote:
>> Hi Gowri,
>>
>> have a look at the following piece of code in the git repository
>>
>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/network/receiver.c;h=f0cb0b2d17d153205e97f880e7daa0fdea89f974;hb=HEAD#l409
>>
>>
>> which is the basis of today's strongSwan 5.0.0 release.
>>
>> Regards
>>
>> Andreas
>>
>> On 06/30/2012 09:13 AM, gowrishankar wrote:
>>> strongswan: charon not reacting for higher major version in IKE header
>>>
>>> strongswan libcharon is found not to react to an invalid (or
>>> higher) major version in the IKE header of a received packet.
>>>
>>> As per RFC 4306 Section 2.5:
>>>      If an endpoint receives a message with a higher major version
>>>      number, it MUST drop the message and SHOULD send an unauthenticated
>>>      notification message containing the highest version number it
>>>      supports.
>>>
>>> and RFC 5996 Section 2.5 clarifies the notification message type as
>>> "INVALID_MAJOR_VERSION". Though the current implementation shows a
>>> portion of code in libcharon/network/receiver.c, it is not executing
>>> while sending an IKE_SA_INIT request with an invalid major version (and
>>> I am not seeing any debug info in charon.log for the received packet
>>> by the net or enc threads).
>>>
>>> I tested with strongswan based on 4.6.
>>>
>>> Can someone have a look at this?
>>>
>>> Thanks,
>>> Gowri Shankar
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
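
Added example (not part of the original messages and not strongSwan's receiver.c): the RFC 4306/5996 Section 2.5 rule quoted in the thread, as a standalone C check that drops a datagram with a higher major version and builds the unauthenticated INVALID_MAJOR_VERSION notify. The function name and constants are hypothetical, the buffer is assumed to start at the IKE header, and the check can only run if the socket plugin delivers packets of every major version to the daemon.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IKE_HDR_LEN            28  /* fixed IKE header, RFC 5996 section 3.1 */
#define NOTIFY_LEN              8  /* Notify payload with no SPI and no data */
#define IKE_MAJOR_SUPPORTED     2
#define PAYLOAD_NOTIFY         41
#define INVALID_MAJOR_VERSION   5  /* notify message type */
#define FLAG_RESPONSE        0x20

/* Hypothetical helper. Returns 0 when the datagram should go on to the
 * normal parser, -1 when it must be dropped without an answer, or the
 * length of the unauthenticated notify written to out. */
int reply_to_higher_major(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_len)
{
    if (in_len < IKE_HDR_LEN)
        return -1;                         /* truncated header */
    if ((in[17] >> 4) <= IKE_MAJOR_SUPPORTED)
        return 0;                          /* major version we can parse */
    /* From here on the message itself is always dropped. */
    if (in[19] & FLAG_RESPONSE)
        return -1;                         /* choice here: never answer a response */
    if (out_len < IKE_HDR_LEN + NOTIFY_LEN)
        return -1;

    memset(out, 0, IKE_HDR_LEN + NOTIFY_LEN);
    memcpy(out, in, 16);                   /* initiator and responder SPI */
    out[16] = PAYLOAD_NOTIFY;              /* first payload */
    out[17] = IKE_MAJOR_SUPPORTED << 4;    /* highest version we support: 2.0 */
    out[18] = in[18];                      /* same exchange type */
    out[19] = FLAG_RESPONSE;
    memcpy(out + 20, in + 20, 4);          /* same message ID */
    out[27] = IKE_HDR_LEN + NOTIFY_LEN;    /* total length, big-endian 32 bit */
    /* Notify: next payload 0, flags 0, length, protocol ID 0, SPI size 0 */
    out[31] = NOTIFY_LEN;                  /* payload length, big-endian 16 bit */
    out[35] = INVALID_MAJOR_VERSION;       /* notify type, big-endian 16 bit */
    return IKE_HDR_LEN + NOTIFY_LEN;
}
```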


