[strongSwan] corruption in ike SAs
Nitin Verma
nitin.jndm at gmail.com
Wed May 9 13:54:51 CEST 2012
Hi,
I have been trying to establish an IKEv2 tunnel and encrypt traffic using
manual SAs on Android.
Details of my Setup:
==============
Android device: strongSwan client. The virtual IP is configured in ipsec.conf as
192.168.3.3
AP: AP_2: subnet 192.168.2.0/24: trusted network connected to server (for
which traffic need not go via ikev2 tunnel)
AP: AP_3: subnet 192.168.3.0/24: untrusted network connected to server (for
which traffic needs to be encrypted)
StrongSwan server: IP 192.168.1.154
Steps Followed:
1. I established the SAs first and then inserted the policies manually
using ip xfrm:
ip xfrm policy add dir out src 192.168.3.3/32 dst 192.168.1.154/32 proto any priority 1000 tmpl src 192.168.3.3 dst 192.168.1.154 proto esp mode tunnel reqid 1 level required
ip xfrm policy add dir in src 192.168.1.154/32 dst 192.168.3.3/32 proto any priority 1000 tmpl src 192.168.1.154 dst 192.168.3.3 proto esp mode tunnel reqid 1 level required
ip xfrm policy add dir fwd src 192.168.1.154/32 dst 192.168.3.3/32 proto any priority 1000 tmpl src 192.168.1.154 dst 192.168.3.3 proto esp mode tunnel reqid 1 level required
2. Based on the policies, when traffic (a ping to the strongSwan server) goes via the
trusted network (device connected to AP_2) it remains in plaintext, while
when it goes via the untrusted network (device connected to AP_3) it gets
encrypted and goes via the IKEv2 tunnel.
3. After 4-5 iterations (random), when the device gets connected to the
untrusted network from the trusted one, it could not ping the server. At that time
the following are the outputs of ip xfrm:
root at android:/ # ip xfrm state
src 192.168.1.154 dst 192.168.2.221
proto esp spi 0xc1b76809 reqid 1 mode tunnel
replay-window 0
sel src 192.168.1.154/32 dst 192.168.2.221/32
src 192.168.3.3 dst 192.168.1.154
proto esp spi 0x00000000 reqid 1 mode tunnel
replay-window 0
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
sel src 192.168.3.3/32 dst 192.168.1.154/32 proto 1 type 8 code 0
dev if9
src 192.168.2.221 dst 192.168.1.154
proto esp spi 0xcf855e44 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth hmac(sha1) 0x92fde1dda8670763873e3363a658d58e62ef86f6
enc cbc(aes) 0x03ad19ca7a51632bb1fde65f7d1b1440
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.1.154 dst 192.168.2.221
proto esp spi 0xc49b5eaf reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth hmac(sha1) 0xc6b568b5222c9f4d6e8bb7c36d973310f6d2b8f0
enc cbc(aes) 0xf32902e01155cc106b89ef711a131db1
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
root at android:/data/local/tmp # ping 192.168.1.154
connect: Network is unreachable
root at android:/data/local/tmp # ping 192.168.1.154
connect: Network is unreachable
root at android:/data/local/tmp # ping 192.168.1.154
connect: Network is unreachable
root at android:/data/local/tmp # ping 192.168.1.154
connect: Network is unreachable
root at android:/data/local/tmp # iptables -L -v
Chain INPUT (policy ACCEPT 1155 packets, 109K bytes)
 pkts bytes target      prot opt in    out   source    destination
    0     0             all  --  !lo+  any   anywhere  anywhere     ! quota globalAlert: 2097152 bytes
   32  2304 ACCEPT      all  --  lo    any   anywhere  anywhere
  109 18460             all  --  any   any   anywhere  anywhere     owner socket exists

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in    out   source    destination

Chain OUTPUT (policy ACCEPT 2048 packets, 163K bytes)
 pkts bytes target      prot opt in    out   source    destination
    0     0             all  --  any   !lo+  anywhere  anywhere     ! quota globalAlert: 2097152 bytes
   32  2304 ACCEPT      all  --  any   lo    anywhere  anywhere
 2048  163K             all  --  any   any   anywhere  anywhere     owner socket exists

Chain costly_shared (0 references)
 pkts bytes target      prot opt in    out   source    destination
    0     0 penalty_box all  --  any   any   anywhere  anywhere
    0     0             all  --  any   any   anywhere  anywhere     owner socket exists
    0     0 ACCEPT      all  --  any   any   anywhere  anywhere

Chain penalty_box (1 references)
 pkts bytes target      prot opt in    out   source    destination
4. After some time, the entries shown by 'ip xfrm state' get cleared but the
network remains unreachable.
root at android:/data/local/tmp # ping 192.168.1.154
connect: Network is unreachable
5. At this moment, when I selected AP_2 for the device, it started to ping the
network again.
6. When I selected the untrusted AP_3 now, the IKEv2 SAs got established
again and ping messages started going in ESP.
==========================================================
Client's IPSEC.CONF:
config setup
plutostart=no
charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
conn %default
ikelifetime=60m
keylife=20m
keyexchange=ikev2
installpolicy=no
reauth=no
conn android
left=%any
leftid="abc"
leftauth=eap
leftsourceip=192.168.3.3
eap_identity=deepika
right=192.168.1.154
rightid=192.168.1.154
#rightsubnet=192.168.5.0/24
rightauth=pubkey
reqid=1
auto=route
=====================================================================
Logcat (at the time of Crash):
I/charon ( 1549): 12[IKE] sending keep alive
I/charon ( 1549): 12[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 15[IKE] old path is not available anymore, try to find another
I/charon ( 1549): 15[IKE] no route found to reach 192.168.1.154, MOBIKE update deferred
I/charon ( 1549): 03[KNL] 192.168.3.3 appeared on wlan0
I/charon ( 1549): 02[KNL] creating acquire job for policy 192.168.3.3/32[1/8] === 192.168.1.154/32[1] with reqid {1}
I/charon ( 1549): 11[IKE] establishing CHILD_SA android{1}
I/charon ( 1549): 11[ENC] generating CREATE_CHILD_SA request 23 [ SA No TSi TSr ]
I/charon ( 1549): 11[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 16[IKE] old path is not available anymore, try to find another
I/charon ( 1549): 16[IKE] requesting address change using MOBIKE
I/charon ( 1549): 03[KNL] fe80::a20b:baff:fec3:cf31 appeared on wlan0
I/charon ( 1549): 08[IKE] old path is not available anymore, try to find another
I/charon ( 1549): 08[IKE] requesting address change using MOBIKE
D/dalvikvm( 201): GC_CONCURRENT freed 1031K, 12% free 17211K/19399K, paused 6ms+3ms
D/DhcpInfoInternal( 201): makeLinkProperties with empty dns2!
D/DhcpInfoInternal( 201): makeLinkProperties with empty dns2!
D/ConnectivityService( 201): ConnectivityChange for WIFI: CONNECTED/CONNECTED
W/NetworkStats( 201): dropping UID delta from unknown iface: iface=wlan0 uid=0 set=DEFAULT tag=0x0 rxBytes=576 rxPackets=1 txBytes=280 txPackets=4 operations=0
D/ConnectivityService( 201): ConnectivityChange for WIFI: CONNECTED/CONNECTED
D/ConnectivityService( 201): handleConnectivityChange: address are the same reset per doReset linkProperty[1]: resetMask=0
I/charon ( 1549): 04[IKE] old path is not available anymore, try to find another
I/charon ( 1549): 04[IKE] requesting address change using MOBIKE
I/charon ( 1549): 12[IKE] retransmit 1 of request with message ID 23
I/charon ( 1549): 12[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 14[IKE] retransmit 2 of request with message ID 23
I/charon ( 1549): 14[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 07[IKE] retransmit 3 of request with message ID 23
I/charon ( 1549): 07[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 16[IKE] sending keep alive
I/charon ( 1549): 16[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 10[IKE] retransmit 4 of request with message ID 23
I/charon ( 1549): 10[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 13[IKE] sending keep alive
I/charon ( 1549): 13[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 04[IKE] sending keep alive
I/charon ( 1549): 04[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 12[IKE] retransmit 5 of request with message ID 23
I/charon ( 1549): 12[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 15[IKE] sending keep alive
I/charon ( 1549): 15[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 07[IKE] sending keep alive
I/charon ( 1549): 07[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 11[IKE] sending keep alive
I/charon ( 1549): 11[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 02[KNL] creating delete job for ESP CHILD_SA with SPI c1b76809 and reqid {1}
I/charon ( 1549): 10[IKE] giving up after 5 retransmits
I/charon ( 1549): 10[KNL] received netlink error: No such process (3)
I/charon ( 1549): 10[KNL] unable to delete SAD entry with SPI c1b76809
I/charon ( 1549): 03[KNL] 192.168.3.3 disappeared from wlan0
==================================================================
Any idea what is going wrong? The number of iterations is random. It seems
that strongSwan doesn't delete the old SAs' entries but creates new ones,
and hence some corruption.
Regards,
Nitin
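A small diagnostic for the SAD state shown in the post, added here as an example rather than code from strongSwan or from the original mail: it parses `ip xfrm state` output and reports the entries that look wrong there, namely the larval SPI 0x00000000 entry left behind by the acquire, the entry with no keys installed, and the keyed SAs still bound to the old 192.168.2.221 address. The embedded sample text and the local address passed to audit() are assumptions taken from the post's output, with the keys replaced by placeholders.

```python
# Added diagnostic, not strongSwan code: parse `ip xfrm state` and flag SAD entries
# that are larval (SPI 0: the kernel's acquire placeholder while IKE negotiates),
# have no keys installed, or belong to an address the device no longer has.
# SAMPLE is constructed to mirror the post's output (its SPIs/addresses, keys omitted).
import re

SAMPLE = """\
src 192.168.1.154 dst 192.168.2.221
    proto esp spi 0xc1b76809 reqid 1 mode tunnel
src 192.168.3.3 dst 192.168.1.154
    proto esp spi 0x00000000 reqid 1 mode tunnel
    sel src 192.168.3.3/32 dst 192.168.1.154/32 proto 1 type 8 code 0
src 192.168.2.221 dst 192.168.1.154
    proto esp spi 0xcf855e44 reqid 1 mode tunnel
    auth hmac(sha1) 0xKEY_OMITTED
    enc cbc(aes) 0xKEY_OMITTED
src 192.168.1.154 dst 192.168.2.221
    proto esp spi 0xc49b5eaf reqid 1 mode tunnel
    auth hmac(sha1) 0xKEY_OMITTED
    enc cbc(aes) 0xKEY_OMITTED
"""

def parse_states(text):
    """One dict per SAD entry: src, dst, spi (int), reqid (int), keyed (bool)."""
    states, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):   # "src A dst B" opens an entry; "sel src" does not
            src, dst = re.match(r"src (\S+) dst (\S+)", line).groups()
            cur = {"src": src, "dst": dst, "spi": None, "reqid": None, "keyed": False}
            states.append(cur)
        elif cur is not None:
            m = re.search(r"\bspi (0x[0-9a-fA-F]+) reqid (\d+)", line)
            if m:
                cur["spi"], cur["reqid"] = int(m.group(1), 16), int(m.group(2))
            if line.startswith(("auth ", "enc ", "aead ")):
                cur["keyed"] = True
    return states

def audit(states, local_ip):
    """Return (spi_hex, reqid, verdict) for every entry that cannot carry traffic."""
    findings = []
    for s in states:
        if s["spi"] == 0:
            verdict = "larval"          # IKE never finished for this acquire
        elif not s["keyed"]:
            verdict = "no-keys"         # half-installed or half-deleted SA
        elif local_ip not in (s["src"], s["dst"]):
            verdict = "stale-endpoint"  # keyed for the previous network's address
        else:
            continue
        findings.append(("0x%08x" % (s["spi"] or 0), s["reqid"], verdict))
    return findings
```

On the device, feed the real output with `audit(parse_states(subprocess.check_output(["ip", "xfrm", "state"], text=True)), "192.168.3.3")`; an empty list means every SA is keyed and bound to the current address.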