[strongSwan] Seemingly bogus scope id for FreeBSD strongswan 5.0.4

Riaan Kruger riaank at gmail.com
Tue Jul 30 14:34:56 CEST 2013 

It seems that strongswan version 5.0.4 (as well as 5.1.0 rc) writes a
malformed scope ids to the kernel when installing policies and secure
associations (using pfkey). The same setup on 4.5.3 does not add the scope
ids in the kernel.

Kernel Policies (setkey -DP)
100:200:300:400::2[any] 100:200:300:400::1[any] any
in ipsec
esp/tunnel/100:200:300:400::2%672264932-100:200:300:400::1%672264932/unique:1
created: Jul 30 14:09:03 2013  lastused: Jul 30 14:09:03 2013
lifetime: 2147483647(s) validtime: 0(s)
spid=76 seq=1 pid=37272
refcnt=1
100:200:300:400::1[any] 100:200:300:400::2[any] any
out ipsec
esp/tunnel/100:200:300:400::1%672264932-100:200:300:400::2%672264932/unique:1
created: Jul 30 14:09:03 2013  lastused: Jul 30 14:09:03 2013
lifetime: 2147483647(s) validtime: 0(s)
spid=75 seq=0 pid=37272
refcnt=1

Note the traffic selectors:
esp/tunnel/100:200:300:400::1%672264932-100:200:300:400::2%672264932/unique:1
A "strange" %6722... appended to the ip6 addresses

Part of the pfkey messages sent from strongswan to the kernel (setkey -x)
is as follows:
sadb_msg{ version=2 type=14 errno=0 satype=0
  len=26 reserved=0 seq=3 pid=35371
sadb_ext{ len=10 type=18 }
sadb_x_policy{ type=2 dir=2 id=37 }
 { len=64 proto=50 mode=2 level=3 reqid=1
sockaddr{ len=28 family=28 port=0
  flowinfo=0x00000001, scope_id=0x2811f2e4
 01000200 03000400 00000000 00000001  }
sockaddr{ len=28 family=28 port=0
  flowinfo=0x00000001, scope_id=0x2811f2e4
 01000200 03000400 00000000 00000002  }
 }

Note the line: flowinfo=0x00000001, scope_id=0x2811f2e4
It looks like the "strange" number seen in the SPD traffic selector is
passed as a scope_id attribute with setkey.


The pfkey plugin gets these scope id values to write into the SAD and
policies. I inserted a debug statement in
libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c (+- line 865) to print
out the scope_id of the host address passed in, and it contains the
scope_ids seen in the SPD (kernel policies)



My ipsec connection setup:
conn six
        also=certificate
        auto=route
        left=100:200:300:400::1
        right=100:200:300:400::2
        rightid="XXXXXXXXXXXXX"

My inteface config
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:79:f8:d6
inet6 fe80::20c:29ff:fe79:f8d6%em1 prefixlen 64 scopeid 0x4
inet 10.37.1.10 netmask 0xffffff00 broadcast 10.37.1.255
inet6 100:200:300:400::1 prefixlen 64
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active

Regards
Riaan Kruger
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130730/f52141bd/attachment.html>

More information about the Users mailing list