[strongSwan] strongswan and Win2003

Alexander Sbitnev alexander.sbitnev at gmail.com
Fri Jun 13 21:10:35 CEST 2014


strongSwan in my case is 192.168.100.8 and Win2003 is 192.168.100.1.
Win2003 produces a correct IDi and a wrong-type IDr payload, which inside 
the get_ts() function is incorrectly translated into an endpoint address 
instead of a network.
strongSwan is the one that generates the INFORMATIONAL to Win2003, and I 
suppose it is an INVALID-PAYLOAD-TYPE notification.
Here is notification payload:

11[ENC] generating NOTIFY_V1 payload finished
11[ENC] generated data for this payload => 16 bytes @ 0x7f061c00c234
11[ENC]    0: 00 00 00 10 00 00 00 01 03 04 00 01 2F A4 AD 83 ............/...


On 06/14/2014 12:19 AM, Steve Baillargeon wrote:
> Hi Alexander
> It looks like the Windows endpoint, when acting as responder, is not properly narrowing the TSi or TSr (I suspect it is TSr).
>
> I assume the address 192.168.100.1 belongs to the Windows endpoint and it is trying to use it for both the IKE SA and the Child SA, which is not what you are looking for.
>
> Can you confirm the strongSwan endpoint is sending an INFORMATIONAL request to the Windows endpoint when it notices the response to the Child SA setup includes an incorrect TS?
> Can you confirm the error notification that strongSwan is sending is TS_UNACCEPTABLE?
>
> Thanks
>
> -Steve
>
>
>
> -----Original Message-----
> From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of Alexander Sbitnev
> Sent: June-13-14 9:25 AM
> To: users at lists.strongswan.org
> Subject: [strongSwan] strongswan and Win2003
>
>     Hi there!
>     I've stumbled upon a problem while trying to create a connection between strongSwan and Windows 2003 vanilla IKE.
> Site-to-site with PSK auth. strongSwan version 5.1.1.
> To me right now it looks like a bug on the Windows side, but my knowledge is limited and there can be something I don't know.
> So I will be happy with any comments on the situation. Is it known? Is there something wrong in my config?
> And lastly, is it worth it to deal with Microsoft IKE? (I suppose it is not, but still the need to figure things out is killing me :)
>
> The problem happens in the second phase of IKE, only in the case where the
> win2003 peer acts as the responder.
> In the second packet of QUICK mode (generated on Windows) there are two
> ID_V1 payloads and only one of them is in address form.
> The second one (representing the responding/win2003 side) is actually in FQDN form.
> As a result the "peer selected invalid traffic selectors" error occurs.
> If the Windows side is acting as initiator everything works fine.
>
> Here are dumps of the decrypted payloads from the QUICK mode packets generated on win2003. The last 32 bytes are the two ID payloads:
> 1) win2003 initiator, first packet of QM:
> 13[ENC]    0: 01 00 00 18 60 67 F4 FE 02 25 FA AE 35 52 38 D5 ....`g...%..5R8.
> 13[ENC]   16: 11 83 3A E0 6A EA 50 DB 0A 00 00 34 00 00 00 01 ..:.j.P....4....
> 13[ENC]   32: 00 00 00 01 00 00 00 28 01 03 04 01 3E 4E 47 82 .......(....>NG.
> 13[ENC]   48: 00 00 00 1C 01 03 00 00 80 01 00 01 00 02 00 04 ................
> 13[ENC]   64: 00 00 07 08 80 04 F0 03 80 05 00 02 05 00 00 18 ................
> 13[ENC]   80: 41 61 7A 9B B7 40 3D E5 FA 6C 02 97 66 48 66 D9 Aaz..@=..l..fHf.
> 13[ENC]   96: 78 98 DC 89 05 00 00 10 04 00 00 00 C0 A8 FE 00 x...............
> 13[ENC]  112: FF FF FF 00 00 00 00 10 04 00 00 00 AC 10 01 00 ................
> 13[ENC]  128: FF FF FF 00 00 00 00 00 ........
>
> both IDs are in address form
>
> 2) win2003 responder, second packet of QM:
> 06[ENC]    0: 01 00 00 18 9B F4 3A B0 B5 08 11 09 0D 5D 75 A0 ......:......]u.
> 06[ENC]   16: FE 8D F9 BB 93 19 0B C1 0A 00 00 34 00 00 00 01 ...........4....
> 06[ENC]   32: 00 00 00 01 00 00 00 28 01 03 04 01 CE 94 11 DA .......(........
> 06[ENC]   48: 00 00 00 1C 01 03 00 00 80 01 00 01 00 02 00 04 ................
> 06[ENC]   64: 00 00 04 B0 80 04 F0 03 80 05 00 02 05 00 00 18 ................
> 06[ENC]   80: 3E C4 53 86 66 7C DF C7 F3 D2 C5 8B 5C 0C A0 81 >.S.f|......\...
> 06[ENC]   96: 6F 4D 7D B4 05 00 00 10 04 00 00 00 AC 10 01 00 oM}.............
> 06[ENC]  112: FF FF FF 00 00 00 00 10 02 00 00 00 73 65 72 76 ............serv
> 06[ENC]  128: 32 30 30 33 00 00 00 00 2003....
>
> the second ID is in FQDN form, encoding "serv2003" as the ID
>
>
> Just in case here is my config:
> conn win2003
>    esp=3des-sha1!
>    ike=3des-sha1-modp2048!
>    left=192.168.100.1
>    leftsubnet=192.168.254.0/24
>    right=192.168.100.8
>    rightsubnet=172.16.1.0/24
>    authby=secret
>    auto=add
>
> Approval handling log:
> 06[CFG] selecting proposal:
> 06[CFG]   proposal matches
> 06[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
> 06[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
> 06[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
> 06[IKE] peer selected invalid traffic selectors: 172.16.1.0/24 for 172.16.1.0/24, 192.168.100.1/32 for 192.168.254.0/24
> 06[IKE] queueing INFORMATIONAL task
> 06[IKE] activating new tasks
> 06[IKE]   activating INFORMATIONAL task
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
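The following is an added example, not strongSwan code and not something posted in the thread: a small decoder for the ISAKMP payloads in the dumps above, using the generic payload header, ID payload and Notification payload layouts from RFC 2408 and the IPsec DOI ID types from RFC 2407. The byte strings are copied from the three hex dumps in the messages (the Quick Mode bodies have their ISAKMP header stripped, so the first payload type, HASH, is passed in by hand). The selector check at the end is a model of the substitution described in the reply (a non-address ID being replaced by the IKE endpoint address as a /32) and reproduces the values in the "peer selected invalid traffic selectors" log line; it is an illustration, not strongSwan's get_ts(). The addresses and subnets are the ones from the config and log in the thread.

```python
"""Decode the IKEv1 (ISAKMP) ID and Notification payloads from the dumps.

Added example, not strongSwan code. Byte strings are copied from the hex
dumps in the thread; the selector check models the fallback described in
the reply (non-address ID -> IKE endpoint /32), not strongSwan's get_ts().
"""
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407 section 4.6.2.1)
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET",
            7: "ID_IPV4_ADDR_RANGE", 8: "ID_IPV6_ADDR_RANGE",
            9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID"}
# ISAKMP notify message types (RFC 2408 section 3.14.1), a few error codes
NOTIFY_TYPES = {1: "INVALID-PAYLOAD-TYPE", 11: "INVALID-SPI", 14: "NO-PROPOSAL-CHOSEN",
                16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION"}
PAYLOAD_HASH, PAYLOAD_ID = 8, 5  # ISAKMP payload type numbers (RFC 2408 section 3.1)

# Copied from the thread: decrypted Quick Mode bodies generated by win2003
WIN_INITIATOR_QM1 = bytes.fromhex(
    "010000186067F4FE0225FAAE355238D5" "11833AE06AEA50DB0A00003400000001"
    "0000000100000028010304013E4E4782" "0000001C010300008001000100020004"
    "000007088004F0038005000205000018" "41617A9BB7403DE5FA6C0297664866D9"
    "7898DC890500001004000000C0A8FE00" "FFFFFF000000001004000000AC100100"
    "FFFFFF0000000000")
WIN_RESPONDER_QM2 = bytes.fromhex(
    "010000189BF43AB0B50811090D5D75A0" "FE8DF9BB93190BC10A00003400000001"
    "000000010000002801030401CE9411DA" "0000001C010300008001000100020004"
    "000004B08004F0038005000205000018" "3EC45386667CDFC7F3D2C58B5C0CA081"
    "6F4D7DB40500001004000000AC100100" "FFFFFF00000000100200000073657276"
    "3230303300000000")
# Copied from the thread: the NOTIFY_V1 payload strongSwan generated
NOTIFY_V1 = bytes.fromhex("0000001000000001030400012FA4AD83")


def _generic_header(data, offset):
    """Generic payload header: next payload (1), reserved (1), length (2)."""
    next_payload, _reserved, length = struct.unpack_from("!BBH", data, offset)
    if length < 4 or offset + length > len(data):
        raise ValueError("bad payload length %d at offset %d" % (length, offset))
    return next_payload, length


def walk_payloads(data, first_type):
    """Yield (type, offset, length) along the next-payload chain.

    The dumps lack the ISAKMP header that names the first payload, so the
    caller passes it. Bytes after the last payload (cipher padding) are ignored."""
    offset, ptype = 0, first_type
    while ptype != 0:
        next_type, length = _generic_header(data, offset)
        yield ptype, offset, length
        offset, ptype = offset + length, next_type


def parse_id_payload(data, offset):
    """Decode an ID payload: ID type (1), protocol (1), port (2), ID data."""
    _next, length = _generic_header(data, offset)
    id_type, proto, port = struct.unpack_from("!BBH", data, offset + 4)
    body = data[offset + 8:offset + length]
    if id_type == 1:
        value = str(ipaddress.IPv4Address(body))
    elif id_type == 4:  # address then netmask: C0A8FE00 FFFFFF00 -> 192.168.254.0/24
        if len(body) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET needs 8 bytes, got %d" % len(body))
        value = str(ipaddress.IPv4Network("%s/%s" % (
            ipaddress.IPv4Address(body[:4]), ipaddress.IPv4Address(body[4:]))))
    elif id_type in (2, 3):
        value = body.decode("ascii", errors="replace")
    else:
        value = body.hex()
    return {"type_code": id_type, "type": ID_TYPES.get(id_type, "UNKNOWN(%d)" % id_type),
            "protocol": proto, "port": port, "value": value}


def quick_mode_ids(body):
    """Return the decoded IDci/IDcr payloads of a decrypted Quick Mode body."""
    return [parse_id_payload(body, off)
            for ptype, off, _len in walk_payloads(body, PAYLOAD_HASH) if ptype == PAYLOAD_ID]


def parse_notify_payload(data, offset=0):
    """Decode a Notification payload: DOI (4), protocol (1), SPI size (1), type (2), SPI."""
    _next, _length = _generic_header(data, offset)
    doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", data, offset + 4)
    spi = data[offset + 12:offset + 12 + spi_size]
    return {"doi": doi, "protocol": proto, "type_code": ntype,
            "type": NOTIFY_TYPES.get(ntype, "UNKNOWN(%d)" % ntype), "spi": spi.hex()}


def check_selectors(ids, fallback_hosts, configured):
    """Compare selectors implied by (IDci, IDcr) with the configured subnets.

    Address/subnet IDs map to their network; any other ID type falls back to the
    matching IKE endpoint as /32 (the substitution described in the thread, modelled
    here). Returns (received, configured) pairs that differ, in log-line order."""
    mismatches = []
    for idp, host, want in zip(ids, fallback_hosts, configured):
        if idp["type_code"] == 4:
            got = ipaddress.IPv4Network(idp["value"])
        elif idp["type_code"] == 1:
            got = ipaddress.IPv4Network(idp["value"] + "/32")
        else:
            got = ipaddress.IPv4Network(host + "/32")
        if got != ipaddress.IPv4Network(want):
            mismatches.append((str(got), want))
    return mismatches


if __name__ == "__main__":
    for name, dump in (("win2003 initiator", WIN_INITIATOR_QM1),
                       ("win2003 responder", WIN_RESPONDER_QM2)):
        print(name, [(i["type"], i["value"]) for i in quick_mode_ids(dump)])
    # strongSwan (192.168.100.8, 172.16.1.0/24) initiating towards win2003 (192.168.100.1)
    print(check_selectors(quick_mode_ids(WIN_RESPONDER_QM2),
                          ("192.168.100.8", "192.168.100.1"),
                          ("172.16.1.0/24", "192.168.254.0/24")))
    print(parse_notify_payload(NOTIFY_V1))
```

Running it decodes both Quick Mode dumps (subnet/subnet when win2003 initiates, subnet/FQDN "serv2003" when it responds), reports the single mismatch 192.168.100.1/32 against 192.168.254.0/24 for the responder case, and decodes the NOTIFY_V1 bytes as DOI 1, protocol 3 (ESP), type 1 (INVALID-PAYLOAD-TYPE) with SPI 2fa4ad83, which matches the guess in the reply.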
