[strongSwan] Unrecognized payload types and critical bit is not set, parsing CREATE_CHILD_SA response fails

kumuda kumuda at linux.vnet.ibm.com
Wed Sep 17 11:36:41 CEST 2014


Hi,

The test is to verify whether an IKEv2 device (configured as initiator) ignores invalid payload types when the invalid payload's critical bit is not set.

The initial IKE_SA_INIT and IKE_AUTH exchanges are successful. We wait until the lifetime of the SA expires, and then a CREATE_CHILD_SA request is sent from the initiator. The responder sends a CREATE_CHILD_SA response with an unrecognized payload type (the E payload's Next Payload field is set to 1) and the critical bit is not set.

| IP Header
| | Version                    = 6
| | Source Address             = 2001:db8:f:1::1
| | Destination Address        = 2001:db8:1:1::1
| UDP Header
| | Source Port                = 500
| | Destination Port           = 500
| Internet Security Association and Key Management Protocol Payload
| | IKE Header
| | | IKE_SA Initiator's SPI         = 1a3f1895496c736a
| | | IKE_SA Responder's SPI         = dd83a7c8dc00d857
| | | Next Payload                   = 46 (E)
| | | Major Version                  = 2
| | | Minor Version                  = 0
| | | Exchange Type                  = 36 (CREATE_CHILD_SA)
| | | Flags                          = 32 (0b00100000)
| | | | Reserved  (XX000000)             = 0
| | | | Response  (00R00000)             = 1
| | | | Version   (000V0000)             = 0
| | | | Initiator (0000I000)             = 0
| | | | Reserved  (00000XXX)             = 0
| | | Message ID                     = 2 (0x2)
| | | Length                         = 444 (0x1bc)
| | | E Payload
| | | | Next Payload                   = 1 (1)
| | | | Critical                       = 0
| | | | Reserved                       = 0
| | | | Payload Length                 = 416 (0x1a0)
| | | | Initialization Vector          = a4ba9622a9657136
| | | | Encrypted IKE Payloads
| | | | | UNDEFINED Payload (type(1))
| | | | | | Next Payload                   = 41 (N)
| | | | | | Critical                       = 0
| | | | | | Reserved                       = 0
| | | | | | Payload Length                 = 4 (0x4)
| | | | | N Payload
| | | | | | Next Payload                   = 33 (SA)
| | | | | | Critical                       = 0
| | | | | | Reserved                       = 0
| | | | | | Payload Length                 = 8 (0x8)
| | | | | | Protocol ID                    = 0 (no relation)
| | | | | | SPI Size                       = 0
| | | | | | Notify Message Type            = 16391 (USE_TRANSPORT_MODE)


Parsing the response fails at the initiator side:
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 0 U_INT_8
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 41
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 1 RESERVED_BIT
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 0
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 2 RESERVED_BIT
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 0
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 3 RESERVED_BIT
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 0
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 4 RESERVED_BIT
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 0
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 5 RESERVED_BIT
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 0
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 6 RESERVED_BIT
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 0
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 7 RESERVED_BIT
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 0
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 8 RESERVED_BIT
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 0
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 9 PAYLOAD_LENGTH
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 4
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 10 U_INT_32
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 553648136
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 11 U_INT_32
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>    => 16391
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1>   parsing rule 12 (1258)
Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> could not decrypt payloads
Sep 16 03:51:54 12[IKE] <tahi_ikev2_test|1> message parsing failed
Sep 16 03:51:54 12[IKE] <tahi_ikev2_test|1> CREATE_CHILD_SA response with message ID 2 processing failed

Since the response parsing failed, the session using the second negotiated algorithms is not established and the tests fail.


Regards,
Kumuda G
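For readers following the RFC 7296 rule this test exercises, here is an added example (not strongSwan code and not from the original post) of how a receiver is expected to walk the payload chain inside a decrypted E payload: an unrecognized type with C=0 is skipped using its length field, an unrecognized type with C=1 is rejected, and the C bit is ignored for types the receiver supports. The byte strings are constructed to mirror the dump above (UNDEFINED type 1, length 4, followed by a USE_TRANSPORT_MODE notify, 16391); the chain is terminated with next payload 0 instead of the SA payload so it stands alone. The function and type names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IKEv2 payload type numbers that appear in the dump above (RFC 7296 values). */
#define PT_NONE      0   /* "no next payload": end of the chain */
#define PT_SA       33
#define PT_NOTIFY   41

/* Every IKEv2 payload starts with a 4-byte generic header:
 *   next payload (1) | C bit + 7 reserved bits (1) | payload length (2, big-endian) */
#define GENERIC_HDR_LEN 4
#define MAX_NOTIFIES 8

enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1,            /* a length field is < 4 or runs past the buffer */
    PARSE_UNSUPPORTED_CRITICAL = -2  /* unknown type with the critical bit set: must reject */
};

struct parse_stats {
    int known;                            /* payloads whose type the parser understands */
    int skipped;                          /* unknown, non-critical payloads skipped by length */
    int notify_count;
    uint16_t notify_types[MAX_NOTIFIES];  /* Notify Message Type of each N payload seen */
};

/* The types this toy parser understands; everything else is unrecognized. */
static int known_type(uint8_t type)
{
    return type == PT_SA || type == PT_NOTIFY;
}

/* Walk the payload chain inside a decrypted E payload. first_type is the
 * value of the E payload's own Next Payload field (1 in the dump above). */
int parse_payload_chain(const uint8_t *buf, size_t len, uint8_t first_type,
                        struct parse_stats *st)
{
    size_t off = 0;
    uint8_t type = first_type;

    memset(st, 0, sizeof(*st));
    while (type != PT_NONE) {
        if (len - off < GENERIC_HDR_LEN) {
            return PARSE_TRUNCATED;
        }
        uint8_t next = buf[off];
        int critical = (buf[off + 1] & 0x80) != 0;
        uint16_t plen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);

        /* The length covers the header, so anything shorter than 4 or past
         * the buffer end is malformed regardless of the payload type. */
        if (plen < GENERIC_HDR_LEN || plen > len - off) {
            return PARSE_TRUNCATED;
        }
        if (known_type(type)) {
            /* RFC 7296: the C bit is ignored for types the receiver supports. */
            st->known++;
            if (type == PT_NOTIFY && plen >= 8 && st->notify_count < MAX_NOTIFIES) {
                /* Notify body: Protocol ID (1), SPI Size (1), Notify Message Type (2) */
                st->notify_types[st->notify_count++] =
                    (uint16_t)((buf[off + 6] << 8) | buf[off + 7]);
            }
        } else if (critical) {
            /* Unknown type with C=1: reject the message (UNSUPPORTED_CRITICAL_PAYLOAD). */
            return PARSE_UNSUPPORTED_CRITICAL;
        } else {
            /* Unknown type with C=0: skip it using its length and carry on. */
            st->skipped++;
        }
        off += plen;
        type = next;
    }
    return PARSE_OK;
}

/* Constructed plaintext modelled on the dump above: an UNDEFINED type-1
 * payload (next = N, C = 0, length 4) followed by a USE_TRANSPORT_MODE
 * notify (next = 0 to end this constructed chain, length 8, type 0x4007 = 16391). */
const uint8_t SAMPLE_NONCRITICAL[] = {
    PT_NOTIFY, 0x00, 0x00, 0x04,
    PT_NONE,   0x00, 0x00, 0x08, 0x00, 0x00, 0x40, 0x07
};

/* Same chain, but with the critical bit set on the unknown payload. */
const uint8_t SAMPLE_CRITICAL[] = {
    PT_NOTIFY, 0x80, 0x00, 0x04,
    PT_NONE,   0x00, 0x00, 0x08, 0x00, 0x00, 0x40, 0x07
};

int main(void)
{
    struct parse_stats st;
    int rc = parse_payload_chain(SAMPLE_NONCRITICAL, sizeof(SAMPLE_NONCRITICAL), 1, &st);
    printf("non-critical: rc=%d known=%d skipped=%d notify=%u\n",
           rc, st.known, st.skipped, st.notify_types[0]);
    rc = parse_payload_chain(SAMPLE_CRITICAL, sizeof(SAMPLE_CRITICAL), 1, &st);
    printf("critical:     rc=%d\n", rc);
    return 0;
}
```

The first call returns PARSE_OK with the type-1 payload counted as skipped and the notify still extracted; the second returns PARSE_UNSUPPORTED_CRITICAL. A real implementation would additionally answer the critical case with an UNSUPPORTED_CRITICAL_PAYLOAD notify carrying the offending type, and would validate each known payload's body against its own format, not only its length.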
