[strongSwan] Unrecognized payload types and critical bit is not set, parsing CREATE_CHILD_SA response fails
kumuda
kumuda at linux.vnet.ibm.com
Wed Sep 17 12:04:32 CEST 2014
One more issue related to "Unrecognized payload types and critical bit is not set" is found when the device is configured as responder.
A CREATE_CHILD_SA request including a payload with an invalid payload type is sent to the responder.
The E payload's IKE Header Next Payload field is set to 1 and the invalid payload's critical flag is not set. The request includes a Notify Payload of type REKEY_SA and the rekeyed CHILD_SA's SPI value in the SPI field to the responder.
Processing of the create_child_sa request fails and an invalid_syntax notify message is sent.
Sep 16 08:49:43 15[ENC] <tahi_ikev2_test|1> could not decrypt payloads
Sep 16 08:49:43 15[IKE] <tahi_ikev2_test|1> message parsing failed
Sep 16 08:49:43 15[ENC] <tahi_ikev2_test|1> added payload of type NOTIFY to message
Sep 16 08:49:43 15[ENC] <tahi_ikev2_test|1> added payload of type NOTIFY to message
Sep 16 08:49:43 15[ENC] <tahi_ikev2_test|1> generating CREATE_CHILD_SA response 2 [ N(INVAL_SYN) ]
The responder was expected to transmit a CREATE_CHILD_SA response 2 [ N(USE_TRANSP) SA No TSi TSr ].
Regards,
Kumuda G
On 09/17/2014 03:06 PM, kumuda wrote:
> Hi,
>
> The test is to verify if an IKEv2 device (configured as initiator) ignores
> invalid payload types when the invalid type payload's critical bit is not set.
>
> The initial message exchanges of IKE_SA_INIT and IKE_AUTH are successful.
> After waiting until the lifetime of the SA has expired, a CREATE_CHILD_SA
> request is sent from the Initiator. The Responder sends a CREATE_CHILD_SA
> response with an Unrecognized payload type (E payload's IKE Header Next
> Payload field is set to 1) and the Critical bit not set.
>
> IP Header
> | | Version = 6
> | | Source Address = 2001:db8:f:1::1
> | | Destination Address = 2001:db8:1:1::1
> | UDP Header
> | | Source Port = 500
> | | Destination Port = 500
> | Internet Security Association and Key Management Protocol Payload
> | | IKE Header
> | | | IKE_SA Initiator's SPI = 1a3f1895496c736a
> | | | IKE_SA Responder's SPI = dd83a7c8dc00d857
> | | | Next Payload = 46 (E)
> | | | Major Version = 2
> | | | Minor Version = 0
> | | | Exchange Type = 36 (CREATE_CHILD_SA)
> | | | Flags = 32 (0b00100000)
> | | | | Reserved (XX000000) = 0
> | | | | Response (00R00000) = 1
> | | | | Version (000V0000) = 0
> | | | | Initiator (0000I000) = 0
> | | | | Reserved (00000XXX) = 0
> | | | Message ID = 2 (0x2)
> | | | Length = 444 (0x1bc)
> | | | E Payload
> | | | | Next Payload = 1 (1)
> | | | | Critical = 0
> | | | | Reserved = 0
> | | | | Payload Length = 416 (0x1a0)
> | | | | Initialization Vector = a4ba9622a9657136
> | | | | Encrypted IKE Payloads
> | | | | | UNDEFINED Payload (type(1))
> | | | | | | Next Payload = 41 (N)
> | | | | | | Critical = 0
> | | | | | | Reserved = 0
> | | | | | | Payload Length = 4 (0x4)
> | | | | | N Payload
> | | | | | | Next Payload = 33 (SA)
> | | | | | | Critical = 0
> | | | | | | Reserved = 0
> | | | | | | Payload Length = 8 (0x8)
> | | | | | | Protocol ID = 0 (no relation)
> | | | | | | SPI Size = 0
> | | | | | | Notify Message Type = 16391 (USE_TRANSPORT_MODE)
>
>
> Parsing the response fails at the initiator side.
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 0 U_INT_8
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 41
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 1 RESERVED_BIT
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 2 RESERVED_BIT
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 3 RESERVED_BIT
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 4 RESERVED_BIT
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 5 RESERVED_BIT
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 6 RESERVED_BIT
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 7 RESERVED_BIT
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 8 RESERVED_BIT
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 0
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 9 PAYLOAD_LENGTH
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 4
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 10 U_INT_32
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 553648136
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 11 U_INT_32
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> => 16391
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> parsing rule 12 (1258)
> Sep 16 03:51:54 12[ENC] <tahi_ikev2_test|1> could not decrypt payloads
> Sep 16 03:51:54 12[IKE] <tahi_ikev2_test|1> message parsing failed
> Sep 16 03:51:54 12[IKE] <tahi_ikev2_test|1> CREATE_CHILD_SA response with message ID 2 processing failed
>
> Since the response parsing failed, the session using the second negotiated
> algorithms is not established and the tests fail.
>
>
> Regards,
> Kumuda G
>
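What the test suite expects in both reports is the rule from RFC 7296 section 2.5: while walking the payload chain inside the decrypted SK (E) payload, a payload whose type is unrecognized is skipped when its critical bit is clear, and the whole message is rejected with an UNSUPPORTED_CRITICAL_PAYLOAD notify when the bit is set; an implementation that instead tries to parse the unknown type with some other payload's rules, or stops the walk, ends up with the INVALID_SYNTAX outcome seen in the logs. The following is an added example, not strongSwan code, showing such a walker over the generic payload headers. The sample bytes are reconstructed from the quoted dump (an unknown type-1 payload, then N(USE_TRANSPORT_MODE), then SA); the SA body bytes are a constructed placeholder because the dump does not show them, and the function and type names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IKEv2 payload types, RFC 7296 section 3.2 (33..48 are the defined ones). */
enum {
    PL_NONE = 0,
    PL_SA = 33, PL_KE = 34, PL_IDI = 35, PL_IDR = 36, PL_CERT = 37,
    PL_CERTREQ = 38, PL_AUTH = 39, PL_NONCE = 40, PL_NOTIFY = 41,
    PL_DELETE = 42, PL_VENDOR = 43, PL_TSI = 44, PL_TSR = 45,
    PL_SK = 46, PL_CP = 47, PL_EAP = 48
};

/* Notify message types, RFC 7296 section 3.10.1. */
enum {
    N_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
    N_INVALID_SYNTAX = 7,
    N_USE_TRANSPORT_MODE = 16391
};

#define MAX_PAYLOADS 16

typedef struct {
    int status;      /* 0 = accepted, otherwise the notify type to answer with */
    int bad_type;    /* offending type when status is UNSUPPORTED_CRITICAL_PAYLOAD */
    int skipped;     /* unknown, non-critical payloads that were ignored */
    int count;       /* recognized payloads collected in types[] */
    uint8_t types[MAX_PAYLOADS];
} walk_result_t;

static int known_type(uint8_t t)
{
    return t >= PL_SA && t <= PL_EAP;
}

/*
 * Walk the payload chain inside a decrypted SK payload. 'first' is the
 * Next Payload value taken from the SK header. Each generic payload header is
 *   Next Payload (1 byte) | C bit + RESERVED (1 byte) | Payload Length (2 bytes)
 * where Payload Length includes the 4 header bytes.
 */
walk_result_t walk_payloads(uint8_t first, const uint8_t *buf, size_t len)
{
    walk_result_t r;
    uint8_t type = first;
    size_t off = 0;

    memset(&r, 0, sizeof r);
    while (type != PL_NONE) {
        if (len - off < 4) {                 /* header does not fit */
            r.status = N_INVALID_SYNTAX;
            return r;
        }
        uint8_t next = buf[off];
        int critical = (buf[off + 1] & 0x80) != 0;
        uint16_t plen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);

        if (plen < 4 || plen > len - off) {  /* length disagrees with the buffer */
            r.status = N_INVALID_SYNTAX;
            return r;
        }
        if (known_type(type)) {
            if (r.count < MAX_PAYLOADS)
                r.types[r.count++] = type;
        } else if (critical) {
            /* RFC 7296 2.5: unknown type with C set => reject the message */
            r.status = N_UNSUPPORTED_CRITICAL_PAYLOAD;
            r.bad_type = type;
            return r;
        } else {
            /* RFC 7296 2.5: unknown type with C clear => ignore, keep walking */
            r.skipped++;
        }
        off += plen;    /* the unknown payload's own length field carries us past it */
        type = next;
    }
    if (off != len)                          /* bytes left after the last payload */
        r.status = N_INVALID_SYNTAX;
    return r;
}

/* Decrypted payload chain reconstructed from the dump in the thread:
 * UNDEFINED type 1 -> N(USE_TRANSPORT_MODE) -> SA. The SA body bytes are a
 * constructed placeholder; the dump does not show the SA payload contents. */
static const uint8_t sample_chain[] = {
    0x29, 0x00, 0x00, 0x04,                          /* type 1: next=41 (N), C=0, len=4 */
    0x21, 0x00, 0x00, 0x08, 0x00, 0x00, 0x40, 0x07,  /* N: next=33 (SA), len=8, notify 16391 */
    0x00, 0x00, 0x00, 0x06, 0xAA, 0xBB,              /* SA: next=0, len=6, placeholder body */
};

/* Same chain with the critical bit set on the unknown payload (constructed). */
static const uint8_t sample_chain_critical[] = {
    0x29, 0x80, 0x00, 0x04,
    0x21, 0x00, 0x00, 0x08, 0x00, 0x00, 0x40, 0x07,
    0x00, 0x00, 0x00, 0x06, 0xAA, 0xBB,
};

int main(void)
{
    walk_result_t r = walk_payloads(1, sample_chain, sizeof sample_chain);
    printf("unknown, non-critical: status=%d skipped=%d recognized=%d\n",
           r.status, r.skipped, r.count);
    r = walk_payloads(1, sample_chain_critical, sizeof sample_chain_critical);
    printf("unknown, critical: status=%d (UNSUPPORTED_CRITICAL_PAYLOAD) type=%d\n",
           r.status, r.bad_type);
    return 0;
}
```

The walker never interprets the body of an unknown payload; it only trusts the generic header's length to step over it, and it checks that length against the remaining buffer before doing so, which is the check that distinguishes "ignore this payload" from "malformed message" in a defensible way.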