[strongSwan] IKEv2: traffic selector are improperly generated

kumuda kumuda at linux.vnet.ibm.com
Fri Sep 26 13:55:15 CEST 2014


Hi,

I have configured an IKEv2 device as initiator to verify the initial exchanges
from the end-point to the security gateway.

ipsec.conf has the parameters below set:

>         type=tunnel
>         left=2001:0db8:0001:0001::1
>         # Remote address
>         right=2001:0db8:000f:0001::1
>         # Authentication method
>         leftauth=psk
>         rightauth=psk
>         leftid=2001:0db8:0001:0001::1
>         rightid=2001:0db8:000f:0001::1
>         # Remote subnet
>         rightsubnet=2001:0db8:000f:0002::/64

-bash-4.2# /usr/sbin/strongswan start
Starting strongSwan 5.2.0 IPsec [starter]...
-bash-4.2# ip xfrm policy list
src 2001:db8:f:2::/64 dst 2001:db8:1:1::1/128
	dir fwd priority 5379 ptype main
	tmpl src 2001:db8:f:1::1 dst 2001:db8:1:1::1
		proto esp reqid 1 mode tunnel
src 2001:db8:f:2::/64 dst 2001:db8:1:1::1/128
	dir in priority 5379 ptype main
	tmpl src 2001:db8:f:1::1 dst 2001:db8:1:1::1
		proto esp reqid 1 mode tunnel
src 2001:db8:1:1::1/128 dst 2001:db8:f:2::/64
	dir out priority 5379 ptype main
	tmpl src 2001:db8:1:1::1 dst 2001:db8:f:1::1
		proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src ::/0 dst ::/0
	socket in priority 0 ptype main
src ::/0 dst ::/0
	socket out priority 0 ptype main
src ::/0 dst ::/0
	socket in priority 0 ptype main
src ::/0 dst ::/0
	socket out priority 0 ptype main


The IKE_SA_INIT exchange is successful and the IKE_AUTH request is sent by the
end-point.
Two traffic selectors are generated, and the 2nd traffic selector has the
complete IPv6 address range as its range.

Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating payload of type TRAFFIC_SELECTOR_SUBSTRUCTURE
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 0 TS_TYPE
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 8
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 1 U_INT_8
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 0
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 2 PAYLOAD_LENGTH
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 2 bytes @ 0x7f40dc1e9744
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: 00 28                                            .(
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 3 U_INT_16
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 2 bytes @ 0x7f40dc1e9744
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: 00 00                                            ..
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 4 U_INT_16
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 2 bytes @ 0x7f40dc1e9744
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: FF FF                                            ..
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 5 ADDRESS
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 16 bytes @ 0x7f40bc005080
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 6 ADDRESS
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 16 bytes @ 0x7f40bc0050a0
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................

Before IKE_SA is created, charon.log shows the available traffic selectors:
Sep 26 03:25:53 11[CFG] received stroke: route 'tahi_ikev2_test'
Sep 26 03:25:53 11[CFG] proposing traffic selectors for us:
Sep 26 03:25:53 11[CFG]  2001:db8:1:1::1/128
Sep 26 03:25:53 11[CFG] proposing traffic selectors for other:
Sep 26 03:25:53 11[CFG]  2001:db8:f:2::/64
Sep 26 03:25:53 11[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ

Just after reinitiating the IKE_AUTH task, the proposed traffic selector shows ::/0:
Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> proposing traffic selectors for us:
Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1>  ::/0
Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> proposing traffic selectors for other:
Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1>  2001:db8:f:2::/64
Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ

Why is it proposing ::/0 instead of 2001:db8:1:1::1/128?

Regards,
Kumuda G
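As an added example (not part of this post and not strongSwan's own code), the following Python decodes an IKEv2 Traffic Selector substructure (RFC 7296, section 3.13.1) from the bytes shown in the ENC log above, renders the address range as a prefix the way charon logs it, and flags a selector that covers the whole address family. `build_ts`, `is_wildcard` and the two constructed byte strings are illustrative helpers, not strongSwan APIs.

```python
import ipaddress
import struct

# IKEv2 Traffic Selector types (RFC 7296, section 3.13.1).
TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8
ADDR_LEN = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}

def parse_ts_substructure(data):
    """Decode one TS substructure: TS Type (1), IP protocol ID (1),
    Selector Length (2), Start Port (2), End Port (2), Start Addr, End Addr."""
    if len(data) < 8:
        raise ValueError("truncated traffic selector")
    ts_type, proto, length, start_port, end_port = struct.unpack("!BBHHH", data[:8])
    alen = ADDR_LEN[ts_type]  # KeyError for unknown TS types
    if length != 8 + 2 * alen or len(data) < length:
        raise ValueError("selector length %d inconsistent with type %d" % (length, ts_type))
    return {"type": ts_type, "proto": proto, "ports": (start_port, end_port),
            "start": ipaddress.ip_address(data[8:8 + alen]),
            "end": ipaddress.ip_address(data[8 + alen:8 + 2 * alen])}

def range_to_prefix(ts):
    """Render the address range as charon logs it: a single CIDR when possible."""
    nets = list(ipaddress.summarize_address_range(ts["start"], ts["end"]))
    return str(nets[0]) if len(nets) == 1 else "%s-%s" % (ts["start"], ts["end"])

def is_wildcard(ts):
    """True when the selector covers every address, protocol and port of its family."""
    width = 32 if ts["type"] == TS_IPV4_ADDR_RANGE else 128
    return (int(ts["start"]) == 0 and int(ts["end"]) == (1 << width) - 1
            and ts["proto"] == 0 and ts["ports"] == (0, 0xFFFF))

def build_ts(net, proto=0, ports=(0, 0xFFFF)):
    """Illustrative encoder: one network as a single-range TS substructure."""
    ts_type = TS_IPV6_ADDR_RANGE if net.version == 6 else TS_IPV4_ADDR_RANGE
    alen = ADDR_LEN[ts_type]
    header = struct.pack("!BBHHH", ts_type, proto, 8 + 2 * alen, ports[0], ports[1])
    return header + net.network_address.packed + net.broadcast_address.packed

# Constructed from the bytes in the log above: type 8, proto 0, length 0x0028,
# ports 0..65535, start address all-zero, end address all-ones.
LOGGED_TS = bytes([8, 0, 0x00, 0x28, 0x00, 0x00, 0xFF, 0xFF]) + bytes(16) + b"\xff" * 16
# The selector one would expect from the configured left address (constructed).
EXPECTED_TS = build_ts(ipaddress.ip_network("2001:db8:1:1::1/128"))

if __name__ == "__main__":
    for label, raw in (("logged", LOGGED_TS), ("expected", EXPECTED_TS)):
        ts = parse_ts_substructure(raw)
        print(label, range_to_prefix(ts), "wildcard" if is_wildcard(ts) else "narrow")
```

Running it prints `logged ::/0 wildcard` and `expected 2001:db8:1:1::1/128 narrow`, which is the same difference the two CFG log excerpts show.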