[strongSwan] IKEv2: traffic selector are improperly generated
kumuda
kumuda at linux.vnet.ibm.com
Fri Sep 26 13:55:15 CEST 2014
Hi,
Have configured IKEv2 device as initiator to verify initial exchanges
from End-point to Security Gateway.
ipsec.conf has below parameters set:
> type=tunnel
> left=2001:0db8:0001:0001::1
> # Remote address
> right=2001:0db8:000f:0001::1
> # Authentication method
> leftauth=psk
> rightauth=psk
> leftid=2001:0db8:0001:0001::1
> rightid=2001:0db8:000f:0001::1
> # Remote subnet
> rightsubnet=2001:0db8:000f:0002::/64
-bash-4.2# /usr/sbin/strongswan start
Starting strongSwan 5.2.0 IPsec [starter]...
-bash-4.2# ip xfrm policy list
src 2001:db8:f:2::/64 dst 2001:db8:1:1::1/128
dir fwd priority 5379 ptype main
tmpl src 2001:db8:f:1::1 dst 2001:db8:1:1::1
proto esp reqid 1 mode tunnel
src 2001:db8:f:2::/64 dst 2001:db8:1:1::1/128
dir in priority 5379 ptype main
tmpl src 2001:db8:f:1::1 dst 2001:db8:1:1::1
proto esp reqid 1 mode tunnel
src 2001:db8:1:1::1/128 dst 2001:db8:f:2::/64
dir out priority 5379 ptype main
tmpl src 2001:db8:1:1::1 dst 2001:db8:f:1::1
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
IKE_SA_INIT exchange is successful and IKE_AUTH request is sent by the
end-point.
Two traffic selectors are generated and the 2nd traffic selector has the
complete IPv6 addresses as its range.
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating payload of type
TRAFFIC_SELECTOR_SUBSTRUCTURE
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 0 TS_TYPE
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 8
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 1 U_INT_8
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 0
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 2 PAYLOAD_LENGTH
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 2 bytes @ 0x7f40dc1e9744
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> 0: 00
28 .(
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 3 U_INT_16
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 2 bytes @ 0x7f40dc1e9744
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> 0: 00
00 ..
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 4 U_INT_16
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 2 bytes @ 0x7f40dc1e9744
Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> 0: FF
FF ..
/Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 5 ADDRESS//
//Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 16 bytes @
0x7f40bc005080//
//Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> 0: 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 ................//
//Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 6 ADDRESS//
//Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 16 bytes @
0x7f40bc0050a0//
//Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> 0: FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF ................/
Before IKE_SA is created, charon.log shows the available traffic selectors:
Sep 26 03:25:53 11[CFG] received stroke: route 'tahi_ikev2_test'
Sep 26 03:25:53 11[CFG] proposing traffic selectors for us:
Sep 26 03:25:53 11[CFG] 2001:db8:1:1::1/128
Sep 26 03:25:53 11[CFG] proposing traffic selectors for other:
Sep 26 03:25:53 11[CFG] 2001:db8:f:2::/64
Sep 26 03:25:53 11[CFG] configured proposals:
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
just after reinitiating IKE_AUTH task, proposed traffic shows ::/0
Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> proposing traffic selectors
for us:
Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> ::/0
Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> proposing traffic selectors
for other:
Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> 2001:db8:f:2::/64
Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> configured proposals:
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Why is it proposing ::/0 instead of 2001:db8:1:1::1/128?
Regards,
Kumuda G
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140926/273839b5/attachment.html>
More information about the Users
mailing list