[strongSwan] IKEv2: traffic selectors are improperly generated

Thomas Egerer hakke_007 at gmx.de
Fri Sep 26 14:15:56 CEST 2014



Hi Kumuda,

On 09/26/2014 01:55 PM, kumuda wrote:
> Hi,
> 
> I have configured an IKEv2 device as initiator to verify the initial exchanges from the end-point to the Security Gateway.
> 
> ipsec.conf has the below parameters set:
> 
>> type=tunnel
>> left=2001:0db8:0001:0001::1
>> # Remote address
>> right=2001:0db8:000f:0001::1
>> # Authentication method
>> leftauth=psk
>> rightauth=psk
>> leftid=2001:0db8:0001:0001::1
>> rightid=2001:0db8:000f:0001::1
>> # Remote subnet
>> rightsubnet=2001:0db8:000f:0002::/64

Did you try adding 'leftsubnet=2001:0db8:000f:0001::1/128'?

> -bash-4.2# /usr/sbin/strongswan start
> Starting strongSwan 5.2.0 IPsec [starter]...
> -bash-4.2# ip xfrm policy list
> src 2001:db8:f:2::/64 dst 2001:db8:1:1::1/128
> 	dir fwd priority 5379 ptype main
> 	tmpl src 2001:db8:f:1::1 dst 2001:db8:1:1::1
> 		proto esp reqid 1 mode tunnel
> src 2001:db8:f:2::/64 dst 2001:db8:1:1::1/128
> 	dir in priority 5379 ptype main
> 	tmpl src 2001:db8:f:1::1 dst 2001:db8:1:1::1
> 		proto esp reqid 1 mode tunnel
> src 2001:db8:1:1::1/128 dst 2001:db8:f:2::/64
> 	dir out priority 5379 ptype main
> 	tmpl src 2001:db8:1:1::1 dst 2001:db8:f:1::1
> 		proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
> 	socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> 	socket out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> 	socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> 	socket out priority 0 ptype main
> src ::/0 dst ::/0
> 	socket in priority 0 ptype main
> src ::/0 dst ::/0
> 	socket out priority 0 ptype main
> src ::/0 dst ::/0
> 	socket in priority 0 ptype main
> src ::/0 dst ::/0
> 	socket out priority 0 ptype main
> 
> 
> The IKE_SA_INIT exchange is successful and the IKE_AUTH request is sent by the end-point. Two traffic selectors are generated, and the 2nd traffic selector has the complete IPv6 address space as its range.
> 
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating payload of type TRAFFIC_SELECTOR_SUBSTRUCTURE
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 0 TS_TYPE
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 8
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 1 U_INT_8
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 0
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 2 PAYLOAD_LENGTH
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 2 bytes @ 0x7f40dc1e9744
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: 00 28                                            .(
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 3 U_INT_16
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 2 bytes @ 0x7f40dc1e9744
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: 00 00                                            ..
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 4 U_INT_16
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 2 bytes @ 0x7f40dc1e9744
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: FF FF                                            ..
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 5 ADDRESS
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 16 bytes @ 0x7f40bc005080
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 6 ADDRESS
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 16 bytes @ 0x7f40bc0050a0
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
> 
> Before the IKE_SA is created, charon.log shows the available traffic selectors:
> 
> Sep 26 03:25:53 11[CFG] received stroke: route 'tahi_ikev2_test'
> Sep 26 03:25:53 11[CFG] proposing traffic selectors for us:
> Sep 26 03:25:53 11[CFG]  2001:db8:1:1::1/128
> Sep 26 03:25:53 11[CFG] proposing traffic selectors for other:
> Sep 26 03:25:53 11[CFG]  2001:db8:f:2::/64
> Sep 26 03:25:53 11[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
> 
> Just after reinitiating the IKE_AUTH task, the proposed traffic selector shows ::/0:
> 
> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> proposing traffic selectors for us:
> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1>  ::/0
> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> proposing traffic selectors for other:
> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1>  2001:db8:f:2::/64
> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
> 
> Why is it proposing ::/0 instead of 2001:db8:1:1::1/128?
> 
> Regards, Kumuda G
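As an added example (not part of this thread and not strongSwan's own code), the Python below decodes the TRAFFIC_SELECTOR_SUBSTRUCTURE bytes reconstructed from the "generating rule" log lines above, reports whether a selector covers the whole address family (the ::/0 Kumuda sees), and encodes the /128 selector that corresponds to the suggested leftsubnet. The field layout follows RFC 7296 section 3.13.1; the function names and the byte string are this example's own.

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7   # RFC 7296 section 3.13.1
TS_IPV6_ADDR_RANGE = 8


def parse_ts(data: bytes) -> dict:
    """Decode one TS substructure: type, protocol, ports and address range."""
    ts_type, proto, length, sport, eport = struct.unpack("!BBHHH", data[:8])
    alen = 16 if ts_type == TS_IPV6_ADDR_RANGE else 4
    if length != 8 + 2 * alen or len(data) < length:
        raise ValueError("bad selector length %d" % length)
    cls = ipaddress.IPv6Address if alen == 16 else ipaddress.IPv4Address
    start = cls(data[8:8 + alen])
    end = cls(data[8 + alen:length])
    return {"type": ts_type, "proto": proto, "ports": (sport, eport),
            "start": start, "end": end}


def range_to_cidr(start, end):
    """Single CIDR block covering [start, end], or None when the range is not
    prefix aligned (RFC 7296 allows arbitrary ranges, so that can happen)."""
    blocks = list(ipaddress.summarize_address_range(start, end))
    return blocks[0] if len(blocks) == 1 else None


def is_wildcard(ts: dict) -> bool:
    """True when the selector spans the whole family (::/0 or 0.0.0.0/0)."""
    net = range_to_cidr(ts["start"], ts["end"])
    return net is not None and net.prefixlen == 0


def build_ts(network: str, proto: int = 0, ports=(0, 0xFFFF)) -> bytes:
    """Encode the TS substructure for a CIDR, e.g. the suggested /128 leftsubnet."""
    net = ipaddress.ip_network(network)
    alen = 16 if net.version == 6 else 4
    ts_type = TS_IPV6_ADDR_RANGE if net.version == 6 else TS_IPV4_ADDR_RANGE
    hdr = struct.pack("!BBHHH", ts_type, proto, 8 + 2 * alen, ports[0], ports[1])
    return hdr + net[0].packed + net[-1].packed


# Constructed from the "generating rule" lines in the log above:
# TS_TYPE 8, proto 0, length 0x28, ports 0-65535, :: through ffff:...:ffff.
LOGGED_TS = bytes.fromhex("08000028" "0000ffff" + "00" * 16 + "ff" * 16)

if __name__ == "__main__":
    ts = parse_ts(LOGGED_TS)
    print("logged selector:", range_to_cidr(ts["start"], ts["end"]),
          "(wildcard)" if is_wildcard(ts) else "")
    print("/128 selector  :", build_ts("2001:db8:1:1::1/128").hex())
```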
