[strongSwan] IKEv2: traffic selector are improperly generated

kumuda kumuda at linux.vnet.ibm.com
Mon Sep 29 08:12:47 CEST 2014


On 09/26/2014 05:45 PM, Thomas Egerer wrote:
>
> Hi Kumuda,
>
> On 09/26/2014 01:55 PM, kumuda wrote:
>> Hi,
>>
>> I have configured an IKEv2 device as initiator to verify the initial exchanges from the end-point to the security gateway.
>>
>> ipsec.conf has the below parameters set:
>>
>>> type=tunnel
>>> left=2001:0db8:0001:0001::1
>>> # Remote address
>>> right=2001:0db8:000f:0001::1
>>> # Authentication method
>>> leftauth=psk
>>> rightauth=psk
>>> leftid=2001:0db8:0001:0001::1
>>> rightid=2001:0db8:000f:0001::1
>>> # Remote subnet
>>> rightsubnet=2001:0db8:000f:0002::/64
> Did you try adding 'leftsubnet=2001:0db8:000f:0001::1/128'?
Thomas,

With leftsubnet, IKE_SA_INIT request is not generated on the initiator.

Regards,
Kumuda G
>> -bash-4.2# /usr/sbin/strongswan start
>> Starting strongSwan 5.2.0 IPsec [starter]...
>> -bash-4.2# ip xfrm policy list
>> src 2001:db8:f:2::/64 dst 2001:db8:1:1::1/128
>>         dir fwd priority 5379 ptype main
>>         tmpl src 2001:db8:f:1::1 dst 2001:db8:1:1::1
>>                 proto esp reqid 1 mode tunnel
>> src 2001:db8:f:2::/64 dst 2001:db8:1:1::1/128
>>         dir in priority 5379 ptype main
>>         tmpl src 2001:db8:f:1::1 dst 2001:db8:1:1::1
>>                 proto esp reqid 1 mode tunnel
>> src 2001:db8:1:1::1/128 dst 2001:db8:f:2::/64
>>         dir out priority 5379 ptype main
>>         tmpl src 2001:db8:1:1::1 dst 2001:db8:f:1::1
>>                 proto esp reqid 1 mode tunnel
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>         socket in priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>         socket out priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>         socket in priority 0 ptype main
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>         socket out priority 0 ptype main
>> src ::/0 dst ::/0
>>         socket in priority 0 ptype main
>> src ::/0 dst ::/0
>>         socket out priority 0 ptype main
>> src ::/0 dst ::/0
>>         socket in priority 0 ptype main
>> src ::/0 dst ::/0
>>         socket out priority 0 ptype main
>>
>>
>> The IKE_SA_INIT exchange is successful and the IKE_AUTH request is sent by the end-point. Two traffic selectors are generated, and the second traffic selector has the complete
>> IPv6 address range as its range.
>>
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating payload of type TRAFFIC_SELECTOR_SUBSTRUCTURE
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 0 TS_TYPE
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 8
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 1 U_INT_8
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 0
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 2 PAYLOAD_LENGTH
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 2 bytes @ 0x7f40dc1e9744
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: 00 28                                            .(
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 3 U_INT_16
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 2 bytes @ 0x7f40dc1e9744
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: 00 00                                            ..
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 4 U_INT_16
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 2 bytes @ 0x7f40dc1e9744
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: FF FF                                            ..
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 5 ADDRESS
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 16 bytes @ 0x7f40bc005080
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>   generating rule 6 ADDRESS
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    => 16 bytes @ 0x7f40bc0050a0
>> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1>    0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
>>
>> Before the IKE_SA is created, charon.log shows the available traffic selectors:
>>
>> Sep 26 03:25:53 11[CFG] received stroke: route 'tahi_ikev2_test'
>> Sep 26 03:25:53 11[CFG] proposing traffic selectors for us:
>> Sep 26 03:25:53 11[CFG]  2001:db8:1:1::1/128
>> Sep 26 03:25:53 11[CFG] proposing traffic selectors for other:
>> Sep 26 03:25:53 11[CFG]  2001:db8:f:2::/64
>> Sep 26 03:25:53 11[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>
>> Just after reinitiating the IKE_AUTH task, the proposed traffic selector shows ::/0:
>>
>> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> proposing traffic selectors for us:
>> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1>  ::/0
>> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> proposing traffic selectors for other:
>> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1>  2001:db8:f:2::/64
>> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>
>> Why is it proposing ::/0 instead of 2001:db8:1:1::1/128?
>>
>> Regards,
>> Kumuda G
