[strongSwan] IKE_SA established despite no corresponding configuration.

Krishna G, Suhas (Nokia - IN/Bangalore) suhas.krishna_g at nokia.com
Thu Sep 24 08:57:07 CEST 2015


Hi,


I am facing a peculiar issue in Strongswan-4.3.6. I have a connection setup something like:

                      Con1                                     Con2
Node1---------------------DUT-----------------------Node2
77.0.0.1-----------------77.0.0.2--------------------77.0.0.4

My ipsec configuration on DUT(Device Under Test) is as follows:

# ipsec.conf
# FlexiPlatform: IPsec configuration file

config setup
        charonstart=yes
        plutostart=no
        uniqueids=no
        charondebug="knl 0,enc 0,net 0"
conn %default
        auto=route
        keyexchange=ikev2
        reauth=no
ca r1~v1
        cacert="/etc/ipsec/certs/ipsec.d//cacerts/defaultCaCertificate.pem"
conn r1~v1
        rekeymargin=70
        rekeyfuzz=100%
        left=77.0.0.2
        right=77.0.0.4
        leftsubnet=77.0.0.2/32
        rightsubnet=0.0.0.0/32
        leftprotoport=17/100
        rightprotoport=17/20
        authby=rsasig
        leftcert="/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem"
        leftid=77.0.0.2
        rightid=%any
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        type=tunnel
        ikelifetime=1000s
        keylife=700s
        mobike=no
        auto=route
        reauth=no
        encapdscp=yes
        vrfid=0

Note that I have no ipsec for Con1. Even so, if Node1 initiates an IKE_SA establishment, DUT obliges it and establishes IKE_SA.
IPSec Conf on Node1 is:

# ipsec.conf
# FlexiPlatform: IPsec configuration file

config setup
        charonstart=yes
        plutostart=no
        uniqueids=no
        charondebug="knl 0,enc 0,net 0"
conn %default
        auto=route
        keyexchange=ikev2
        reauth=no
ca r1~v1
        cacert="/etc/ipsec/certs/ipsec.d//cacerts/defaultCaCertificate.pem"
conn r1~v1
        rekeymargin=70
        rekeyfuzz=100%
        left=77.0.0.1
        right=77.0.0.2
        leftsubnet=77.0.0.1/32
        rightsubnet=0.0.0.0/32
        authby=rsasig
        leftcert="/etc/ipsec/certs/ipsec.d//certs/defaultCertificate.pem"
        leftid=77.0.0.1
        rightid=%any
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        type=tunnel
        ikelifetime=1000s
        keylife=700s
        mobike=no
        auto=route
        reauth=no
        encapdscp=yes
        vrfid=0

IPSec status for Node1 (name: EIPU-0) and DUT (name: EIPU-1) are as below:

[root at EIPU-0(BCN126) /root]
# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.6):
  uptime: 6 hours, since Aug 31 09:26:49 2015
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sqlite attr-sql
Listening IP addresses:
  169.254.64.5
  169.254.0.6
  169.254.0.41
  77.0.0.1
  66.0.0.1
Connections:
       r1~v1:  77.0.0.1...77.0.0.2, vpn: (null)
       r1~v1:   local:  [C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro at nsn.com] uses public key authentication
       r1~v1:    cert:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro at nsn.com"
       r1~v1:   remote: [(vr*)%any] uses any authentication
       r1~v1:   child:  77.0.0.1/32 === 0.0.0.0/0
Routed Connections:
       r1~v1{1}:  ROUTED, TUNNEL
       r1~v1{1}:   77.0.0.1/32 === 0.0.0.0/0
Security Associations:
       r1~v1[5]: ESTABLISHED 77.0.0.1[C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro at nsn.com]...77.0.0.2[C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro at nsn.com]
       r1~v1[5]: IKE SPIs: a901f915e60cee17_i* 36facd6ae173128c_r Creation time: 3 minutes ago, rekeying in 11 minutes
       r1~v1[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

[root at EIPU-0(BCN126) /root]
# ip xfrm policy
0.0.0.0/0[0] 77.0.0.1/32[0]
        upspec 0 dev (none) uid 0
        in  allow index 0x00000198 priority 3000 share any flags 0x00000000
        tmpl-1:
          77.0.0.2 77.0.0.1
                esp spi 0(0x00000000) reqid 1 tunnel
                level required share any algo-mask:E=32, A=32, C=32
        fpid 0x00000014
        policy type main
77.0.0.1/32[0] 0.0.0.0/0[0]
        upspec 0 dev (none) uid 0
        out allow index 0x00000191 priority 2680 share any flags 0x00000000
        tmpl-1:
          77.0.0.1 77.0.0.2
                esp spi 0(0x00000000) reqid 1 tunnel
                level required share any algo-mask:E=32, A=32, C=32
        fpid 0x00000013
        policy type main

[root at EIPU-1(BCN126) /root]
# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.6):
  uptime: 29 minutes, since Aug 31 15:37:14 2015
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sqlite attr-sql
Listening IP addresses:
  169.254.64.6
  169.254.0.8
  169.254.0.40
  169.254.0.39
  77.0.0.2
  66.0.0.2
Connections:
       r1~v1:  77.0.0.2...77.0.0.4, vpn: (null)
       r1~v1:   local:  [C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro at nsn.com] uses public key authentication
       r1~v1:    cert:  "C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro at nsn.com"
       r1~v1:   remote: [(vr*)%any] uses any authentication
       r1~v1:   child:  77.0.0.2/32[udp/100] === 0.0.0.0/0[udp/ftp-data]
Routed Connections:
       r1~v1{1}:  ROUTED, TUNNEL
       r1~v1{1}:   77.0.0.2/32[udp/100] === 0.0.0.0/0[udp/ftp-data]
Security Associations:
       r1~v1[2]: ESTABLISHED 77.0.0.2[C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro at nsn.com]...77.0.0.1[C=de, ST=Bayern, L=Munich, O=Nokia Siemens Networks, OU=RTP, CN=ATCA_host, E=gianluigi.ongaro at nsn.com]
       r1~v1[2]: IKE SPIs: a901f915e60cee17_i 36facd6ae173128c_r* Creation time: 12 minutes ago, rekeying in 3 minutes
       r1~v1[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

[root at EIPU-1(BCN126) /root]
# ip xfrm policy
0.0.0.0/0[20] 77.0.0.2/32[100]
        upspec 17 dev (none) uid 0
        in  allow index 0x00000208 priority 2997 share any flags 0x00000000
        tmpl-1:
          77.0.0.4 77.0.0.2
                esp spi 0(0x00000000) reqid 1 tunnel
                level required share any algo-mask:E=32, A=32, C=32
        fpid 0x0000001a
        policy type main
77.0.0.2/32[100] 0.0.0.0/0[20]
        upspec 17 dev (none) uid 0
        out allow index 0x00000201 priority 2677 share any flags 0x00000000
        tmpl-1:
          77.0.0.2 77.0.0.4
                esp spi 0(0x00000000) reqid 1 tunnel
                level required share any algo-mask:E=32, A=32, C=32
        fpid 0x00000019
        policy type main



The root CA for Node1, DUT and Node2 are the same. Node1 has a valid certificate.

My suspicion is that the "right" field in ipsec.conf is never checked while establishing a connection. And since rightid=%any, the IKE_SA is getting established. If I change rightid to a specific IP address on the DUT, IKE_SA authentication fails and the connection is not established.

Is this a bug in strongswan-4.3.6? This seems to be fixed in higher versions.

Regards
Suhas
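Added example (not part of the original post and not strongSwan code): a small Python lint that reads an ipsec.conf of the shape shown above and reports every conn that authenticates the peer with a certificate (authby=rsasig, pubkey or ecdsasig; pubkey is strongSwan's documented default) but sets rightid=%any, so that any certificate chaining to the trusted CA is accepted as the peer. The sample configuration is constructed from the DUT's conn above, trimmed to the settings the check reads, and the "fixed" variant pins rightid to the peer address the poster describes switching to. The parser assumes the classic ipsec.conf layout (section headers at column 0, indented key=value lines, conn %default inherited by every conn) and does not follow also= references.

```python
"""Flag ipsec.conf connections that authenticate the peer by certificate
but accept any peer identity (rightid=%any).

Added example, not strongSwan code. Assumes the classic ipsec.conf layout:
section headers ("conn NAME", "ca NAME", "config setup") at column 0,
indented key=value settings, and "conn %default" inherited by every conn.
"""
from typing import Dict, List

Section = Dict[str, str]

# authby values meaning the peer proves its identity with a certificate/public key.
# strongSwan's documented default for authby is pubkey.
PUBKEY_AUTHBY = {"pubkey", "rsasig", "ecdsasig"}


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Return {header: {key: value}} for every section of an ipsec.conf text."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # section header at column 0
            current = " ".join(line.split())
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections: Dict[str, Section], header: str) -> Section:
    """Apply 'conn %default' settings first, then the conn's own settings on top."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[header])
    return merged


def open_peer_conns(text: str) -> List[str]:
    """Names of conns using public-key auth whose rightid is the wildcard %any."""
    sections = parse_ipsec_conf(text)
    findings: List[str] = []
    for header in sections:
        if not header.startswith("conn ") or header == "conn %default":
            continue
        conn = effective_conn(sections, header)
        if conn.get("authby", "pubkey") not in PUBKEY_AUTHBY:
            continue                                  # PSK etc.: not this check
        if conn.get("rightid") == "%any":
            findings.append(header[len("conn "):])
    return findings


# Constructed sample: the DUT configuration from the post, trimmed to the
# settings the check reads, plus the same conn with rightid pinned to the peer.
WEAK_CONF = """\
conn %default
        auto=route
        keyexchange=ikev2
ca r1~v1
        cacert="/etc/ipsec/certs/ipsec.d//cacerts/defaultCaCertificate.pem"
conn r1~v1
        left=77.0.0.2
        right=77.0.0.4
        authby=rsasig
        leftid=77.0.0.2
        rightid=%any
"""

FIXED_CONF = WEAK_CONF.replace("rightid=%any", "rightid=77.0.0.4")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, "->", open_peer_conns(conf) or "no findings")
```

Running the script reports r1~v1 for the weak configuration and no findings once rightid names the peer; pointing open_peer_conns at a full ipsec.conf read from disk works the same way.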
