[strongSwan] using 500/tcp
Harald Dunkel
harald.dunkel at aixigo.de
Wed Jul 20 16:03:25 CEST 2016
Hi Tobias,
On 07/18/16 11:53, Tobias Brunner wrote:
> Hi Harald,
>
>> Problem: The mtu of this tunnel is less than 1500. On the
>> first run IKEv2 on my Mac fails with icmp6 "Packet Too Big".
>> Since the protocol is udp there is no packet to fragment and
>> resend, which means a 10 seconds delay until a higher network
>> layer wakes up and tries to authenticate again. Then it works.
>
> Are you saying the first packet (IKE_SA_INIT) is already bigger than
> your MTU? Any IKE message sent later should be fragmented if you enable
> IKE fragmentation. And retransmits of the IKE_SA_INIT message should
> also be fragmented, I guess, if an ICMP was returned (unless the route
> cache or wherever Mac OS X stores the PMTU is not immediately updated).
>
Here is the log file created on my Mac
:
Jul 9 09:38:32.486749 ppcm018 neagent[734] <Debug>: 571153443E0512FD Sending request:
IKEv2 Packet
Initiator SPI: 571153443E0512FD
Responder SPI: 0
Exchange Type: IKE SA Init
Response: No
Initiator: Yes
Message ID: 0
Security Association Payload:
IKE SPI: 0
(
{
DHGroup = (
14
);
EncryptionAlgorithm = (
"AES-256"
);
IntegrityAlgorithm = (
"SHA2-256"
);
PRFAlgorithm = (
"SHA2-256"
);
}
)
Key Exchange Payload:
DH Group: 14
Key: <CFData 0x7fd2b96056a0 [0x7fff7bcdd440]>{length = 256, capacity = 256, bytes = 0x1ed3ab4ecde3fb49d6ad8d5308f1fb7c ... 912820d1cc6ac7aa}
Nonce Payload:
<CFData 0x7fd2b96059b0 [0x7fff7bcdd440]>{length = 16, capacity = 16, bytes = 0x2f678310fc3ad22d0fb82f01e6661dce}
Notify (Redirect Supported) Payload:
No Data
Notify (NAT Detection Source IP) Payload:
Data: <CFData 0x7fd2b9605740 [0x7fff7bcdd440]>{length = 20, capacity = 20, bytes = 0xb1564ba77626b73857f19b4351ec386fe8729213}
Notify (NAT Detection Destination IP) Payload:
Data: <CFData 0x7fd2b9605730 [0x7fff7bcdd440]>{length = 20, capacity = 20, bytes = 0x123681d70fa793b423245fa4e8747f30dcfe11ad}
Notify (IKEv2 Fragmentation Supported) Payload:
No Data
Jul 9 09:38:32.486917 ppcm018 neagent[734] <Debug>: Sending IKE Packet : REQ: 571153443E0512FD msg id 0 on <ikev2_socket 0x7fd2b9413d40> 2001:db8:0:1:3dfa:f382:2017:d7f7:500 -> 2001:db8:0:2::63:500
Jul 9 09:38:32.532860 ppcm018 neagent[734] <Debug>: Receiving IKE Packet: REP: 571153443E0512FD msg id 0 (i 571153443e0512fd r 67DE3073331D6047) (inQueue no) (IKE SA Init)
Jul 9 09:38:32.533378 ppcm018 neagent[734] <Debug>: 571153443E0512FD Received packet:
IKEv2 Packet
Initiator SPI: 571153443E0512FD
Responder SPI: 67DE3073331D6047
Exchange Type: IKE SA Init
Response: Yes
Initiator: No
Message ID: 0
Security Association Payload:
IKE SPI: 0
(
{
DHGroup = (
14
);
EncryptionAlgorithm = (
"AES-256"
);
IntegrityAlgorithm = (
"SHA2-256"
);
PRFAlgorithm = (
"SHA2-256"
);
}
)
Key Exchange Payload:
DH Group: 14
Key: <CFData 0x7fd2b9415af0 [0x7fff7bcdd440]>{length = 256, capacity = 256, bytes = 0x50fa2bd784d9c6e96e69d2733c02af5e ... ce77c71ce0e6579b}
Nonce Payload:
<CFData 0x7fd2b9414c80 [0x7fff7bcdd440]>{length = 32, capacity = 32, bytes = 0x450f7c21edd25fefaa99bebc0b01e2ee ... 8a3e9dce752ec28c}
Notify (NAT Detection Source IP) Payload:
Data: <CFData 0x7fd2b9415780 [0x7fff7bcdd440]>{length = 20, capacity = 20, bytes = 0x9ccb11d588aeff2215aa635924e0f1809b8d7b97}
Notify (NAT Detection Destination IP) Payload:
Data: <CFData 0x7fd2b9415770 [0x7fff7bcdd440]>{length = 20, capacity = 20, bytes = 0x5ea3557548ed073d0c43e166dfb6c17529b7a199}
Certificate Request Payload:
Encoding: X.509 Certificate Signature
Data: <CFData 0x7fd2b9415770 [0x7fff7bcdd440]>{length = 60, capacity = 60, bytes = 0x81ac7e33e363d83b98388de0080e817b ... 041d1fa66191860e}
Vendor Payload:
<CFData 0x7fd2b94155b0 [0x7fff7bcdd440]>{length = 16, capacity = 16, bytes = 0x882fe56d6fd20dbc2251613b2ebe5beb}
Jul 9 09:38:32.534995 ppcm018 neagent[734] <Debug>: ikev2_socket: Created socket <ikev2_socket 0x7fd2b9605660> 2001:db8:0:1:3dfa:f382:2017:d7f7:4500 -> 2001:db8:0:2::63:4500 on interface en0 with local address
Jul 9 09:38:32.535137 ppcm018 neagent[734] <Debug>: ikev2_socket: Adding client 92F5ACFE-4330-4B5D-B11B-94798A4D27BC for <ikev2_socket 0x7fd2b9605660> 2001:db8:0:1:3dfa:f382:2017:d7f7:4500 -> 2001:db8:0:2::63:4500
Jul 9 09:38:32.535250 ppcm018 neagent[734] <Debug>: Compute MODP DH result
Jul 9 09:38:32.577911 ppcm018 neagent[734] <Debug>: ikev2_crypto_raw_sign: signedHashBytesSize 256
Jul 9 09:38:32.605062 ppcm018 neagent[734] <Debug>: 571153443E0512FD Sending request:
IKEv2 Packet
Initiator SPI: 571153443E0512FD
Responder SPI: 67DE3073331D6047
Exchange Type: IKE Auth
Response: No
Initiator: Yes
Message ID: 1
Initiator Identity Payload:
Type: IDFQDN
Value: ppcm018.ws.example.com
Notify (Initial Contact) Payload:
No Data
Notify (MOBIKE Supported) Payload:
No Data
Responder Identity Payload:
Type: IDFQDN
Value: stargate.example.com
Authentication Payload:
Method: Certificate
Data: <CFData 0x7fd2b953f130 [0x7fff7bcdd440]>{length = 256, capacity = 256, bytes = 0x8629d3216c77536b1f492cd5ffac3dba ... d680a5f9bbf35876}
Certificate Payload:
Encoding: X.509 Certificate Signature
Data: <CFData 0x7fd2ba009a00 [0x7fff7bcdd440]>{length = 1819, capacity = 1819, bytes = 0x30820717308204ffa003020102021311 ... d4cccc6c33765d87}
Configuration Payload:
Message Type: Request
Configuration: (
{
Identifier = 1;
Name = AssignedIPv4Address;
},
{
Identifier = 6;
Name = AssignedIPv4DHCP;
},
{
Identifier = 3;
Name = AssignedIPv4DNS;
},
{
Identifier = 2;
Name = AssignedIPv4NetMask;
},
{
Identifier = 8;
Name = AssignedIPv6Address;
},
{
Identifier = 12;
Name = AssignedIPv6DHCP;
},
{
Identifier = 10;
Name = AssignedIPv6DNS;
}
)
Notify (ESP TFC Padding Not Supported) Payload:
No Data
Notify (Non First Fragments Also) Payload:
No Data
Security Association Payload:
IKE SPI: 0
(
{
ChildProtocol = ESP;
EncryptionAlgorithm = (
"AES-256"
);
IntegrityAlgorithm = (
"SHA2-256"
);
SPIValue = "-1182200305";
}
)
Initiator Traffic Selector Payload:
(
{
TSEndAddress = "255.255.255.255";
TSEndPort = 65535;
TSProtocol = 0;
TSStartAddress = "0.0.0.0";
TSStartPort = 0;
TSType = IPv4;
},
{
TSEndAddress = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff";
TSEndPort = 65535;
TSProtocol = 0;
TSStartAddress = "::";
TSStartPort = 0;
TSType = IPv6;
}
)
Responder Traffic Selector Payload:
(
{
TSEndAddress = "255.255.255.255";
TSEndPort = 65535;
TSProtocol = 0;
TSStartAddress = "0.0.0.0";
TSStartPort = 0;
TSType = IPv4;
},
{
TSEndAddress = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff";
TSEndPort = 65535;
TSProtocol = 0;
TSStartAddress = "::";
TSStartPort = 0;
TSType = IPv6;
}
)
Jul 9 09:38:32.605201 ppcm018 neagent[734] <Debug>: Sending IKE Packet : REQ: 571153443E0512FD msg id 1 on <ikev2_socket 0x7fd2b9605660> 2001:db8:0:1:3dfa:f382:2017:d7f7:4500 -> 2001:db8:0:2::63:4500
Jul 9 09:38:32.607523 ppcm018 neagent[734] <Error>: Failed to receive isakmp packet: Message too long
Jul 9 09:38:32.607664 ppcm018 neagent[734] <Error>: Failed to receive isakmp packet: Message too long
Jul 9 09:38:32.607738 ppcm018 neagent[734] <Error>: Failed to receive isakmp packet: Message too long
Jul 9 09:38:32.607844 ppcm018 neagent[734] <Error>: Failed to receive isakmp packet: Message too long
:
:
Jul 9 09:38:35.558814 ppcm018 neagent[734] <Error>: Failed to receive isakmp packet: Message too long
Jul 9 09:38:35.558865 ppcm018 neagent[734] <Error>: Failed to receive isakmp packet: Message too long
Jul 9 09:38:35.558915 ppcm018 neagent[734] <Error>: Failed to receive isakmp packet: Message too long
Jul 9 09:38:35.558964 ppcm018 neagent[734] <Critical>: *** LOG MESSAGE QUOTA EXCEEDED - SOME MESSAGES FROM THIS PROCESS HAVE BEEN DISCARDED ***
Jul 9 09:38:44.624454 ppcm018 neagent[734] <Error>: Failed to receive IKE Auth packet
Jul 9 09:38:44.625079 ppcm018 CommCenter[434] <Debug>: Received PFKey Message that could not be matched (type 4).
Jul 9 09:38:44.625142 ppcm018 neagent[734] <Debug>: Received PFKey Message associated with DB (type 4)
Jul 9 09:38:44.625544 ppcm018 neagent[734] <Info>: ikev2_callback: Received notification for ikeRef B9413680 ChildRef 0
Jul 9 09:38:44.625652 ppcm018 neagent[734] <Info>: IKEv2 Plugin: received notif IKE Status: Disconnected
Jul 9 09:38:44.625993 ppcm018 neagent[734] <Info>: ikev2_callback: set status Disconnected
Jul 9 09:38:44.626229 ppcm018 neagent[734] <Info>: Sending status update with status 0 and disconnect error 0
Obviously it is *4500/udp* (my error). Of course I understand that it
would be more difficult to replace it with tcp.
>> Looking at this I wonder if it is reasonable to ignore 500/tcp
>> for Strongswan?
>
> Until [1] is standardized this won't change (it also requires kernel
> changes for ESP in TCP encapsulation).
>
Understood. Not to mention that the peer (MacOS) has to support
it as well.
I just wonder if you have any recommendations to avoid this delay?
In the sample above the delay was just 3 seconds, but sometimes it's
10 seconds or more.
Once the MTU is known the IKEv2 negotiations work very well. I tried
to ping6 the peer with -s 1500 before initiating the IPsec connection,
but this did not help.
Thanks very much for your help and patience.
Harri
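The log above shows an IKE_AUTH request whose certificate payload alone is 1819 bytes, sent after the Mac had advertised "IKEv2 Fragmentation Supported" in its IKE_SA_INIT. The following is an added example, not code from this thread, from strongSwan or from Apple's neagent, that shows how RFC 7383 fragmentation is sized against a path MTU: each Encrypted Fragment (SKF) payload is padded, encrypted and integrity-protected on its own, so the split is done on plaintext and the Length fields describe the fragment rather than the whole message. The SPIs are copied from the log; the keys, the sample payload bytes and the 1400-byte path MTU are constructed for the demo, and the cipher is an HMAC-based stream stand-in for AES-CBC so the code runs with the Python standard library alone.

```python
"""IKEv2 fragmentation (RFC 7383): split one IKE_AUTH into Encrypted Fragment
payloads that fit a path MTU, then reassemble and verify them. Added example."""
import hashlib
import hmac
import os
import struct

# Per-packet overhead on the path in the log: IPv6, UDP/4500 with the 4-byte
# non-ESP marker (RFC 3948), the fixed IKE header (RFC 7296 3.1) and the SKF
# header: generic payload header (4) + Fragment Number (2) + Total Fragments (2).
IPV6_HDR, UDP_HDR, NON_ESP_MARKER, IKE_HDR, SKF_HDR = 40, 8, 4, 28, 8
PAYLOAD_SKF = 53          # Encrypted Fragment payload type (RFC 7383)
PAYLOAD_IDI = 35          # first inner payload of an IKE_AUTH request
EXCH_IKE_AUTH = 35
IKE_VERSION = 0x20        # major 2, minor 0
FLAG_INITIATOR = 0x08
BLOCK, IV_LEN, ICV_LEN = 16, 16, 16   # AES-256-CBC + HMAC-SHA2-256-128, as proposed in the log
SK_E, SK_A = b"\x11" * 32, b"\x22" * 32   # constructed demo keys (a real SA derives them from the DH result)
SPI_I, SPI_R = bytes.fromhex("571153443E0512FD"), bytes.fromhex("67DE3073331D6047")  # from the log
SAMPLE_IKE_AUTH = b"constructed IKE_AUTH inner payloads " * 72   # ~2.5 KB, like a request carrying a cert


def _keystream(key, iv, n):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode). NOT AES-CBC; used only
    so the framing below runs without third-party crypto libraries."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
    return bytes(out[:n])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wire_size(ike_message):
    """Datagram size on the wire for one IKE message on UDP/4500 over IPv6."""
    return IPV6_HDR + UDP_HDR + NON_ESP_MARKER + len(ike_message)


def unfragmented_size(plaintext_len):
    """Wire size if the same plaintext went out as a single Encrypted (SK) payload."""
    pad = (-(plaintext_len + 1)) % BLOCK
    return wire_size(b"\0" * (IKE_HDR + 4 + IV_LEN + plaintext_len + 1 + pad + ICV_LEN))


def fragment_message(plaintext, first_inner, spi_i, spi_r, msg_id, path_mtu, flags=FLAG_INITIATOR):
    """Return the SKF fragments (bytes) for one IKE message. Each fragment is padded,
    encrypted and integrity-protected on its own, so the split happens on plaintext."""
    room = path_mtu - (IPV6_HDR + UDP_HDR + NON_ESP_MARKER + IKE_HDR + SKF_HDR + IV_LEN + ICV_LEN)
    data_max = (room // BLOCK) * BLOCK - 1      # whole blocks, minus the Pad Length byte
    if data_max <= 0:
        raise ValueError("path MTU too small for any fragment")
    chunks = [plaintext[i:i + data_max] for i in range(0, len(plaintext), data_max)]
    frags = []
    for num, chunk in enumerate(chunks, start=1):
        pad_len = (-(len(chunk) + 1)) % BLOCK
        padded = chunk + b"\0" * pad_len + bytes([pad_len])
        iv = os.urandom(IV_LEN)
        ct = _xor(padded, _keystream(SK_E, iv, len(padded)))
        skf_len = SKF_HDR + IV_LEN + len(ct) + ICV_LEN
        # Both Length fields describe this fragment, not the original message.
        hdr = struct.pack(">8s8sBBBBII", spi_i, spi_r, PAYLOAD_SKF, IKE_VERSION,
                          EXCH_IKE_AUTH, flags, msg_id, IKE_HDR + skf_len)
        # The SKF Next Payload names the first inner payload in fragment 1 only, 0 elsewhere.
        skf = struct.pack(">BBHHH", first_inner if num == 1 else 0, 0, skf_len, num, len(chunks))
        body = hdr + skf + iv + ct
        icv = hmac.new(SK_A, body, hashlib.sha256).digest()[:ICV_LEN]   # covers IKE header..ciphertext
        frags.append(body + icv)
    return frags


def reassemble(frags):
    """Check every fragment's ICV and framing, decrypt, and rebuild (first_inner, plaintext).
    Raises ValueError on a bad ICV, inconsistent counts or a missing fragment."""
    pieces, total, first_inner = {}, None, None
    for f in frags:
        body, icv = f[:-ICV_LEN], f[-ICV_LEN:]
        if not hmac.compare_digest(hmac.new(SK_A, body, hashlib.sha256).digest()[:ICV_LEN], icv):
            raise ValueError("ICV mismatch")
        _, _, np, _, _, _, _, length = struct.unpack(">8s8sBBBBII", body[:IKE_HDR])
        inner, _, skf_len, num, tot = struct.unpack(">BBHHH", body[IKE_HDR:IKE_HDR + SKF_HDR])
        if np != PAYLOAD_SKF or length != len(f) or skf_len != len(f) - IKE_HDR:
            raise ValueError("bad fragment framing")
        total = tot if total is None else total
        if tot != total or not 1 <= num <= total:
            raise ValueError("inconsistent fragment numbering")
        off = IKE_HDR + SKF_HDR
        padded = _xor(body[off + IV_LEN:], _keystream(SK_E, body[off:off + IV_LEN], len(body) - off - IV_LEN))
        pieces[num] = padded[:len(padded) - 1 - padded[-1]]   # strip padding + Pad Length byte
        if num == 1:
            first_inner = inner
    if total is None or len(pieces) != total:
        raise ValueError("missing fragments")
    return first_inner, b"".join(pieces[i] for i in range(1, total + 1))


def demo(path_mtu=1400):
    """Fragment the constructed IKE_AUTH for path_mtu and round-trip it."""
    frags = fragment_message(SAMPLE_IKE_AUTH, PAYLOAD_IDI, SPI_I, SPI_R, 1, path_mtu)
    assert reassemble(frags) == (PAYLOAD_IDI, SAMPLE_IKE_AUTH)
    return frags


if __name__ == "__main__":
    fs = demo()
    print("unfragmented:", unfragmented_size(len(SAMPLE_IKE_AUTH)), "bytes on the wire")
    print("fragments:", [wire_size(f) for f in fs])
```

With a 1400-byte path MTU the 2592-byte sample plaintext needs three fragments, the first two filling the MTU exactly; the same payload as one SK payload would be a 2724-byte datagram, which is what provokes the "Packet Too Big" behaviour in the thread. The reassembler is deliberately strict: a flipped ciphertext byte, a fragment count that changes between fragments, or a missing fragment each raise before any plaintext is returned.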