[strongSwan] Help with understanding traffic selectors match

Enrico Cavalli enrico.cavalli at gmail.com
Thu Nov 30 17:45:40 CET 2017


Hello, 

I already posted to pfsense mailing list but maybe the issue is strongswan specific. 

On my side I have a pfsense 2.4.2 and on the other side a checkpoint firewall (I suppose latest available version) where the encryption domain
cannot be changed (so I'm told). 

I have one single network on my side and a bunch of networks on  the other side. 

Sometimes i end with multiple CHILD_SA for the same network (10.128.200.0/24 in the example) and basically connections with this network stop working.

I think I found a solution but I'm trying to understand better the reasoning behind. 

This is the situation where 10.128.200.0/24 does not work;

Security Associations (1 up, 0 connecting):
    con1000[37]: ESTABLISHED 27 minutes ago, A.B.C.D[A.B.C.D]...X.Y.Z.W[X.Y.Z.W]
    con1000{181}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf75c2be_i f6da2a6b_o
    con1000{181}:   172.16.199.0/24|/0 === 10.128.200.0/24|/0
    con1001{182}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: ca07fa2a_i b78a80ad_o
    con1001{182}:   172.16.199.0/24|/0 === 192.168.3.0/24|/0
    con1002{183}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: cf85518c_i 6b4605e6_o
    con1002{183}:   172.16.199.0/24|/0 === 10.15.1.0/24|/0
    con1000{184}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8d4d22e_i a7e330d0_o
    con1000{184}:   172.16.199.0/24|/0 === 10.128.200.0/24|/0
    con1001{185}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c4d1b604_i 91a8d9d5_o
    con1001{185}:   172.16.199.0/24|/0 === 192.168.3.0/24|/0

where tunnel  con1000{184}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8d4d22e_i a7e330d0_o

prevents traffic between my 172.16.199.0/24 and remote 10.128.200.0/24

This is the log relative to this CHILD_SA

Nov 29 10:57:33 iulm03 charon: 15[NET] <con1000|37> received packet: from X.Y.Z.W[500] to A.B.C.D[500] (236 bytes)
Nov 29 10:57:33 iulm03 charon: 15[ENC] <con1000|37> parsed CREATE_CHILD_SA request 0 [ SA No TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Nov 29 10:57:33 iulm03 charon: 15[IKE] <con1000|37> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> looking for a child config for 172.16.199.98/32|/0[tcp/http] 172.16.199.0/24|/0 === 10.128.132.198/32|/0[tcp/49179] 10.128.0.0/16|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.128.200.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   candidate "con1000" with prio 7+1
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  192.168.3.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.15.1.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.128.210.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   candidate "con1003" with prio 7+1
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.128.30.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   candidate "con1004" with prio 7+1
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> found matching child config "con1000" with prio 8
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selecting proposal:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   proposal matches
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selecting traffic selectors for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 172.16.199.0/24|/0, received: 172.16.199.98/32|/0[tcp/http] => match: 172.16.199.98/32|/0[tcp/http]
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 172.16.199.0/24|/0, received: 172.16.199.0/24|/0 => match: 172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selecting traffic selectors for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 10.128.200.0/24|/0, received: 10.128.132.198/32|/0[tcp/49179] => no match
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 10.128.200.0/24|/0, received: 10.128.0.0/16|/0 => match: 10.128.200.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CHD] <con1000|37> CHILD_SA con1000{184} state change: CREATED => INSTALLING


I suppose that since 10.128.0.0/16 is larger, charon tries to find a match. It then picks up the first "best" match and creates the unwanted CHILD_SA.

Is this correct and expected behavior?

To solve this issue (which I do not completely understand) I added another configuration to create a CHILD_SA to 10.128.0.0/16

The result is that unwanted double CHILD_SA to same destination is not created anymore and this is good for me - everything works as expected.


BUT - and this does not help my understanding

- if I initiate a connection from 172.16.199.0/24 to 10.128.0.0/16 CHILD_SA goes UP --> OK 
- BUT if now the remote side initiates a connection in all aspect similar to the one mentioned before
looking for a child config for 172.16.199.98/32|/0[tcp/http] 172.16.199.0/24|/0 === 10.128.132.198/32|/0[tcp/49179] 10.128.0.0/16|/0

charon says that traffic selectors are wrong (sorry but at the moment I  do not have a log for this case) .

Why this happens.

Thank you very much for any help or pointers to the right documentation.

Enrico.



-- 
Enrico Cavalli - enrico.cavalli at gmail.com
jabber: enrico.cavalli at gmail.com skype: enricocavalli
PGP Fingerprint: 3762 7B1B 743E 029C 8F94  8ADE BC4B 43A7 0485 30E5



More information about the Users mailing list