[strongSwan] strongSwan to ignore IKE-SA-INIT response from a bogus IPv6 address

rajeev nohria rajnohria at gmail.com
Tue May 22 19:48:38 CEST 2018


For the following scenario, is it a strongSwan bug? The responder IP address is
*fc00:cada:c406::200*. But if the reply comes from even a different IPv6 address,
everything goes through successfully as if nothing were wrong. In the following case the
IKE_SA_INIT response came from *fc00:cada:c406::500*. I would imagine it should be
rejected.


9[KNL] creating acquire job for policy fc00:cada:c406:607::1001/128[tcp/57861] === fc00:cada:c406::200/128[tcp/8190] with reqid {2}
07[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
08[NET] received packet: from fc00:cada:c406::500[500] to fc00:cada:c406:607::1001[500] (453 bytes)
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
08[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
08[IKE] received 1 cert requests for an unknown ca
08[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
08[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
08[IKE] authentication of 'C=US, O=ARRIS Group, OU=DCA Remote Device Certificate, CN=00:01:5c:b0:04:ad' (myself) with RSA signature successful
08[IKE] sending end entity cert "C=US, O=ARRIS Group, OU=DCA Remote Device Certificate, CN=00:01:5c:b0:04:ad"
08[IKE] sending issuer cert "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
08[IKE] establishing CHILD_SA gcpfc00:cada:c406::200{2}
08[ENC] generating IKE_AUTH request 1 [ IDi CERT CERT CERTREQ AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
08[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (3200 bytes)
15[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (7280 bytes)
15[ENC] parsed IKE_AUTH response 1 [ N(ESP_TFC_PAD_N) N(USE_TRANSP) IDr CERT CERT CERT CERT CERT AUTH SA TSi TSr ]
15[IKE] received end entity cert "C=US, O=CableLabs, CN=00:01:5c:96:16:00"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=Device CA01, CN=CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=Device CA02, CN=CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST CableLabs Device Certification Authority"
15[IKE] received issuer cert "C=US, O=CableLabs, OU=TEST Service Provider CA01, CN=TEST CableLabs Service Provider Certification Authority"
15[CFG]   using certificate "C=US, O=CableLabs, CN=00:01:5c:96:16:00"
15[CFG]   using untrusted intermediate certificate "C=US, O=CableLabs, OU=TEST Service Provider CA01, CN=TEST CableLabs Service Provider Certification Authority"
15[CFG] checking certificate status of "C=US, O=CableLabs, CN=00:01:5c:96:16:00"
15[CFG] certificate status is not available
15[CFG]   using trusted ca certificate "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST CableLabs Root Certification Authority"
15[CFG] checking certificate status of "C=US, O=CableLabs, OU=TEST Service Provider CA01, CN=TEST CableLabs Service Provider Certification Authority"
15[CFG] certificate status is not available
15[CFG]   reached self-signed root ca with a path length of 1
15[IKE] authentication of 'C=US, O=CableLabs, CN=00:01:5c:96:16:00' with RSA signature successful
15[IKE] IKE_SA rpdfc00:cada:c406::200[1] established between fc00:cada:c406:607::1001[C=US, O=ARRIS Group, OU=DCA Remote Device Certificate, CN=00:01:5c:b0:04:ad]...fc00:cada:c406::200[C=US, O=CableLabs, CN=00:01:5c:96:16:00]
15[IKE] scheduling rekeying in 13604s
15[IKE] maximum IKE_SA lifetime 15044s


On Tue, May 22, 2018 at 9:08 AM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Rajeev,
>
> > Is there a way for strongSwan to ignore an IKE-SA-INIT response from a bogus
> > IPv6 address? strongSwan replies to all the IKE-SA-INIT messages received from
> > all IP addresses.
>
> Use iptables.
>
> Regards,
> Tobias
>
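The log above records the condition Rajeev is asking about: the IKE_SA_INIT request went to fc00:cada:c406::200, the response arrived from fc00:cada:c406::500, and the exchange still completed. Whatever the daemon decides to do with such a response, a defender can at least detect it from the charon log. The following script is an added example, not code from the original post or from the strongSwan project: it learns the intended peer from the "initiating IKE_SA ... to <addr>" and "sending packet ... to <addr>" lines, pairs each "received packet" line with the "parsed ... response" line that follows it, and reports every response whose source address differs from the address the request was sent to. The sample log embedded in it is a constructed, unwrapped copy of the relevant lines from the post; the regular expressions are assumptions about the log format shown there, not a documented strongSwan interface.

```python
"""Flag IKE responses whose source address differs from where the request went.

Added example (not strongSwan code). Assumes charon log lines shaped like
the ones in the post: "<thread>[<subsystem>] <message>".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Generic charon line: worker thread id, subsystem tag, message text.
LINE_RE = re.compile(r'^\s*(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s+(?P<msg>.*)$')
# The address strongSwan was configured/asked to talk to.
INITIATING_RE = re.compile(r'initiating IKE_SA (?P<name>\S+) to (?P<peer>\S+)')
# Destination of an outgoing request and source of an incoming packet.
SENDING_RE = re.compile(r'sending packet: from (?P<src>\S+)\[\d+\] to (?P<dst>\S+)\[\d+\]')
RECEIVED_RE = re.compile(r'received packet: from (?P<src>\S+)\[\d+\] to (?P<dst>\S+)\[\d+\]')
# The line that tells us which exchange the received packet turned out to be.
PARSED_RE = re.compile(r'parsed (?P<exchange>\S+) response (?P<mid>\d+)')

# Constructed sample: unwrapped copies of the address-bearing lines in the post.
SAMPLE_LOG = """\
07[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to fc00:cada:c406::200
07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
07[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (456 bytes)
08[NET] received packet: from fc00:cada:c406::500[500] to fc00:cada:c406:607::1001[500] (453 bytes)
08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
08[NET] sending packet: from fc00:cada:c406:607::1001[500] to fc00:cada:c406::200[500] (3200 bytes)
15[NET] received packet: from fc00:cada:c406::200[500] to fc00:cada:c406:607::1001[500] (7280 bytes)
15[ENC] parsed IKE_AUTH response 1 [ N(ESP_TFC_PAD_N) N(USE_TRANSP) IDr CERT CERT CERT CERT CERT AUTH SA TSi TSr ]
"""


@dataclass
class Finding:
    exchange: str        # e.g. IKE_SA_INIT
    expected_peer: str   # address the request was sent to
    actual_source: str   # address the response actually came from
    line_no: int         # 1-based line of the offending "received packet"


def find_source_mismatches(log_text: str) -> list[Finding]:
    """Return one Finding per response that did not come from the request's peer.

    Requests and responses are handled by different worker threads (07 vs 08
    in the sample), so pairing is done by order of appearance, not thread id.
    """
    configured_peer: Optional[str] = None
    last_sent_to: Optional[str] = None
    pending: Optional[tuple[int, str]] = None  # (line_no, src) awaiting its "parsed" line
    findings: list[Finding] = []

    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group('msg')
        if (im := INITIATING_RE.search(msg)):
            configured_peer = im.group('peer')
        elif (sm := SENDING_RE.search(msg)):
            last_sent_to = sm.group('dst')
        elif (rm := RECEIVED_RE.search(msg)):
            pending = (line_no, rm.group('src'))
        elif (pm := PARSED_RE.search(msg)) and pending is not None:
            recv_line, src = pending
            expected = last_sent_to or configured_peer
            if expected and src != expected:
                findings.append(Finding(pm.group('exchange'), expected, src, recv_line))
            pending = None
    return findings


if __name__ == '__main__':
    for f in find_source_mismatches(SAMPLE_LOG):
        print(f'line {f.line_no}: {f.exchange} response from {f.actual_source}, '
              f'request was sent to {f.expected_peer}')
```

Run against the sample it reports exactly one event, the IKE_SA_INIT response from fc00:cada:c406::500 to a request addressed to fc00:cada:c406::200; the IKE_AUTH response, which came back from ::200, is not flagged. Feed it the real charon log (journal or syslog with the same line format) to get the same check over live traffic. On the mitigation side, Tobias's answer amounts to an allow-list in the host firewall: restrict inbound IKE (UDP 500 and, with NAT traversal, 4500) to the known peer address so a response from any other address is dropped before charon ever parses it.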