Bug #107

Unencrypted L2TP packets

Added by Terje Rosenlund almost 2 years ago. Updated 8 months ago.

Status:New Start date:15.02.2010
Priority:Normal Due date:
Assignee:- % Done:

0%
Category:-
Target version:-
Affected version:4.5.2

Description

Client: XP-Pro, L2TP IPSec VPN
Server: Linux strongSwan U4.3.6rc2/K2.6.27.25-78.2.56.fc9.i686
Xl2tpd: version xl2tpd-1.2.4 (1.2.5 gives same result)

Both server and client are behind nat

  • IPSec tunnel is established but xl2tpd fails (packets sent uncrypted)
  • Wireshark on server shows l2tp packets from client encapsulated in ESP sendt true port 4500 udp to server
  • Server replies width unencrypted l2tp packets sendt true port 1701 udp
  • Marking and counting packets in iptables seems to confirm this (POSTROUTING - 7 packets out on udp dpt:l2tp)

I can't se how this could be caused by my configuration and suspects this to be a bug

My iptables contains:

mangle table:
-A PREROUTING -i eth0 -p udp --dport isakmp -j MARK --set-xmark 0x1/0xffffffff
    -A PREROUTING -i eth0 -p udp --dport ipsec-nat-t -j MARK --set-xmark 0x2/0xffffffff
    -A PREROUTING -i eth0 -p udp -m mark --mark 0x2 --dport l2tp -j MARK --set-xmark 0x3/0xffffffff
    -A POSTROUTING -p udp --dport l2tp -j ACCEPT
filter table:
-N IPSEC_IN
    -F IPSEC_IN
    -A IPSEC_IN -m mark --mark 0x1 -j ACCEPT
    -A IPSEC_IN -m mark --mark 0x2 -j ACCEPT
    -A IPSEC_IN -m mark --mark 0x3 -j ACCEPT
    -A IPSEC_IN -i eth0 -p udp --dport l2tp -j DROP
    -A INPUT -j IPSEC_IN

Trying to log in, checking counters:

iptables -L -v -t mangle
Chain PREROUTING (policy ACCEPT 466 packets, 45299 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        2   728 MARK       udp  --  eth0   any     anywhere             anywhere            udp dpt:isakmp MARK xset 0x1/0xffffffff 
        9  1385 MARK       udp  --  eth0   any     anywhere             anywhere            udp dpt:ipsec-nat-t MARK xset 0x2/0xffffffff 
        3   396 MARK       udp  --  eth0   any     anywhere             anywhere            mark match 0x2 udp dpt:l2tp MARK xset 0x3/0xffffffff
Chain INPUT (policy ACCEPT 466 packets, 45299 bytes)
     pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 557 packets, 160K bytes)
     pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 550 packets, 159K bytes)
     pkts bytes target     prot opt in     out     source               destination         
        7   730 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:l2tp
iptables -L -v
Chain OUTPUT (policy ACCEPT 1390 packets, 259K bytes)
     pkts bytes target     prot opt in     out     source               destination         
        7   730 ACCEPT     udp  --  any    any     tr.home              anywhere            udp spt:l2tp 
        2   548 ACCEPT     udp  --  any    any     tr.home              anywhere            udp spt:isakmp 
        4   520 ACCEPT     udp  --  any    any     tr.home              anywhere            udp spt:ipsec-nat-t
Chain IPSEC_IN (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        2   728 ACCEPT     all  --  any    any     anywhere             anywhere            mark match 0x1 
       17  1617 ACCEPT     all  --  any    any     anywhere             anywhere            mark match 0x2 
        3   396 ACCEPT     all  --  any    any     anywhere             anywhere            mark match 0x3 
        0     0 DROP       udp  --  eth0   any     anywhere             anywhere            udp dpt:l2tp

strongswan.log (8.5 kB) Terje Rosenlund, 15.02.2010 22:37

strongswan2.log (12.1 kB) Terje Rosenlund, 16.02.2010 09:57

strongswan3.log (74.3 kB) Terje Rosenlund, 17.02.2010 11:35

strongswan4.log (6.3 kB) Terje Rosenlund, 18.02.2010 16:03

strongswan5.log (10.3 kB) Terje Rosenlund, 26.02.2010 11:07

History

#1
Updated by Andreas Steffen almost 2 years ago

It would help if you would

1) set iptables input/output policy on the server to drop and add the udp port 500/4500 rules as in our example NAT scenario
http://www.strongswan.org/uml/testresults43/ikev2/nat-one-rw/sun.iptables

2) post the output of the command ip xfrm policy and ip xfrm state on the server

3) post the output of ipsec statusall on the server

and all this after you tried to transmit a couple of packets via L2TP

Regards

Andreas

#2
Updated by Terje Rosenlund almost 2 years ago

Requested output attached in strongswan.log

Observe count = 0 for input rule created by strongswan for l2tp packets
(count = 3 in IPSEC_IN chain (using mark 3))

Same for rules in FORWARD and OUTPUT chains where 'leftsourceip' is used as source/destination ip

My vpn.conf includes 'nat_traversal=yes'

Seems to mee that 'left' should be used instead of 'leftsourceip' when 'nat_traversal=yes' (?)

#3
Updated by Andreas Steffen almost 2 years ago

In ip xfrm policy the outbound policy is missing. Therefore it is not surprise that your output packets are in the clear. Are there any error messages in the log while installing the outbound policy? Actually you shouldn't use IPsec transport mode in the presence of NAT anyway.

#4
Updated by Terje Rosenlund almost 2 years ago

Andreas Steffen wrote:

In ip xfrm policy the outbound policy is missing. Therefore it is not surprise that your output packets are in the clear. Are there any error messages in the log while installing the outbound policy?

Attached strongswan2.log

Actually you shouldn't use IPsec transport mode in the presence of NAT anyway.

Ok, changed it to 'tunnel' but I observe no diffs in my connection policy: PSK+ENCRYPT+ TUNNEL +DONTREKEY even when 'type=transport'

#5
Updated by Andreas Steffen almost 2 years ago

I don't see any IKEv1 negotiations in strongswan2.log

#6
Updated by Terje Rosenlund almost 2 years ago

No longer possible to upload attachements !!!

#7
Updated by Martin Willi almost 2 years ago

Yes we are aware of the problem and are working on it.

Update: File uploading should work now.

#8
Updated by Terje Rosenlund almost 2 years ago

Lost 'Preview' button when in edit-mode?

Uploaded strongswan3.log

quote from mail:

Here is the inbound eroute which works:
| install_inbound_ipsec_sa() checking if we can route
| route owner of "L2TP_Terje"[1] 192.168.1.1:4500 unrouted: NULL; eroute owner: NULL
| configured authentication algorithm HMAC_SHA1 with key size 128
| configured esp encryption algorithm 3DES_CBC with key size 192
| add inbound eroute 192.168.1.1/32:1701 -> 62.xxx.xxx.xxx/32:0 => :17
and here the outbound one:
| install_ipsec_sa() for #2: outbound only
| route owner of "L2TP_Terje"[1] 192.168.1.1:4500 unrouted: NULL; eroute owner: NULL
| configured authentication algorithm HMAC_SHA1 with key size 128
| configured esp encryption algorithm 3DES_CBC with key size 192
| sr for #2: unrouted
| route owner of "L2TP_Terje"[1] 192.168.1.1:4500 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: L2TP_Terje (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 2
| eroute_connection add eroute 62.xxx.xxx.xxx/32:0 -> 192.168.1.1/32:1701 => :17
Strange that the outbound policy is not visible with ip xfrm policy
Andreas

I presume the outbound policy should have been set by :

eroute_connection add eroute 62..xxx.xxx.xxx/32:0 -> 192.168.1.1/32:1701 => :17

function eroute_connection() in src/pluto/kernel.c, 1101 calls:

raw_eroute() calling kernel_ops->raw_eroute()
which in this case = linux_kernel_ops->raw_eroute()

The call to eroute_connection() returns 1 from linux_kernel_ops->raw_eroute() despite policy not set

Bug in linux_kernel_ops->raw_eroute() ?

#9
Updated by Terje Rosenlund almost 2 years ago

linux_kernel_ops->raw_eroute = netlink_raw_eroute; (kernel_netlink.c, 1314)
calls netlink_policy() (kernel_netlink.c, 345)
calls send_netlink_msg(hdr, &rsp.n, sizeof(rsp), "policy", text_said) // 356

which returns:

netlink XFRM_MSG_NEWPOLICY response for flow  included errno 0: Success
netlink XFRM_MSG_NEWPOLICY response for flow  included errno 0: Success

..but

[root@trixi /usr/src/strongswan-4.3.6rc2]#ip xfrm policy 
    ...
    src ::/0 dst ::/0 
            dir 4 priority 0 ptype main 
    src 192.168.1.1/32 dst 62.101.205.112/32 proto udp sport 1701 
            dir in priority 2080 ptype main 
            tmpl src 0.0.0.0 dst 0.0.0.0
                    proto esp reqid 16393 mode transport
[root@trixi /usr/src/strongswan-4.3.6rc2]#ip xfrm state
    src 192.168.1.1 dst 192.168.1.10
            proto esp spi 0x81712fd7 reqid 16393 mode transport
            replay-window 32 
            auth hmac(md5) 0x776110555e59954768a98f96fc8d20f0
            enc cbc(des3_ede) 0x35d5db7167e2be76aef6a84cbcedbf005bc37c9853b26194
            encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
            sel src 0.0.0.0/0 dst 0.0.0.0/0 
    src 192.168.1.10 dst 192.168.1.1
            proto esp spi 0xe195e952 reqid 16393 mode transport
            replay-window 32 
            auth hmac(md5) 0x38263124d912a8822f19fbf481998535
            enc cbc(des3_ede) 0xd9198a7ba8f2d4a66fc9b65869d5ee05b4c64ae1dd062594
            encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
            sel src 0.0.0.0/0 dst 0.0.0.0/0

Seems like send_netlink_msg() fails to setup policy AND fails to detect the failure

#10
Updated by Terje Rosenlund almost 2 years ago

Looks like I have found out why send_netlink_msg() fails to setup policy

I have previously experimented width multiple ip's on eth0 but thought I had removed it
strongswan4.log shows that this was not the case as I had forgotten to remove 2 files
After removing these files 'ip xfrm policy' shows both in- and out- policies (?)

strongswan4.log also containes output from 'iptables -L -v' and still shows that no L2TP-packets are passed true the rules created by strongswan

Looks to me that my comment regarding strongswan.log may be correct and will try adding my own rules to FORWARD- and OUTPUT- chains also

#11
Updated by Terje Rosenlund almost 2 years ago

Creating my own rules in iptables did not help

I have set up a new server from scratch and installed fc12 and updates
to ensure that there is nothing in my linux intstall that could cause trouble
Also switched to: ipsec version

Linux strongSwan U4.3.6/K2.6.31.12-174.2.22.fc12.i686

Also updated to 4.3.6 on my original strongswan server

After this update the negotiations on both servers stops in 'responding to Quick Mode'
By comparing logs I saw new behavior in this message: '***emit ISAKMP Nonce Payload'

Disabling lines 5073 - 5082 in ./pluto/ipsec_doi.c solved this problem so I presume it's wrong to include '***emit ISAKMP Nonce Payload' in this message (? ..at least against xp)

#12
Updated by Terje Rosenlund almost 2 years ago

Created new issue regarding my previous input and reverted to
Server: Linux strongSwan U4.3.6rc2/K2.6.27.25-78.2.56.fc9.i686 for this case

Attached strongswan5.log where outbound policy shows up as expected but still sending unencrypted L2TP packets

iptables-stats shows:

  • No packets passing strongswans l2tp INPUT-roule
  • L2tp packets are accepted by next (my) roule (no 'reqid xxxxx')
  • No packets are passed true the FORWARD chain and
  • All L2tp packets leaving OUTPUT leaves as unencrypted l2tp packets

I'm by no means an ipsec-expert and my have an impossible test setting where both client and server resides behind same router and are on the same subnet. Ip-pool for l2tp also resides in same subnet but in a range not used on LAN. Client connects to server true routers wan-ip.

UPDATE:
Client and server behind same nat-device on same subnet works after patching source as described below
Patch described in bug #108 must also be applied if using U4.3.6

#13
Updated by Terje Rosenlund almost 2 years ago

Delayed update caused me to double post next

#14
Updated by Terje Rosenlund almost 2 years ago

Changed and tested my setup without nat and all worked well
Changed and tested with only strongswan-server (responder) behind nat but observe the same behaviour as when both nated:

  • IPSec established
  • Unencrypted l2tp packets as reply from server

I observe that:

  • Leftsourceip or leftsubnet is used as origin/destination for created policies and roules in iptables
  • Incoming requests for a tunnel causes the external ip to be used for policy-matching and therefore requires leftsourceip or leftsubnet to be set to the external ip
  • All incoming traffic from the client (initiator) arrives with servers internal ip as dest-ip and therefore do not match any policy or iptable-roule based on external ip

It seems more logical to me to set leftsubnet to the internal subnet left is part of and use internal nat'ed ip as origin/destination when matching policies

#15
Updated by Terje Rosenlund almost 2 years ago

Changed source in ./pluto/connections.c according to my last update:

function find_client_connection()
    line 3897, added: our_net = &c->spd.this.client;

our_net holds external nated ip when passed to find_client_connection() but packets from initiating xp-client always arrives on responding openswan-server with servers local ip as destination-ip (also when server recides behind nat)

function fc_try()
    line 3649    :    if (!samesubnet(&sr->this.client, our_net))
    replaced by    :    if (!subnetinsubnet(our_net, &sr->this.client))

Original check on line 3649 implies that leftsubnet must match sr->this.client (including mask 32), making leftsubnet meaningless and superfluous
New check allowes eg. leftsubnet to be a subnet without causing a host address to fail

I have observed that policy-matching uses 'left' if 'leftsubnet' or 'leftsourceip' is not given or if left is within leftsubnet (?)
(eg. left=192.168.1.10 and leftsubnet=192.168.1.0/24)

Based on this I have come to the conclusion that leftsourceip is realy meaningless and superfluous and removed it from my conf

UPDATE:

leftsourceip/leftsubnet is superfluous in relation to connection selection but not in relation to created iptable roules and policies

The combined result is that I now (using same connection) can connect:

  • Not nated xp-client to not nated strongswan-server
  • Not nated xp-client to nated strongswan-server
  • Nated xp-client to nated strongswan-server

(Nated xp-client to not nated strongswan-server is not possible and should be tested by another client)

As mentioned before, I'm not an ipsec-expert and there may be implications I do not see so your opinion will be greatly appreciated

#16
Updated by nanjian5 Lee 8 months ago

  • Affected version set to 4.5.2

In my mind:
leftsourceip is used as a proposal when the right endpoint config that rightsourceip=%config.

leftsubnet is usea as the Traffic selector of initiator, which is defined in the RFC.

Hi,Terje,

Do it work in the sceniar of Nated xp-client to nated strongswan-server?

#17
Updated by Terje Rosenlund 8 months ago

I have not been working on this for a long time but my previous post states:

_The combined result is that I now (using same connection) can connect:

Not nated xp-client to not nated strongswan-server
    Not nated xp-client to nated strongswan-server
    Nated xp-client to nated strongswan-server
_
So the answer is Yes

Also available in: Atom PDF