Issue #1313
Additional TS inserted when IKEv2 connection initiated by traffic on FreeBSD
Description
Take a connection like the following:
conn con1
fragmentation = yes
keyexchange = ikev2
reauth = yes
forceencaps = no
mobike = no
rekey = yes
installpolicy = yes
type = tunnel
dpdaction = restart
dpddelay = 10s
dpdtimeout = 60s
auto = route
left = 172.27.44.149
right = 172.27.44.47
leftid = 172.27.44.149
ikelifetime = 28800s
lifetime = 3600s
ike = aes256-sha1-modp1024!
esp = aes256-sha1,aes192-sha1,aes128-sha1,aes256-sha1,aes192-sha1,aes128-sha1!
leftauth = psk
rightauth = psk
rightid = 172.27.44.47
rightsubnet = 192.168.25.0/24
leftsubnet = 192.168.64.0/24
on FreeBSD 10.1, 10.3 and 11, strongswan 5.3.x up to 5.3.5, and 5.4.0dr6, with a Cisco ASA v9.3 as the remote endpoint. It seems like this is specific to FreeBSD, as the same config on Linux doesn't do this, but I'm not seeing how this could be an issue in FreeBSD itself.
When the connection is triggered to come up by traffic matching the SPD, strongswan sends two TSes. The first is external IP to external IP, the second the leftsubnet/rightsubnet. The ASA logs:
(10): TSi(10): Next payload: TSr, reserved: 0x0, length: 40 (10): Num of TSs: 2, reserved 0x0, reserved 0x0 (10): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 (10): start port: 0, end port: 65535 (10): start addr: 172.27.44.149, end addr: 172.27.44.149 (10): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 (10): start port: 0, end port: 65535 (10): start addr: 192.168.64.0, end addr: 192.168.64.255 (10): TSr(10): Next payload: NONE, reserved: 0x0, length: 40 (10): Num of TSs: 2, reserved 0x0, reserved 0x0 (10): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 (10): start port: 0, end port: 65535 (10): start addr: 172.27.44.47, end addr: 172.27.44.47 (10): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 (10): start port: 0, end port: 65535 (10): start addr: 192.168.25.0, end addr: 192.168.25.255
This fails because the ASA only supports a single TS and the first doesn't match, so you end up getting:
Local:172.27.44.47:500 Remote:172.27.44.149:500 Username:172.27.44.149 IKEv2 Negotiation aborted due to ERROR: Failed to find a matching policy Local:172.27.44.47:500 Remote:172.27.44.149:500 Username:172.27.44.149 IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 192.168.64.0/192.168.64.255/0/65535/0 local traffic selector 192.168.25.0/192.168.25.255/0/65535/0!
But bring it up with 'ipsec up con1', and it sends a single TS correctly containing leftsubnet/rightsubnet and it works fine.
(13): TSi(13): Next payload: TSr, reserved: 0x0, length: 24 (13): Num of TSs: 1, reserved 0x0, reserved 0x0 (13): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 (13): start port: 0, end port: 65535 (13): start addr: 192.168.64.0, end addr: 192.168.64.255 (13): TSr(13): Next payload: NONE, reserved: 0x0, length: 24 (13): Num of TSs: 1, reserved 0x0, reserved 0x0 (13): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 (13): start port: 0, end port: 65535 (13): start addr: 192.168.26.0, end addr: 192.168.26.255
History
#1 Updated by Tobias Brunner over 9 years ago
- Status changed from New to Feedback
Try setting charon.ignore_acquire_ts=yes in strongswan.conf. The behavior should be the same for Linux but it might depend on the kernel version, the kernel-interface, the kind of traffic triggering the SA etc.
#2 Updated by Chris Buechler over 9 years ago
That fixes the issue, thanks Tobias!
#3 Updated by Tobias Brunner over 9 years ago
- Category set to configuration
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required