Project

General

Profile

Issue #1313

Additional TS inserted when IKEv2 connection initiated by traffic on FreeBSD

Added by Chris Buechler over 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.3.5
Resolution:
No change required

Description

Take a connection like the following:

conn con1
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = 172.27.44.149
    right = 172.27.44.47
    leftid = 172.27.44.149
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes256-sha1-modp1024!
    esp = aes256-sha1,aes192-sha1,aes128-sha1,aes256-sha1,aes192-sha1,aes128-sha1!
    leftauth = psk
    rightauth = psk
    rightid = 172.27.44.47
    rightsubnet = 192.168.25.0/24
    leftsubnet = 192.168.64.0/24

on FreeBSD 10.1, 10.3 and 11, strongswan 5.3.x up to 5.3.5, and 5.4.0dr6, with a Cisco ASA v9.3 as the remote endpoint. It seems like this is specific to FreeBSD, as the same config on Linux doesn't do this, but I'm not seeing how this could be an issue in FreeBSD itself.

When the connection is triggered to come up by traffic matching the SPD, strongswan sends two TSes. The first is external IP to external IP, the second the leftsubnet/rightsubnet. The ASA logs:

(10):  TSi(10):   Next payload: TSr, reserved: 0x0, length: 40
(10):     Num of TSs: 2, reserved 0x0, reserved 0x0
(10):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(10):     start port: 0, end port: 65535
(10):     start addr: 172.27.44.149, end addr: 172.27.44.149
(10):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(10):     start port: 0, end port: 65535
(10):     start addr: 192.168.64.0, end addr: 192.168.64.255
(10):  TSr(10):   Next payload: NONE, reserved: 0x0, length: 40
(10):     Num of TSs: 2, reserved 0x0, reserved 0x0
(10):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(10):     start port: 0, end port: 65535
(10):     start addr: 172.27.44.47, end addr: 172.27.44.47
(10):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(10):     start port: 0, end port: 65535
(10):     start addr: 192.168.25.0, end addr: 192.168.25.255

This fails because the ASA only supports a single TS and the first doesn't match, so you end up getting:

Local:172.27.44.47:500 Remote:172.27.44.149:500 Username:172.27.44.149 IKEv2 Negotiation aborted due to ERROR: Failed to find a matching policy
Local:172.27.44.47:500 Remote:172.27.44.149:500 Username:172.27.44.149 IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 192.168.64.0/192.168.64.255/0/65535/0 local traffic selector 192.168.25.0/192.168.25.255/0/65535/0!

But bring it up with 'ipsec up con1', and it sends a single TS correctly containing leftsubnet/rightsubnet and it works fine.

(13):  TSi(13):   Next payload: TSr, reserved: 0x0, length: 24
(13):     Num of TSs: 1, reserved 0x0, reserved 0x0
(13):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(13):     start port: 0, end port: 65535
(13):     start addr: 192.168.64.0, end addr: 192.168.64.255
(13):  TSr(13):   Next payload: NONE, reserved: 0x0, length: 24
(13):     Num of TSs: 1, reserved 0x0, reserved 0x0
(13):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(13):     start port: 0, end port: 65535
(13):     start addr: 192.168.26.0, end addr: 192.168.26.255

History

#1 Updated by Tobias Brunner over 4 years ago

  • Status changed from New to Feedback

Try setting charon.ignore_acquire_ts=yes in strongswan.conf. The behavior should be the same for Linux but it might depend on the kernel version, the kernel-interface, the kind of traffic triggering the SA etc.

#2 Updated by Chris Buechler about 4 years ago

That fixes the issue, thanks Tobias!

#3 Updated by Tobias Brunner about 4 years ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

Also available in: Atom PDF