Hello everyone,
Again I'm messing with the lookup of PSKs (see #2223).
Affected Versions:
Linux strongSwan U5.3.5/K4.4.104-yocto-custom
Linux strongSwan U5.6.1/K4.9.61-yocto-custom
Note that the patch changing the PSK-lookup order to first use identities (introduced in 5.5.2) from a matched ike-config -- while it does change the behavior -- does not change the outcome for the described scenario.
Note also that I'm aware that using IKEv2 probably solves those problems and that there are much better and more secure ways to configure the given scenario.
Scenario
- Configuration with multiple IKEv1 (PSK) connections that share a common IP address X as the left=leftid parameter
- One connection uses right=rightid=%any, the others use distinct IP addresses
configuration
ipsec.conf:
config setup
    cachecrls="no"
    strictcrlpolicy="yes"

conn "Testany_1"
    auto="add"
    keyexchange="ikev1"
    leftauth="psk"
    rightauth="psk"
    compress="no"
    left="10.1.130.93"
    right="%any"
    leftid="10.1.130.93"
    rightid="%any"
    rightsubnet="192.168.65.0/24"
    leftsubnet="192.168.10.0/24"
    keylife=8h
    ikelifetime=1h
    keyingtries="%forever"
    esp="aes128-sha2_256"
    ike="aes128-sha2_256-modp2048"

conn "Testany_2"
    auto="add"
    keyexchange="ikev1"
    leftauth="psk"
    rightauth="psk"
    compress="no"
    left="10.1.130.93"
    right="%any"
    leftid="10.1.130.93"
    rightid="%any"
    rightsubnet="192.168.66.0/24"
    leftsubnet="192.168.10.0/24"
    keylife=8h
    ikelifetime=1h
    keyingtries="%forever"
    esp="aes128-sha2_256"
    ike="aes128-sha2_256-modp2048"

conn "Stoerenfried_3"
    auto="add"
    keyexchange="ikev1"
    leftauth="psk"
    rightauth="psk"
    compress="no"
    left="10.1.130.93"
    right="10.1.130.96"
    leftid="10.1.130.93"
    rightid="10.1.130.96"
    rightsubnet="192.168.67.0/24"
    leftsubnet="192.168.10.0/24"
    keylife=8h
    ikelifetime=1h
    keyingtries="%forever"
    esp="aes128-sha2_256"
    ike="aes128-sha2_256-modp2048"
ipsec.secrets:
10.1.130.93 %any : PSK "ABCD"
10.1.130.93 %any : PSK "ABCD"
10.1.130.93 10.1.130.96 : PSK "XYZ0"
Result of connection attempt from remote peers
All connections with explicitly configured IP addresses work perfectly well. For those that use %any as right|rightid, a wrong PSK is selected. The selection of a PSK in this case is more or less random, depending on the order within the configuration file. What happens is:
- A connection with an explicit IP address is checked
- The local ID produces a perfect match; the remote ID is either
  - "nil" (strongswan > 5.6, with commit e92d8a56b376e6964e5f1b53b2d261f167e0b166 from #2223): in this case, no match for the remote ID is performed, the checks on the correct shared secret do not produce a better match, and it is discarded
  - "<remote IP>" (e.g. strongswan 5.3.5), which, however, yields the same result, because no match against "%any" is performed: no "%any" ID is added by the stroke plugin to the list of owners of the shared secret in the credential_manager for the above config
IMHO, this can be considered a bug, because charon actually does have enough information to unambiguously look up the correct PSK, and pluto was actually able to do so before it went into well-deserved retirement.
Instrumented Log (strongswan 5.6.1) from failed connection attempt
45088|5088|2017-12-13T13:42:42.800+01:00|charon||06[CFG] <1> looking for an ike config for 10.1.130.93...10.1.130.94
45089|5089|2017-12-13T13:42:42.800+01:00|charon||06[CFG] <1> ike config match: 1052 (10.1.130.93 10.1.130.94 IKEv1)
45090|5090|2017-12-13T13:42:42.800+01:00|charon||06[CFG] <1> candidate: 10.1.130.93...%any, prio 1052
45091|5091|2017-12-13T13:42:42.800+01:00|charon||06[CFG] <1> ike config match: 0 (10.1.130.93 10.1.130.94 IKEv1)
45092|5092|2017-12-13T13:42:42.800+01:00|charon||06[CFG] <1> found matching ike config: 10.1.130.93...%any with prio 1052
45093|5093|2017-12-13T13:42:42.800+01:00|charon||06[IKE] <1> received Main Mode message
45094|5094|2017-12-13T13:42:42.800+01:00|charon||06[IKE] <1> calling tasks to process message
45095|5095|2017-12-13T13:42:42.800+01:00|charon||06[IKE] <1> received strongSwan vendor ID
45096|5096|2017-12-13T13:42:42.800+01:00|charon||06[IKE] <1> received XAuth vendor ID
45097|5097|2017-12-13T13:42:42.800+01:00|charon||06[IKE] <1> received DPD vendor ID
45098|5098|2017-12-13T13:42:42.801+01:00|charon||06[IKE] <1> received NAT-T (RFC 3947) vendor ID
45099|5099|2017-12-13T13:42:42.801+01:00|charon||06[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
45100|5100|2017-12-13T13:42:42.801+01:00|charon||06[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
45101|5101|2017-12-13T13:42:42.801+01:00|charon||06[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
45102|5102|2017-12-13T13:42:42.801+01:00|charon||06[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
45103|5103|2017-12-13T13:42:42.801+01:00|charon||06[IKE] <1> calling tasks to process message
45104|5104|2017-12-13T13:42:42.801+01:00|charon||06[IKE] <1> calling tasks to process message
45105|5105|2017-12-13T13:42:42.801+01:00|charon||06[IKE] <1> ENTER process_r; received message in state 0
45106|5106|2017-12-13T13:42:42.801+01:00|charon||06[IKE] <1> process MM_INIT (main_mode)
45107|5107|2017-12-13T13:42:42.801+01:00|charon||06[IKE] <1> 10.1.130.94 is initiating a Main Mode IKE_SA
45108|5108|2017-12-13T13:42:42.804+01:00|charon||06[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
45109|5109|2017-12-13T13:42:42.804+01:00|charon||06[CFG] <1> selecting proposal:
45110|5110|2017-12-13T13:42:42.804+01:00|charon||06[CFG] <1> proposal matches
45111|5111|2017-12-13T13:42:42.804+01:00|charon||06[CFG] <1> received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
45112|5112|2017-12-13T13:42:42.804+01:00|charon||06[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
45113|5113|2017-12-13T13:42:42.804+01:00|charon||06[CFG] <1> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
45114|5114|2017-12-13T13:42:42.804+01:00|charon||06[IKE] <1> calling tasks to process message
45115|5115|2017-12-13T13:42:42.804+01:00|charon||06[IKE] <1> calling tasks to process message
45116|5116|2017-12-13T13:42:42.804+01:00|charon||06[IKE] <1> sending XAuth vendor ID
45117|5117|2017-12-13T13:42:42.804+01:00|charon||06[IKE] <1> sending DPD vendor ID
45118|5118|2017-12-13T13:42:42.805+01:00|charon||06[IKE] <1> sending NAT-T (RFC 3947) vendor ID
45119|5119|2017-12-13T13:42:42.832+01:00|charon||05[IKE] <1> calling tasks to process message
45120|5120|2017-12-13T13:42:42.832+01:00|charon||05[IKE] <1> calling tasks to process message
45121|5121|2017-12-13T13:42:42.832+01:00|charon||05[IKE] <1> ENTER process_r; received message in state 1
45122|5122|2017-12-13T13:42:42.832+01:00|charon||05[IKE] <1> process MM_SA (main_mode)
45123|5123|2017-12-13T13:42:42.860+01:00|charon||05[IKE] <1> calling tasks to process message
45148|5148|2017-12-13T13:42:42.865+01:00|charon||05[CFG] <1> try to get PSK from peer_cfg=(nil)
45149|5149|2017-12-13T13:42:42.865+01:00|charon||05[CFG] <1> peer_config not set; trying to get config by matching IPs with IKE config IDs (and derive PSK from there)
45150|5150|2017-12-13T13:42:42.865+01:00|charon||05[CFG] <1> peer config match local: 1 (ID_ANY)
45151|5151|2017-12-13T13:42:42.865+01:00|charon||05[CFG] <1> peer config match remote: 1 (ID_ANY)
45152|5152|2017-12-13T13:42:42.865+01:00|charon||05[CFG] <1> ike config match: 1052 (10.1.130.93 10.1.130.94 IKEv1)
45153|5153|2017-12-13T13:42:42.865+01:00|charon||05[CFG] <1> candidate "Testany_1", match: 1/1/1052 (me/other/ike)
45154|5154|2017-12-13T13:42:42.865+01:00|charon||05[CFG] <1> peer config match local: 1 (ID_ANY)
45155|5155|2017-12-13T13:42:42.865+01:00|charon||05[CFG] <1> peer config match remote: 1 (ID_ANY)
45156|5156|2017-12-13T13:42:42.865+01:00|charon||05[CFG] <1> ike config match: 0 (10.1.130.93 10.1.130.94 IKEv1)
45157|5157|2017-12-13T13:42:42.865+01:00|charon||05[IKE] <1> my_id=10.1.130.93 other_id=(null)
45158|5158|2017-12-13T13:42:42.865+01:00|charon||05[IKE] <1> trying to match me=10.1.130.93 and other=(null) to shared secrets
45159|5159|2017-12-13T13:42:42.865+01:00|charon||05[CFG] <1> calling shared filter
45160|5160|2017-12-13T13:42:42.866+01:00|charon||05[CFG] <1> got my_match=20 for 1|0a01825d and other_match=0 for 500|
45161|5161|2017-12-13T13:42:42.866+01:00|charon||05[CFG] <1> candidate key after filter => 4 bytes @ 0x95f11b8
45162|5162|2017-12-13T13:42:42.866+01:00|charon||05[CFG] <1> 0: 58 59 5A 30 XYZ0
45163|5163|2017-12-13T13:42:42.866+01:00|charon||05[CFG] <1> match_me=20 match_other=0 key==> 4 bytes @ 0x95f11b8
45164|5164|2017-12-13T13:42:42.866+01:00|charon||05[CFG] <1> 0: 58 59 5A 30 XYZ0
45165|5165|2017-12-13T13:42:42.866+01:00|charon||05[CFG] <1> better match
45166|5166|2017-12-13T13:42:42.866+01:00|charon||05[CFG] <1> calling shared filter
45167|5167|2017-12-13T13:42:42.866+01:00|charon||05[CFG] <1> got my_match=20 for 1|0a01825d and other_match=0 for 500|
45168|5168|2017-12-13T13:42:42.866+01:00|charon||05[CFG] <1> candidate key after filter => 4 bytes @ 0x95f1318
45169|5169|2017-12-13T13:42:42.866+01:00|charon||05[CFG] <1> 0: 41 42 43 44 ABCD
45170|5170|2017-12-13T13:42:42.866+01:00|charon||05[CFG] <1> match_me=20 match_other=0 key==> 4 bytes @ 0x95f1318
45171|5171|2017-12-13T13:42:42.867+01:00|charon||05[CFG] <1> 0: 41 42 43 44 ABCD
45172|5172|2017-12-13T13:42:42.867+01:00|charon||05[CFG] <1> no better match
45173|5173|2017-12-13T13:42:42.868+01:00|charon||05[CFG] <1> found PSK by IP address: => 4 bytes @ 0x95f11b8
45174|5174|2017-12-13T13:42:42.868+01:00|charon||05[CFG] <1> 0: 58 59 5A 30 XYZ0
45226|5226|2017-12-13T13:42:42.893+01:00|charon||04[IKE] <1> ID_PROT request with message ID 0 processing failed
45227|5227|2017-12-13T13:42:52.822+01:00|charon||03[IKE] <1> message parsing failed
Possible Solution
I implemented some small but possibly far-reaching changes to the PSK lookup order and the way the stroke plugin parses ipsec.secrets (see the attached patch against 5.6.2dr3). While I think that the applied logic is sound, it'd be a lie to claim that I checked all scenarios that are possibly affected by the change; I would be thankful for some input in this regard. However, I did run the (whole) strongswan test suite with the patched version of strongswan:
detailed test results
Guest kernel : 4.9.68
strongSwan : 5.6.2dr2
Date : 20171213-1045-33
[ ok ] 1 af-alg/alg-camellia: pre..test..post
[ ok ] 2 af-alg/rw-cert: pre..test..post
[ ok ] 3 gcrypt-ikev1/alg-serpent: pre..test..post
[ ok ] 4 gcrypt-ikev1/alg-twofish: pre..test..post
[ ok ] 5 gcrypt-ikev2/alg-camellia: pre..test..post
[ ok ] 6 gcrypt-ikev2/rw-cert: pre..test..post
[ ok ] 7 ha/active-passive: pre..test..post
[ ok ] 8 ha/both-active: pre..test..post
[ ok ] 9 ike/rw-cert: pre..test..post
[ ok ] 10 ike/rw_v1-net_v2: pre..test..post
[ ok ] 11 ikev1/alg-3des-md5: pre..test..post
[ ok ] 12 ikev1/alg-blowfish: pre..test..post
[ ok ] 13 ikev1/alg-modp-subgroup: pre..test..post
[ ok ] 14 ikev1/alg-sha256: pre..test..post
[ ok ] 15 ikev1/alg-sha384: pre..test..post
[ ok ] 16 ikev1/alg-sha512: pre..test..post
[ ok ] 17 ikev1/compress: pre..test..post
[ ok ] 18 ikev1/config-payload: pre..test..post
[ ok ] 19 ikev1/config-payload-push: pre..test..post
[ ok ] 20 ikev1/double-nat: pre..test..post
[ ok ] 21 ikev1/double-nat-net: pre..test..post
[ ok ] 22 ikev1/dpd-clear: pre..test..post
[ ok ] 23 ikev1/dpd-restart: pre..test..post
[ ok ] 24 ikev1/dynamic-initiator: pre..test..post
[ ok ] 25 ikev1/dynamic-responder: pre..test..post
[ ok ] 26 ikev1/dynamic-two-peers: pre..test..post
[ ok ] 27 ikev1/esp-alg-aes-ccm: pre..test..post
[ ok ] 28 ikev1/esp-alg-aes-ctr: pre..test..post
[ ok ] 29 ikev1/esp-alg-aes-gcm: pre..test..post
[ ok ] 30 ikev1/esp-alg-aes-gmac: pre..test..post
[ ok ] 31 ikev1/esp-alg-aes-xcbc: pre..test..post
[ ok ] 32 ikev1/esp-alg-null: pre..test..post
[ ok ] 33 ikev1/host2host-ah: pre..test..post
[ ok ] 34 ikev1/host2host-cert: pre..test..post
[ ok ] 35 ikev1/host2host-transport: pre..test..post
[ ok ] 36 ikev1/ip-pool: pre..test..post
[ ok ] 37 ikev1/ip-pool-db: pre..test..post
[ ok ] 38 ikev1/multi-level-ca: pre..test..post
[ ok ] 39 ikev1/multi-level-ca-cr-init: pre..test..post
[ ok ] 40 ikev1/multi-level-ca-cr-resp: pre..test..post
[ ok ] 41 ikev1/nat-rw: pre..test..post
[ ok ] 42 ikev1/nat-virtual-ip: pre..test..post
[ ok ] 43 ikev1/net2net-ah: pre..test..post
[ ok ] 44 ikev1/net2net-cert: pre..test..post
[ ok ] 45 ikev1/net2net-esn: pre..test..post
[ ok ] 46 ikev1/net2net-fragmentation: pre..test..post
[ ok ] 47 ikev1/net2net-ntru-cert: pre..test..post
[ ok ] 48 ikev1/net2net-psk: pre..test..post
[ ok ] 49 ikev1/net2net-psk-fail: pre..test..post
[ ok ] 50 ikev1/protoport-dual: pre..test..post
[ ok ] 51 ikev1/rw-cert: pre..test..post
[ ok ] 52 ikev1/rw-cert-aggressive: pre..test..post
[ ok ] 53 ikev1/rw-cert-unity: pre..test..post
[ ok ] 54 ikev1/rw-initiator-only: pre..test..post
[ ok ] 55 ikev1/rw-ntru-psk: pre..test..post
[ ok ] 56 ikev1/rw-psk-aggressive: pre..test..post
[ ok ] 57 ikev1/rw-psk-fqdn: pre..test..post
[ ok ] 58 ikev1/rw-psk-ipv4: pre..test..post
[ ok ] 59 ikev1/virtual-ip: pre..test..post
[ ok ] 60 ikev1/xauth-id-psk-config: pre..test..post
[ ok ] 61 ikev1/xauth-id-rsa-aggressive: pre..test..post
[ ok ] 62 ikev1/xauth-id-rsa-config: pre..test..post
[ ok ] 63 ikev1/xauth-id-rsa-hybrid: pre..test..post
[ ok ] 64 ikev1/xauth-psk: pre..test..post
[ ok ] 65 ikev1/xauth-rsa: pre..test..post
[ ok ] 66 ikev1/xauth-rsa-eap-md5-radius: pre..test..post
[ ok ] 67 ikev1/xauth-rsa-radius: pre..test..post
[ ok ] 68 ikev2/acert-cached: pre..test..post
[ ok ] 69 ikev2/acert-fallback: pre..test..post
[ ok ] 70 ikev2/acert-inline: pre..test..post
[ ok ] 71 ikev2/after-2038-certs: pre..test..post
[ ok ] 72 ikev2/alg-3des-md5: pre..test..post
[ ok ] 73 ikev2/alg-aes-ccm: pre..test..post
[ ok ] 74 ikev2/alg-aes-ctr: pre..test..post
[ ok ] 75 ikev2/alg-aes-gcm: pre..test..post
[ ok ] 76 ikev2/alg-aes-xcbc: pre..test..post
[ ok ] 77 ikev2/alg-blowfish: pre..test..post
[ ok ] 78 ikev2/alg-chacha20poly1305: pre..test..post
[ ok ] 79 ikev2/alg-modp-subgroup: pre..test..post
[ ok ] 80 ikev2/alg-sha256: pre..test..post
[ ok ] 81 ikev2/alg-sha256-96: pre..test..post
[ ok ] 82 ikev2/alg-sha384: pre..test..post
[ ok ] 83 ikev2/alg-sha512: pre..test..post
[ ok ] 84 ikev2/any-interface: pre..test..post
[ ok ] 85 ikev2/compress: pre..test..post
[ ok ] 86 ikev2/compress-nat: pre..test..post
[ ok ] 87 ikev2/config-payload: pre..test..post
[ ok ] 88 ikev2/config-payload-swapped: pre..test..post
[ ok ] 89 ikev2/critical-extension: pre..test..post
[ ok ] 90 ikev2/crl-from-cache: pre..test..post
[ ok ] 91 ikev2/crl-ldap: pre..test..post
[ ok ] 92 ikev2/crl-revoked: pre..test..post
[ ok ] 93 ikev2/crl-to-cache: pre..test..post
[ ok ] 94 ikev2/dhcp-dynamic: pre..test..post
[ ok ] 95 ikev2/dhcp-static-client-id: pre..test..post
[ ok ] 96 ikev2/dhcp-static-mac: pre..test..post
[ ok ] 97 ikev2/double-nat: pre..test..post
[ ok ] 98 ikev2/double-nat-net: pre..test..post
[ ok ] 99 ikev2/dpd-clear: pre..test..post
[ ok ] 100 ikev2/dpd-hold: pre..test..post
[ ok ] 101 ikev2/dpd-restart: pre..test..post
[ ok ] 102 ikev2/dynamic-initiator: pre..test..post
[ ok ] 103 ikev2/dynamic-two-peers: pre..test..post
[ ok ] 104 ikev2/esp-alg-aes-gmac: pre..test..post
[ ok ] 105 ikev2/esp-alg-md5-128: pre..test..post
[ ok ] 106 ikev2/esp-alg-null: pre..test..post
[ ok ] 107 ikev2/esp-alg-sha1-160: pre..test..post
[ ok ] 108 ikev2/farp: pre..test..post
[ ok ] 109 ikev2/force-udp-encaps: pre..test..post
[ ok ] 110 ikev2/forecast: pre..test..post
[ ok ] 111 ikev2/host2host-ah: pre..test..post
[ ok ] 112 ikev2/host2host-cert: pre..test..post
[ ok ] 113 ikev2/host2host-swapped: pre..test..post
[ ok ] 114 ikev2/host2host-transport: pre..test..post
[ ok ] 115 ikev2/host2host-transport-connmark: pre..test..post
[ ok ] 116 ikev2/host2host-transport-nat: pre..test..post
[ ok ] 117 ikev2/inactivity-timeout: pre..test..post
[ ok ] 118 ikev2/ip-pool: pre..test..post
[ ok ] 119 ikev2/ip-pool-db: pre..test..post
[ ok ] 120 ikev2/ip-pool-wish: pre..test..post
[ ok ] 121 ikev2/ip-split-pools-db: pre..test..post
[ ok ] 122 ikev2/ip-two-pools: pre..test..post
[ ok ] 123 ikev2/ip-two-pools-db: pre..test..post
[ ok ] 124 ikev2/ip-two-pools-mixed: pre..test..post
[ ok ] 125 ikev2/ip-two-pools-v4v6: pre..test..post
[ ok ] 126 ikev2/ip-two-pools-v4v6-db: pre..test..post
[ ok ] 127 ikev2/lookip: pre..test..post
[ ok ] 128 ikev2/mobike: pre..test..post
[ ok ] 129 ikev2/mobike-nat: pre..test..post
[ ok ] 130 ikev2/mobike-virtual-ip: pre..test..post
[ ok ] 131 ikev2/mult-auth-rsa-eap-sim-id: pre..test..post
[ ok ] 132 ikev2/multi-level-ca: pre..test..post
[ ok ] 133 ikev2/multi-level-ca-cr-init: pre..test..post
[ ok ] 134 ikev2/multi-level-ca-cr-resp: pre..test..post
[ ok ] 135 ikev2/multi-level-ca-ldap: pre..test..post
[ ok ] 136 ikev2/multi-level-ca-loop: pre..test..post
[ ok ] 137 ikev2/multi-level-ca-pathlen: pre..test..post
[ ok ] 138 ikev2/multi-level-ca-revoked: pre..test..post
[ ok ] 139 ikev2/multi-level-ca-strict: pre..test..post
[ ok ] 140 ikev2/nat-rw: pre..test..post
[ ok ] 141 ikev2/nat-rw-mark: pre..test..post
[ ok ] 142 ikev2/nat-rw-psk: pre..test..post
[ ok ] 143 ikev2/nat-virtual-ip: pre..test..post
[ ok ] 144 ikev2/net2net-ah: pre..test..post
[ ok ] 145 ikev2/net2net-cert: pre..test..post
[ ok ] 146 ikev2/net2net-cert-sha2: pre..test..post
[ ok ] 147 ikev2/net2net-dnscert: pre..test..post
[ ok ] 148 ikev2/net2net-dnssec: pre..test..post
[ ok ] 149 ikev2/net2net-ed25519: pre..test..post
[ ok ] 150 ikev2/net2net-esn: pre..test..post
[ ok ] 151 ikev2/net2net-fragmentation: pre..test..post
[ ok ] 152 ikev2/net2net-multicast: pre..test..post
[ ok ] 153 ikev2/net2net-ntru-bandwidth: pre..test..post
[ ok ] 154 ikev2/net2net-ntru-cert: pre..test..post
[ ok ] 155 ikev2/net2net-pgp-v3: pre..test..post
[ ok ] 156 ikev2/net2net-pgp-v4: pre..test..post
[ ok ] 157 ikev2/net2net-pkcs12: pre..test..post
[ ok ] 158 ikev2/net2net-psk: pre..test..post
[ ok ] 159 ikev2/net2net-psk-dscp: pre..test..post
[ ok ] 160 ikev2/net2net-psk-fail: pre..test..post
[ ok ] 161 ikev2/net2net-pubkey: pre..test..post
[ ok ] 162 ikev2/net2net-rekey: pre..test..post
[ ok ] 163 ikev2/net2net-rfc3779: pre..test..post
[ ok ] 164 ikev2/net2net-route: pre..test..post
[ ok ] 165 ikev2/net2net-rsa: pre..test..post
[ ok ] 166 ikev2/net2net-same-nets: pre..test..post
[ ok ] 167 ikev2/net2net-start: pre..test..post
[ ok ] 168 ikev2/ocsp-local-cert: pre..test..post
[ ok ] 169 ikev2/ocsp-multi-level: pre..test..post
[ ok ] 170 ikev2/ocsp-no-signer-cert: pre..test..post
[ ok ] 171 ikev2/ocsp-revoked: pre..test..post
[ ok ] 172 ikev2/ocsp-root-cert: pre..test..post
[ ok ] 173 ikev2/ocsp-signer-cert: pre..test..post
[ ok ] 174 ikev2/ocsp-strict-ifuri: pre..test..post
[ ok ] 175 ikev2/ocsp-timeouts-good: pre..test..post
[ ok ] 176 ikev2/ocsp-timeouts-unknown: pre..test..post
[ ok ] 177 ikev2/ocsp-untrusted-cert: pre..test..post
[ ok ] 178 ikev2/protoport-dual: pre..test..post
[ ok ] 179 ikev2/protoport-route: pre..test..post
[ ok ] 180 ikev2/reauth-early: pre..test..post
[ ok ] 181 ikev2/reauth-late: pre..test..post
[ ok ] 182 ikev2/reauth-mbb: pre..test..post
[ ok ] 183 ikev2/reauth-mbb-revoked: pre..test..post
[ ok ] 184 ikev2/reauth-mbb-virtual-ip: pre..test..post
[ ok ] 185 ikev2/redirect-active: pre..test..post
[ ok ] 186 ikev2/rw-cert: pre..test..post
[ ok ] 187 ikev2/rw-dnssec: pre..test..post
[ ok ] 188 ikev2/rw-eap-aka-id-rsa: pre..test..post
[ ok ] 189 ikev2/rw-eap-aka-rsa: pre..test..post
[ ok ] 190 ikev2/rw-eap-aka-sql-rsa: pre..test..post
[ ok ] 191 ikev2/rw-eap-dynamic: pre..test..post
[ ok ] 192 ikev2/rw-eap-framed-ip-radius: pre..test..post
[ ok ] 193 ikev2/rw-eap-md5-class-radius: pre..test..post
[ ok ] 194 ikev2/rw-eap-md5-id-prompt: pre..test..post
[ ok ] 195 ikev2/rw-eap-md5-id-radius: pre..test..post
[ ok ] 196 ikev2/rw-eap-md5-radius: pre..test..post
[ ok ] 197 ikev2/rw-eap-md5-rsa: pre..test..post
[ ok ] 198 ikev2/rw-eap-mschapv2-id-rsa: pre..test..post
[ ok ] 199 ikev2/rw-eap-peap-md5: pre..test..post
[ ok ] 200 ikev2/rw-eap-peap-mschapv2: pre..test..post
[ ok ] 201 ikev2/rw-eap-peap-radius: pre..test..post
[ ok ] 202 ikev2/rw-eap-sim-id-radius: pre..test..post
[ ok ] 203 ikev2/rw-eap-sim-only-radius: pre..test..post
[ ok ] 204 ikev2/rw-eap-sim-radius: pre..test..post
[ ok ] 205 ikev2/rw-eap-sim-rsa: pre..test..post
[ ok ] 206 ikev2/rw-eap-tls-fragments: pre..test..post
[ ok ] 207 ikev2/rw-eap-tls-only: pre..test..post
[ ok ] 208 ikev2/rw-eap-tls-radius: pre..test..post
[ ok ] 209 ikev2/rw-eap-ttls-only: pre..test..post
[ ok ] 210 ikev2/rw-eap-ttls-phase2-piggyback: pre..test..post
[ ok ] 211 ikev2/rw-eap-ttls-radius: pre..test..post
[ ok ] 212 ikev2/rw-hash-and-url: pre..test..post
[ ok ] 213 ikev2/rw-initiator-only: pre..test..post
[ ok ] 214 ikev2/rw-mark-in-out: pre..test..post
[ ok ] 215 ikev2/rw-newhope-bliss: pre..test..post
[ ok ] 216 ikev2/rw-ntru-bliss: pre..test..post
[ ok ] 217 ikev2/rw-ntru-psk: pre..test..post
[ ok ] 218 ikev2/rw-pkcs8: pre..test..post
[ ok ] 219 ikev2/rw-psk-fqdn: pre..test..post
[ ok ] 220 ikev2/rw-psk-ipv4: pre..test..post
[ ok ] 221 ikev2/rw-psk-no-idr: pre..test..post
[ ok ] 222 ikev2/rw-psk-rsa-mixed: pre..test..post
[ ok ] 223 ikev2/rw-psk-rsa-split: pre..test..post
[ ok ] 224 ikev2/rw-radius-accounting: pre..test..post
[ ok ] 225 ikev2/rw-sig-auth: pre..test..post
[ ok ] 226 ikev2/rw-whitelist: pre..test..post
[ ok ] 227 ikev2/shunt-policies-nat-rw: pre..test..post
[ ok ] 228 ikev2/strong-keys-certs: pre..test..post
[ ok ] 229 ikev2/trap-any: pre..test..post
[ ok ] 230 ikev2/two-certs: pre..test..post
[ ok ] 231 ikev2/virtual-ip: pre..test..post
[ ok ] 232 ikev2/virtual-ip-override: pre..test..post
[ ok ] 233 ikev2/wildcards: pre..test..post
[ ok ] 234 ipv6/host2host-ikev1: pre..test..post
[ ok ] 235 ipv6/host2host-ikev2: pre..test..post
[ ok ] 236 ipv6/net2net-ikev1: pre..test..post
[ ok ] 237 ipv6/net2net-ikev2: pre..test..post
[ ok ] 238 ipv6/net2net-ip4-in-ip6-ikev1: pre..test..post
[ ok ] 239 ipv6/net2net-ip4-in-ip6-ikev2: pre..test..post
[ ok ] 240 ipv6/net2net-ip6-in-ip4-ikev1: pre..test..post
[ ok ] 241 ipv6/net2net-ip6-in-ip4-ikev2: pre..test..post
[ ok ] 242 ipv6/net2net-rfc3779-ikev2: pre..test..post
[ ok ] 243 ipv6/rw-compress-ikev2: pre..test..post
[ ok ] 244 ipv6/rw-ikev1: pre..test..post
[ ok ] 245 ipv6/rw-ikev2: pre..test..post
[ ok ] 246 ipv6/rw-ip6-in-ip4-ikev1: pre..test..post
[ ok ] 247 ipv6/rw-ip6-in-ip4-ikev2: pre..test..post
[ ok ] 248 ipv6/rw-psk-ikev1: pre..test..post
[ ok ] 249 ipv6/rw-psk-ikev2: pre..test..post
[ ok ] 250 ipv6/rw-rfc3779-ikev2: pre..test..post
[ ok ] 251 ipv6/transport-ikev1: pre..test..post
[ ok ] 252 ipv6/transport-ikev2: pre..test..post
[ ok ] 253 ipv6-stroke/host2host-ikev1: pre..test..post
[ ok ] 254 ipv6-stroke/host2host-ikev2: pre..test..post
[ ok ] 255 ipv6-stroke/net2net-ikev1: pre..test..post
[ ok ] 256 ipv6-stroke/net2net-ikev2: pre..test..post
[ ok ] 257 ipv6-stroke/net2net-ip4-in-ip6-ikev1: pre..test..post
[ ok ] 258 ipv6-stroke/net2net-ip4-in-ip6-ikev2: pre..test..post
[ ok ] 259 ipv6-stroke/net2net-ip6-in-ip4-ikev1: pre..test..post
[ ok ] 260 ipv6-stroke/net2net-ip6-in-ip4-ikev2: pre..test..post
[ ok ] 261 ipv6-stroke/rw-ikev1: pre..test..post
[ ok ] 262 ipv6-stroke/rw-ikev2: pre..test..post
[ ok ] 263 ipv6-stroke/rw-ip6-in-ip4-ikev1: pre..test..post
[ ok ] 264 ipv6-stroke/rw-ip6-in-ip4-ikev2: pre..test..post
[ ok ] 265 ipv6-stroke/rw-psk-ikev1: pre..test..post
[ ok ] 266 ipv6-stroke/rw-psk-ikev2: pre..test..post
[ ok ] 267 ipv6-stroke/transport-ikev1: pre..test..post
[ ok ] 268 ipv6-stroke/transport-ikev2: pre..test..post
[ ok ] 269 libipsec/host2host-cert: pre..test..post
[ ok ] 270 libipsec/net2net-3des: pre..test..post
[ ok ] 271 libipsec/net2net-cert: pre..test..post
[ ok ] 272 libipsec/net2net-cert-ipv6: pre..test..post
[ ok ] 273 libipsec/net2net-null: pre..test..post
[ ok ] 274 openssl-ikev1/alg-camellia: pre..test..post
[ ok ] 275 openssl-ikev1/alg-ecp-high: pre..test..post
[ ok ] 276 openssl-ikev1/alg-ecp-low: pre..test..post
[ ok ] 277 openssl-ikev1/ecdsa-certs: pre..test..post
[ ok ] 278 openssl-ikev2/alg-aes-gcm: pre..test..post
[ ok ] 279 openssl-ikev2/alg-blowfish: pre..test..post
[ ok ] 280 openssl-ikev2/alg-camellia: pre..test..post
[ ok ] 281 openssl-ikev2/alg-ecp-brainpool-high: pre..test..post
[ ok ] 282 openssl-ikev2/alg-ecp-brainpool-low: pre..test..post
[ ok ] 283 openssl-ikev2/alg-ecp-high: pre..test..post
[ ok ] 284 openssl-ikev2/alg-ecp-low: pre..test..post
[ ok ] 285 openssl-ikev2/critical-extension: pre..test..post
[ ok ] 286 openssl-ikev2/ecdsa-certs: pre..test..post
[ ok ] 287 openssl-ikev2/ecdsa-pkcs8: pre..test..post
[ ok ] 288 openssl-ikev2/net2net-pgp-v3: pre..test..post
[ ok ] 289 openssl-ikev2/net2net-pkcs12: pre..test..post
[ ok ] 290 openssl-ikev2/rw-cert: pre..test..post
[ ok ] 291 openssl-ikev2/rw-eap-tls-only: pre..test..post
[ ok ] 292 openssl-ikev2/rw-suite-b-128: pre..test..post
[ ok ] 293 openssl-ikev2/rw-suite-b-192: pre..test..post
[ ok ] 294 p2pnat/behind-same-nat: pre..test..post
[ ok ] 295 p2pnat/medsrv-psk: pre..test..post
[ ok ] 296 pfkey/alg-aes-xcbc: pre..test..post
[ ok ] 297 pfkey/alg-sha384: pre..test..post
[ ok ] 298 pfkey/alg-sha512: pre..test..post
[ ok ] 299 pfkey/compress: pre..test..post
[ ok ] 300 pfkey/esp-alg-null: pre..test..post
[ ok ] 301 pfkey/host2host-transport: pre..test..post
[ ok ] 302 pfkey/nat-rw: pre..test..post
[ ok ] 303 pfkey/net2net-rekey: pre..test..post
[ ok ] 304 pfkey/net2net-route: pre..test..post
[ ok ] 305 pfkey/protoport-dual: pre..test..post
[ ok ] 306 pfkey/protoport-route: pre..test..post
[ ok ] 307 pfkey/rw-cert: pre..test..post
[ ok ] 308 pfkey/shunt-policies-nat-rw: pre..test..post
[ ok ] 309 sql/ip-pool-db: pre..test..post
[ ok ] 310 sql/ip-pool-db-expired: pre..test..post
[ ok ] 311 sql/ip-pool-db-restart: pre..test..post
[ ok ] 312 sql/ip-split-pools-db: pre..test..post
[ ok ] 313 sql/ip-split-pools-db-restart: pre..test..post
[ ok ] 314 sql/multi-level-ca: pre..test..post
[ ok ] 315 sql/net2net-cert: pre..test..post
[ ok ] 316 sql/net2net-psk: pre..test..post
[ ok ] 317 sql/net2net-route-pem: pre..test..post
[ ok ] 318 sql/net2net-start-pem: pre..test..post
[ ok ] 319 sql/rw-cert: pre..test..post
[ ok ] 320 sql/rw-eap-aka-rsa: pre..test..post
[ ok ] 321 sql/rw-psk-ipv4: pre..test..post
[ ok ] 322 sql/rw-psk-ipv6: pre..test..post
[ ok ] 323 sql/rw-psk-rsa-split: pre..test..post
[ ok ] 324 sql/rw-rsa: pre..test..post
[ ok ] 325 sql/rw-rsa-keyid: pre..test..post
[ ok ] 326 sql/shunt-policies-nat-rw: pre..test..post
[ ok ] 327 swanctl/config-payload: pre..test..post
[ ok ] 328 swanctl/crl-to-cache: pre..test..post
[ ok ] 329 swanctl/dhcp-dynamic: pre..test..post
[ ok ] 330 swanctl/frags-ipv4: pre..test..post
[ ok ] 331 swanctl/frags-ipv6: pre..test..post
[ ok ] 332 swanctl/ip-pool: pre..test..post
[ ok ] 333 swanctl/ip-pool-db: pre..test..post
[ ok ] 334 swanctl/manual-prio: pre..test..post
[ ok ] 335 swanctl/mult-auth-rsa-eap-sim-id: pre..test..post
[ ok ] 336 swanctl/multi-level-ca: pre..test..post
[ ok ] 337 swanctl/net2net-cert: pre..test..post
[ ok ] 338 swanctl/net2net-ed25519: pre..test..post
[ ok ] 339 swanctl/net2net-gw: pre..test..post
[ ok ] 340 swanctl/net2net-multicast: pre..test..post
[ ok ] 341 swanctl/net2net-pubkey: pre..test..post
[ ok ] 342 swanctl/net2net-route: pre..test..post
[ ok ] 343 swanctl/net2net-sha3-rsa-cert: pre..test..post
[ ok ] 344 swanctl/net2net-start: pre..test..post
[ ok ] 345 swanctl/ocsp-disabled: pre..test..post
[ ok ] 346 swanctl/ocsp-multi-level: pre..test..post
[ ok ] 347 swanctl/ocsp-signer-cert: pre..test..post
[ ok ] 348 swanctl/protoport-dual: pre..test..post
[ ok ] 349 swanctl/protoport-range: pre..test..post
[ ok ] 350 swanctl/rw-cert: pre..test..post
[ ok ] 351 swanctl/rw-cert-pss: pre..test..post
[ ok ] 352 swanctl/rw-dnssec: pre..test..post
[ ok ] 353 swanctl/rw-eap-aka-sql-rsa: pre..test..post
[ ok ] 354 swanctl/rw-eap-md5-id-rsa: pre..test..post
[ ok ] 355 swanctl/rw-eap-tls-sha3-rsa: pre..test..post
[ ok ] 356 swanctl/rw-hash-and-url: pre..test..post
[ ok ] 357 swanctl/rw-multi-ciphers-ikev1: pre..test..post
[ ok ] 358 swanctl/rw-newhope-bliss: pre..test..post
[ ok ] 359 swanctl/rw-ntru-bliss: pre..test..post
[ ok ] 360 swanctl/rw-psk-fqdn: pre..test..post
[ ok ] 361 swanctl/rw-psk-ikev1: pre..test..post
[ ok ] 362 swanctl/rw-psk-ipv4: pre..test..post
[ ok ] 363 swanctl/rw-pubkey-anon: pre..test..post
[ ok ] 364 swanctl/rw-pubkey-keyid: pre..test..post
[ ok ] 365 swanctl/shunt-policies-nat-rw: pre..test..post
[ ok ] 366 swanctl/xauth-rsa: pre..test..post
[ ok ] 367 tkm/host2host-initiator: pre..test..post
[ ok ] 368 tkm/host2host-responder: pre..test..post
[ ok ] 369 tkm/host2host-xfrmproxy: pre..test..post
[ ok ] 370 tkm/multiple-clients: pre..test..post
[ ok ] 371 tkm/net2net-initiator: pre..test..post
[ ok ] 372 tkm/net2net-xfrmproxy: pre..test..post
[ ok ] 373 tkm/xfrmproxy-expire: pre..test..post
[ ok ] 374 tkm/xfrmproxy-rekey: pre..test..post
[ ok ] 375 tnc/tnccs-11: pre..test..post
[ ok ] 376 tnc/tnccs-11-fhh: pre..test..post
[ ok ] 377 tnc/tnccs-11-radius: pre..test..post
[ ok ] 378 tnc/tnccs-11-radius-block: pre..test..post
[FAIL] 379 tnc/tnccs-11-radius-pts: pre..test..post
[ ok ] 380 tnc/tnccs-11-supplicant: pre..test..post
[ ok ] 381 tnc/tnccs-20: pre..test..post
[ ok ] 382 tnc/tnccs-20-block: pre..test..post
[ ok ] 383 tnc/tnccs-20-client-retry: pre..test..post
[FAIL] 384 tnc/tnccs-20-ev-pt-tls: pre..test..post
[ ok ] 385 tnc/tnccs-20-fail-init: pre..test..post
[ ok ] 386 tnc/tnccs-20-fail-resp: pre..test..post
[ ok ] 387 tnc/tnccs-20-fhh: pre..test..post
[ ok ] 388 tnc/tnccs-20-hcd-eap: pre..test..post
[ ok ] 389 tnc/tnccs-20-mutual-eap: pre..test..post
[ ok ] 390 tnc/tnccs-20-mutual-eap-fail: pre..test..post
[ ok ] 391 tnc/tnccs-20-mutual-pt-tls: pre..test..post
[FAIL] 392 tnc/tnccs-20-nea-pt-tls: pre..test..post
[FAIL] 393 tnc/tnccs-20-os: pre..test..post
[FAIL] 394 tnc/tnccs-20-os-pts: pre..test..post
[FAIL] 395 tnc/tnccs-20-pdp-eap: pre..test..post
[FAIL] 396 tnc/tnccs-20-pdp-pt-tls: pre..test..post
[ ok ] 397 tnc/tnccs-20-pts: pre..test..post
[FAIL] 398 tnc/tnccs-20-pts-no-ecc: pre..test..post
[ ok ] 399 tnc/tnccs-20-server-retry: pre..test..post
[ ok ] 400 tnc/tnccs-20-tls: pre..test..post
[ ok ] 401 tnc/tnccs-dynamic: pre..test..post
Passed : 393
Failed : 8
The 8 failures are exclusively in the TNC section and also fail for the unpatched strongswan (5.6.3dr3), thus I'm quite sure they have nothing to do with the suggested patch.
To make sure the correct version is deployed on all hosts:
# "<guest name> <guest IP>" pairs of the test-suite hosts
for pair in "alice 10.1.0.10" "venus 10.1.0.20" "moon 10.1.0.1" "bob 10.2.0.10" \
            "carol 192.168.0.100" "winnetou 192.168.0.150" "dave 192.168.0.200"; do
    host=($pair)
    printf "${host[0]}: "
    ssh -c arcfour -o StrictHostKeyChecking=no root@${host[1]} "ipsec --version" 2>/dev/null | head -n 1
done
alice: Linux strongSwan U5.6.2dr3/K4.9.68(psk_lookup_patch)
venus: Linux strongSwan U5.6.2dr3/K4.9.68(psk_lookup_patch)
moon: Linux strongSwan U5.6.2dr3/K4.9.68(psk_lookup_patch)
bob: Linux strongSwan U5.6.2dr3/K4.9.68(psk_lookup_patch)
carol: Linux strongSwan U5.6.2dr3/K4.9.68(psk_lookup_patch)
winnetou: Linux strongSwan U5.6.2dr3/K4.9.68(psk_lookup_patch)
dave: Linux strongSwan U5.6.2dr3/K4.9.68(psk_lookup_patch)
Conclusion
Please comment on the suggested changes and whether you are willing to apply them upstream. I could also assemble a PR if that's preferred, or make changes to the structure of the patch. I guess I could also try to set up a test scenario for the given configuration (and probably the one mentioned in #2223).
stroke: Don't ignore %any as owner of shared secrets
If users want to associate secrets with any identity, let 'em. This is
also possible with vici and might help if e.g. the remote identity is
actually %any as that would match a PSK with local IP and %any better
than one with local and different remote IP.
Fixes #2497.
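The following is an added example, not strongSwan code and not part of the report or the commit above. It models the shared-secret owner matching the instrumented log shows for the scenario: the ipsec.secrets from the report is parsed once with %any dropped from the owner list (the stroke behaviour the issue describes) and once with %any kept (the behaviour the commit describes), every secret is scored against the local and remote identity, and the lookup flags a tie between different PSKs. The match levels are the ones the log prints (20 for a perfect match, 1 for an ID_ANY match, 0 for none); representing the not-yet-known remote identity as %any follows the commit message; the candidate filter, the "remote match first, then local" tie-break and the rule that only a strictly better score replaces the current best are modelling assumptions taken from the log, not a claim about charon's exact code path. A defender can feed their own ipsec.secrets and the expected (local, remote) identity pairs through lookup_psk to spot entries that would tie.

```python
"""Model of the PSK owner matching described in this issue (added example, not
strongSwan code).  Match levels as the instrumented log prints them; the
filter and tie-break rules are modelling assumptions, see the lead-in."""

ID_MATCH_NONE, ID_MATCH_ANY, ID_MATCH_PERFECT = 0, 1, 20

# ipsec.secrets from the issue, embedded so the example runs offline.
SECRETS_TEXT = """\
10.1.130.93 %any : PSK "ABCD"
10.1.130.93 %any : PSK "ABCD"
10.1.130.93 10.1.130.96 : PSK "XYZ0"
"""


def match_id(owner, peer_id):
    """Score one owner ID of a secret against an identity from the exchange."""
    if owner == "%any":            # wildcard owner: matches anything, weakly
        return ID_MATCH_ANY
    return ID_MATCH_PERFECT if owner == peer_id else ID_MATCH_NONE


def parse_secrets(text, keep_any):
    """Toy parser for 'id id : PSK "secret"' lines.  keep_any=False mimics
    the stroke behaviour the issue describes (%any never becomes an owner);
    keep_any=True is the behaviour after the referenced commit."""
    secrets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ids, sep, rest = line.partition(":")
        kind, _, value = rest.strip().partition(" ")
        if not sep or kind != "PSK":
            continue
        owners = [i for i in ids.split() if keep_any or i != "%any"]
        secrets.append((owners, value.strip().strip('"')))
    return secrets


def score(owners, me, other):
    """Best local and best remote match over a secret's owner list
    (my_match / other_match in the log)."""
    my_match = max((match_id(o, me) for o in owners), default=ID_MATCH_NONE)
    other_match = max((match_id(o, other) for o in owners), default=ID_MATCH_NONE)
    return my_match, other_match


def lookup_psk(secrets, me, other):
    """Return (chosen PSK, (other_match, my_match), ambiguous).

    A candidate only replaces the current best when it scores strictly
    higher, so on a tie the secret enumerated first stays selected; that
    order is whatever the credential set yields, which is the "more or less
    random" outcome the report describes.  'ambiguous' is True when more
    than one distinct PSK shares the winning score."""
    chosen, best, tied = None, None, set()
    for owners, psk in secrets:
        my_match, other_match = score(owners, me, other)
        if my_match == ID_MATCH_NONE and other_match == ID_MATCH_NONE:
            continue                       # owner list fits neither side
        current = (other_match, my_match)
        if best is None or current > best:
            chosen, best, tied = psk, current, {psk}
        elif current == best:
            tied.add(psk)
    return chosen, best, len(tied) > 1


def demo():
    """Run the cases from the report; returns {case: lookup result}."""
    me = "10.1.130.93"
    old = parse_secrets(SECRETS_TEXT, keep_any=False)
    new = parse_secrets(SECRETS_TEXT, keep_any=True)
    return {
        "old, remote %any": lookup_psk(old, me, "%any"),
        "new, remote %any": lookup_psk(new, me, "%any"),
        "old, remote 10.1.130.96": lookup_psk(old, me, "10.1.130.96"),
        "new, remote 10.1.130.96": lookup_psk(new, me, "10.1.130.96"),
    }


if __name__ == "__main__":
    for case, (psk, best, ambiguous) in demo().items():
        print(f"{case}: {psk} score={best} ambiguous={ambiguous}")
```

With %any dropped from the owners, both "ABCD" and "XYZ0" score (other 0, local 20) for a peer whose identity is still unknown, so the result is a tie and which PSK wins depends only on enumeration order (the log happened to pick "XYZ0"; the model, enumerating in file order, picks "ABCD", which is exactly the point: the choice is arbitrary). With %any kept, "ABCD" scores (1, 20) and wins unambiguously, while a peer with the explicit identity 10.1.130.96 selects "XYZ0" with (20, 20) in both modes, matching the report's observation that the explicitly configured connections work.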