Issue #2705
strongSwan doesn't send CP in CREATE_CHILD_SA
Description
Hi,
We have a requirement to send a configuration payload in CREATE_CHILD_SA, but strongSwan doesn't send one even when leftsourceip is correctly specified. These are the steps:
strongSwan as initiator:
1) Configure strongSwan with unsupported ESP algorithms; observe that the IKE_SA gets established.
conn pluto
    left=192.168.83.83
    leftprotoport=%any
    leftsourceip=%config
    leftauth=psk
    leftid=1234567890123456
    eap_identity=1234567890123456
    keyingtries=2
    leftsubnet=20.2.0.0/16
    right=192.168.107.170
    rightid=%any
    rightsubnet=172.16.16.1/16
    rightauth=%any
    auto=add
    ike=aes-sha1-md5-modp1024
    esp=blowfish-sha1-md5-modp1024!
    keyexchange=ikev2
    ikelifetime=3700s
    type=tunnel
    lifetime=600s
    margintime=1s
    rekey=yes
    dpddelay=60s
    dpdaction=restart
    modeconfig=pull
2) After step 1, NO_PROPOSAL_CHOSEN is observed.
Now esp is modified to "esp=aes-sha1-md5-modp1024".
Reload and re-establish the tunnel. Observe that the CREATE_CHILD_SA request is sent without a configuration payload.
Could you please let us know how to send CP in a CREATE_CHILD_SA request?
Thanks,
Ravisankar
Related issues
History
#1 Updated by Tobias Brunner about 7 years ago
- Description updated (diff)
- Status changed from New to Feedback
- Priority changed from Urgent to Normal
Could you please let us know how to send CP in a CREATE_CHILD_SA request?
strongSwan does not support CP during CREATE_CHILD_SA (or INFORMATIONAL) exchanges. It treats configuration attributes as properties of the IKE_SA (not individual CHILD_SAs) and these are negotiated during IKE_AUTH.
Now esp is modified to "esp=aes-sha1-md5-modp1024".
Reload and re-establish the tunnel. Observe that the CREATE_CHILD_SA request is sent without a configuration payload.
Why should changing the ESP proposal have any effect on CPs anyway?
#2 Updated by Ravisankar Jampani about 7 years ago
Thanks for the quick reply. We have done this to verify the behavior of the server in these two scenarios:
1) After NO_PROPOSAL_CHOSEN, we are trying to create the first IPsec SA through a CREATE_CHILD_SA exchange (not a rekey).
2) As per the RFC, sending CP in CREATE_CHILD_SA is supported, so we thought of verifying the same.
Thanks,
Ravisankar
#3 Updated by Tobias Brunner about 7 years ago
1) After NO_PROPOSAL_CHOSEN, we are trying to create the first IPsec SA through a CREATE_CHILD_SA exchange (not a rekey).
Why does that require additional CP? Or does it not return any CP in IKE_AUTH if no CHILD_SA was created? If so, you'll have to tear down the IKE_SA and start from scratch (you could enable charon.close_ike_on_child_failure to close the IKE_SA automatically if no CHILD_SA was created with IKE_AUTH).
2) As per the RFC, sending CP in CREATE_CHILD_SA is supported, so we thought of verifying the same.
Theoretically yes, but I'm not aware of any implementation that supports this. The RFC also states in section 2.19:
A request for such a temporary address can be included in
any request to create a Child SA (including the implicit request in
message 3) by including a CP payload. Note, however, it is usual to
only assign one IP address during the IKE_AUTH exchange. That
address persists at least until the deletion of the IKE SA.
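The behaviour described in this thread (CP negotiated only in IKE_AUTH, and a later CREATE_CHILD_SA carrying no CP) can be checked from charon's own ENC log lines rather than from the wire, since CP sits inside the encrypted SK payload. The following is an added example, not code from the issue or from the strongSwan project: it parses `generating/parsed <EXCHANGE> request|response <id> [ <payloads> ]` lines and reports in which exchange types a CP (printed by charon as CPRQ/CPRP) appeared, and whether the IKE_AUTH response actually established a CHILD_SA. The sample log lines are constructed for this scenario, and the assumed payload token names (CPRQ, CPRP, N(NO_PROP)) follow charon's usual logging.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of charon log lines for the scenario in this issue
# (not taken from the reporter's system). The shape mirrors strongSwan's
# "generating/parsed <EXCHANGE> request|response <id> [ <payloads> ]" lines:
# CPRQ/CPRP are how charon prints CFG_REQUEST/CFG_REPLY, N(NO_PROP) is the
# NO_PROPOSAL_CHOSEN notify. Assumption: the ENC log level is at least 1.
SAMPLE_LOG = """\
14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR DNS) SA TSi TSr ]
14[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) N(NO_PROP) ]
14[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
14[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
"""

LINE_RE = re.compile(
    r"(?P<dir>generating|parsed)\s+(?P<exch>[A-Z_]+)\s+"
    r"(?P<kind>request|response)\s+(?P<mid>\d+)\s+\[\s*(?P<payloads>.*?)\s*\]"
)
# One payload token: a name, optionally followed by a parenthesised detail
# such as CPRQ(ADDR DNS) or N(NO_PROP). Splitting on whitespace would break
# "CPRQ(ADDR DNS)" in two, hence the regex.
PAYLOAD_RE = re.compile(r"[A-Za-z_]+(?:\([^)]*\))?")
CP_NAMES = {"CP", "CPRQ", "CPRP"}


class Message(NamedTuple):
    direction: str      # "generating" (we sent it) or "parsed" (we received it)
    exchange: str       # IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL
    kind: str           # request or response
    message_id: int
    payloads: List[str]


def payload_name(token: str) -> str:
    """'CPRQ(ADDR DNS)' -> 'CPRQ'."""
    return token.split("(", 1)[0]


def parse_log(text: str) -> List[Message]:
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an ENC payload-list line
        msgs.append(Message(m["dir"], m["exch"], m["kind"], int(m["mid"]),
                            PAYLOAD_RE.findall(m["payloads"])))
    return msgs


def has_cp(payloads: List[str]) -> bool:
    return any(payload_name(p) in CP_NAMES for p in payloads)


def cp_by_exchange(msgs: List[Message]) -> Dict[str, bool]:
    """For each exchange type seen, whether any of its messages carried a CP."""
    seen: Dict[str, bool] = {}
    for m in msgs:
        seen[m.exchange] = seen.get(m.exchange, False) or has_cp(m.payloads)
    return seen


def child_sa_created_in_ike_auth(msgs: List[Message]) -> bool:
    """A CHILD_SA is established in IKE_AUTH only if the response carries
    SA, TSi and TSr and no NO_PROPOSAL_CHOSEN notify."""
    for m in msgs:
        if m.exchange == "IKE_AUTH" and m.kind == "response":
            if "N(NO_PROP)" in m.payloads:
                return False
            names = {payload_name(p) for p in m.payloads}
            return {"SA", "TSi", "TSr"} <= names
    return False


def report(text: str) -> Dict[str, object]:
    """Summarise where CP was seen and whether the situation in this issue
    (CP only in IKE_AUTH, no CHILD_SA from IKE_AUTH) applies."""
    msgs = parse_log(text)
    cp = cp_by_exchange(msgs)
    return {
        "cp_exchanges": sorted(e for e, v in cp.items() if v),
        "child_sa_from_ike_auth": child_sa_created_in_ike_auth(msgs),
        "create_child_sa_without_cp": ("CREATE_CHILD_SA" in cp
                                       and not cp["CREATE_CHILD_SA"]),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real charon log (`journalctl -u strongswan` or the configured log file), `child_sa_from_ike_auth` being false with `cp_exchanges == ["IKE_AUTH"]` is exactly the state where the IKE_SA holds the assigned address but no CHILD_SA, which is the case `charon.close_ike_on_child_failure` is meant for.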
#4 Updated by Ravisankar Jampani about 7 years ago
Thanks for the explanation.
Thanks,
Ravisankar
#5 Updated by Tobias Brunner almost 7 years ago
- Related to Issue #2790: Multiple Phase 2 over Phase1 connections in Remote Access scenarios added
#6 Updated by Tobias Brunner over 6 years ago
- Category set to libcharon
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required