Issue #3449

ipsec seems to corrupt packets

Added by Julien MORCRET 4 months ago. Updated 4 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.7.2
Resolution:

Description

Hi everyone,

I have a functional strongSwan server with Windows 10 clients.

Clients are in a domain, and the account is often disabled by Active Directory because of malformed packets during authentication (by Windows or some other software that uses AD authentication).
This issue doesn't appear at a specific time, and there is no specific period between two locks.

The issue occurs on 2 different computers with 2 different accounts.

Here is a packet capture (done on the server) related to the information given by the Event Viewer (Security tab): https://ibb.co/LtcYP7z
128.210 is the client, 128.23 is the AD

Here is the event related to this transmission (according to Microsoft documentation, this error can appear when many authentication packets are corrupted, after which the account is locked):

Kerberos pre-authentication failed.

Account information:
    Security ID:        DOMAIN\username
    Account name:        username

Service information:
    Service name:        krbtgt/DOMAIN.FR

Network information:
    Client address:        ::ffff:XXX.XXX.128.210
    Client port:        52932

Additional information:
    Ticket options:        0x40810010
    Failure code:        0x12
    Pre-authentication type:    0

So far, it seems Linux clients are not affected by this issue.

If Windows users use a different VPN (like OpenVPN), the issue never appears.
So my only clue, for now, is that it affects Windows 10 clients using the native IPsec connector.

Here is the server-side configuration for Windows connections:

# Default configuration
conn %default
    auto="route" 
    eap_identity="%identity" 
    forceencaps="yes" 
    keyexchange="ikev2" 
    leftauth="pubkey" 
    leftcert="/etc/pki/tls/certs/cert.crt" 
    leftfirewall="yes" 
    leftid="server.domain.fr" 
    leftsendcert="always" 
    leftsubnet="XXX.XXX.0.0/16,YYY.YYY.YYY.YYY/24,ZZZ.ZZZ.ZZZ.ZZZ/16" 
    lifetime="8h" 
    mobike="yes" 
    right="%any" 
    rightauth="eap-mschapv2" 
    rightsourceip="%dhcp" 

conn conn-windows
    esp=aes256-sha1!
    ike=aes256-sha384-modp1024!

Does someone have an idea of the source of this issue?
If you need more information, tell me.

Thanks in advance.
Best regards

History

#1 Updated by Tobias Brunner 4 months ago

  • Status changed from New to Feedback

Sorry, no idea. What I don't understand is that you say there is an authentication and blockage via AD, however, you configured rightauth="eap-mschapv2", which means clients are authenticated by strongSwan and not a RADIUS server. So how exactly is AD/RADIUS involved here?

#2 Updated by Tobias Brunner 4 months ago

Or does this concern later packets transported via IPsec/ESP? That is, does this affect users authenticating to file shares? If so, you might want to contact Microsoft.

#3 Updated by Julien MORCRET 4 months ago

Tobias Brunner wrote:

Sorry, no idea. What I don't understand is that you say there is an authentication and blockage via AD, however, you configured rightauth="eap-mschapv2", which means clients are authenticated by strongSwan and not a RADIUS server. So how exactly is AD/RADIUS involved here?

I didn't explain properly, sorry.
When I say "authentication", I mean authentication by software (ownCloud or anything else) or for shared folders that need authentication.

I think this issue doesn't only affect authentication, but it reveals the situation well.

Maybe there is a misconfiguration on my server side which affects packets?
Does strongSwan have any specific requirements?

Thanks for your answers

#4 Updated by Tobias Brunner 4 months ago

Maybe there is a misconfiguration on my server side which affects packets?
Does strongSwan have any specific requirements?

To not corrupt ESP packets? No.
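A check a practitioner would run before blaming the tunnel, added here as an example; it is not part of this issue, of the reporter's setup or of the strongSwan project. It assumes a Linux server using the kernel XFRM stack, where /proc/net/xfrm_stat exposes a counter per reason an IPsec packet was rejected (documented in the kernel's Documentation/networking/xfrm_proc.rst). With an ESP proposal like aes256-sha1, a packet whose integrity check fails is dropped and counted (XfrmInStateProtoError), not delivered with altered contents, so if none of these counters move while the account lockouts happen, the IPsec layer is not where the damage occurs. The counter names are real; the snapshot values below are constructed.

```python
"""Compare Linux XFRM (IPsec) drop counters around a reproduction.

Added example for this thread, not strongSwan project code. Assumes a Linux
server whose kernel exposes /proc/net/xfrm_stat (XFRM stack). Take one copy
of that file before reproducing the problem and one after, then run:

    python3 xfrm_check.py before.txt after.txt

Without arguments the script runs on constructed sample snapshots.
"""
import sys
from typing import Dict

# Counters that indicate the kernel rejected IPsec traffic. Descriptions are
# paraphrased from Documentation/networking/xfrm_proc.rst.
SUSPECT_COUNTERS = {
    "XfrmInError": "inbound packet dropped for a generic reason",
    "XfrmInHdrError": "ESP/AH header could not be parsed",
    "XfrmInNoStates": "no SA found for the incoming SPI",
    "XfrmInStateProtoError": "transform-specific failure, e.g. wrong key / bad ICV",
    "XfrmInStateSeqError": "sequence number outside the anti-replay window",
    "XfrmInStateExpired": "SA had already expired",
    "XfrmInStateMismatch": "decapsulated packet did not match the SA selector",
    "XfrmInTmplMismatch": "no matching policy template for the inbound SA",
    "XfrmInNoPols": "no inbound policy matched the packet",
    "XfrmOutError": "outbound packet dropped for a generic reason",
    "XfrmOutNoStates": "no outbound SA for a matching policy",
}


def parse_xfrm_stat(text: str) -> Dict[str, int]:
    """Parse the 'CounterName   value' lines of /proc/net/xfrm_stat."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("Xfrm") and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def nonzero_errors(stats: Dict[str, int]) -> Dict[str, int]:
    """Suspect counters that are non-zero in a single snapshot."""
    return {k: v for k, v in stats.items() if k in SUSPECT_COUNTERS and v > 0}


def increased_errors(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Suspect counters that grew between two snapshots (delta per counter)."""
    return {
        k: after.get(k, 0) - before.get(k, 0)
        for k in SUSPECT_COUNTERS
        if after.get(k, 0) > before.get(k, 0)
    }


# Constructed snapshots in the real file's format; the numbers are invented.
SAMPLE_BEFORE = """\
XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  3
XfrmInStateProtoError           0
XfrmInStateSeqError             0
XfrmOutError                    0
XfrmOutNoStates                 0
"""

SAMPLE_AFTER = """\
XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  3
XfrmInStateProtoError           17
XfrmInStateSeqError             2
XfrmOutError                    0
XfrmOutNoStates                 0
"""


def report(before: Dict[str, int], after: Dict[str, int]) -> None:
    """Print which suspect counters grew, with the kernel's meaning for each."""
    grew = increased_errors(before, after)
    if not grew:
        print("No IPsec drop counter increased: the kernel did not reject ESP traffic.")
        return
    for name, delta in grew.items():
        print(f"{name:24s} +{delta:<6d} {SUSPECT_COUNTERS[name]}")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="ascii") as f:
            before = parse_xfrm_stat(f.read())
        with open(sys.argv[2], encoding="ascii") as f:
            after = parse_xfrm_stat(f.read())
    else:
        before = parse_xfrm_stat(SAMPLE_BEFORE)
        after = parse_xfrm_stat(SAMPLE_AFTER)
    report(before, after)
```

On the sample data the script reports XfrmInStateProtoError growing by 17 and XfrmInStateSeqError by 2, which would point at failed integrity checks and replay-window rejections respectively; a stable XfrmInNoStates from an earlier rekey is ignored because only deltas matter. A run on real snapshots that shows no increase means the kernel accepted every ESP packet it saw, and the fault lies in what the client sends or in a layer above the tunnel.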
