See Bug 196930: the wildcard patch (required for l2tp etc.) breaks aggressive mode tunnels. Changing the tunnels to main mode resolves the problem.

With patch applied but no wildcard in the psk file:

racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: [X.X.255.179] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: ISAKMP-SA established X.X.255.182[500]-X.X.255.179[500] spi:78e9f4efeaccc1a8:949caf456c915321
racoon: INFO: initiate new phase 2 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=43872531(0x29d7113)
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=19415386(0x128415a)

Adding a wildcard to the psk, no other configuration change:

racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: ERROR: HASH mismatched
Created attachment 161355
patch to fix aggressive mode tunnels with PSK wildcard patch

Exposes an existing bug where aggressive tunnels using IP addresses for identification were not matching the entry in the PSK file, due to the identifier not being cast to a 'xxx.xxx.xxx.xxx' notation. This patch checks if the identity type is an ADDR and, if it is, uses a sockaddr struct to call the getpskbyaddr function instead of getpskbyname.
The log now looks like this with a wildcard entry. Note that the "NOTIFY: couldn't find the proper pskey, try to get one by the peer's address." entry is not displayed in the log anymore, as it was previously.

racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.166[500]->X.X.255.164[500] spi=222490682(0xd42f03a)
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.166[500]->X.X.255.164[500] spi=114112937(0x6cd39a9)
racoon: INFO: initiate new phase 2 negotiation: X.X.255.166[500]<=>X.X.255.164[500]
racoon: INFO: ISAKMP-SA established X.X.255.166[500]-X.X.255.164[500] spi:e44202367c108922:e6b336ca8ab4a244
racoon: [X.X.255.166] INFO: Hashing X.X.255.166[500] with algo #2
racoon: [X.X.255.164] INFO: Hashing X.X.255.164[500] with algo #2
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: INFO: NAT not detected
racoon: INFO: NAT-D payload #0 verified
racoon: [X.X.255.164] INFO: Hashing X.X.255.164[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.166] INFO: Hashing X.X.255.166[500] with algo #2
racoon: [X.X.255.164] INFO: Selected NAT-T version: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: begin Aggressive mode.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.166[500]<=>X.X.255.164[500]
racoon: INFO: IPsec-SA request for X.X.255.164 queued due to no phase1 found.
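The lookup order the attachment comment describes, shown as an added, self-contained model rather than racoon's own code: getpskbyname() and getpskbyaddr() here are small stand-ins with assumed bodies (exact match with a "*" fallback, and inet_ntop() plus exact match, respectively), the psk.txt contents and peer identities are constructed, and lookup_psk_broken()/lookup_psk_fixed() are hypothetical names for the two code paths. It shows why a binary ADDR identity handed to the by-name lookup lands on the wildcard key (the wrong PSK, hence the "HASH mismatched" in the log above) and how routing ADDR identities through a sockaddr to the by-address lookup selects the dotted-quad entry instead.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed psk.txt contents (not a real deployment): identifier, key.
 * The "*" entry is the wildcard the l2tp setup needs. */
struct psk_entry { const char *id; const char *key; };
static const struct psk_entry psk_file[] = {
    { "192.0.2.179",     "tunnel-key-179" },
    { "vpn.example.com", "fqdn-key" },
    { "*",               "wildcard-l2tp-key" },
};
#define NPSK (sizeof psk_file / sizeof psk_file[0])

/* Assumed by-name lookup with wildcard support: an exact identifier match
 * wins, otherwise the "*" entry is returned if present. */
static const char *getpskbyname(const char *id)
{
    const char *wild = NULL;
    for (size_t i = 0; i < NPSK; i++) {
        if (strcmp(psk_file[i].id, id) == 0)
            return psk_file[i].key;
        if (strcmp(psk_file[i].id, "*") == 0)
            wild = psk_file[i].key;
    }
    return wild;
}

/* Assumed by-address lookup: render the sockaddr as text with inet_ntop(),
 * then require an exact match. No wildcard fallback here. */
static const char *getpskbyaddr(const struct sockaddr *sa)
{
    char text[INET6_ADDRSTRLEN];
    const void *src;
    if (sa->sa_family == AF_INET)
        src = &((const struct sockaddr_in *)sa)->sin_addr;
    else if (sa->sa_family == AF_INET6)
        src = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    else
        return NULL;
    if (inet_ntop(sa->sa_family, src, text, sizeof text) == NULL)
        return NULL;
    for (size_t i = 0; i < NPSK; i++)
        if (strcmp(psk_file[i].id, text) == 0)
            return psk_file[i].key;
    return NULL;
}

/* ISAKMP identification payload, reduced to type plus raw bytes. */
enum idtype { ID_FQDN, ID_IPV4_ADDR };
struct isakmp_id { enum idtype type; const unsigned char *data; size_t len; };

/* Broken path: every identity is handed to getpskbyname() as a string.
 * A 4-byte binary address can never equal "192.0.2.179", so the wildcard
 * key is selected and phase 1 fails on the peer's hash. */
static const char *lookup_psk_broken(const struct isakmp_id *id)
{
    char name[64];
    size_t n = id->len < sizeof name - 1 ? id->len : sizeof name - 1;
    memcpy(name, id->data, n);
    name[n] = '\0';
    return getpskbyname(name);
}

/* Fixed path: an ADDR identity is wrapped in a sockaddr and looked up by
 * address, so the dotted-quad entry in the file is found. */
static const char *lookup_psk_fixed(const struct isakmp_id *id)
{
    if (id->type == ID_IPV4_ADDR && id->len == sizeof(struct in_addr)) {
        struct sockaddr_in sin;
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        memcpy(&sin.sin_addr, id->data, sizeof sin.sin_addr);
        return getpskbyaddr((const struct sockaddr *)&sin);
    }
    return lookup_psk_broken(id);   /* FQDN identities keep the name path */
}

/* Constructed peer identities: ID_IPV4_ADDR 192.0.2.179 and an FQDN. */
static const unsigned char peer_addr[4] = { 192, 0, 2, 179 };
static const struct isakmp_id addr_id = { ID_IPV4_ADDR, peer_addr, 4 };
static const struct isakmp_id fqdn_id = { ID_FQDN, (const unsigned char *)"vpn.example.com", 15 };

const char *demo_broken_addr(void) { return lookup_psk_broken(&addr_id); }
const char *demo_fixed_addr(void)  { return lookup_psk_fixed(&addr_id); }
const char *demo_fixed_fqdn(void)  { return lookup_psk_fixed(&fqdn_id); }

int main(void)
{
    printf("ADDR identity, broken lookup: %s\n", demo_broken_addr());
    printf("ADDR identity, fixed lookup:  %s\n", demo_fixed_addr());
    printf("FQDN identity, fixed lookup:  %s\n", demo_fixed_fqdn());
    return 0;
}
```

Before the wildcard entry existed, the broken path returned NULL and racoon fell back to the peer address (the "try to get one by the peer's address" NOTIFY in the first log); the wildcard turns that miss into a hit on the wrong key, which is why only aggressive mode, where the identity is used for the key lookup before the peer is authenticated, is affected.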
Created attachment 161414
patch

Patch formatted to easily apply to the port.
Is this still relevant?
Yes, needs run-test.
Would be nice if this patch were added to the port.
Re-set Assignee due to long inactivity period.
A commit references this bug:

Author: eugen
Date: Mon Jul 1 04:49:33 UTC 2019
New revision: 505537
URL: https://svnweb.freebsd.org/changeset/ports/505537

Log:
  security/ipsec-tools: fix aggressive mode tunnels with wildcard-psk config

  Wildcard patch exposes an existing bug where aggressive tunnels using ip addresses
  for identification were not matching the entry in the PSK file, due to the
  identifier not being cast to a 'xxx.xxx.xxx.xxx' notation.

  PR:		203308
  Submitted by:	andywhite@gmail.com (based on)

Changes:
  head/security/ipsec-tools/Makefile
  head/security/ipsec-tools/files/wildcard-psk-oakley.c.diff
Committed, thank you for the submission.