Bug 203308

Summary:

wildcard patch in security/ipsec-tools breaks aggressive tunnels

Product:

Ports & Packages

Reporter:

andywhite

Component:

Individual Port(s)

Assignee:

Eugene Grosbein <eugen>

Status:

Closed FIXED

Severity:

Affects Some People

CC:

andywhite, eugen, pi, w.schwarzenfeld

Priority:

---

Flags:

pi: maintainer-feedback-

Version:

Latest

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
patch to fix aggressive mode tunnels with PSK	none
patch	none

Description andywhite 2015-09-24 12:19:05 UTC

see Bug 196930

the wildcard patch (required for l2tp etc) breaks aggressive mode tunnels.  changing the tunnels to main mode resolves the problem.  

with patch applied but no wildcard in the psk file

racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: [X.X.255.179] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: ISAKMP-SA established X.X.255.182[500]-X.X.255.179[500] spi:78e9f4efeaccc1a8:949caf456c915321
racoon: INFO: initiate new phase 2 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=43872531(0x29d7113)
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=19415386(0x128415a)


adding a wildcard to the psk, no other configuration change

racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: ERROR: HASH mismatched

Comment 1 andywhite 2015-09-24 23:44:49 UTC

Created attachment 161355 [details]
patch to fix aggressive mode tunnels with PSK

wilcard patch exposures existing bug where agressive tunnels using ip addresses for identification were not matching the entry in the PSK file, due to the identifier not being cast to a 'xxx.xxx.xxx.xxx' notation.

This patch checks if the identity type is and ADDR and if it is, uses a sockaddr struct to call the getpskbyaddr function instead of getpskbyname.

Comment 2 andywhite 2015-09-24 23:48:30 UTC

log now looks like this with a wildcard entry.

Note that "NOTIFY: couldn't find the proper pskey, try to get one by the peer's address." entry is not displayed anymore in the log, as was previously.

racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.166[500]->X.X.255.164[500] spi=222490682(0xd42f03a)
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.166[500]->X.X.255.164[500] spi=114112937(0x6cd39a9)
racoon: INFO: initiate new phase 2 negotiation: X.X.255.166[500]<=>X.X.255.164[500]
racoon: INFO: ISAKMP-SA established X.X.255.166[500]-X.X.255.164[500] spi:e44202367c108922:e6b336ca8ab4a244
racoon: [X.X.255.166] INFO: Hashing X.X.255.166[500] with algo #2
racoon: [X.X.255.164] INFO: Hashing X.X.255.164[500] with algo #2
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: INFO: NAT not detected
racoon: INFO: NAT-D payload #0 verified
racoon: [X.X.255.164] INFO: Hashing X.X.255.164[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.166] INFO: Hashing X.X.255.166[500] with algo #2
racoon: [X.X.255.164] INFO: Selected NAT-T version: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: begin Aggressive mode.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.166[500]<=>X.X.255.164[500]
racoon: INFO: IPsec-SA request for X.X.255.164 queued due to no phase1 found.

Comment 3 Kurt Jaeger freebsd_committer

2015-09-26 11:14:25 UTC

Created attachment 161414 [details]
patch

Patch formatted to easily apply to the port.

Comment 4 Walter Schwarzenfeld freebsd_triage

2018-01-17 09:39:07 UTC

Is this still relevant?

Comment 5 Kurt Jaeger freebsd_committer

2018-02-06 18:16:31 UTC

yes, needs run-test.

Comment 6 andywhite 2019-07-01 02:02:18 UTC

would be nice if this patch was added to the port

Comment 7 Eugene Grosbein freebsd_committer

2019-07-01 03:40:16 UTC

Re-set Assignee due to long inactivity period.

Comment 8 commit-hook freebsd_committer

2019-07-01 04:50:17 UTC

A commit references this bug:

Author: eugen
Date: Mon Jul  1 04:49:33 UTC 2019
New revision: 505537
URL: https://svnweb.freebsd.org/changeset/ports/505537

Log:
  security/ipsec-tools: fix aggressive mode tunnels with wildcard-psk config

  Wilcard patch exposures existing bug where agressive tunnels using ip addresses
  for identification were not matching the entry in the PSK file,
  due to the identifier not being cast to a 'xxx.xxx.xxx.xxx' notation.

  PR:		203308
  Submitted by:	andywhite@gmail.com (based on)

Changes:
  head/security/ipsec-tools/Makefile
  head/security/ipsec-tools/files/wildcard-psk-oakley.c.diff

Comment 9 Eugene Grosbein freebsd_committer

2019-07-01 04:51:35 UTC

Committed, thank you for sumbission.