Bug 203308 - wildcard patch in security/ipsec-tools breaks aggressive tunnels
Summary: wildcard patch in security/ipsec-tools breaks aggressive tunnels
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Eugene Grosbein
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-24 12:19 UTC by andywhite
Modified: 2019-07-01 04:51 UTC (History)
4 users (show)

See Also:
pi: maintainer-feedback-


Attachments
patch to fix aggressive mode tunnels with PSK (1.02 KB, patch)
2015-09-24 23:44 UTC, andywhite
no flags Details | Diff
patch (2.92 KB, patch)
2015-09-26 11:14 UTC, Kurt Jaeger
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description andywhite 2015-09-24 12:19:05 UTC
see Bug 196930

the wildcard patch (required for l2tp etc) breaks aggressive mode tunnels.  changing the tunnels to main mode resolves the problem.  

with patch applied but no wildcard in the psk file

racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: [X.X.255.179] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: ISAKMP-SA established X.X.255.182[500]-X.X.255.179[500] spi:78e9f4efeaccc1a8:949caf456c915321
racoon: INFO: initiate new phase 2 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=43872531(0x29d7113)
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=19415386(0x128415a)


adding a wildcard to the psk, no other configuration change

racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: ERROR: HASH mismatched
Comment 1 andywhite 2015-09-24 23:44:49 UTC
Created attachment 161355 [details]
patch to fix aggressive mode tunnels with PSK

wilcard patch exposures existing bug where agressive tunnels using ip addresses for identification were not matching the entry in the PSK file, due to the identifier not being cast to a 'xxx.xxx.xxx.xxx' notation.

This patch checks if the identity type is and ADDR and if it is, uses a sockaddr struct to call the getpskbyaddr function instead of getpskbyname.
Comment 2 andywhite 2015-09-24 23:48:30 UTC
log now looks like this with a wildcard entry.

Note that "NOTIFY: couldn't find the proper pskey, try to get one by the peer's address." entry is not displayed anymore in the log, as was previously.

racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.166[500]->X.X.255.164[500] spi=222490682(0xd42f03a)
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.166[500]->X.X.255.164[500] spi=114112937(0x6cd39a9)
racoon: INFO: initiate new phase 2 negotiation: X.X.255.166[500]<=>X.X.255.164[500]
racoon: INFO: ISAKMP-SA established X.X.255.166[500]-X.X.255.164[500] spi:e44202367c108922:e6b336ca8ab4a244
racoon: [X.X.255.166] INFO: Hashing X.X.255.166[500] with algo #2
racoon: [X.X.255.164] INFO: Hashing X.X.255.164[500] with algo #2
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: INFO: NAT not detected
racoon: INFO: NAT-D payload #0 verified
racoon: [X.X.255.164] INFO: Hashing X.X.255.164[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.166] INFO: Hashing X.X.255.166[500] with algo #2
racoon: [X.X.255.164] INFO: Selected NAT-T version: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: begin Aggressive mode.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.166[500]<=>X.X.255.164[500]
racoon: INFO: IPsec-SA request for X.X.255.164 queued due to no phase1 found.
Comment 3 Kurt Jaeger freebsd_committer 2015-09-26 11:14:25 UTC
Created attachment 161414 [details]
patch

Patch formatted to easily apply to the port.
Comment 4 Walter Schwarzenfeld freebsd_triage 2018-01-17 09:39:07 UTC
Is this still relevant?
Comment 5 Kurt Jaeger freebsd_committer 2018-02-06 18:16:31 UTC
yes, needs run-test.
Comment 6 andywhite 2019-07-01 02:02:18 UTC
would be nice if this patch was added to the port
Comment 7 Eugene Grosbein freebsd_committer 2019-07-01 03:40:16 UTC
Re-set Assignee due to long inactivity period.
Comment 8 commit-hook freebsd_committer 2019-07-01 04:50:17 UTC
A commit references this bug:

Author: eugen
Date: Mon Jul  1 04:49:33 UTC 2019
New revision: 505537
URL: https://svnweb.freebsd.org/changeset/ports/505537

Log:
  security/ipsec-tools: fix aggressive mode tunnels with wildcard-psk config

  Wilcard patch exposures existing bug where agressive tunnels using ip addresses
  for identification were not matching the entry in the PSK file,
  due to the identifier not being cast to a 'xxx.xxx.xxx.xxx' notation.

  PR:		203308
  Submitted by:	andywhite@gmail.com (based on)

Changes:
  head/security/ipsec-tools/Makefile
  head/security/ipsec-tools/files/wildcard-psk-oakley.c.diff
Comment 9 Eugene Grosbein freebsd_committer 2019-07-01 04:51:35 UTC
Committed, thank you for sumbission.