I have been playing around with connecting strongswan 5.0.2 to a
Cisco 5505 firewall (in this case IKEv1, PSK).  I ended up with
the error "peer selected invalid traffic selectors", which I
tracked down to the tsi of the Cisco peer not returning a port
number in its reply.  Using the patch below, I was able to
accommodate this omission.  Does this seem like a reasonable change,
perhaps behind a configuration flag?

--- strongswan-5.0.2/src/libcharon/sa/ikev1/tasks/quick_mode.c.orig     
2013-03-05 23:26:50.764163376 -0800
+++ strongswan-5.0.2/src/libcharon/sa/ikev1/tasks/quick_mode.c  2013-03-06 
16:18:39.281869103 -0800
@@ -529,6 +529,45 @@
        }
 }
 
+static bool lenient_tsi_compare(private_quick_mode_t *this,
+                               traffic_selector_t **tsi_p)
+{
+       traffic_selector_t *tsi = *tsi_p;
+       bool ret = tsi->is_contained_in(tsi, this->tsi);
+
+       if (!ret && tsi->get_from_port(tsi) == 0 &&
+            tsi->get_to_port(tsi) == 65535) {
+               /*
+                * One more chance -- in some installations the
+                * remote omits the port argument of the proposal.
+                * While this violates the "is_contained_in" test
+                * above, it shouldn't be an error.  See if adopting
+                * our port values works.  If it does, replace the
+                * caller's traffic selector with this more
+                * restrictive value.
+                */
+               traffic_selector_t *test_tsi =
+                       traffic_selector_create_from_bytes(
+                               tsi->get_protocol(tsi),
+                               tsi->get_type(tsi),
+                               tsi->get_from_address(tsi),
+                               this->tsi->get_from_port(this->tsi),
+                               tsi->get_to_address(tsi),
+                               this->tsi->get_to_port(this->tsi));
+               ret = test_tsi->is_contained_in(test_tsi, this->tsi);
+               if (ret) {
+                       DBG2(DBG_IKE, "Remote TSI (%R) did not specify port "
+                            "numbers.  Using our local settings to form %R.",
+                            tsi, test_tsi, ret);
+                       tsi->destroy(tsi);
+                       *tsi_p = test_tsi;
+               } else {
+                       test_tsi->destroy(test_tsi);
+               }
+       }
+       return ret;
+}
+
 /**
  * Get traffic selectors from received message
  */
@@ -596,7 +635,7 @@
        {
                /* check if peer selection is valid */
                if (!tsr->is_contained_in(tsr, this->tsr) ||
-                       !tsi->is_contained_in(tsi, this->tsi))
+                       !lenient_tsi_compare(this, &tsi))
                {
                        DBG1(DBG_IKE, "peer selected invalid traffic selectors: 
"
                                 "%R for %R, %R for %R", tsi, this->tsi, tsr, 
this->tsr);
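Review bot: The replacement call hides a side effect inside the `if` condition — `lenient_tsi_compare(this, &tsi)` may free `tsi` and point it at a new object, which a reader of a comparison in a guard will not expect; a comment on the line above the `if`, `/* lenient_tsi_compare() may replace tsi with a port-narrowed copy */`, or a name such as `tsi_matches_or_adopt_ports`, would make that visible. Because of the `||` short-circuit the lenient check runs only after the tsr check has passed, so the DBG1 on the failure path still prints the peer's original `tsi`. The body of the enclosing function continues outside the hunk; any later reference to the original `tsi` object there would be stale after a successful replacement and should be checked.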
