Hello,

I have IPsec VPNs in tunnel mode, configured in ipsec.conf with a line
like:

ike active esp tunnel from <my_internal_net> to <his_internal_net> peer
<his_gateway_address> <main_mode_parameters> <quick_mode_parameters>
<preshared_key>

My isakmpd.policy file is

# cat /etc/isakmpd/isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";


Everything works fine.

But today, one of the remote gateways was replaced by a misconfigured
new one, leading to the following phase-2 packet:

13:29:01.098526 <remote_gateway_ip>.500 > <my_gateway_ip>.500: [udp sum
ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 70de03ee348066c9->76aabe706bed52c2 msgid: 301c68c8 len:
300
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0xcb2d2b94
                payload: TRANSFORM len: 32
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 28800
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute KEY_LENGTH = 128
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
[ttl 0] (id 1, len 328)


Please note that both ID parameters in this packet are 0.0.0.0.

This led to a routing entry (made by isakmpd, I suppose):
# netstat -rn | grep his_ip
default            0     default            0     0
<remote_gateway_ip>/esp/use/in
default            0     default            0     0
<remote_gateway_ip>/esp/require/out

This route virtually disconnected my gateway from both the external and
the internal network; no ping to any address was successful.

I would like to ask:

1. Is it true that isakmpd is supposed to accept any ID parameter of
type IPV4_ADDR_SUBNET in quick mode and set up a corresponding route,
even when it is the 'default' route?

2. What would I have to change to only accept those remote network IDs
that are configured in ipsec.conf?

Thanks

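The policy shown in the post only constrains the ESP proposal (esp_present, esp_enc_alg); it says nothing about the phase-2 IDs, so a peer offering 0.0.0.0/0.0.0.0 on both sides satisfies it. The following is an added example, not the poster's file and not an isakmpd default: an isakmpd.policy that also bounds the local and remote filter address ranges to the networks the tunnel is meant for. The networks 192.168.1.0/24 (local) and 10.0.0.0/24 (remote) are placeholders standing in for the elided <my_internal_net> and <his_internal_net>. The local_filter_addr_lower/upper and remote_filter_addr_lower/upper attributes are the lower and upper bounds of the phase-2 ID ranges that isakmpd exports to KeyNote; this example assumes the zero-padded dotted-quad form (three digits per octet) so that KeyNote's string comparison orders addresses correctly, which should be checked against isakmpd.policy(5) on the release in use.

```keynote
# /etc/isakmpd/isakmpd.policy -- added example, not the original poster's file.
# Placeholder networks: local 192.168.1.0/24, remote 10.0.0.0/24.
# *_filter_addr_lower / *_filter_addr_upper are the phase-2 ID range bounds;
# the zero-padded octet form used below is an assumption to verify against
# isakmpd.policy(5) for your version.
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            # Local side of the flow must lie inside 192.168.1.0/24.
            local_filter_addr_lower >= "192.168.001.000" &&
            local_filter_addr_upper <= "192.168.001.255" &&
            # Remote side of the flow must lie inside 10.0.0.0/24.
            remote_filter_addr_lower >= "010.000.000.000" &&
            remote_filter_addr_upper <= "010.000.000.255" -> "true";
```

With this policy, a quick-mode ID of 0.0.0.0/0.0.0.0 yields a range of 000.000.000.000 to 255.255.255.255, which fails the lower-bound check on both the local and remote side, so the proposal is rejected and no default flow is installed. For several peers, repeat the two filter clauses per network and join the alternatives with `||` inside parentheses; a peer that proposes a network outside every listed range is refused instead of being given a route.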