Hi,

I have been trying to run the ipv6ready IKEv2_Self_Test against strongSwan
on SLES 11 SP1, as part of our preparation for the USGv6 certification. I
have encountered numerous problems. Below, I am listing a few examples
where I managed to pinpoint the problem.

The problem always turned out to be in the IKEv2 test scripts, not strongSwan.

Unfortunately, the IKEv2_Self_Test is part of the USGv6 test specifications:
http://w3.antd.nist.gov/usgv6/test-specifications.html
http://w3.antd.nist.gov/usgv6/TSTs/IKEv2_v1.0_C.html

The current (and also mandated by USGv6) version of the test tool is 1.0.3.
Since then, a new (v1.1.0) ipv6ready IKEv2 test specification has been published:
http://www.ipv6ready.org/docs/Phase2_IKEv2_Conformance_Latest.pdf
However, the test tool is not yet (publicly?) available.

The first problem I actually debugged turned out to be an issue already known to
the ipv6ready guys. The tests get confused by strongSwan obeying:
   "initiator SHOULD include as the first traffic selector in each of TSi
    and TSr a very specific traffic selector including the addresses in
    the packet triggering the request." [RFC 4306].
See http://www.tahi.org/users/mail-list/201005.month/1691.html
strongSwan does this since commit a13c013b. I reverted that for further testing.

The new v1.1.0 test specification has removed many of the test cases that
I see failing in the 1.0.3 version (good! the ones I looked into fail for
totally bogus reasons). I list all the failures below, the
tests removed in v1.1.0 are marked with an asterisk:

        12 *    Test IKEv2.EN.I.1.1.3.4: Close Connection when receiving INITIAL_CONTACT
        13 *    Test IKEv2.EN.I.1.1.3.5: Sending Liveness check
        14      Test IKEv2.EN.I.1.1.3.6: Sending Delete Payload for IKE_SA
        15 *    Test IKEv2.EN.I.1.1.3.7: Sending Delete Payload for CHILD_SA
        16 *    Test IKEv2.EN.I.1.1.3.8: Sending Liveness check with unprotected messages
        17      Test IKEv2.EN.I.1.1.4.1 Part A: Invalid payload type 1
        18      Test IKEv2.EN.I.1.1.4.1 Part B: Invalid payload type 32
        19      Test IKEv2.EN.I.1.1.4.1 Part C: Invalid payload type 49
        20      Test IKEv2.EN.I.1.1.4.1 Part D: Invalid payload type 255
        21      Test IKEv2.EN.I.1.1.4.2 Part A: Invalid payload type 1
        22      Test IKEv2.EN.I.1.1.4.2 Part B: Invalid payload type 32
        23      Test IKEv2.EN.I.1.1.4.2 Part C: Invalid payload type 49
        24      Test IKEv2.EN.I.1.1.4.2 Part D: Invalid payload type 255
        26      Test IKEv2.EN.I.1.1.5.2: Interaction of COOKIE and INVALID_KE_PAYLOAD
        27      Test IKEv2.EN.I.1.1.5.3: Interaction of COOKIE and INVALID_KE_PAYLOAD with unoptimized Responder
        28      Test IKEv2.EN.I.1.1.6.1 Part A: Encryption Algorithm ENCR_AES_CBC
        29 *    Test IKEv2.EN.I.1.1.6.1 Part B: Encryption Algorithm ENCR_AES_CTR
        30      Test IKEv2.EN.I.1.1.6.1 Part C: Pseudo-random Function PRF_AES128_XCBC
        31      Test IKEv2.EN.I.1.1.6.1 Part D: Integrity Algorithm AUTH_AES_XCBC_96
        32      Test IKEv2.EN.I.1.1.6.1 Part E: D-H Group Group 14
        33      Test IKEv2.EN.I.1.1.6.2 Part A: Encryption Algorithm ENCR_AES_CBC
        34      Test IKEv2.EN.I.1.1.6.2 Part B: Encryption Algorithm ENCR_AES_CTR
        35      Test IKEv2.EN.I.1.1.6.2 Part C: Encryption Algorithm ENCR_NULL
        36      Test IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96
        37      Test IKEv2.EN.I.1.1.6.2 Part E: Integrity Algorithm NONE
        38      Test IKEv2.EN.I.1.1.6.2 Part F: Extended Sequence Numbers
        39      Test IKEv2.EN.I.1.1.6.3 Part A: Multiple Encryption Algorithms
        40      Test IKEv2.EN.I.1.1.6.3 Part B: Multiple Pseudo-random Functions
        41      Test IKEv2.EN.I.1.1.6.3 Part C: Multiple Integrity Algorithms
        42      Test IKEv2.EN.I.1.1.6.3 Part D: Multiple D-H Groups
        44      Test IKEv2.EN.I.1.1.6.5 Part A: Multiple Encryption Algorithms
        45      Test IKEv2.EN.I.1.1.6.5 Part B: Multiple Integrity Algorithms
        46      Test IKEv2.EN.I.1.1.6.5 Part C: Multiple Extended Sequence Numbers
        47      Test IKEv2.EN.I.1.1.6.6: Sending Multiple Proposals
        48      Test IKEv2.EN.I.1.1.6.7: Receipt of INVALID_KE_PAYLOAD
        49 *    Test IKEv2.EN.I.1.1.6.8: Receipt of NO_PROPOSAL_CHOSEN
        50      Test IKEv2.EN.I.1.1.6.9: Response with inconsistent SA Proposal for IKE_SA
        52      Test IKEv2.EN.I.1.1.6.11 Part A: Receiving IKE_SA_INIT response with INVALID_KE_PAYLOAD
        53      Test IKEv2.EN.I.1.1.6.11 Part B: Receiving IKE_SA_INIT response with INVALID_KE_PAYLOAD
        54      Test IKEv2.EN.I.1.1.6.12: Creating an IKE_SA without a CHILD_SA
        55      Test IKEv2.EN.I.1.1.7.1: Narrowing the range of members of the set of traffic selectors
        56 *    Test IKEv2.EN.I.1.1.8.1 Part A: INVALID_IKE_SPI Different IKE_SA Initiator's SPI
        57 *    Test IKEv2.EN.I.1.1.8.1 Part B: INVALID_IKE_SPI Different IKE_SA Responder's SPI
        58 *    Test IKEv2.EN.I.1.1.8.2: INVALID_SELECTORS
        59      Test IKEv2.EN.I.1.1.10.1: Sending Certificate Payload
        60      Test IKEv2.EN.I.1.1.10.2: Sending Certificate Request Payload
        61      Test IKEv2.EN.I.1.1.10.3: RSA Digital Signature
        64      Test IKEv2.EN.I.1.1.11.2: Non zero RESERVED fields in IKE_AUTH response
        66      Test IKEv2.EN.I.1.1.11.4: Unrecognized Notify Message Type of Error
        68      Test IKEv2.EN.I.1.2.1.1: Sending CREATE_CHILD_SA request
        69      Test IKEv2.EN.I.1.2.2.1: Retransmission of CREATE_CHILD_SA request
        70      Test IKEv2.EN.I.1.2.2.2: Stop of retransmission of CREATE_CHILD_SA request
        71      Test IKEv2.EN.I.1.2.3.1: Close the replaced CHILD_SA
        72      Test IKEv2.EN.I.1.2.3.2: Receipt of cryptographically valid message on the new SA
        73      Test IKEv2.EN.I.1.2.3.3: Lifetime of CHILD_SA expires
        74      Test IKEv2.EN.I.1.2.3.4 Part A: Sending Multiple Transform for Rekeying CHILD_SA
        75      Test IKEv2.EN.I.1.2.3.4 Part B: Sending Multiple Transform for Rekeying CHILD_SA
        76      Test IKEv2.EN.I.1.2.3.4 Part C: Sending Multiple Transform for Rekeying CHILD_SA
        77      Test IKEv2.EN.I.1.2.3.5: Sending Multiple Proposal for Rekeying CHILD_SA
        78      Test IKEv2.EN.I.1.2.3.6: Rekeying Failure
        79      Test IKEv2.EN.I.1.2.3.7: Perfect Forward Secrecy
        80      Test IKEv2.EN.I.1.2.3.8: Use of the old CHILD_SA
        81      Test IKEv2.EN.I.1.2.4.1: Close the replaced IKE_SA
        82      Test IKEv2.EN.I.1.2.4.2: Receipt of cryptographically valid message on the new IKE_SA
        83      Test IKEv2.EN.I.1.2.4.3: Lifetime of IKE_SA expires
        84      Test IKEv2.EN.I.1.2.4.4 Part A: Sending Multiple Transform for Rekeying IKE_SA
        85      Test IKEv2.EN.I.1.2.4.4 Part B: Sending Multiple Transform for Rekeying IKE_SA
        86      Test IKEv2.EN.I.1.2.4.4 Part C: Sending Multiple Transform for Rekeying IKE_SA
        87      Test IKEv2.EN.I.1.2.4.4 Part D: Sending Multiple Transform for Rekeying IKE_SA
        88      Test IKEv2.EN.I.1.2.4.5: Sending Multiple Proposal for Rekeying IKE_SA
        89      Test IKEv2.EN.I.1.2.4.6: Use of the old IKE_SA
        90      Test IKEv2.EN.I.1.2.4.7: Changing PRFs when rekeying IKE_SA
        91      Test IKEv2.EN.I.1.2.5.1: Sending CREATE_CHILD_SA request
        92      Test IKEv2.EN.I.1.2.5.2: Receipt of cryptographically valid message on the new SA
        93 *    Test IKEv2.EN.I.1.2.6.1: Simulataneous CHILD_SA Close
        94 *    Test IKEv2.EN.I.1.2.6.2: Simulataneous IKE_SA Close
        95      Test IKEv2.EN.I.1.2.6.3: Simulataneous CHILD_SA Rekeying
        96      Test IKEv2.EN.I.1.2.6.4: Simulataneous CHILD_SA Rekeying with retransmission
        97      Test IKEv2.EN.I.1.2.6.5: Simulataneous IKE_SA Rekeying
        98      Test IKEv2.EN.I.1.2.6.6: Simulataneous IKE_SA Rekeying with retransmission
        99 *    Test IKEv2.EN.I.1.2.6.7: Closing and Rekeying CHILD_SA
        100 *   Test IKEv2.EN.I.1.2.6.8: Closing a new CHILD_SA
        101 *   Test IKEv2.EN.I.1.2.6.9: Rekeying a new CHILD_SA
        102 *   Test IKEv2.EN.I.1.2.6.10: Rekeying an IKE_SA with half-open CHILD_SAs
        103 *   Test IKEv2.EN.I.1.2.6.11: Rekeying a CHILD_SA while rekeying an IKE_SA
        104 *   Test IKEv2.EN.I.1.2.6.12: Rekeying an IKE_SA with half-closed CHILD_SAs
        105 *   Test IKEv2.EN.I.1.2.6.13: Closing a CHILD_SA while rekeying an IKE_SA
        106 *   Test IKEv2.EN.I.1.2.6.14: Closing an IKE_SA while rekeying an IKE_SA
        107 *   Test IKEv2.EN.I.1.2.6.15: Rekeying an IKE_SA while closing the IKE_SA
        108     Test IKEv2.EN.I.1.2.7.1: Non zero RESERVED fields in CREATE_CHILD_SA response
        109 *   Test IKEv2.EN.I.1.3.1.1: Sending INFORMATIONAL request
        110 *   Test IKEv2.EN.I.1.3.2.1: Retransmission of INFORMATIONAL request
        111 *   Test IKEv2.EN.I.1.3.2.2: Stop of retransmission of INFORMATIONAL request
        112 *   Test IKEv2.EN.I.1.3.3.1: Non zero RESERVED fields in INFORMATIONAL response
        113 *   Test IKEv2.EN.I.1.3.4.1: INVALID_SPI
        116     Test IKEv2.EN.I.2.1.1.1: Sending IKE_AUTH request
        117     Test IKEv2.EN.I.2.1.1.2: Use of CHILD_SA
        118     Test IKEv2.EN.I.2.1.2.1: Sending CFG_REQUEST
        119     Test IKEv2.EN.I.2.1.2.2: Receipt of CFG_REPLY
        120     Test IKEv2.EN.I.2.1.2.3: Non zero RESERVED fileds in Configuration Payload
        121     Test IKEv2.EN.I.2.1.2.4: Receiving IKE_AUTH response without CFG_REPLY
        122     Test IKEv2.EN.I.2.1.2.5: Receiving unrecognized Configuration Attributes
        132 *   Test IKEv2.EN.R.1.1.3.3: Close Connections when receiving INITIAL_CONTACT
        136     Test IKEv2.EN.R.1.1.4.1: Receipt of a larger minor version number
        142     Test IKEv2.EN.R.1.1.4.4 Part A: Invalid payload type 1
        143     Test IKEv2.EN.R.1.1.4.4 Part B: Invalid payload type 32
        144     Test IKEv2.EN.R.1.1.4.4 Part C: Invalid payload type 49
        145     Test IKEv2.EN.R.1.1.4.4 Part D: Invalid payload type 255
        146     Test IKEv2.EN.R.1.1.4.5: Invalid Payload Order
        147 *   Test IKEv2.EN.R.1.1.5.1: Cookies
        148 *   Test IKEv2.EN.R.1.1.5.2: Invalid Cookies
        149 *   Test IKEv2.EN.R.1.1.5.3: Interaction of COOKIE and INVALID_KE_PAYLOAD
        150 *   Test IKEv2.EN.R.1.1.5.4: Interaction of COOKIE and INVALID_KE_PAYLOAD with unoptimized Initiator
        152 *   Test IKEv2.EN.R.1.1.6.1 Part B: Encryption Algorithm ENCR_AES_CTR
        157     Test IKEv2.EN.R.1.1.6.2 Part B: Encryption Algorithm ENCR_AES_CTR
        158     Test IKEv2.EN.R.1.1.6.2 Part C: Encryption Algorithm ENCR_NULL
        159     Test IKEv2.EN.R.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96
        160     Test IKEv2.EN.R.1.1.6.2 Part E: Integrity Algorithm NONE
        161     Test IKEv2.EN.R.1.1.6.2 Part F: Extended Sequence Number
        176     Test IKEv2.EN.R.1.1.6.7: Sending of INVALID_KE_PAYLOAD
        178     Test IKEv2.EN.R.1.1.6.9: Creating an IKE_SA without a CHILD_SA
        179     Test IKEv2.EN.R.1.1.7.1: Narrowing the range of members of the set of traffic selectors
        181     Test IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector
        182     Test IKEv2.EN.R.1.1.8.1 Part A: Different IKE_SA Initiator's SPI
        183 *   Test IKEv2.EN.R.1.1.8.1 Part B: Different IKE_SA Responder's SPI
        184 *   Test IKEv2.EN.R.1.1.8.2: INVALID_SYNTAX
        185 *   Test IKEv2.EN.R.1.1.8.3: INVALID_SELECTORS
        186     Test IKEv2.EN.R.1.1.10.1: Sending Certificate Payload
        187     Test IKEv2.EN.R.1.1.10.2: Sending Certificate Request Payload
        188     Test IKEv2.EN.R.1.1.10.3: RSA Digital Signature
        191     Test IKEv2.EN.R.1.1.11.2: Non zero RESERVED fields in IKE_AUTH response
        198     Test IKEv2.EN.R.1.2.3.1: Receiving Delete Payload for Multiple CHILD_SA
        201     Test IKEv2.EN.R.1.2.5.2: Receipt of cryptographically protected message on the old SA and the new SA
        209     Test IKEv2.EN.R.1.2.5.6: Use of the old CHILD_SA
        212     Test IKEv2.EN.R.1.2.6.3: Use of the old IKE_SA
        213     Test IKEv2.EN.R.1.2.6.4: Close the replaced IKE_SA
        223     Test IKEv2.EN.R.1.2.6.8: D-H Transform NONE when rekeying the iKE_SA
        224     Test IKEv2.EN.R.1.2.7.1: Receipt of cryptographically valid message on the new CHILD_SA
        233     Test IKEv2.EN.R.2.1.1.1: Receipt of IKE_AUTH request
        234     Test IKEv2.EN.R.2.1.1.2: Use of CHILD_SA

        The full TAHI report can be found at
        http://labs.suse.cz/jbohac/strongswan_ikev2_self_test/report1/
        (this report is not from a clean run, some of the tests have
        been re-run individually)


E.g., "12 *    Test IKEv2.EN.I.1.1.3.4: Close Connection when
receiving INITIAL_CONTACT" is clearly a test/remotescript
problem. After the IKE_SA_INIT/IKE_SA_AUTH/ICMP_ECHO exchanges, the
test expects a new IKE_SA_INIT packet. However, the test script
merely invokes ping6 on the NUT, which still has a valid SA.
Nothing that would force the NUT to re-start the IKE negotiation.
And furthermore, it does not wait for the IKE_SA_INIT long enough 
for the ping6 to even be invoked, at least with my serial setup.
Although the test spec says:
        "8. NUT starts to negotiate with TN1 by sending IKE_SA_INIT
        request. If rebooting NUT to start negotiation again is needed, 
        it is possible to reboot NUT."
The test/remote script does nothing like that. And I don't see an
easy way to fix this in the remote script without modifying the
test script.


Example of one of the non-deprecated failing tests that I
debugged:

"14: Test IKEv2.EN.I.1.1.3.6: Sending Delete Payload for IKE_SA" again
looks like the testsuite is broken.  The test spec says: "In addition, set
IKE_SA Lifetime to 60 seconds and set CHILD_SA Lifetime to 30 seconds."
I modified koi/bin/remotes/linux-strongswan/ikev2.rmt to set
ipsec.conf with: "ikelifetime=60s, keylife=30s, rekeymargin=3s" and Boom!:
        "Different Exchange Type (received: CREATE_CHILD_SA, expected:
        INFORMATIONAL); Not match with packet('EN-I-1-1-3-7.1')"
Apparently, the test gets confused by the CREATE_CHILD_SA re-negotiating
the CHILD_SA that expired after 30s, while waiting for the re-negotiation
of the IKE_SA that will expire 30 seconds later. Unsurprisingly, with
keylife=30m, the test PASSes.

Another weirdness:
The test spec says to set the IKE_SA Lifetime to different values
(e.g. IKEv2.EN.I.1.1.3.7 and IKEv2.EN.I.1.1.3.6). But it is set
to a fixed value in the default ikev2.rmt that comes with
koi-2.1.8. The test scripts don't set the values requested by the
test spec.



I just wonder:

- Is the IKEv2_Self_Test even supposed to work? I wonder how it
  could...

- Has anyone run the IKEv2_Self_Test with more success? Any tips&tricks,
  custom remote files, configs, whatever?

- Is anyone else interested in the USGv6 certification with strongSwan?
  Has anyone talked about this with any of the accredited testing labs?

- Is some kind of pre-release version of the 1.1.0 IKEv2_Self_Test
  available anywhere? Curious if any of the above issues got fixed there
  (apart from those where the tests have been removed completely,
  of course).

Thanks for any hints, 


-- 
Jiri Bohac <jbo...@suse.cz>
SUSE Labs, SUSE CZ

