Hello Sankarshan,

you should post this on the net...@vger.kernel.org mailing list
since this is an IPsec stack problem of the Linux kernel and
doesn't have anything to do with strongSwan which is a userland
IKE daemon.

Best regards

Andreas


On 08/17/2011 02:29 PM, sankarshan deb wrote:
> Hi,
> 
>           I have configured StrongSwan with IPSEC ESP using AES-GCM256.
>           Sent an ICMP echo request in the secured interface with
> misaligned data.
>           IPSec should drop the packet. But it is forwarding the ICMP
> packet on non-secured interface.
>          
> 
>          My ipsec.conf:
> 
>    conn net-net
>         type=tunnel
>         #type=transport
>         ike=3des-sha1-modp1024
>         esp=aes256gcm128-modp2048
>         #esp=3des-sha1
>         left=10.1.1.10
>       #  leftid=10.1.1.10
>         leftsubnet=20.1.1.30/32
>         #leftid=@sun.strongswan.org
>         leftfirewall=yes
>         right=10.1.1.30
>       #  rightid=10.1.1.30
>         rightsubnet=10.1.1.30/32
>         #rightid=@moon.strongswan.org
>         auto=add
>         authby=secret
> 
> 
>        Original icmp packet:(Plain text)
>        Ip HDR(src:10.1.1.30,dst:20.1.1.30)(20 bytes)
>        ICMP HDR(8byte)
>        ICMP DATA(44 byte)      
> 
>        Packet on secured interface: 10.1.1.30->10.1.1.10
> 
>        Outer IP HDR(dst ip:10.1.1.10,src ip:10.1.1.30)(20 byte)
>        Security Parameter Index = 0xC214E310 (4byte)
>        Sequence Number          = 0x00000001 (4byte)
>        IV (8 byte)
>        Cipher text(72 + 2(next header + padlen) + 2(padding) + 1( to
> make the data misaligned in 4 byte boundary)) (Total 77)
>        Auth data(16 byte)
> 
> 
>        Strongswan Ipsec implementation should discard the packet as the
> Pad Length and Next Header fields are NOT right-aligned within a 4-byte word.
> 
>        But I received the original icmp packet on the plaintext
> interface (10.1.1.30->20.1.1.30)
>      
>        Please let me know the reason.
> 
> Thanks and Regards
> Sankarshan
>       
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


-- 
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
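
The alignment rule cited in the quoted report, as an added example that is not part of either message and is not strongSwan or Linux kernel code: a receiver-side structural check over the ESP layout described above (8-byte header, 8-byte IV, 16-byte ICV). The names `esp_check_layout` and `check_sample` are hypothetical, and the sample packet is constructed from the SPI and sequence number in the report with zero-filled IV, ciphertext and ICV.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes from the packet layout in the post (AES-GCM ESP, 16-byte ICV). */
enum { ESP_HDR_LEN = 8, GCM_IV_LEN = 8, GCM_ICV_LEN = 16 };
typedef enum { ESP_OK = 0, ESP_TOO_SHORT, ESP_MISALIGNED } esp_status;

struct esp_layout {
    uint32_t spi, seq;
    size_t ct_len; /* payload + padding + Pad Length + Next Header */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: structural checks possible before decryption.
 * buf points just past the outer IP header; len is the ESP length. */
esp_status esp_check_layout(const uint8_t *buf, size_t len, struct esp_layout *out)
{
    /* Smallest valid ciphertext: 2 trailer bytes padded up to 4. */
    if (len < ESP_HDR_LEN + GCM_IV_LEN + 4 + GCM_ICV_LEN)
        return ESP_TOO_SHORT;
    out->spi = be32(buf);
    out->seq = be32(buf + 4);
    out->ct_len = len - ESP_HDR_LEN - GCM_IV_LEN - GCM_ICV_LEN;
    /* RFC 4303, section 2.4: the ciphertext ends on a 4-byte boundary so
     * that Pad Length and Next Header are right-aligned in a 4-byte word. */
    return (out->ct_len % 4 != 0) ? ESP_MISALIGNED : ESP_OK;
}

/* Constructed sample: SPI and sequence number from the post; IV,
 * ciphertext and ICV zero-filled. ct_len must be at most 224. */
esp_status check_sample(size_t ct_len, struct esp_layout *out)
{
    uint8_t pkt[256] = {0};
    const uint8_t hdr[ESP_HDR_LEN] = {0xC2, 0x14, 0xE3, 0x10, 0, 0, 0, 1};
    memcpy(pkt, hdr, sizeof hdr);
    return esp_check_layout(pkt, ESP_HDR_LEN + GCM_IV_LEN + ct_len + GCM_ICV_LEN, out);
}

int main(void)
{
    struct esp_layout l; /* 77 bytes: the post's case; 76: aligned */
    return !(check_sample(77, &l) == ESP_MISALIGNED && check_sample(76, &l) == ESP_OK);
}
```

The 77-byte ciphertext from the report fails the check before any decryption is attempted, while the same packet without the extra byte (76 bytes) passes.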
