Hi Andreas,

Thanks a lot! Yes, it was using socket-raw (as pluto is also configured). I disabled it explicitly in the configure options and enabled socket-default, and I am now seeing the invalid version notification correctly:

Jun 30 17:04:35 09[ENC] parsing rule 3 U_INT_4
Jun 30 17:04:35 09[ENC] => 3
...
Jun 30 17:04:35 09[ENC] parsing HEADER payload finished
Jun 30 17:04:35 09[ENC] parsed a IKE_SA_INIT request
Jun 30 17:04:35 09[NET] received unsupported IKE version 3.0 from y:y:y:1::1, sending INVALID_MAJOR_VERSION

Thanks,
Gowri Shankar

On Sunday 01 July 2012 12:11 AM, Andreas Steffen wrote:
> Are you using the charon daemon with the socket-raw plugin, which
> filters and processes IKE major version 2 only, or the socket-default
> plugin, which processes all IKE packets irrespective of the major
> version? ipsec statusall shows which plugin is loaded.
>
> Regards
>
> Andreas
>
> On 30.06.2012 20:05, gowrishankar wrote:
>> Hi Andreas,
>>
>> I tested with strongswan-5.0.0rc1 as well, but the same problem.
>> I'll debug some more and post updates here.
>>
>> Thanks,
>> Gowri Shankar
>>
>> On Saturday 30 June 2012 08:38 PM, Andreas Steffen wrote:
>>> Hi Gowri,
>>>
>>> have a look at the following piece of code in the git repository
>>>
>>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/network/receiver.c;h=f0cb0b2d17d153205e97f880e7daa0fdea89f974;hb=HEAD#l409
>>>
>>> which is the basis of today's strongSwan 5.0.0 release.
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 06/30/2012 09:13 AM, gowrishankar wrote:
>>>> strongswan: charon not reacting to a higher major version in the IKE header
>>>>
>>>> strongswan libcharon is found not to react to an invalid (or
>>>> higher) major version in the IKE header of a received packet.
>>>>
>>>> As per RFC 4306 Section 2.5:
>>>>   If an endpoint receives a message with a higher major version
>>>>   number, it MUST drop the message and SHOULD send an unauthenticated
>>>>   notification message containing the highest version number it
>>>>   supports.
>>>>
>>>> and RFC 5996 Section 2.5 clarifies the notification message type as
>>>> "INVALID_MAJOR_VERSION".
>>>>
>>>> Though the current implementation shows a portion of code for this in
>>>> libcharon/network/receiver.c, it is not executed when an IKE_SA_INIT
>>>> request with an invalid major version is sent (and I am not seeing any
>>>> debug info in charon.log for the received packet from the net or enc
>>>> threads).
>>>>
>>>> I tested with strongswan based on 4.6.
>>>>
>>>> Can someone have a look at this?
>>>>
>>>> Thanks,
>>>> Gowri Shankar
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
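The following is an added example, not strongSwan's receiver.c and not code from anyone in this thread; it is written from RFC 5996 sections 2.5, 3.1 and 3.10 to show what the check Andreas points to has to do once a packet actually reaches the daemon: parse the fixed 28-byte IKE header, look at the major version nibble, and when it is higher than 2, drop the message and build the unauthenticated INVALID_MAJOR_VERSION reply whose own header advertises the highest version we support (2.0). The type and function names, the constants and the sample version 3.0 request are this example's own constructions.

```c
/* Added example: IKE header parse + RFC 5996 section 2.5 major-version check.
 * Not strongSwan code; names and constants are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IKE_HEADER_LEN               28
#define IKE_MAJOR_SUPPORTED          2    /* highest major version we speak */
#define IKE_EXCH_SA_INIT             34
#define IKE_FLAG_RESPONSE            0x20
#define IKE_PAYLOAD_NOTIFY           41
#define NOTIFY_PAYLOAD_LEN           8    /* 4 generic + proto 1 + SPI size 1 + type 2 */
#define NOTIFY_INVALID_MAJOR_VERSION 5

/* Decoded fixed IKE header (RFC 5996 section 3.1). */
typedef struct {
    uint8_t  spi_i[8], spi_r[8];
    uint8_t  next_payload, major, minor, exchange_type, flags;
    uint32_t message_id, length;
} ike_header_t;

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse the header. Returns 0 on success, -1 if the datagram is shorter
 * than a header (the version byte must be read before anything else). */
int ike_parse_header(const uint8_t *buf, size_t len, ike_header_t *h)
{
    if (len < IKE_HEADER_LEN) return -1;
    memcpy(h->spi_i, buf, 8);
    memcpy(h->spi_r, buf + 8, 8);
    h->next_payload  = buf[16];
    h->major         = buf[17] >> 4;    /* high nibble */
    h->minor         = buf[17] & 0x0f;  /* low nibble  */
    h->exchange_type = buf[18];
    h->flags         = buf[19];
    h->message_id    = get_be32(buf + 20);
    h->length        = get_be32(buf + 24);
    return 0;
}

/* RFC 5996 section 2.5:  0 = version 2, process normally;
 * 1 = higher major, drop and send INVALID_MAJOR_VERSION;
 * -1 = lower major (IKEv1), not handled by this example. */
int ike_check_major(const ike_header_t *h)
{
    if (h->major == IKE_MAJOR_SUPPORTED) return 0;
    if (h->major >  IKE_MAJOR_SUPPORTED) return 1;
    return -1;
}

/* Build the unauthenticated reply: a header carrying our version 2.0 plus one
 * empty Notify payload of type INVALID_MAJOR_VERSION. SPIs and Message ID are
 * echoed from the request. Returns bytes written or -1 if out is too small. */
int ike_build_invalid_major_version(const ike_header_t *req, uint8_t *out, size_t out_len)
{
    size_t total = IKE_HEADER_LEN + NOTIFY_PAYLOAD_LEN;
    if (out_len < total) return -1;
    memset(out, 0, total);
    memcpy(out, req->spi_i, 8);
    memcpy(out + 8, req->spi_r, 8);
    out[16] = IKE_PAYLOAD_NOTIFY;
    out[17] = (uint8_t)(IKE_MAJOR_SUPPORTED << 4);   /* version 2.0 */
    out[18] = IKE_EXCH_SA_INIT;
    out[19] = IKE_FLAG_RESPONSE;
    put_be32(out + 20, req->message_id);
    put_be32(out + 24, (uint32_t)total);
    /* Notify: next payload 0, flags 0, length 8, protocol ID 0, SPI size 0, type 5 */
    out[31] = NOTIFY_PAYLOAD_LEN;
    out[34] = (uint8_t)(NOTIFY_INVALID_MAJOR_VERSION >> 8);
    out[35] = (uint8_t)(NOTIFY_INVALID_MAJOR_VERSION & 0xff);
    return (int)total;
}

/* Constructed sample: a header-only IKE_SA_INIT request with version 3.0,
 * the situation in the log above. The initiator SPI is made up. */
static const uint8_t sample_v3_request[IKE_HEADER_LEN] = {
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,   /* initiator SPI          */
    0,0,0,0,0,0,0,0,                           /* responder SPI (zero)   */
    0x00, 0x30,                                /* no payload; version 3.0 */
    IKE_EXCH_SA_INIT, 0x08,                    /* exchange; Initiator flag */
    0,0,0,0,  0,0,0,IKE_HEADER_LEN             /* message ID 0; length    */
};

int main(void)
{
    ike_header_t h;
    uint8_t reply[64];
    if (ike_parse_header(sample_v3_request, sizeof sample_v3_request, &h) != 0) return 1;
    printf("received IKE version %u.%u\n", h.major, h.minor);
    if (ike_check_major(&h) == 1) {
        int n = ike_build_invalid_major_version(&h, reply, sizeof reply);
        printf("dropping message, sending INVALID_MAJOR_VERSION (%d bytes, header version %u.%u)\n",
               n, reply[17] >> 4, reply[17] & 0x0f);
    }
    return 0;
}
```

Two practitioner notes. First, this check can only run on packets the socket layer delivers, which is exactly what the thread found: a socket plugin that pre-filters on major version 2 never hands a 3.0 packet to the code that would answer it. Second, the reply is sent before any SA exists and carries no authentication, so it is a reflection vector; a responder should rate-limit these notifications per source rather than answer every spoofed probe.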
