Hi Andreas,

I also realised now that both charon and pluto can now be enabled together
with respect to the socket receiving side (this was earlier a problem, as in
http://wiki.strongswan.org/issues/123, and was fixed in 4.5.0).

Another question here: should the charon-raw plugin report an invalid
version notification instead of dropping the packet?

Thanks,
Gowri Shankar

On Sunday 01 July 2012 10:45 AM, gowrishankar wrote:
> Hi Andreas,
> Thanks a lot! Yes, it was using socket-raw (as pluto is also
> configured). I disabled it explicitly in the configure options and
> enabled socket-default, and am now seeing the invalid version
> notification correctly.
>
> Jun 30 17:04:35 09[ENC] parsing rule 3 U_INT_4
> Jun 30 17:04:35 09[ENC] => 3
> ...
> Jun 30 17:04:35 09[ENC] parsing HEADER payload finished
> Jun 30 17:04:35 09[ENC] parsed a IKE_SA_INIT request
> Jun 30 17:04:35 09[NET] received unsupported IKE version 3.0 from
> y:y:y:1::1, sending INVALID_MAJOR_VERSION
>
> Thanks,
> Gowri Shankar
>
> On Sunday 01 July 2012 12:11 AM, Andreas Steffen wrote:
>> Are you using the charon daemon with the socket-raw plugin, which
>> filters and processes IKE major version 2 only, or the socket-default
>> plugin, which processes all IKE packets irrespective of the major
>> version? ipsec statusall shows which plugin is loaded.
>>
>> Regards
>>
>> Andreas
>>
>> On 30.06.2012 20:05, gowrishankar wrote:
>>> Hi Andreas,
>>>
>>> I tested in strongswan-5.0.0rc1 as well, but same problem.
>>> I'll debug some more and post updates here.
>>>
>>> Thanks,
>>> Gowri Shankar
>>>
>>> On Saturday 30 June 2012 08:38 PM, Andreas Steffen wrote:
>>>> Hi Gowri,
>>>>
>>>> have a look at the following piece of code in the git repository
>>>>
>>>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/network/receiver.c;h=f0cb0b2d17d153205e97f880e7daa0fdea89f974;hb=HEAD#l409
>>>>
>>>> which is the basis of today's strongSwan 5.0.0 release.
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> On 06/30/2012 09:13 AM, gowrishankar wrote:
>>>>> strongswan: charon not reacting to a higher major version in the IKE
>>>>> header
>>>>>
>>>>> strongswan libcharon is found not to be reacting to an invalid (or
>>>>> higher) major version in the IKE header of a received packet.
>>>>>
>>>>> As per RFC 4306 Section 2.5:
>>>>>   If an endpoint receives a message with a higher major version
>>>>>   number, it MUST drop the message and SHOULD send an unauthenticated
>>>>>   notification message containing the highest version number it
>>>>>   supports.
>>>>>
>>>>> and RFC 5996 Section 2.5 clarifies the notification message type as
>>>>> "INVALID_MAJOR_VERSION". Though the current implementation shows a
>>>>> portion of code for this in libcharon/network/receiver.c, it is not
>>>>> executed when an IKE_SA_INIT request with an invalid major version is
>>>>> sent (and I am not seeing any debug info in charon.log for the
>>>>> received packet from the net or enc threads).
>>>>>
>>>>> I tested with strongswan based on 4.6.
>>>>>
>>>>> Can someone have a look at this?
>>>>>
>>>>> Thanks,
>>>>> Gowri Shankar
>> ======================================================================
>> Andreas Steffen                         [email protected]
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>>
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
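As an added illustration of the two behaviours contrasted in this thread (this is example code written for this page, not strongSwan's receiver.c and not the socket-raw plugin's actual filter), the Python below models both stages: a socket-level filter that passes only IKE major version 2, so a version 3.0 IKE_SA_INIT is dropped before the daemon's receiver ever parses it and no notify can be sent; and the receiver-side check from RFC 4306/5996 Section 2.5, which drops the message and answers with an unauthenticated Notify of type INVALID_MAJOR_VERSION whose reply header carries the highest supported version (2.0). The sample packet is constructed here; the header and Notify payload layouts follow RFC 5996 Sections 3.1 and 3.10, and the SPI value, the zero responder SPI and the `process()` wrapper are assumptions of the example.

```python
import struct

# IKE header (RFC 5996 3.1): SPIi(8) SPIr(8) NextPayload(1) Version(1)
# Exchange(1) Flags(1) MessageID(4) Length(4) = 28 bytes, network byte order.
IKE_HEADER_FMT = "!QQBBBBII"
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)  # 28

EXCHANGE_IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 41
NOTIFY_INVALID_MAJOR_VERSION = 5

# Highest IKE version this (hypothetical) responder supports.
SUPPORTED_MAJOR, SUPPORTED_MINOR = 2, 0


def build_ike_header(spi_i, spi_r, next_payload, major, minor, exchange, flags, msg_id, length):
    """Pack an IKE header; the version byte is major in the high nibble, minor in the low."""
    return struct.pack(IKE_HEADER_FMT, spi_i, spi_r, next_payload,
                       (major << 4) | (minor & 0x0F), exchange, flags, msg_id, length)


def parse_ike_header(data):
    """Unpack the fixed 28-byte IKE header into a dict; rejects truncated packets."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("packet shorter than IKE header")
    spi_i, spi_r, next_payload, version, exchange, flags, msg_id, length = \
        struct.unpack(IKE_HEADER_FMT, data[:IKE_HEADER_LEN])
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": next_payload,
            "major": version >> 4, "minor": version & 0x0F,
            "exchange": exchange, "flags": flags, "msg_id": msg_id, "length": length}


def raw_filter_accepts(data):
    """Model of a socket-level filter that passes only IKE major version 2
    (assumed for illustration; not the real plugin's filter). The version
    byte sits at offset 17, right after the two SPIs and the next-payload byte.
    Anything else is discarded before the daemon sees it, so no notify goes out."""
    return len(data) >= IKE_HEADER_LEN and (data[17] >> 4) == 2


def build_invalid_major_version_reply(request_hdr):
    """Unauthenticated reply per RFC 5996 2.5 and 3.10.1: a single Notify payload of
    type INVALID_MAJOR_VERSION with no protocol ID, no SPI and no data. The reply
    header's version field carries the highest version we support; the responder
    SPI is left zero (assumption of this example) and the initiator SPI, exchange
    type and message ID are echoed from the request."""
    notify = struct.pack("!BBHBBH",
                         PAYLOAD_NONE,                  # next payload
                         0,                             # critical bit + reserved
                         8,                             # payload length incl. 4-byte generic header
                         0,                             # protocol ID: none
                         0,                             # SPI size: none
                         NOTIFY_INVALID_MAJOR_VERSION)  # notify message type 5
    header = build_ike_header(request_hdr["spi_i"], 0, PAYLOAD_NOTIFY,
                              SUPPORTED_MAJOR, SUPPORTED_MINOR,
                              request_hdr["exchange"], FLAG_RESPONSE,
                              request_hdr["msg_id"], IKE_HEADER_LEN + len(notify))
    return header + notify


def receiver_handle(data):
    """Receiver-side check: a higher major version means drop the message and
    return the notify that should be sent back; otherwise return None (normal
    processing continues, or an IKEv1 packet is left to the IKEv1 daemon)."""
    hdr = parse_ike_header(data)
    if hdr["major"] > SUPPORTED_MAJOR:
        return build_invalid_major_version_reply(hdr)
    return None


def process(data):
    """Whole inbound path, filter first: returns ('filtered', None) when the
    socket filter drops the packet, ('notify', reply_bytes) when the receiver
    answers with INVALID_MAJOR_VERSION, or ('accepted', None) otherwise."""
    if not raw_filter_accepts(data):
        return "filtered", None
    reply = receiver_handle(data)
    return ("notify", reply) if reply is not None else ("accepted", None)


def make_sa_init_request(major, minor=0):
    """Constructed sample: an IKE_SA_INIT request with no payloads and the given version."""
    return build_ike_header(0x0123456789ABCDEF, 0, PAYLOAD_NONE, major, minor,
                            EXCHANGE_IKE_SA_INIT, FLAG_INITIATOR, 0, IKE_HEADER_LEN)


if __name__ == "__main__":
    bad = make_sa_init_request(3)
    print("with version-2-only filter:", process(bad)[0])
    print("without filter, reply header:", parse_ike_header(receiver_handle(bad)))
```

Run stand-alone it shows the version 3.0 request being silently filtered on the first path and answered with a version 2.0 Notify on the second; the `process()` result for a version 2.0 request is `('accepted', None)` on both paths.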
