Hi Kumuda,

On 09/26/2014 01:55 PM, kumuda wrote:
> Hi,
>
> Have configured IKEv2 device as initiator to verify initial exchanges from
> End-point to Security Gateway.
>
> ipsec.conf has below parameters set:
>
>> type=tunnel
>> left=2001:0db8:0001:0001::1
>> # Remote address
>> right=2001:0db8:000f:0001::1
>> # Authentication method
>> leftauth=psk
>> rightauth=psk
>> leftid=2001:0db8:0001:0001::1
>> rightid=2001:0db8:000f:0001::1
>> # Remote subnet
>> rightsubnet=2001:0db8:000f:0002::/64

Did you try adding 'leftsubnet=2001:0db8:000f:0001::1/128'?

> -bash-4.2# /usr/sbin/strongswan start
> Starting strongSwan 5.2.0 IPsec [starter]...
> -bash-4.2# ip xfrm policy list
> src 2001:db8:f:2::/64 dst 2001:db8:1:1::1/128
>     dir fwd priority 5379 ptype main
>     tmpl src 2001:db8:f:1::1 dst 2001:db8:1:1::1
>         proto esp reqid 1 mode tunnel
> src 2001:db8:f:2::/64 dst 2001:db8:1:1::1/128
>     dir in priority 5379 ptype main
>     tmpl src 2001:db8:f:1::1 dst 2001:db8:1:1::1
>         proto esp reqid 1 mode tunnel
> src 2001:db8:1:1::1/128 dst 2001:db8:f:2::/64
>     dir out priority 5379 ptype main
>     tmpl src 2001:db8:1:1::1 dst 2001:db8:f:1::1
>         proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>     socket out priority 0 ptype main
> src ::/0 dst ::/0
>     socket in priority 0 ptype main
> src ::/0 dst ::/0
>     socket out priority 0 ptype main
> src ::/0 dst ::/0
>     socket in priority 0 ptype main
> src ::/0 dst ::/0
>     socket out priority 0 ptype main
>
> IKE_SA_INIT exchange is successful and IKE_AUTH request is sent by the
> end-point. Two traffic selectors are generated and the 2nd traffic selector
> has the complete IPv6 addresses as its range.
>
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating payload of type TRAFFIC_SELECTOR_SUBSTRUCTURE
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 0 TS_TYPE
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 8
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 1 U_INT_8
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 0
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 2 PAYLOAD_LENGTH
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 2 bytes @ 0x7f40dc1e9744
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> 0: 00 28 .(
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 3 U_INT_16
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 2 bytes @ 0x7f40dc1e9744
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> 0: 00 00 ..
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 4 U_INT_16
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 2 bytes @ 0x7f40dc1e9744
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> 0: FF FF ..
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 5 ADDRESS
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 16 bytes @ 0x7f40bc005080
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> 0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> generating rule 6 ADDRESS
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> => 16 bytes @ 0x7f40bc0050a0
> Sep 26 03:26:12 03[ENC] <tahi_ikev2_test|1> 0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
>
> Before IKE_SA is created, charon.log shows the available traffic selectors:
>
> Sep 26 03:25:53 11[CFG] received stroke: route 'tahi_ikev2_test'
> Sep 26 03:25:53 11[CFG] proposing traffic selectors for us:
> Sep 26 03:25:53 11[CFG] 2001:db8:1:1::1/128
> Sep 26 03:25:53 11[CFG] proposing traffic selectors for other:
> Sep 26 03:25:53 11[CFG] 2001:db8:f:2::/64
> Sep 26 03:25:53 11[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>
> just after reinitiating IKE_AUTH task, proposed traffic shows ::/0
>
> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> proposing traffic selectors for us:
> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> ::/0
> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> proposing traffic selectors for other:
> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> 2001:db8:f:2::/64
> Sep 26 03:26:12 03[CFG] <tahi_ikev2_test|1> configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>
> Why is it proposing ::/0 instead of 2001:db8:1:1::1/128?
>
> Regards,
> Kumuda G
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
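
Added example (not part of the original messages and not strongSwan code): a Python decoder for the Traffic Selector substructure whose fields appear in the quoted charon.log excerpt, using the RFC 7296 section 3.13.1 layout, plus a check that reports a proposed selector wider than the configured subnet. The names `parse_ts`, `wider_than_config` and `LOGGED_TS` are assumptions made for this example, and the byte string is constructed from the logged field values.

```python
import ipaddress
import struct

# TS types from RFC 7296 section 3.13.1: type value -> (name, address length)
TS_TYPES = {7: ("TS_IPV4_ADDR_RANGE", 4), 8: ("TS_IPV6_ADDR_RANGE", 16)}


def parse_ts(buf):
    """Decode one Traffic Selector substructure into a dict."""
    if len(buf) < 8:
        raise ValueError("truncated traffic selector header")
    ts_type, proto, length, port_lo, port_hi = struct.unpack("!BBHHH", buf[:8])
    if ts_type not in TS_TYPES:
        raise ValueError(f"unsupported TS type {ts_type}")
    name, alen = TS_TYPES[ts_type]
    # Selector length covers the 8-byte header plus start and end address.
    if length != 8 + 2 * alen or len(buf) < length:
        raise ValueError(f"bad selector length {length} for {name}")
    start = ipaddress.ip_address(buf[8:8 + alen])
    end = ipaddress.ip_address(buf[8 + alen:8 + 2 * alen])
    if start > end:
        raise ValueError("start address above end address")
    return {"type": name, "protocol": proto, "ports": (port_lo, port_hi),
            "nets": list(ipaddress.summarize_address_range(start, end))}


def wider_than_config(ts, configured):
    """Return the proposed networks not contained in the configured subnet."""
    cfg = ipaddress.ip_network(configured)
    return [n for n in ts["nets"]
            if n.version != cfg.version or not n.subnet_of(cfg)]


# Constructed from the field values in the quoted log: type 8, protocol 0,
# length 0x0028, ports 0x0000-0xFFFF, start address all 00, end address all FF.
LOGGED_TS = bytes.fromhex("08000028" "0000ffff" + "00" * 16 + "ff" * 16)

if __name__ == "__main__":
    ts = parse_ts(LOGGED_TS)
    print(ts["type"], ts["ports"], [str(n) for n in ts["nets"]])
    # Compare against the local selector seen in the earlier "route" log lines.
    print("outside configured selector:",
          [str(n) for n in wider_than_config(ts, "2001:db8:1:1::1/128")])
```
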
