[strongSwan] Help with understanding traffic selectors match

Enrico Cavalli Thu, 30 Nov 2017 08:46:08 -0800

Hello, 

I already posted to pfsense mailing list but maybe the issue is strongswan 
specific.


On my side I have a pfsense 2.4.2 and on the other side a checkpoint firewall 
(I suppose latest available version) where the encryption domain
cannot be changed (so I'm told). 

I have one single network on my side and a bunch of networks on  the other 
side. 

Sometimes i end with multiple CHILD_SA for the same network (10.128.200.0/24 in 
the example) and basically connections with this network stop working.

I think I found a solution but I'm trying to understand better the reasoning 
behind. 

This is the situation where 10.128.200.0/24 does not work;

Security Associations (1 up, 0 connecting):
    con1000[37]: ESTABLISHED 27 minutes ago, A.B.C.D[A.B.C.D]...X.Y.Z.W[X.Y.Z.W]
    con1000{181}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf75c2be_i f6da2a6b_o
    con1000{181}:   172.16.199.0/24|/0 === 10.128.200.0/24|/0
    con1001{182}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: ca07fa2a_i b78a80ad_o
    con1001{182}:   172.16.199.0/24|/0 === 192.168.3.0/24|/0
    con1002{183}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: cf85518c_i 6b4605e6_o
    con1002{183}:   172.16.199.0/24|/0 === 10.15.1.0/24|/0
    con1000{184}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8d4d22e_i a7e330d0_o
    con1000{184}:   172.16.199.0/24|/0 === 10.128.200.0/24|/0
    con1001{185}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c4d1b604_i 91a8d9d5_o
    con1001{185}:   172.16.199.0/24|/0 === 192.168.3.0/24|/0

where tunnel  con1000{184}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8d4d22e_i 
a7e330d0_o

prevents traffic between my 172.16.199.0/24 and remote 10.128.200.0/24

This is the log relative to this CHILD_SA

Nov 29 10:57:33 iulm03 charon: 15[NET] <con1000|37> received packet: from 
X.Y.Z.W[500] to A.B.C.D[500] (236 bytes)
Nov 29 10:57:33 iulm03 charon: 15[ENC] <con1000|37> parsed CREATE_CHILD_SA 
request 0 [ SA No TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Nov 29 10:57:33 iulm03 charon: 15[IKE] <con1000|37> received 
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> looking for a child config 
for 172.16.199.98/32|/0[tcp/http] 172.16.199.0/24|/0 === 
10.128.132.198/32|/0[tcp/49179] 10.128.0.0/16|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.128.200.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   candidate "con1000" with 
prio 7+1
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  192.168.3.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.15.1.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.128.210.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   candidate "con1003" with 
prio 7+1
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.128.30.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   candidate "con1004" with 
prio 7+1
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> found matching child config 
"con1000" with prio 8
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selecting proposal:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   proposal matches
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> received proposals: 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> configured proposals: 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selected proposal: 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selecting traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 
172.16.199.0/24|/0, received: 172.16.199.98/32|/0[tcp/http] => match: 
172.16.199.98/32|/0[tcp/http]
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 
172.16.199.0/24|/0, received: 172.16.199.0/24|/0 => match: 172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selecting traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 
10.128.200.0/24|/0, received: 10.128.132.198/32|/0[tcp/49179] => no match
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 
10.128.200.0/24|/0, received: 10.128.0.0/16|/0 => match: 10.128.200.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CHD] <con1000|37> CHILD_SA con1000{184} state 
change: CREATED => INSTALLING


I suppose that since 10.128.0.0/16 is larger, charon tries to find a match. It 
then picks up the first "best" match and creates the unwanted CHILD_SA.

Is this correct and expected behavior?

To solve this issue (which I do not completely understand) I added another 
configuration to create a CHILD_SA to 10.128.0.0/16

The result is that unwanted double CHILD_SA to same destination is not created 
anymore and this is good for me - everything works as expected.


BUT - and this does not help my understanding

- if I initiate a connection from 172.16.199.0/24 to 10.128.0.0/16 CHILD_SA 
goes UP --> OK 
- BUT if now the remote side initiates a connection in all aspect similar to 
the one mentioned before
looking for a child config for 172.16.199.98/32|/0[tcp/http] 172.16.199.0/24|/0 
=== 10.128.132.198/32|/0[tcp/49179] 10.128.0.0/16|/0

charon says that traffic selectors are wrong (sorry but at the moment I  do not 
have a log for this case) .

Why this happens.

Thank you very much for any help or pointers to the right documentation.

Enrico.



-- 
Enrico Cavalli - [email protected]
jabber: [email protected] skype: enricocavalli
PGP Fingerprint: 3762 7B1B 743E 029C 8F94  8ADE BC4B 43A7 0485 30E5

[strongSwan] Help with understanding traffic selectors match

Reply via email to