Hello,

I discovered VPP a few weeks ago, and I am quite interested in the IPsec/IKEv2 
part.

First, I saw that rsa-sig authentication was developed for IKEv2; however, I 
did not find any tutorial or working config about this authentication method. I 
tried to build a configuration on my own, but all I got was a segfault (conf 
files at the end of the mail).

Then, I noticed that the cipher suite that is currently supported for IKEv2 is 
not really compliant with recommended algorithms (especially for integrity 
checking). Is it planned to support more algorithms in the future, like 
hmac-sha256-128 for IKEv2 and IPsec (I think it is already possible in IPsec)?

Finally, a lot of features are missing to create a "real-life" IKEv2 gateway, 
such as real X.509 certificate authentication (not only with digital 
signature), or IKEv2 config mode (getting a virtual IP from the IKEv2 gateway). Is 
it planned to implement these features in the near future?

Regards.

Berenger

#Responder cli commands:
set interface state TenGigabitEthernet5/0/0 up
set interface ip address TenGigabitEthernet5/0/0 192.168.4.1/24
set interface state TenGigabitEthernet5/0/1 up
set interface ip address TenGigabitEthernet5/0/1 192.168.3.1/24
ikev2 profile add pr1
ikev2 profile set pr1 auth rsa-sig cert-file /home/bfoucher/certs/other/peer2-cert.pem
set ikev2 local key /home/bfoucher/certs/other/peer1-key.pem
ikev2 profile set pr1 id local fqdn peer1
ikev2 profile set pr1 id remote fqdn peer2
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0

#Initiator cli commands:
set interface state TenGigabitEthernet4/0/0 up
set interface ip address TenGigabitEthernet4/0/0 192.168.4.2/24
set interface state TenGigabitEthernet4/0/1 up
set interface ip address TenGigabitEthernet4/0/1 192.168.5.1/24
ikev2 profile add pr1
ikev2 profile set pr1 auth rsa-sig cert-file /home/bfoucher/certs/other/peer1-cert.pem
set ikev2 local key /home/bfoucher/certs/other/peer2-key.pem
ikev2 profile set pr1 id remote fqdn peer1
ikev2 profile set pr1 id local fqdn peer2
ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder TenGigabitEthernet4/0/0 192.168.4.1
ikev2 profile set pr1 ike-crypto-alg aes-cbc 256 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 256 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
ikev2 initiate sa-init pr1

Here is what DBGvpp says:

0: ikev2_parse_sa_payload:364: proposal num 1 len 44 last_or_more 0 id 1 
spi_size 0 num_transforms 4
0: ikev2_parse_sa_payload:406: transform num 0 len 12 last_or_more 3 type 
encr:aes-cbc-256 id 12 attrs 800e0100
0: ikev2_parse_sa_payload:406: transform num 1 len 8 last_or_more 3 type 
integ:sha1-96 id 2
0: ikev2_parse_sa_payload:406: transform num 2 len 8 last_or_more 3 type 
prf:hmac-sha1 id 2
0: ikev2_parse_sa_payload:406: transform num 3 len 8 last_or_more 0 type 
dh-group:modp-2048 id 14
0: ikev2_parse_notify_payload:464: msg_type NAT_DETECTION_SOURCE_IP len 28 data 
dfb2dd7aee5009fb5959f75b418a983fc00a3e3f
0: ikev2_parse_notify_payload:464: msg_type NAT_DETECTION_DESTINATION_IP len 28 
data bddcb51d6a7b31ff97776a61d4b03272ac2886c4
0: ikev2_parse_notify_payload:464: msg_type SIGNATURE_HASH_ALGORITHMS len 16 
data 0001000200030004
0: ikev2_process_sa_init_req:627: sa state changed to IKEV2_STATE_SA_INIT
0: ikev2_select_proposal:170: bitmap is 1e mandatory is 1e optional is 1e
0: ikev2_payload_add_sa:194: proposal num 1 protocol_id 1 last_or_more 0 
spi_size 0
0: ikev2_payload_add_sa:215: transform type encr transform_id 12 last_or_more 3 
attr_size 4 attrs 800e0100
0: ikev2_payload_add_sa:215: transform type integ transform_id 2 last_or_more 3 
attr_size 0
0: ikev2_payload_add_sa:215: transform type prf transform_id 2 last_or_more 3 
attr_size 0
0: ikev2_payload_add_sa:215: transform type dh-group transform_id 14 
last_or_more 0 attr_size 0
0: ikev2_process_auth_req:832: ispi b78429da3c154ec7 rspi 8393458b3c2ce146 
nextpayload 2e version 20 exchange 23 flags 8 msgid 1 length 444
0: ikev2_decrypt_sk_payload:734: received IKEv2 payload SK, len 412
0: ikev2_process_auth_req:890: received payload IDi, len 5 id_type 2
0: ikev2_process_auth_req:921: received payload AUTH, len 256 auth_type 1
0: ikev2_process_auth_req:869: received payload SA, len 48
0: ikev2_parse_sa_payload:364: proposal num 1 len 48 last_or_more 0 id 3 
spi_size 4 num_transforms 4
0: ikev2_parse_sa_payload:406: transform num 0 len 12 last_or_more 3 type 
encr:aes-cbc-256 id 12 attrs 800e0100
0: ikev2_parse_sa_payload:406: transform num 1 len 8 last_or_more 3 type 
integ:sha1-96 id 2
0: ikev2_parse_sa_payload:406: transform num 2 len 8 last_or_more 3 type 
dh-group:ecp-256 id 19
0: ikev2_parse_sa_payload:406: transform num 3 len 8 last_or_more 0 type 
esn:yes id 1
0: ikev2_process_auth_req:939: received payload TSi, len 20
0: ikev2_process_auth_req:947: received payload TSr, len 20

Here is the backtrace of the segfault (with openssl symbols):

Thread 1 "vpp_main" received signal SIGSEGV, Segmentation fault.
0x00007ffff560a7ef in engine_pkey_meths_free (e=e@entry=0x7fffb60e5b24) at 
tb_pkmeth.c:159
159 tb_pkmeth.c: No such file or directory.
(gdb) bt
#0 0x00007ffff560a7ef in engine_pkey_meths_free (e=e@entry=0x7fffb60e5b24) at 
tb_pkmeth.c:159
#1 0x00007ffff5607566 in engine_free_util (e=e@entry=0x7fffb60e5b24, 
locked=locked@entry=0) at eng_lib.c:129
#2 0x00007ffff56081e0 in engine_unlocked_finish (e=0x7fffb60e5b24, 
unlock_for_handlers=) at eng_init.c:119
#3 0x00007ffff5608319 in ENGINE_finish (e=0x7fffb60e5b24) at eng_init.c:150
#4 0x00007ffff561ac4f in EVP_DigestInit_ex (ctx=0x7fffb5cf4750, 
type=0x7ffff5929fe0 , impl=0x0) at digest.c:179
#5 0x00007ffff6ddadcb in ikev2_verify_sign (pkey=0x877660,
sigbuf=0x7fffb60e5b24 
"\rkv\a\241\264\026\264\323\vN\b\214\313\343m\026{2]\030\070\314Vb\317\331\033\227\344\361_\276\340\263R\275\313\024\311\177\374c\332\344\022\b\330,SQ\373\nRɌ\016\333aS\333!$\264U\225\017\016\024\026\261\267\321a\f#\361pw\264\272z\370V\032\231*\221?\305\322a\373\341\364%\245\342\373\212߀\214W\031\327O\202\360Ԣ\275!hF\355\261xl\301\307I\371\247{p\331\023\343\245#\235\002\277\351\256L,\261v\244\204\342R\214[(\346\306G\257\242tc\f\220\341\227kM\226\071\263\370/3\204x}\"\313\377\273#Ш9El\036\001\321s'\223\301\371a\346\017\316j\351\024\024\375ɻ\331",
 ..., data=0x7fffb60cc330 "\267\204)\332)
at /home/bfoucher/vpp/build-data/../src/vnet/ipsec/ikev2_crypto.c:682
#6 0x00007ffff6dc894c in ikev2_sa_auth (sa=0x7fffb55166b8) at 
/home/bfoucher/vpp/build-data/../src/vnet/ipsec/ikev2.c:1347
#7 0x00007ffff6dcc446 in ikev2_node_fn (vm=0x7ffff7b8b940 , 
node=0x7fffb5e31600, frame=0x7fffb60cd100) at 
/home/bfoucher/vpp/build-data/../src/vnet/ipsec/ikev2.c:2230
#8 0x00007ffff78e06c9 in dispatch_node (vm=0x7ffff7b8b940 , 
node=0x7fffb5e31600, type=VLIB_NODE_TYPE_INTERNAL, 
dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x7fffb60cd100, 
last_time_stamp=229701314793488)
at /home/bfoucher/vpp/build-data/../src/vlib/main.c:988
#9 0x00007ffff78e0c82 in dispatch_pending_node (vm=0x7ffff7b8b940 , 
pending_frame_index=4, last_time_stamp=229701314793488) at 
/home/bfoucher/vpp/build-data/../src/vlib/main.c:1138
#10 0x00007ffff78e2e74 in vlib_main_or_worker_loop (vm=0x7ffff7b8b940 , 
is_main=1) at /home/bfoucher/vpp/build-data/../src/vlib/main.c:1614
#11 0x00007ffff78e2f22 in vlib_main_loop (vm=0x7ffff7b8b940 ) at 
/home/bfoucher/vpp/build-data/../src/vlib/main.c:1633
#12 0x00007ffff78e38ea in vlib_main (vm=0x7ffff7b8b940 , input=0x7fffb5cf4fb0) 
at /home/bfoucher/vpp/build-data/../src/vlib/main.c:1787
#13 0x00007ffff794ec9c in thread0 (arg=140737349466432) at 
/home/bfoucher/vpp/build-data/../src/vlib/unix/main.c:568
#14 0x00007ffff6488f34 in clib_calljmp () at 
/home/bfoucher/vpp/build-data/../src/vppinfra/longjmp.S:110
#15 0x00007fffffffd3f0 in ?? ()
#16 0x00007ffff794f0fd in vlib_unix_main (argc=36, argv=0x6ff980) at 
/home/bfoucher/vpp/build-data/../src/vlib/unix/main.c:632
#17 0x0000000000406efa in main (argc=36, argv=0x6ff980) at 
/home/bfoucher/vpp/build-data/../src/vpp/vnet/main.c:249
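
As an added example (not part of this mail or of VPP itself), here is a small Python script that groups the `ikev2_parse_sa_payload` lines from the DBGvpp output above into IKE and ESP proposals and flags the SHA-1-based integrity and PRF transforms the mail complains about; the weak-algorithm policy in `WEAK` is my own assumption, and the sample log lines are the ones above re-joined onto single lines.

```python
import re

# Constructed sample: the IKE and ESP proposal lines from the debug output above, re-joined onto single lines.
SAMPLE_LOG = """\
0: ikev2_parse_sa_payload:364: proposal num 1 len 44 last_or_more 0 id 1 spi_size 0 num_transforms 4
0: ikev2_parse_sa_payload:406: transform num 0 len 12 last_or_more 3 type encr:aes-cbc-256 id 12 attrs 800e0100
0: ikev2_parse_sa_payload:406: transform num 1 len 8 last_or_more 3 type integ:sha1-96 id 2
0: ikev2_parse_sa_payload:406: transform num 2 len 8 last_or_more 3 type prf:hmac-sha1 id 2
0: ikev2_parse_sa_payload:406: transform num 3 len 8 last_or_more 0 type dh-group:modp-2048 id 14
0: ikev2_parse_sa_payload:364: proposal num 1 len 48 last_or_more 0 id 3 spi_size 4 num_transforms 4
0: ikev2_parse_sa_payload:406: transform num 0 len 12 last_or_more 3 type encr:aes-cbc-256 id 12 attrs 800e0100
0: ikev2_parse_sa_payload:406: transform num 1 len 8 last_or_more 3 type integ:sha1-96 id 2
0: ikev2_parse_sa_payload:406: transform num 2 len 8 last_or_more 3 type dh-group:ecp-256 id 19
0: ikev2_parse_sa_payload:406: transform num 3 len 8 last_or_more 0 type esn:yes id 1
"""

# Protocol IDs in an IKEv2 SA proposal (RFC 7296): 1 = IKE, 2 = AH, 3 = ESP.
PROTO_NAMES = {1: "IKE", 2: "AH", 3: "ESP"}
# Assumed policy: algorithms to flag per transform type (SHA-1 based integrity/PRF, legacy ciphers, small MODP groups).
WEAK = {
    "encr": {"des", "3des", "null"},
    "integ": {"none", "md5-96", "sha1-96"},
    "prf": {"hmac-md5", "hmac-sha1"},
    "dh-group": {"modp-768", "modp-1024", "modp-1536"},
}
PROPOSAL_RE = re.compile(r"ikev2_parse_sa_payload:\d+: proposal num (\d+) .*? id (\d+) spi_size")
TRANSFORM_RE = re.compile(r"ikev2_parse_sa_payload:\d+: transform num \d+ .*? type ([\w-]+):([\w-]+) id \d+")

def parse_proposals(log_text):
    """Group debug lines into proposals: [{'num': 1, 'protocol': 'IKE', 'transforms': {type: alg}}]."""
    proposals = []
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            proto = PROTO_NAMES.get(int(m.group(2)), "proto-%s" % m.group(2))
            proposals.append({"num": int(m.group(1)), "protocol": proto, "transforms": {}})
            continue
        m = TRANSFORM_RE.search(line)
        if m and proposals:  # a transform line belongs to the most recent proposal line
            proposals[-1]["transforms"][m.group(1)] = m.group(2)
    return proposals

def audit(proposals):
    """Return one finding string per transform whose algorithm is in the WEAK policy."""
    findings = []
    for p in proposals:
        for ttype, alg in p["transforms"].items():
            if alg in WEAK.get(ttype, ()):
                findings.append("%s proposal %d: weak %s:%s" % (p["protocol"], p["num"], ttype, alg))
    return findings
```

Running `audit(parse_proposals(SAMPLE_LOG))` on the output above reports sha1-96 integrity in both the IKE and ESP proposals plus the hmac-sha1 PRF, while aes-cbc-256, modp-2048 and ecp-256 pass.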
