List:       ikev2-devel
Subject:    Re: [Ikev2-devel] dshell@western-data.com
From:       Martin Willi <martin () strongswan ! org>
Date:       2008-11-18 16:54:22
Message-ID: 1227027262.7921.59.camel () martin

Hi,

It seems that you are running strongSwan, which is a completely
different project, so please continue discussion at our mailing list.

> I think I found a bug in the IKEv2 MOBIKE implementation.
> 
> I was running dual stack but with only ipv6 addresses used in the
> configurations.  IKEv2 starts properly and all security associations are
> formed correctly.
> 
> The mobile unit has two Ethernet interfaces,
> fd23:c85a:663d:1A:215:c5ff:fe05:1145 and
> fd23:c85a:663d:2A:215:c5ff:fe05:1145.  In the traces below the "1A"
> interface forms the original association.  Note
> fd23:c85a:663d:1A:215:c5ff:fe05:1145 also has IPv4 address 10.0.11.100
> whereas fd23:c85a:663d:2A:215:c5ff:fe05:1145 also has IPv4 address
> 10.0.12.100.
> 
> The Secure Gateway tunnel endpoint is fd23:c85a:663d:10::b and an IPv4
> address of 192.168.33.37 (eth0 of the Secure Gateway,
> idkey02.KGcorp.com).  This secure GW also has an interface eth1 with
> IPv4 address 10.0.21.1 (ipv6 fd23:c85a:663d:1b::1) and eth2 with IPv4
> address 10.0.22.1 (ipv6 d23:c85a:663d:2b::1).  The secure gateway
> allows the mobile to reach fd23:c85a:663d:1b::/64.
> 
> When the mobile eth0 is removed and eth1 takes over, it appears IPv4
> addresses are being negotiated for the tunnel endpoints rather than
> IPv6.
> 
> Note, for debug purposes, the rekey lifetimes were set very low.
> ikelifetime=4s
> keylife=3s
> rekeymargin=1s
> 
> Assume all IPv6 prefix is fd23:c85a:663d::/48
> 
> Mobile                           Intermediate Router
> +--------------------------+     +--------------------------+
> | 10.0.11.100         eth0 |_\/__|eth1 10.0.11.1            |
> | xx:1A:215:c5ff:fe05:1145 | /\  | xx:1A::1                 |
> |                          |     |        192.168.33.36 eth0|___
> |                          |     |                 xx:10::1 |   |
> | 10.0.12.100         eth1 |_____|eth2 10.0.12.1            |   |
> | xx:2A:215:c5ff:fe05:1145 |     | xx:2A::1                 |   |
> +--------------------------+     +--------------------------+   |
>                                                                 |
>                                                                 |
> Corporate Network                Secure Gateway                 |
> +--------------------------+     +--------------------------+   |
> |           10.0.21.2 eth1 |_____|eth1 10.0.21.1            |   |
> |                 xx:1B::2 |     | xx:1B::1                 |   |
> |                          |     |        192.168.33.36 eth0|___|
> |                          |     |                 xx:10::2 |
> |           10.0.22.2 eth2 |_   _|eth2 10.0.22.1            |
> |                 xx:2B::2 |     | xx:2B::1                 |
> +--------------------------+     +--------------------------+
> 
> Nov 14 15:39:55 localhost charon: 03[CFG] received stroke: add connection 'mobGW01'
> Nov 14 15:39:55 localhost charon: 03[CFG] left nor right host is our side, assuming left=local
> Nov 14 15:39:55 localhost charon: 03[LIB]   loaded certificate file '/usr/local/etc/ipsec.d/certs/mobGW01Cert.pem'
> Nov 14 15:39:55 localhost charon: 03[CFG] added configuration 'mobGW01': 0.0.0.0[mobGW01.KGcorp.com]...fd23:c85a:663d:10::b[idkey02.KGcorp.com]
> Nov 14 15:39:55 localhost charon: 03[CFG] received stroke: initiate 'mobGW01'
> Nov 14 15:39:55 localhost charon: 03[AUD] initiating IKE_SA mobGW01[1] to fd23:c85a:663d:10::b
> Nov 14 15:39:55 localhost charon: 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Nov 14 15:39:55 localhost charon: 03[NET] sending packet: from fd23:c85a:663d:1a:215:c5ff:fe05:1145[500] to fd23:c85a:663d:10::b[500]
> Nov 14 15:39:55 localhost charon: 12[NET] received packet: from fd23:c85a:663d:10::b[500] to fd23:c85a:663d:1a:215:c5ff:fe05:1145[500]
> Nov 14 15:39:55 localhost charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Nov 14 15:39:55 localhost charon: 12[IKE] received cert request for unknown ca with keyid c6:5e:b5:5e:43:b7:2f:e8:e5:ff:57:da:c3:e6:2d:d9:fa:cb:a3:96
> Nov 14 15:39:55 localhost charon: 12[IKE] received cert request for "C=US, ST=OH, L=Westlake, O=KG Corporation, OU=Certification Center, CN=www.KGcorp.com"
> Nov 14 15:39:55 localhost charon: 12[IKE] sending cert request for "C=US, ST=OH, L=Westlake, O=KG Corporation, OU=Certification Center, CN=www.KGcorp.com"
> Nov 14 15:39:55 localhost charon: 12[IKE] authentication of 'mobGW01.KGcorp.com' (myself) with RSA signature successful
> Nov 14 15:39:55 localhost charon: 12[IKE] sending end entity cert "C=US, ST=OH, L=Westlake, O=KG Corporation, OU=Security Research Group, CN=mobGW01.KGcorp.com"
> Nov 14 15:39:55 localhost charon: 12[AUD] establishing CHILD_SA mobGW01
> Nov 14 15:39:55 localhost charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> Nov 14 15:39:55 localhost charon: 12[NET] sending packet: from fd23:c85a:663d:1a:215:c5ff:fe05:1145[4500] to fd23:c85a:663d:10::b[4500]
> Nov 14 15:39:55 localhost charon: 13[NET] received packet: from fd23:c85a:663d:10::b[4500] to fd23:c85a:663d:1a:215:c5ff:fe05:1145[4500]
> Nov 14 15:39:55 localhost charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
> Nov 14 15:39:55 localhost charon: 13[IKE] received end entity cert "C=US, ST=OH, L=Westlake, O=KG Corporation, OU=Security Research Group, CN=idkey02.KGcorp.com"
> Nov 14 15:39:55 localhost charon: 13[CFG]   using certificate "C=US, ST=OH, L=Westlake, O=KG Corporation, OU=Security Research Group, CN=idkey02.KGcorp.com"
> Nov 14 15:39:55 localhost charon: 13[CFG]   using trusted ca certificate "C=US, ST=OH, L=Westlake, O=KG Corporation, OU=Certification Center, CN=www.KGcorp.com"
> Nov 14 15:39:55 localhost charon: 13[CFG] checking certificate status of "C=US, ST=OH, L=Westlake, O=KG Corporation, OU=Security Research Group, CN=idkey02.KGcorp.com"
> Nov 14 15:39:55 localhost charon: 13[CFG] certificate status is not available
> Nov 14 15:39:55 localhost charon: 13[IKE] authentication of 'idkey02.KGcorp.com' with RSA signature successful
> Nov 14 15:39:55 localhost charon: 13[IKE] scheduling reauthentication in 151s
> Nov 14 15:39:55 localhost charon: 13[IKE] maximum IKE_SA lifetime 211s
> Nov 14 15:39:55 localhost charon: 13[AUD] IKE_SA mobGW01[1] established between fd23:c85a:663d:1a:215:c5ff:fe05:1145[mobGW01.KGcorp.com]...fd23:c85a:663d:10::b[idkey02.KGcorp.com]
> Nov 14 15:39:55 localhost vpn: + idkey02.KGcorp.com fd23:c85a:663d:1b::/64 == fd23:c85a:663d:10::b -- fd23:c85a:663d:1a:215:c5ff:fe05:1145
> Nov 14 15:39:55 localhost charon: 13[AUD] CHILD_SA mobGW01{1} established with SPIs cf0c8217_i cc9e9acf_o and TS fd23:c85a:663d:1a:215:c5ff:fe05:1145/128 === fd23:c85a:663d:1b::/64
> Nov 14 15:39:55 localhost charon: 13[IKE] received AUTH_LIFETIME of 138s, scheduling reauthentication in 78s
> Nov 14 15:39:55 localhost charon: 13[IKE] peer supports MOBIKE
> Nov 14 15:40:31 localhost avahi-daemon[2276]: Withdrawing address record for fd23:c85a:663d:1a:215:c5ff:fe05:1145 on eth0.
> Nov 14 15:40:31 localhost avahi-daemon[2276]: Registering new address record for fe80::215:c5ff:fe05:1145 on eth0.*.
> Nov 14 15:40:31 localhost charon: 05[KNL] fd23:c85a:663d:1a:215:c5ff:fe05:1145 disappeared from eth0
> Nov 14 15:40:31 localhost charon: 16[IKE] requesting address change using MOBIKE
> Nov 14 15:40:31 localhost charon: 16[ENC] generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> Nov 14 15:40:31 localhost charon: 16[IKE] checking path 10.0.11.100[4500] - 10.0.21.1[4500]
> Nov 14 15:40:31 localhost charon: 16[NET] sending packet: from 10.0.11.100[4500] to 10.0.21.1[4500]
> Nov 14 15:40:31 localhost charon: 16[IKE] checking path 10.0.11.100[4500] - 10.0.22.1[4500]
> Nov 14 15:40:31 localhost charon: 16[NET] sending packet: from 10.0.11.100[4500] to 10.0.22.1[4500]
> Nov 14 15:40:31 localhost charon: 16[IKE] checking path 10.0.11.100[4500] - 192.168.33.37[4500]
> Nov 14 15:40:31 localhost charon: 16[NET] sending packet: from 10.0.11.100[4500] to 192.168.33.37[4500]
> Nov 14 15:40:31 localhost charon: 16[IKE] checking path fd23:c85a:663d:2a:2e0:98ff:fea0:b5a9[4500] - fd23:c85a:663d:1b::b[4500]
> Nov 14 15:40:31 localhost charon: 16[NET] sending packet: from fd23:c85a:663d:2a:2e0:98ff:fea0:b5a9[4500] to fd23:c85a:663d:1b::b[4500]
> Nov 14 15:40:31 localhost charon: 16[IKE] checking path fd23:c85a:663d:2a:2e0:98ff:fea0:b5a9[4500] - fd23:c85a:663d:2b::b[4500]
> Nov 14 15:40:31 localhost charon: 16[NET] sending packet: from fd23:c85a:663d:2a:2e0:98ff:fea0:b5a9[4500] to fd23:c85a:663d:2b::b[4500]
> Nov 14 15:40:31 localhost charon: 16[IKE] checking path fd23:c85a:663d:2a:2e0:98ff:fea0:b5a9[4500] - fd23:c85a:663d:10::b[4500]
> Nov 14 15:40:31 localhost charon: 16[NET] sending packet: from fd23:c85a:663d:2a:2e0:98ff:fea0:b5a9[4500] to fd23:c85a:663d:10::b[4500]
> Nov 14 15:40:31 localhost charon: 17[NET] received packet: from 10.0.21.1[4500] to 10.0.11.100[4500]
> Nov 14 15:40:31 localhost charon: 17[ENC] parsed INFORMATIONAL response 2 [ ]
> Nov 14 15:40:31 localhost setroubleshoot: SELinux is preventing ip6tables (iptables_t) "read write" to socket (unconfined_t). For complete SELinux messages. run sealert -l 1ed6a084-66e5-48bd-abda-97f7a403988e
> Nov 14 15:40:31 localhost vpn: - idkey02.KGcorp.com fd23:c85a:663d:1b::/64 == fd23:c85a:663d:10::b -- fd23:c85a:663d:1a:215:c5ff:fe05:1145
> Nov 14 15:40:31 localhost charon: 17[KNL] received netlink error: Invalid argument (22)
> Nov 14 15:40:31 localhost charon: 17[KNL] unable to install source route for 10.0.11.100
> Nov 14 15:40:31 localhost charon: 17[CHD] updown: iptables v1.4.1.1: invalid mask `64' specified
> Nov 14 15:40:31 localhost charon: 17[CHD] updown: Try `iptables -h' or 'iptables --help' for more information.
> Nov 14 15:40:31 localhost NET[19038]: /sbin/dhclient-script : updated /etc/resolv.conf
> Nov 14 15:40:31 localhost charon: 17[CHD] updown: iptables v1.4.1.1: invalid mask `64' specified
> Nov 14 15:40:31 localhost charon: 17[CHD] updown: Try `iptables -h' or 'iptables --help' for more information.
> Nov 14 15:40:31 localhost vpn: + idkey02.KGcorp.com fd23:c85a:663d:1b::/64 == 10.0.21.1 -- 10.0.11.100
> Nov 14 15:40:31 localhost charon: 17[ENC] generating INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]
> Nov 14 15:40:31 localhost charon: 17[NET] sending packet: from 10.0.11.100[4500] to 10.0.21.1[4500]
> Nov 14 15:40:31 localhost avahi-daemon[2276]: Withdrawing address record for 10.0.11.100 on eth0.
> Nov 14 15:40:31 localhost avahi-daemon[2276]: Leaving mDNS multicast group on interface eth0.IPv4 with address 10.0.11.100.
> Nov 14 15:40:31 localhost charon: 05[KNL] 10.0.11.100 disappeared from eth0
> Nov 14 15:40:31 localhost charon: 05[KNL] fe80::215:c5ff:fe05:1145 disappeared from eth0
> Nov 14 15:40:31 localhost avahi-daemon[2276]: Interface eth0.IPv4 no longer relevant for mDNS.
> Nov 14 15:40:31 localhost avahi-daemon[2276]: Withdrawing address record for fe80::215:c5ff:fe05:1145 on eth0.
> Nov 14 15:40:31 localhost charon: 05[KNL] interface eth0 deactivated
> Nov 14 15:40:31 localhost NetworkManager: <info>  (eth0): carrier now OFF (device state 3)
> Nov 14 15:40:31 localhost NetworkManager: <info>  (eth0): device state change: 3 -> 2
> Nov 14 15:40:31 localhost NetworkManager: <info>  (eth0): deactivating device.
> Nov 14 15:40:32 localhost charon: 11[IKE] requesting address change using MOBIKE
> Nov 14 15:40:33 localhost ntpd[2201]: Deleting interface #49 eth0, fe80::215:c5ff:fe05:1145#123, interface stats: received=0, sent=0, dropped=0, active_time=115 secs
> Nov 14 15:40:33 localhost ntpd[2201]: Deleting interface #50 eth0, 10.0.11.100#123, interface stats: received=0, sent=5, dropped=0, active_time=112 secs
> Nov 14 15:40:33 localhost ntpd[2201]: Deleting interface #51 eth0, fd23:c85a:663d:1a:215:c5ff:fe05:1145#123, interface stats: received=0, sent=0, dropped=0, active_time=110 secs
> Nov 14 15:40:35 localhost charon: 08[IKE] retransmit 1 of request with message ID 3
> Nov 14 15:40:35 localhost charon: 08[NET] sending packet: from 10.0.11.100[4500] to 10.0.21.1[4500]
> Nov 14 15:40:35 localhost charon: 06[NET] error writing to socket: Invalid argument
> Nov 14 15:40:43 localhost charon: 03[IKE] retransmit 2 of request with message ID 3
> Nov 14 15:40:43 localhost charon: 03[NET] sending packet: from 10.0.11.100[4500] to 10.0.21.1[4500]
> Nov 14 15:40:43 localhost charon: 06[NET] error writing to socket: Invalid argument
> Nov 14 15:40:56 localhost charon: 12[IKE] retransmit 3 of request with message ID 3
> Nov 14 15:40:56 localhost charon: 12[NET] sending packet: from 10.0.11.100[4500] to 10.0.21.1[4500]
> Nov 14 15:40:56 localhost charon: 06[NET] error writing to socket: Invalid argument
> Nov 14 15:41:19 localhost charon: 14[IKE] retransmit 4 of request with message ID 3
> Nov 14 15:41:19 localhost charon: 14[NET] sending packet: from 10.0.11.100[4500] to 10.0.21.1[4500]
> Nov 14 15:41:19 localhost charon: 06[NET] error writing to socket: Invalid argument
> Nov 14 15:41:33 localhost charon: 04[KNL] creating rekey job for ESP CHILD_SA with SPI cf0c8217 and reqid {1}
> Nov 14 15:42:01 localhost charon: 16[IKE] retransmit 5 of request with message ID 3
> Nov 14 15:42:01 localhost charon: 16[NET] sending packet: from 10.0.11.100[4500] to 10.0.21.1[4500]
> 
> 
> Cheers,
> 
> /will ivancic
> 
> 
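The failure pattern in the quoted report (an IPv6 IKE_SA moved onto an IPv4 path that lives on the interface being torn down, followed by retransmits that never leave the socket) can be picked out of charon's log mechanically. This is an added example, not strongSwan code: it walks a constructed subset of the log lines above and flags the address-family switch and the doomed update source.

```python
import ipaddress
import re

# Constructed subset of the charon log quoted above (same addresses, fewer lines).
SAMPLE_LOG = """\
Nov 14 15:39:55 localhost charon: 13[AUD] IKE_SA mobGW01[1] established between fd23:c85a:663d:1a:215:c5ff:fe05:1145[mobGW01.KGcorp.com]...fd23:c85a:663d:10::b[idkey02.KGcorp.com]
Nov 14 15:40:31 localhost charon: 05[KNL] fd23:c85a:663d:1a:215:c5ff:fe05:1145 disappeared from eth0
Nov 14 15:40:31 localhost charon: 16[IKE] checking path 10.0.11.100[4500] - 10.0.21.1[4500]
Nov 14 15:40:31 localhost charon: 16[IKE] checking path fd23:c85a:663d:2a:2e0:98ff:fea0:b5a9[4500] - fd23:c85a:663d:10::b[4500]
Nov 14 15:40:31 localhost charon: 17[ENC] generating INFORMATIONAL request 3 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) N(COOKIE2) ]
Nov 14 15:40:31 localhost charon: 17[NET] sending packet: from 10.0.11.100[4500] to 10.0.21.1[4500]
Nov 14 15:40:31 localhost charon: 05[KNL] 10.0.11.100 disappeared from eth0
Nov 14 15:40:35 localhost charon: 08[IKE] retransmit 1 of request with message ID 3
Nov 14 15:40:43 localhost charon: 03[IKE] retransmit 2 of request with message ID 3
"""

ESTAB = re.compile(r"IKE_SA \S+ established between ([^\s\[]+)\[.*?\]\.\.\.([^\s\[]+)\[")
GONE = re.compile(r"\[KNL\] (\S+) disappeared from (\S+)")
UPDATE = re.compile(r"generating INFORMATIONAL request (\d+) \[.*N\(UPD_SA_ADDR\)")
SEND = re.compile(r"\[NET\] sending packet: from ([^\s\[]+)\[\d+\] to ([^\s\[]+)\[\d+\]")
RETRANS = re.compile(r"retransmit \d+ of request with message ID (\d+)")


def analyze(log: str) -> dict:
    """Walk the log once and report how the MOBIKE address update went."""
    ip = ipaddress.ip_address
    sa = None            # (local, remote) endpoints of the IKE_SA as established
    gone = {}            # address -> interface the kernel removed it from
    update_id = None     # message ID of the request carrying N(UPD_SA_ADDR)
    path = None          # (src, dst) that request was actually sent over
    retransmits, findings = 0, []
    for line in log.splitlines():
        if m := ESTAB.search(line):
            sa = (ip(m.group(1)), ip(m.group(2)))
        elif m := GONE.search(line):
            addr, iface = ip(m.group(1)), m.group(2)
            gone[addr] = iface
            if path and path[0] == addr:   # the new source sat on the dying interface
                findings.append(f"update source {addr} removed from {iface} after the update was sent")
        elif m := UPDATE.search(line):
            update_id = m.group(1)
        elif update_id and path is None and (m := SEND.search(line)):
            path = (ip(m.group(1)), ip(m.group(2)))
            if sa and path[0].version != sa[0].version:
                findings.append(f"address family switched: IKE_SA was IPv{sa[0].version}, update sent over IPv{path[0].version}")
        elif (m := RETRANS.search(line)) and m.group(1) == update_id:
            retransmits += 1
    return {"sa": tuple(map(str, sa)) if sa else None,
            "update_path": tuple(map(str, path)) if path else None,
            "retransmits": retransmits, "findings": findings}
```

Run `analyze(SAMPLE_LOG)` to see both findings; on a full log the retransmit count tells you how long the dead path was retried before the next "requesting address change" fired.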



_______________________________________________
Ikev2-devel mailing list
Ikev2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ikev2-devel