[prev in list] [next in list] [prev in thread] [next in thread]
List: openbsd-bugs
Subject: Re: iked wrongly processes traffic selectors
From: "Nils Blomqvist" <dassies () eml ! cc>
Date: 2020-07-20 14:19:55
Message-ID: 21B7C577-39EC-48A5-89A5-EBF48C910C94 () eml ! cc
[Download RAW message or body]
On 20 Jul 2020, at 15:15, Stuart Henderson wrote:
> Moving to bugs@:
>
> In gmane.os.openbsd.misc, Anton Kasmov wrote:
>> I am using OpenBSD 6.7
>> iked does not respect mixing ports in the source and the destination
>> of
>> traffic selectors.
>>
>> Such policy in iked.conf
>> ikev2 "epsilon" active \
>> proto tcp \
>> from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 \
>> from aaaa:aaaa:aaaa::30 port postgresql to
>> cccc:cccc:cccc::/48 \
>> from aaaa:aaaa:aaaa::30 port postgresql to
>> bbbb:bbbb:bbbb::/48 \
>> peer d.d.d
>>
>> Produces wrong flows (specifying only destination port from first
>> selector):
>>
>> flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to
>> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type
>> require
>> flow esp in proto tcp from bbbb:bbbb:bbbb::/48 *port 8000* to
>> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type
>> require
>> flow esp in proto tcp from bbbb:bbbb:bbbb::2 *port 8000* to
>> aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type
>> require
>> flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48
>> port
>> 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
>> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48
>> *port
>> 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
>> flow esp out proto tcp from 2a04:5200:fff5::30 to
>> fdd3:d128:dc2d:10::2 *port
>> 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
>
> Actually whatever is used as "port" on the first selector is used for
> all
> other selectors; if there is no port on the first selector, no port is
> used
> for any others.
>
> I had a look but I think it's beyond my yacc skills.
I reported the same bug in the beginning of 2019. Thread at
https://marc.info/?t=155091934700001&r=1&w=2. I stopped using a VPN
solution,
but if I had to set up one today I would probably have a look at
Wireguard.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic