[Swan-dev] IPSec restarts intermittently and crashes sometimes, PAYLOAD_MALFORMED issue observed: resend without logs
Rajeev Gaur
rajeev.gaur at niyuj.com
Fri Jan 22 05:29:45 UTC 2016
Hello
[As advised by Paul removed log attachments]
I have received a problem scenario from my company regarding IPSec VPN.
Important Points:
1) The problem involves Openswan 2.6.31 or Libreswan 3.12.
2) Problem is intermittent, does not have a specific interval for occurrence.
3) This is a hub and spoke problem. Having hub and 3 spokes.
4) NAT is not involved. All the connections are through public IPs.
5) All connections involve PRESHARED KEYS ONLY.
6) All of this is phase 1 - packet 5 or 6.
Problem:
Intermittently, two out of the three spokes just restart the ipsec
daemon.
X [I am sending the specific logs, if you want any other information please
do revert]
A PAYLOAD_MALFORMED message is received quite often.
This has already taken approximately 2 months. Now, it is troubling.
X [I am attaching the [ipsec whack --debug-all] logs.
There are two logs, one for each end. But the ipsec whack logs are quite big, so
I am sending information for the specific session ID #180934 which shows
PAYLOAD_MALFORMED.]
If you can suggest something here it will be great.
Please see the config below:
config setup
        protostack = netkey
        klipsdebug = none
        plutodebug = none
        uniqueids = yes
        hidetos = no

conn XXX
        type = tunnel
        left = X-X-X-X-X
        right = Y-Y-Y-Y-Y
        leftnexthop = Z-Z-Z-Z-Z
        leftsubnet = 10.50.3.0/24
        rightsubnet = 10.50.1.0/24
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        esp = AES128-SHA1
        pfs = yes
        rekey = yes
        leftid = X-X-X-X-X
        rightid = Y-Y-Y-Y-Y
        ike = 3DES-SHA-MODP1024
        ikelifetime = 28800s
        keylife = 14400s
        rekeymargin = 10m
        rekeyfuzz = 20%
        X-early = yes
        dpddelay = 10
        dpdtimeout = 120
        dpdaction = restart
        X-custadmin = off
config setup
        protostack = netkey
        klipsdebug = none
        plutodebug = none
        uniqueids = yes
        hidetos = no

conn YYY
        type = tunnel
        left = Y-Y-Y-Y-Y
        right = %any
        leftnexthop = Z-Z-Z-Z-Z
        leftsubnet = 10.50.1.0/24
        rightsubnet = 10.50.3.0/24
        auto = add
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        esp = AES128-SHA1
        pfs = yes
        rekey = yes
        leftid = 174.47.49.246
        rightid = %any
        ike = 3DES-SHA-MODP1024
        ikelifetime = 28800s
        keylife = 14400s
        rekeymargin = 10m
        rekeyfuzz = 20%
        X-early =
        dpddelay = 10
        dpdtimeout = 120
        dpdaction = restart
        X-custadmin = off
==========================================
So, when I was not able to identify the problem, generically, I started
looking into the code.
I found out the following:
1) plutomain.c (main())
   main() -> call_server()
2) server.c
   call_server() -> comm_handle()
3) demux.c
   comm_handle() -> read_packet() -> process_packet()
   process_packet():
       case ISAKMP_MAJOR_VERSION
           process_v1_packet()
4) ikev1.c
   process_v1_packet() -> process_packet_tail()
   process_packet_tail() -> in_struct() -> [%s of %s has an unknown value = next payload type of ISAKMP Hash Payload has an unknown value: 201]
   process_packet_tail() -> [malformed payload in packet]
       SEND_NOTIFICATION(PAYLOAD_MALFORMED)
5) ikev1_main.c
   send_notification -> [payload malformed after IV]
================================
Our problem is at point 4).
Yesterday, I went to https://libreswan.org/ and saw the following text
mentioned in red:
August 24th, 2015: CVE-2015-3240: Receiving a bad DH gx causes IKE daemon
restart
Libreswan up to 3.14 is vulnerable to unauthenticated packets with a
malicious DH gx payload causing the daemon to hit a passert() and restart.
See our CVE-2015-3240 page for details. No remote code execution is
possible. Please upgrade libreswan to version 3.15 or later.
Also looked into:
https://libreswan.org/security/CVE-2015-3240/CVE-2015-3240.txt
So, do you feel that in this case the problem is also the above vulnerability (the
bad DH issue)?
In case you want any other information, please do revert.
Thanks
Rajeev
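As an added illustration, not code from this post, libreswan or openswan, the following Python walks an ISAKMP payload chain the way the call chain in point 4) describes: every next-payload byte is checked against the IKEv1 payload types (RFC 2408, plus NAT-D/NAT-OA from RFC 3947, an assumption about which types to treat as known) and the walk stops with a message shaped like the quoted libreswan log line. The sample packet is constructed here, with the HASH payload's next-payload byte set to 201 so it reproduces the condition from the log.

```python
import struct

# IKEv1 payload types (RFC 2408, plus NAT-D/NAT-OA from RFC 3947); any other value is "unknown".
PAYLOAD_NAMES = {
    1: "Security Association", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
    5: "Identification", 6: "Certificate", 7: "Certificate Request", 8: "Hash", 9: "Signature",
    10: "Nonce", 11: "Notification", 12: "Delete", 13: "Vendor ID", 20: "NAT-D", 21: "NAT-OA",
}
HEADER_LEN = 28       # fixed ISAKMP header size
GENERIC_HDR_LEN = 4   # next payload (1) + reserved (1) + payload length (2)


def walk_payloads(packet):
    """Walk the payload chain of a (decrypted) ISAKMP message.
    Returns (payloads, error): `payloads` lists the (type, name, length) tuples accepted so
    far; `error` is None or a message modelled on the libreswan log line, i.e. the condition
    under which pluto answers with a PAYLOAD_MALFORMED notification."""
    if len(packet) < HEADER_LEN:
        return [], "packet shorter than ISAKMP header"
    # after the two 8-byte cookies: next payload, version, exchange type, flags, message id, length
    next_type, _ver, _exch, _flags, _msgid, total = struct.unpack("!BBBBII", packet[16:28])
    if total != len(packet):
        return [], "header length %d does not match packet length %d" % (total, len(packet))
    payloads, off, prev = [], HEADER_LEN, "ISAKMP Message"
    while next_type != 0:
        if next_type not in PAYLOAD_NAMES:
            return payloads, "next payload type of %s has an unknown value: %d" % (prev, next_type)
        if off + GENERIC_HDR_LEN > len(packet):
            return payloads, "truncated payload header at offset %d" % off
        cur = next_type
        next_type, _res, plen = struct.unpack("!BBH", packet[off:off + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or off + plen > len(packet):
            return payloads, "bad length %d for ISAKMP %s Payload at offset %d" % (plen, PAYLOAD_NAMES[cur], off)
        prev = "ISAKMP %s Payload" % PAYLOAD_NAMES[cur]
        payloads.append((cur, prev, plen))
        off += plen
    if off != len(packet):
        return payloads, "%d trailing bytes after last payload" % (len(packet) - off)
    return payloads, None


def build_sample(hash_next=201):
    """Constructed main-mode packet 5/6 body (ID + HASH) as it looks after decryption; the
    HASH payload's next-payload byte is `hash_next` (201 reproduces the log line, 0 is well-formed)."""
    ident = struct.pack("!BBH", 8, 0, 12) + bytes([1, 0, 0, 0]) + bytes([10, 50, 3, 1])  # ID_IPV4_ADDR, next = HASH
    hsh = struct.pack("!BBH", hash_next, 0, 24) + b"\x00" * 20   # 20-byte SHA-1 hash, next = hash_next
    body = ident + hsh
    # header: constructed cookies, next payload = ID (5), version 1.0, exchange 2 (main mode), E flag
    hdr = b"\x11" * 8 + b"\x22" * 8 + struct.pack("!BBBBII", 5, 0x10, 2, 1, 0, HEADER_LEN + len(body))
    return hdr + body
```

`walk_payloads(build_sample())` returns the ID and HASH payloads plus the unknown-value message for 201, while `build_sample(0)` walks cleanly; the same walker applied to captured, decrypted packets shows which payload's next-payload byte triggered the notification.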