[Swan-dev] MacOS both received and not received IKE_AUTH fragments?
Paul Wouters
paul at nohats.ca
Mon May 28 16:05:11 UTC 2018
I see the following issue on a MacOS machine (in the middle east):
May 28 00:45:37.326144: | *received 424 bytes from 193.235.62.155:26472 on eth0 (port=500)
May 28 00:45:37.334543: | sending 445 bytes for STATE_IKEv2_BASE through eth0:500 to 193.235.62.155:26472 (using #7)
The first IKE_INIT exchange. Then since the Mac switches to use port
4500 due to NAT it will get assigned a different port on the NAT gateway
from here on:
May 28 00:45:37.554175: | *received 544 bytes from 193.235.62.153:26440 on eth0 (port=4500)
May 28 00:45:37.554964: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
May 28 00:45:37.554978: | ***parse IKEv2 Encrypted Fragment:
May 28 00:45:37.555217: | *received 544 bytes from 193.235.62.153:26440 on eth0 (port=4500)
May 28 00:45:37.556066: | *received 544 bytes from 193.235.62.153:26440 on eth0 (port=4500)
May 28 00:45:37.556976: | *received 384 bytes from 193.235.62.153:26440 on eth0 (port=4500)
We received all fragments.
May 28 00:45:37.573734: "ikev2"[4] 193.235.62.155 #7: Authenticated using RSA
We decrypted and authenticated.
May 28 00:45:37.823568: "ikev2"[4] 193.235.62.155 #8: STATE_V2_IPSEC_R: IPsec
SA established tunnel mode {ESP/NAT=>0x0fb4359e <0x3e838ca8
xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=193.235.62.155:26440 DPD=passive}
We installed an IPsec SA in the kernel.
May 28 00:45:37.823581: | sending V2 reply packet to 193.235.62.153:26440 (from port 4500)
May 28 00:45:37.823591: | sending fragments ...
May 28 00:45:37.823611: | sending 1204 bytes for STATE_PARENT_R1 through eth0:4500 to 193.235.62.153:26440 (using #7)
May 28 00:45:37.824436: | sending 1204 bytes for STATE_PARENT_R1 through eth0:4500 to 193.235.62.153:26440 (using #7)
May 28 00:45:37.825201: | sending 1204 bytes for STATE_PARENT_R1 through eth0:4500 to 193.235.62.153:26440 (using #7)
May 28 00:45:37.826001: | sending 1204 bytes for STATE_PARENT_R1 through eth0:4500 to 193.235.62.153:26440 (using #7)
May 28 00:45:37.826866: | sending 580 bytes for STATE_PARENT_R1 through eth0:4500 to 193.235.62.153:26440 (using #7)
May 28 00:45:37.827307: | sent 5 fragments
We sent all fragments, but.......
May 28 00:45:38.067663: | rejected packet:
May 28 00:45:38.067720: | 0f b4 35 9e 00 00 00 01 7f bb e0 09 3e 5d 5f 46
May 28 00:45:38.067732: | 8a 87 0e 21 b5 e6 15 33 11 a9 97 8f 14 e4 1f 6e
May 28 00:45:38.067742: | d4 eb 03 bf 3f 50 21 45 26 f5 39 00 ee 1d 1e 4c
May 28 00:45:38.067751: | 9f f1 2f 61 1b b2 a6 4b 48 ce 48 e4 c0 be 84 00
May 28 00:45:38.067761: | 74 6a e3 26 23 3e 5d e8 95 65 fa 61 43 ad 7d b8
May 28 00:45:38.067772: | 10 8c 1c 2c
May 28 00:45:38.067781: | control:
May 28 00:45:38.067790: | 1c 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00
May 28 00:45:38.067799: | 00 00 00 00 00 00 00 00 5b ef 7c 8e 6f 7f 00 00
May 28 00:45:38.067808: | 30 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00
May 28 00:45:38.067817: | 6f 00 00 00 02 03 03 00 00 00 00 00 00 00 00 00
May 28 00:45:38.067828: | 02 00 00 00 c1 eb 3e 9b 00 00 00 00 00 00 00 00
May 28 00:45:38.067837: | name:
May 28 00:45:38.067847: | 02 00 67 48 c1 eb 3e 9b 00 00 00 00 00 00 00 00
May 28 00:45:38.067868: | ERROR: asynchronous network error report on eth0
(sport=4500) for message to 193.235.62.155 port 26440, complainant
193.235.62.155: Connection refused [errno 111, origin ICMP type 3 code 3 (not
authenticated)]
May 28 00:45:38.203713: | rejected packet:
[ does this for all fragments ]
It seems to no longer be listening on the IKE port it used. Or the NAT
gateway lost/forgot/dropped the NAT mapping. The reason this is odd, is
that next we see:
May 28 00:45:57.636568: | *received 76 bytes from 193.235.62.153:26440 on eth0
(port=4500)
May 28 00:45:57.636629: | d2 70 5b 92 b2 14 63 a4 4f af 0f 60 82 e4 af b8
May 28 00:45:57.636641: | 2e 20 25 08 00 00 00 02 00 00 00 4c 2a 00 00 30
May 28 00:45:57.636670: | 42 3f 6e b9 a6 c7 16 2b f9 5b 27 ff fe 53 42 e7
May 28 00:45:57.636681: | aa b3 f3 8e 21 02 71 9a a3 65 0e 93 58 0a f2 b5
May 28 00:45:57.636691: | df af f7 1a 7b 7f 29 5d 4f 97 8b c5
Which is another IKE packet from that same point they just before claimed to
not listen on!
May 28 00:45:57.636704: | processing: start from 193.235.62.153:26440 (in process_md() at demux.c:391)
May 28 00:45:57.636717: | **parse ISAKMP Message:
May 28 00:45:57.636728: | initiator cookie:
May 28 00:45:57.636737: | d2 70 5b 92 b2 14 63 a4
May 28 00:45:57.636747: | responder cookie:
May 28 00:45:57.636756: | 4f af 0f 60 82 e4 af b8
May 28 00:45:57.636766: | next payload type: ISAKMP_NEXT_v2SK (0x2e)
May 28 00:45:57.636778: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
May 28 00:45:57.636788: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
And it is an informational exchange, which they could only sent if they
had actually received our fragments, which they claimed not to have
received!
May 28 00:45:57.636988: | Unpacking clear payload for svm: R2: process INFORMATIONAL Request
May 28 00:45:57.636999: | Now let's proceed with payload (ISAKMP_NEXT_v2SK)
May 28 00:45:57.637010: | ***parse IKEv2 Encryption Payload:
May 28 00:45:57.637020: | next payload type: ISAKMP_NEXT_v2D (0x2a)
And it is a Delete notification, so for whatever reason they didn't like
our AUTH response (but received it?) and deleted the IKE SA?
Pretty weird behaviour.......
Paul
More information about the Swan-dev
mailing list