[Swan-dev] ikev2: in IKE_AUTH responder, when CHILD SA fails don't delete IKE SA
Andrew Cagney
andrew.cagney at gmail.com
Sat May 29 01:53:59 UTC 2021
Heads up. If the IKE_AUTH rejects the child SA, but accepts authentication, it sends back auth + child failure notification - per the RFC.

Unfortunately this is causing the testsuite to take a hit; sigh.

For instance:

1v2 "westnet-eastnet-mismatch" #1: sent IKE_SA_INIT request
002 "westnet-eastnet-mismatch" #1: WARNING: '@west' PSK length of 6 bytes is too short for PRF HMAC_SHA2_512 in FIPS mode (32 bytes required)
1v2 "westnet-eastnet-mismatch" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
+002 "westnet-eastnet-mismatch" #1: WARNING: '@west' PSK length of 6 bytes is too short for PRF HMAC_SHA2_512 in FIPS mode (32 bytes required)
+003 "westnet-eastnet-mismatch" #1: authenticated using authby=secret and peer ID_FQDN '@east'

I guess some auth files need updating.

-003 "westnet-eastnet-mismatch" #2: IKE_AUTH response contained the error notification TS_UNACCEPTABLE
+003 "westnet-eastnet-mismatch" #2: IKE_AUTH response missing v2SA, v2TSi or v2TSr: not attempting to setup CHILD SA

The new log line is technically correct; but not very useful.

+002 "westnet-eastnet-mismatch" #1: sending IKE SA delete

This is allowed by the RFC. However, nice-to-haves are to try the next pending child, or keep the SA open if configured.

+002 "westnet-eastnet-mismatch" #1: deleting other state #2 (STATE_V2_IKE_AUTH_CHILD_I0) and NOT sending notification
+002 "westnet-eastnet-mismatch" #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification

Hmm, did a double delete get sent?

-000 "westnet-eastnet-mismatch" #1: scheduling retry attempt 1 of an unlimited number, but releasing whack
+002 "westnet-eastnet-mismatch" #1: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS

The revive code's log line needs updating (this was hidden by releasing whack) to match what is really going on.
On Fri, 28 May 2021 at 15:54, Andrew Cagney <cagney at vault.libreswan.fi>
wrote:
> New commits:
> commit 77c852df3648a0d238d8fcde61d308c06746db82
> Author: Andrew Cagney <cagney at gnu.org>
> Date: Fri May 28 15:36:01 2021 -0400
>
> ikev2: in IKE_AUTH responder, when CHILD SA fails don't delete IKE SA
>
> Instead just bundle in a notify.
>
> At least that is the theory. There are still a few code paths,
> such as when add_xfrmi() fail, that return STF_FATAL dropping
> everything on the floor.
>
>
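The IKE_AUTH behaviour the post describes, as an added example that is not libreswan code: a small Python model of RFC 7296 section 2.21.2, with the responder building an IKE_AUTH response that authenticates the peer but carries a TS_UNACCEPTABLE notify instead of SA/TSi/TSr, and the initiator working out from that response that the IKE SA is established while the Child SA is not. The payload and notify type numbers are the RFC's; the function names, the Outcome fields, the '@east' identity, the constructed exchange and the disposition policy are this example's own assumptions.

```python
"""Added example (not libreswan code): model of RFC 7296 section 2.21.2
handling when the IKE_AUTH responder accepts authentication but rejects
the Child SA. Payload/notify numbers are RFC values; all names are assumed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class PayloadType(IntEnum):   # RFC 7296 section 3.2 payload type values
    SA = 33
    IDr = 36
    AUTH = 39
    N = 41
    TSi = 44
    TSr = 45


class NotifyType(IntEnum):    # RFC 7296 section 3.10.1 error notify types
    NO_PROPOSAL_CHOSEN = 14
    AUTHENTICATION_FAILED = 24
    SINGLE_PAIR_REQUIRED = 34
    INTERNAL_ADDRESS_FAILURE = 36
    FAILED_CP_REQUIRED = 37
    TS_UNACCEPTABLE = 38


# Section 2.21.2: these errors reject only the Child SA; the IKE SA is still created.
CHILD_ONLY_ERRORS = frozenset({
    NotifyType.NO_PROPOSAL_CHOSEN, NotifyType.TS_UNACCEPTABLE,
    NotifyType.SINGLE_PAIR_REQUIRED, NotifyType.INTERNAL_ADDRESS_FAILURE,
    NotifyType.FAILED_CP_REQUIRED,
})
# Payloads that together carry the Child SA in an IKE_AUTH response.
CHILD_PAYLOADS = frozenset({PayloadType.SA, PayloadType.TSi, PayloadType.TSr})


@dataclass(frozen=True)
class Payload:
    ptype: PayloadType
    data: object = None       # a NotifyType for N payloads; opaque otherwise


def responder_ike_auth(peer_authenticated: bool,
                       child_error: Optional[NotifyType]) -> List[Payload]:
    """Responder: payloads carried inside the IKE_AUTH response's SK payload."""
    if not peer_authenticated:
        # Authentication failed: no IKE SA, so no IDr/AUTH, just the error.
        return [Payload(PayloadType.N, NotifyType.AUTHENTICATION_FAILED)]
    reply = [Payload(PayloadType.IDr, "@east"), Payload(PayloadType.AUTH, b"<auth>")]
    if child_error is None:
        reply += [Payload(PayloadType.SA), Payload(PayloadType.TSi), Payload(PayloadType.TSr)]
    else:
        # Child SA rejected: still send AUTH, bundle the error notify, omit SA/TSi/TSr.
        reply.append(Payload(PayloadType.N, child_error))
    return reply


@dataclass
class Outcome:
    ike_sa_established: bool
    child_sa_established: bool
    error: Optional[NotifyType]
    reason: str


def initiator_process_ike_auth_response(payloads: List[Payload]) -> Outcome:
    """Initiator: decide what the response means for the IKE SA and the Child SA."""
    types = {p.ptype for p in payloads}
    errors = [p.data for p in payloads
              if p.ptype == PayloadType.N and isinstance(p.data, NotifyType)]
    if PayloadType.AUTH not in types:
        # Without AUTH the peer never authenticated us: the IKE SA itself failed.
        return Outcome(False, False, errors[0] if errors else None,
                       "no AUTH payload: IKE SA not established")
    child_err = next((e for e in errors if e in CHILD_ONLY_ERRORS), None)
    if child_err is not None:
        # AUTH present: the IKE SA is up even though the Child SA was refused.
        return Outcome(True, False, child_err,
                       f"Child SA rejected with {child_err.name}; IKE SA established")
    if not CHILD_PAYLOADS <= types:
        missing = ", ".join(t.name for t in sorted(CHILD_PAYLOADS - types))
        return Outcome(True, False, None,
                       f"response lacks {missing}: not attempting to set up Child SA")
    return Outcome(True, True, None, "IKE SA and Child SA established")


def ike_sa_disposition(outcome: Outcome, pending_children: int,
                       keep_ike_sa_up: bool) -> str:
    """Initiator policy after a Child SA failure: what to do with the IKE SA."""
    if not outcome.ike_sa_established:
        return "nothing to delete; retry from IKE_SA_INIT"
    if outcome.child_sa_established:
        return "nothing to do"
    if pending_children > 0:
        return "keep IKE SA; negotiate the next pending Child SA with CREATE_CHILD_SA"
    if keep_ike_sa_up:
        return "keep IKE SA idle (configured to remain up)"
    return "send IKE SA delete (RFC permits it, but throws away an authenticated IKE SA)"
```

Feeding `responder_ike_auth(True, NotifyType.TS_UNACCEPTABLE)` into `initiator_process_ike_auth_response` gives an Outcome with the IKE SA up and the Child SA down, which is the situation the log excerpt above shows; `ike_sa_disposition` is where the two "nice to haves" (try the next pending child, keep the SA up when configured) sit, with the IKE SA delete as the fallback.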