[Swan] IKEv1 XAUTH with Mac OS (pluto crash)

Sven Schiwek ml-libreswan at svenux.de
Wed Sep 23 20:01:24 UTC 2015


Hi,

I’m in the process of setting up a Libreswan 3.15 (netkey on 4.1.0-2-amd64) VPN server for Mac OS 10.11 clients using PSK and IKEv1 XAUTH with Group Names.
I ran into some strange problems. I hope someone can help me understand this:

My connection configuration is:

config setup
        protostack=netkey
        oe=off
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,!192.168.10.0/24
        nat_traversal=yes
        nhelpers=0
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        dumpdir=/tmp/

conn %default
        type=tunnel
        left=192.168.10.11
        authby=secret
        compress=no
        ikelifetime=86400s
        rekeymargin=863s
        keylife=86400s
        keyingtries=%forever
        pfs=no
        dpddelay=60
        dpdtimeout=180

conn xauth-aggr
        rightaddresspool=192.168.12.135-192.168.12.240
        right=%any
        forceencaps=no
        modecfgpull=yes
        modecfgdns1=192.168.12.4
        modecfgdomain=test.svenux.de
        modecfgbanner=Test
        leftsubnet=0.0.0.0/0
        leftid=@Group1
        leftxauthserver=yes
        leftmodecfgserver=yes
        xauthby=file
        ike-frag=yes
        aggrmode=no
        auto=add
        rekey=no
        dpdaction=clear

This connection is working fine, as long as I don’t set a “Group Name” in the Mac OS VPN configuration.
As soon as I set the “Group Name” in Mac OS I also have to set aggrmode=yes because of:

"initial Aggressive Mode message from 192.168.10.129 but no (wildcard) connection has been configured with policy PSK+XAUTH+AGGRESSIVE+IKEV1_ALLOW"

After a connection reload, Libreswan crashes as soon as I initiate a VPN connection from Mac OS:

Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: received Vendor ID payload [FRAGMENTATION 80000000]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: received Vendor ID payload [RFC 3947]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: received Vendor ID payload [XAUTH]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: received Vendor ID payload [Cisco-Unity]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: received Vendor ID payload [Dead Peer Detection]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[1] 192.168.10.129 #1: Aggressive mode peer ID is ID_KEY_ID: '@#0x7376656e7578'
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[1] 192.168.10.129 #1: switched from "xauth-aggr"[1] 192.168.10.129 to "xauth-aggr"
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: deleting connection "xauth-aggr" instance with peer 192.168.10.129 {isakmp=#0/ipsec=#0}
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: responding to Aggressive Mode, state #1, connection "xauth-aggr" from 192.168.10.129
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: STATE_AGGR_R1: sent AR1, expecting AI2
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from <invalid>:50695: ASSERTION FAILED at /home/sysop/libreswan-3.15/programs/pluto/ikev1_aggr.c:207: dh->pcrc_md != NULL
Sep 23 13:44:15 pm-kvm01 systemd[1]: ipsec.service: Main process exited, code=killed, status=6/ABRT

Is there anything I forgot to set up or is there something wrong with my ipsec configuration?

Any help is greatly appreciated.
Regards

Sven
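Added example, not part of the post above: a small Python triage script run over a subset of the quoted pluto/systemd lines (embedded as constructed sample input). It decodes the hex ID_KEY_ID that pluto prints for the aggressive-mode peer ID, which is where the Mac OS "Group Name" arrives, and flags the assertion failure and the resulting daemon abort so an operator can see both the client identity and the crash in one place. The function and field names are this example's own.

```python
import re

# Constructed sample: a subset of the pluto/systemd log lines quoted in the post.
SAMPLE_LOG = """\
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[1] 192.168.10.129 #1: Aggressive mode peer ID is ID_KEY_ID: '@#0x7376656e7578'
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: STATE_AGGR_R1: sent AR1, expecting AI2
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from <invalid>:50695: ASSERTION FAILED at /home/sysop/libreswan-3.15/programs/pluto/ikev1_aggr.c:207: dh->pcrc_md != NULL
Sep 23 13:44:15 pm-kvm01 systemd[1]: ipsec.service: Main process exited, code=killed, status=6/ABRT
"""

# pluto prints an opaque ID_KEY_ID as '@#0x<hex>'; the Mac client puts its Group Name there.
PEER_ID_RE = re.compile(r"Aggressive mode peer ID is ID_KEY_ID: '@#0x([0-9a-fA-F]+)'")
# "ASSERTION FAILED at <file>:<line>: <expression>"
ASSERT_RE = re.compile(r"ASSERTION FAILED at (\S+?):(\d+): (.+)$")


def decode_key_id(hex_id):
    """Turn the hex ID_KEY_ID into text; return None if it is not printable ASCII."""
    raw = bytes.fromhex(hex_id)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def triage(log_text):
    """Scan pluto/systemd lines and return the findings an operator cares about."""
    findings = {"aggr_psk_warning": False, "peer_group": None,
                "assertion": None, "daemon_aborted": False}
    for line in log_text.splitlines():
        if "IKEv1 Aggressive Mode with PSK is vulnerable" in line:
            findings["aggr_psk_warning"] = True      # server accepted aggressive mode + PSK
        m = PEER_ID_RE.search(line)
        if m:
            findings["peer_group"] = decode_key_id(m.group(1))
        m = ASSERT_RE.search(line)
        if m:
            findings["assertion"] = {"file": m.group(1), "line": int(m.group(2)),
                                     "expr": m.group(3)}
        if "Main process exited" in line and "ABRT" in line:
            findings["daemon_aborted"] = True       # pluto died, VPN service is down
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above the decoded peer group is "svenux", which is the identity the Mac actually presented and therefore the value to check against the connection's configured ID.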
