[Swan] IKEv1 XAUTH with Mac OS (pluto crash)
Sven Schiwek
ml-libreswan at svenux.de
Wed Sep 23 20:01:24 UTC 2015
Hi,
I’m in the process of setting up a Libreswan 3.15 (netkey on 4.1.0-2-amd64) VPN server for Mac OS 10.11 clients using PSK and IKEv1 XAUTH with Group Names.
I ran into some strange problems. I hope someone can help me to understand this:
My connection configuration is:
config setup
    protostack=netkey
    oe=off
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,!192.168.10.0/24
    nat_traversal=yes
    nhelpers=0
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
    dumpdir=/tmp/

conn %default
    type=tunnel
    left=192.168.10.11
    authby=secret
    compress=no
    ikelifetime=86400s
    rekeymargin=863s
    keylife=86400s
    keyingtries=%forever
    pfs=no
    dpddelay=60
    dpdtimeout=180

conn xauth-aggr
    rightaddresspool=192.168.12.135-192.168.12.240
    right=%any
    forceencaps=no
    modecfgpull=yes
    modecfgdns1=192.168.12.4
    modecfgdomain=test.svenux.de
    modecfgbanner=Test
    leftsubnet=0.0.0.0/0
    leftid=@Group1
    leftxauthserver=yes
    leftmodecfgserver=yes
    xauthby=file
    ike-frag=yes
    aggrmode=no
    auto=add
    rekey=no
    dpdaction=clear
This connection is working fine, as long as I don't set a "Group Name" in the Mac OS VPN configuration.
As soon as I set the "Group Name" in Mac OS I also have to set aggrmode=yes because of:
"initial Aggressive Mode message from 192.168.10.129 but no (wildcard) connection has been configured with policy PSK+XAUTH+AGGRESSIVE+IKEV1_ALLOW"
After a connection reload Libreswan crashes as soon as I initiate a VPN connection from Mac OS:
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: received Vendor ID payload [FRAGMENTATION 80000000]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: received Vendor ID payload [RFC 3947]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: received Vendor ID payload [XAUTH]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: received Vendor ID payload [Cisco-Unity]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: received Vendor ID payload [Dead Peer Detection]
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[1] 192.168.10.129 #1: Aggressive mode peer ID is ID_KEY_ID: '@#0x7376656e7578'
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[1] 192.168.10.129 #1: switched from "xauth-aggr"[1] 192.168.10.129 to "xauth-aggr"
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: deleting connection "xauth-aggr" instance with peer 192.168.10.129 {isakmp=#0/ipsec=#0}
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: responding to Aggressive Mode, state #1, connection "xauth-aggr" from 192.168.10.129
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: STATE_AGGR_R1: sent AR1, expecting AI2
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from <invalid>:50695: ASSERTION FAILED at /home/sysop/libreswan-3.15/programs/pluto/ikev1_aggr.c:207: dh->pcrc_md != NULL
Sep 23 13:44:15 pm-kvm01 systemd[1]: ipsec.service: Main process exited, code=killed, status=6/ABRT
Is there anything I forgot to set up or is there something wrong with my ipsec configuration?
Any help is greatly appreciated.
Regards
Sven
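An added example (not code from the post or from Libreswan) that parses pluto log lines like the ones quoted above: it flags the aggressive-mode-with-PSK warning, decodes the hex-encoded ID_KEY_ID that the client presented as its group name, and pulls out the assertion location and the systemd abort so the crash can be picked up by log monitoring. Only the log line format shown in the post is assumed; the sample lines are shortened copies of it.

```python
"""Scan pluto (Libreswan) syslog lines for IKEv1 aggressive-mode events.

Added example, not part of the original post. Assumes only the line
format visible in the post's log excerpt.
"""
import re

# Constructed sample: excerpts of the log quoted in the post.
SAMPLE_LOG = """\
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from 192.168.10.129:50695: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[1] 192.168.10.129 #1: Aggressive mode peer ID is ID_KEY_ID: '@#0x7376656e7578'
Sep 23 13:44:15 pm-kvm01 pluto[11122]: "xauth-aggr"[2] 192.168.10.129 #1: STATE_AGGR_R1: sent AR1, expecting AI2
Sep 23 13:44:15 pm-kvm01 pluto[11122]: packet from <invalid>:50695: ASSERTION FAILED at /home/sysop/libreswan-3.15/programs/pluto/ikev1_aggr.c:207: dh->pcrc_md != NULL
Sep 23 13:44:15 pm-kvm01 systemd[1]: ipsec.service: Main process exited, code=killed, status=6/ABRT
"""

PEER_ID_RE = re.compile(r"Aggressive mode peer ID is (\w+): '(.*)'")
ASSERT_RE = re.compile(r"ASSERTION FAILED at (\S+):(\d+): (.*)$")


def decode_key_id(raw):
    """pluto prints a non-printable ID_KEY_ID as '@#0x<hex>'; return it as text.
    A plain '@name' ID is returned without the leading '@'."""
    if raw.startswith("@#0x"):
        return bytes.fromhex(raw[4:]).decode("ascii", "replace")
    return raw.lstrip("@")


def analyse(log):
    """Return the aggressive-mode facts worth alerting on from a log excerpt."""
    events = {"psk_aggr_warning": False, "peer_ids": [],
              "assertions": [], "crashed": False}
    for line in log.splitlines():
        if "Aggressive Mode with PSK is vulnerable" in line:
            events["psk_aggr_warning"] = True      # PSK + aggressive mode in use
        m = PEER_ID_RE.search(line)
        if m:                                       # group name the client sent
            events["peer_ids"].append((m.group(1), decode_key_id(m.group(2))))
        m = ASSERT_RE.search(line)
        if m:                                       # pluto internal assertion
            events["assertions"].append(
                {"file": m.group(1), "line": int(m.group(2)), "expr": m.group(3)})
        if "status=6/ABRT" in line:                 # daemon was aborted by systemd
            events["crashed"] = True
    return events


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The decoded peer ID shows which group name the client actually presented, which is the value the responder's ID matching has to agree with.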