[Swan] Selecting incorrect conn ID for incoming IKEv2 connection

Ian Dobson ird at oob.id.au
Wed Jun 12 00:06:27 UTC 2019


> On Tue, 11 Jun 2019, Paul Wouters wrote:
>
> I'd be interested in seeing what is leading up to this with
> plutodebug=all enabled.
>
> I guess you mean 3.25. It would be very good to first test it with 3.29
> and see if that addresses your issue. The connection switching code
> has changed since then for sure.

Thanks Paul.

I have upgraded to 3.29-1.e17 from the libreswan repo and the problem is
persisting.

Log output of relevant section is included below with plutodebug=all
(truncated for sake of brevity - let me know if you want anything prior to
this).

Also, as an aside, while experimenting I noticed that if both conn
sections specify %any for the remote end, libreswan will always select the
rw conn even when the specific leftid (remote ID) is included in the vpn
conn description. That's another issue for me, as the remote (vpn) box is
on a dynamic IP so I don't really want to be hard coding IP addresses in
there (or relying on dynamic DNS to be right all the time).

Log:

"vpn" #1: certificate verified OK: CN=vpn.oob.id.au,O=OOB,L=Surrey Hills,ST=Victoria,C=AU
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56095fce80e8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x56095fcdf7d8
| unreference key: 0x56095fcddca8 C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au cnt 1--
| unreference key: 0x56095fcef778 @vpn.oob.id.au cnt 1--
|       #1 spent 0.354 milliseconds in decode_certs() calling add_pubkey_from_nss_cert()
|     #1 spent 1.88 milliseconds in decode_certs()
| DER ASN1 DN:  30 5d 31 0b  30 09 06 03  55 04 06 13  02 41 55 31
| DER ASN1 DN:  11 30 0f 06  03 55 04 08  0c 08 56 69  63 74 6f 72
| DER ASN1 DN:  69 61 31 15  30 13 06 03  55 04 07 0c  0c 53 75 72
| DER ASN1 DN:  72 65 79 20  48 69 6c 6c  73 31 0c 30  0a 06 03 55
| DER ASN1 DN:  04 0a 0c 03  4f 4f 42 31  16 30 14 06  03 55 04 03
| DER ASN1 DN:  0c 0d 76 70  6e 2e 6f 6f  62 2e 69 64  2e 61 75
| received IDr payload - extracting our alleged ID
| subjectAltname vpn.oob.id.au matched vpn.oob.id.au in certificate
| ID_FQDN 'vpn.oob.id.au' matched
| X509: CERT and ID matches current connection
| CERT_X509_SIGNATURE CR:
|   c5 7c 7f d8  b5 f6 d1 60  e3 79 3f d9  68 e9 6d 4d
|   ab f8 9f d5
|   cert blob content is not binary ASN.1
| refine_host_connection for IKEv2: starting with "vpn"
|    match_id a=C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au
|             b=@vpn.oob.id.au
|    results  fail
| trusted_ca_nss: trustee A = 'C=AU, ST=Victoria, O=OOB, CN=OOB CA'
| trusted_ca_nss: trustor B = 'C=AU, ST=Victoria, O=OOB, CN=OOB CA'
| refine_host_connection: checking "vpn" against "vpn", best=(none) with match=0(id=0(0)/ca=1(0)/reqca=1(0))
| Warning: not switching back to template of current instance
| Peer expects us to be @cgw.oob.id.au (ID_FQDN) according to its IDr payload
| This connection's local id is C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=cgw.oob.id.au (ID_DER_ASN1_DN)
| subjectAltname cgw.oob.id.au matched cgw.oob.id.au in certificate
| IDr payload '@cgw.oob.id.au' is a valid certificate SAN for this connection
| skipping because peer_id does not match
| refine going into 2nd loop allowing instantiated conns as well
| find_host_pair: comparing 172.104.170.124:500 to 0.0.0.0:500
|    match_id a=C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au
|             b=%fromcert
|    results  fail
| trusted_ca_nss: trustee A = 'C=AU, ST=Victoria, O=OOB, CN=OOB CA'
| trusted_ca_nss: trustor B = 'C=AU, ST=Victoria, O=OOB, CN=OOB CA'
| refine_host_connection: checking "vpn" against "rw", best=(none) with match=0(id=0(0)/ca=1(0)/reqca=1(0))
| Warning: not switching back to template of current instance
| Peer expects us to be @cgw.oob.id.au (ID_FQDN) according to its IDr payload
| This connection's local id is C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=cgw.oob.id.au (ID_DER_ASN1_DN)
| subjectAltname cgw.oob.id.au matched cgw.oob.id.au in certificate
| IDr payload '@cgw.oob.id.au' is a valid certificate SAN for this connection
| refine_host_connection: checked vpn against rw, now for see if best
| started looking for secret for C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=cgw.oob.id.au->%fromcert of kind PKK_RSA
| private key for cert cgw not found in local cache; loading from NSS DB
| certs and keys locked by 'lsw_add_rsa_secret'
| certs and keys unlocked by 'lsw_add_rsa_secret'
| searching for certificate PKK_RSA:AwEAAbCbD vs PKK_RSA:AwEAAbCbD
| refine_host_connection: picking new best "rw" (wild=0, peer_pathlen=0/our=0)
| returning since no better match than original best_found
"vpn" #1: switched from "vpn" to "rw"


Thanks
Ian
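A small diagnostic, added here and not part of Ian's post or of libreswan itself, that re-joins mail-wrapped plutodebug output like the log above and pulls out each refine_host_connection candidate together with the form of the peer's ID versus the form of the ID configured on that conn (the match_id a=/b= pair), which is where "vpn" loses: the peer asserts an ASN.1 DN while the conn's rightid is the FQDN @vpn.oob.id.au. The id_kind classification is my own heuristic, not pluto's, and the sample lines are a constructed excerpt of the log in the post.

```python
import re

# Constructed sample: pluto debug lines from the post, shown as a mail client
# wraps them (continuation lines lack the leading '| ').
SAMPLE_LOG = """\
|    match_id a=C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au
|             b=@vpn.oob.id.au
|    results  fail
| refine_host_connection: checking "vpn" against "vpn", best=(none) with
match=0(id=0(0)/ca=1(0)/reqca=1(0))
|    match_id a=C=AU, ST=Victoria, L=Surrey Hills, O=OOB, CN=vpn.oob.id.au
|             b=%fromcert
|    results  fail
| refine_host_connection: checking "vpn" against "rw", best=(none) with
match=0(id=0(0)/ca=1(0)/reqca=1(0))
"vpn" #1: switched from "vpn" to "rw"
"""

MATCH_A = re.compile(r"^\|\s+match_id a=(.*)$")
MATCH_B = re.compile(r"^\|\s+b=(.*)$")
CHECK = re.compile(r'^\| refine_host_connection: checking "[^"]+" against "([^"]+)", best=\S+ with match=(\d+)\(id=(\d+)')
SWITCH = re.compile(r'^"[^"]+" #\d+: switched from "([^"]+)" to "([^"]+)"')

def unwrap(log):
    """Re-join mail-wrapped lines: a continuation line has no leading '|' or '"'."""
    return re.sub(r'\n(?![|"])', " ", log.strip())

def id_kind(s):
    """Heuristic (an assumption, not pluto's own classifier) for how an ID is written."""
    return "fromcert" if s == "%fromcert" else "FQDN" if s.startswith("@") else "DN" if "=" in s else "other"

def parse_refine(log):
    """Return (candidate checks in log order, (old, new) conn names of the final switch)."""
    checks, pending, switch = [], {}, None
    for line in log.splitlines():
        if m := MATCH_A.match(line):
            pending["peer_id"] = m.group(1)   # ID the peer asserted (here an ASN.1 DN)
        elif m := MATCH_B.match(line):
            pending["conn_id"] = m.group(1)   # ID configured on the candidate conn
        elif m := CHECK.match(line):          # one candidate conn fully scored
            pending.update(conn=m.group(1), match=int(m.group(2)), id_match=int(m.group(3)))
            pending["why"] = f"peer {id_kind(pending.get('peer_id', ''))} vs conn {id_kind(pending.get('conn_id', ''))}"
            checks.append(pending)
            pending = {}
        elif m := SWITCH.match(line):
            switch = (m.group(1), m.group(2))
    return checks, switch
```

Run parse_refine(unwrap(SAMPLE_LOG)) to get the two candidate checks (both with id_match=0) and the final ("vpn", "rw") switch; feeding the wrapped text in without unwrap() silently drops every "checking" line, which is why the re-join step comes first.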