[Openswan dev] Multiple RW in Aggressive Mode with different PSK
hiren joshi
joshihirenn at gmail.com
Tue Dec 30 11:14:30 EST 2008
Hello,
Version: openswan-2.4.9
Motivated by
http://lists.openswan.org/pipermail/dev/2008-December/001994.html,
I tried multiple road warrior connections in aggressive mode with different
pre-shared secrets.
I found that it does not work, as it does not allow the newly chosen connection to
have a different PSK than the current one.
programs/pluto/connections.c::3778
switch (auth)
{
case OAKLEY_PRESHARED_KEY:
    /* secret must match the one we already used */
    {
        const chunk_t *dpsk = get_preshared_secret(d);

        if (dpsk == NULL)
            continue;   /* no secret */
        if (psk != dpsk)
            if (psk->len != dpsk->len
            || memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
                continue;   /* different secret */
    }
    break;
Should I bypass the check for Aggressive mode?
--- connections.c.orig 2008-12-30 18:42:26.000000000 +0530
+++ connections.c 2008-12-30 21:28:10.000000000 +0530
@@ -3785,7 +3785,7 @@ refine_host_connection(const struct stat
if (dpsk == NULL)
continue; /* no secret */
- if (psk != dpsk)
+ if (!(d->policy & POLICY_AGGRESSIVE) && psk != dpsk)
if (psk->len != dpsk->len
|| memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
continue; /* different secret */
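Review bot: the new guard in `+ if (!(d->policy & POLICY_AGGRESSIVE) && psk != dpsk)` tests the candidate connection `d`, so whether the "secret must match the one we already used" check is skipped depends on the candidate being configured with aggrmode, not on the exchange the peer actually started; a main-mode state could switch to an aggressive candidate with a different secret, while an aggressive state could not switch to a non-aggressive candidate. Suggest keying the skip on the state's own exchange type (e.g. a flag passed by the aggressive-mode caller, since the log shows refine_connection running from aggr_inI1_outR1_common on the first received packet) and adding a comment stating why bypassing the check is safe at that point, so the existing comment above the block is not silently contradicted.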
Thanks for your time.
-hiren
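To make the refinement behaviour above concrete, here is an added model (not openswan code) of the candidate filter in refine_host_connection: a candidate must match the peer ID and, unless the caller is the aggressive-mode responder acting on the first packet before the secret has been used, its PSK must equal the one the current state already used. The `conn_t`, `refine` and `same_secret` names are assumptions for this example; the connection names, IDs and secrets come from the configuration in the post.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the PSK filter in pluto's refine_host_connection():
 * a candidate is acceptable only if its peer ID matches and, unless the
 * PSK check is skipped, its secret equals the one the state already used. */
typedef struct {
    const char *name;
    const char *rightid;   /* peer ID, e.g. "@rw-1" */
    const char *psk;       /* NULL: no secret configured for this pair */
    bool aggrmode;         /* aggrmode=yes in ipsec.conf */
} conn_t;

/* Mirrors the chunk_t comparison in the excerpt: pointer equality
 * short-circuits, otherwise length and bytes must both agree. */
static bool same_secret(const char *a, const char *b)
{
    if (a == b)
        return true;
    size_t la = strlen(a), lb = strlen(b);
    return la == lb && memcmp(a, b, la) == 0;
}

/* Returns the refined connection, or NULL ("no suitable connection").
 * cur: connection the state was instantiated from; peer_id: ID payload
 * received from the peer; skip_psk_check: true only for the aggressive-mode
 * responder, where refinement runs on the first packet before the
 * pre-shared secret has been used for anything. */
const conn_t *refine(const conn_t *cands, size_t n, const conn_t *cur,
                     const char *peer_id, bool skip_psk_check)
{
    const char *psk = cur->psk;          /* secret the state started with */
    for (size_t i = 0; i < n; i++) {
        const conn_t *d = &cands[i];
        if (strcmp(d->rightid, peer_id) != 0)
            continue;                    /* match_id: results fail */
        if (d->psk == NULL)
            continue;                    /* no secret */
        if (!skip_psk_check && !same_secret(psk, d->psk))
            continue;                    /* different secret */
        return d;
    }
    return NULL;
}

/* The two connections from the post's ipsec.conf and ipsec.secrets. */
const conn_t conns[2] = {
    { "aggr-1", "@rw-1", "psk-1", true },
    { "aggr-2", "@rw-2", "psk-2", true },
};
```

With the state instantiated from aggr-2 and peer ID @rw-1, the unmodified check drops aggr-1 because psk-1 differs from psk-2, which is the "no suitable connection for peer '@rw-1'" case in the log; skipping the check selects aggr-1.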
------------------details----------------
Configuration:
version 2
config setup
    interfaces="ipsec0=eth1 ipsec1=eth2 "
    klipsdebug=none
    plutodebug="none"
    uniqueids=no
    nat_traversal=yes
    crlcheckinterval=3600
    nhelpers=0
conn %default
    leftupdown=/usr/lib/ipsec/_updown
    rightupdown=/usr/lib/ipsec/_updown
conn aggr-1
    aggrmode=yes
    left=172.16.1.2
    leftsubnet=192.168.3.1/32
    leftid="@local"
    right=%any
    rightsubnet="vhost:%v4:0.0.0.0/0"
    rightid="@rw-1"
    authby=secret
    ike=3des-md5
conn aggr-2
    aggrmode=yes
    left=172.16.1.2
    leftsubnet=192.168.3.2/32
    leftid="@local"
    right=%any
    rightsubnet="vhost:%v4:0.0.0.0/0"
    rightid="@rw-2"
    authby=secret
    ike=3des-md5
secrets:
@local @rw-1 : PSK "psk-1"
@local @rw-2 : PSK "psk-2"
------------failed to switch with different PSKs------------------
| *received 324 bytes from 172.16.1.1:500 on eth1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| 6d 23 1d 5b e8 24 89 9c
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_AGGR
| flags: none
| message ID: 00 00 00 00
| length: 324
| processing packet with exchange type=ISAKMP_XCHG_AGGR (4)
| np=1 and sd=0x80c198c
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 52
| DOI: ISAKMP_DOI_IPSEC
| np=13 and sd=0x80c1f38
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| np=13 and sd=0x80c1f38
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| np=13 and sd=0x80c1f38
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| np=13 and sd=0x80c1f38
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_KE
| length: 20
| np=4 and sd=0x80c1c40
| ***parse ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| length: 132
| np=10 and sd=0x80c1e14
| ***parse ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_ID
| length: 20
| np=5 and sd=(nil)
| ***parse ISAKMP Identification Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 12
| ID type: ID_FQDN
| DOI specific A: 0
| DOI specific B: 0
packet from 172.16.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 172.16.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
packet from 172.16.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
packet from 172.16.1.1:500: received Vendor ID payload [Dead Peer Detection]
| find_host_connection called from aggr_inI1_outR1_common
| find_host_pair: comparing to 172.16.1.2:500 0.0.0.0:500
| find_host_pair_conn (find_host_connection2): 172.16.1.2:500 172.16.1.1:500-> hp:none
| find_host_connection called from aggr_inI1_outR1_common
| find_host_pair: comparing to 172.16.1.2:500 0.0.0.0:500
| find_host_pair_conn (find_host_connection2): 172.16.1.2:500 %any:500 -> hp:aggr-2
| alg_info_addref() alg_info->ref_cnt=3
| alg_info_addref() alg_info->ref_cnt=4
| find_host_pair: comparing to 172.16.1.2:500 0.0.0.0:500
| connect_to_host_pair: 172.16.1.2:500 172.16.1.1:500 -> hp:none
| instantiated "aggr-2" for 172.16.1.1
| creating state object #29 at 0x8117dd0
"aggr-2"[1] 172.16.1.1 #29: Aggressive mode peer ID is ID_FQDN: '@rw-1'
| refine_connection: starting with aggr-2
| started looking for secret for @local->@rw-2 of kind PPK_PSK
| actually looking for secret for @local->@rw-2 of kind PPK_PSK
| 1: compared PSK @rw-2 to @local / @rw-2 -> 2
| 2: compared PSK @local to @local / @rw-2 -> 6
| best_match 0>6 best=0x810bcf0 (line=2)
| 1: compared PSK @rw-1 to @local / @rw-2 -> 0
| 2: compared PSK @local to @local / @rw-2 -> 4
| concluding with best_match=6 best=0x810bcf0 (lineno=2)
| match_id a=@rw-1
| b=@rw-2
| results fail
| trusted_ca called with a=(empty) b=(empty)
| refine_connection: checking aggr-2 against aggr-2, best=(none) with match=0(id=0/ca=1/reqca=1)
| find_host_pair: comparing to 172.16.1.2:500 172.16.1.1:500
| find_host_pair: comparing to 172.16.1.2:500 0.0.0.0:500
| find_host_pair_conn (refine_host_connection): 172.16.1.2:500 %any:500 -> hp:aggr-2
| match_id a=@rw-1
| b=@rw-2
| results fail
| trusted_ca called with a=(empty) b=(empty)
| refine_connection: checking aggr-2 against aggr-2, best=(none) with match=0(id=0/ca=1/reqca=1)
| match_id a=@rw-1
| b=@rw-1
| results matched
| trusted_ca called with a=(empty) b=(empty)
| refine_connection: checking aggr-2 against aggr-1, best=(none) with match=1(id=1/ca=1/reqca=1)
| refine_connection: checked aggr-2 against aggr-1, now for see if best
| started looking for secret for @local->@rw-1 of kind PPK_PSK
| actually looking for secret for @local->@rw-1 of kind PPK_PSK
| 1: compared PSK @rw-2 to @local / @rw-1 -> 0
| 2: compared PSK @local to @local / @rw-1 -> 4
| 1: compared PSK @rw-1 to @local / @rw-1 -> 2
| 2: compared PSK @local to @local / @rw-1 -> 6
| best_match 0>6 best=0x8103d68 (line=1)
| concluding with best_match=6 best=0x8103d68 (lineno=1)
"aggr-2"[1] 172.16.1.1 #29: no suitable connection for peer '@rw-1'
------------------successful switching after making all PSKs the same----------------------
| *received 324 bytes from 172.16.1.1:500 on eth1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| d1 78 1f 02 1e d9 36 19
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_AGGR
| flags: none
| message ID: 00 00 00 00
| length: 324
| processing packet with exchange type=ISAKMP_XCHG_AGGR (4)
| np=1 and sd=0x80c198c
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 52
| DOI: ISAKMP_DOI_IPSEC
| np=13 and sd=0x80c1f38
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| np=13 and sd=0x80c1f38
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| np=13 and sd=0x80c1f38
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| np=13 and sd=0x80c1f38
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_KE
| length: 20
| np=4 and sd=0x80c1c40
| ***parse ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| length: 132
| np=10 and sd=0x80c1e14
| ***parse ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_ID
| length: 20
| np=5 and sd=(nil)
| ***parse ISAKMP Identification Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 12
| ID type: ID_FQDN
| DOI specific A: 0
| DOI specific B: 0
packet from 172.16.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
packet from 172.16.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
packet from 172.16.1.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
packet from 172.16.1.1:500: received Vendor ID payload [Dead Peer Detection]
| find_host_connection called from aggr_inI1_outR1_common
| find_host_pair: comparing to 172.16.1.2:500 0.0.0.0:500
| find_host_pair: comparing to 172.16.1.2:500 172.16.1.1:500
| find_host_pair_conn (find_host_connection2): 172.16.1.2:500 172.16.1.1:500-> hp:aggr-2
| creating state object #31 at 0x8118510
"aggr-2"[1] 172.16.1.1 #31: Aggressive mode peer ID is ID_FQDN: '@rw-1'
| refine_connection: starting with aggr-2
| started looking for secret for @local->@rw-2 of kind PPK_PSK
| actually looking for secret for @local->@rw-2 of kind PPK_PSK
| 1: compared PSK @rw-2 to @local / @rw-2 -> 2
| 2: compared PSK @local to @local / @rw-2 -> 6
| best_match 0>6 best=0x81098a0 (line=2)
| 1: compared PSK @rw-1 to @local / @rw-2 -> 0
| 2: compared PSK @local to @local / @rw-2 -> 4
| concluding with best_match=6 best=0x81098a0 (lineno=2)
| match_id a=@rw-1
| b=@rw-2
| results fail
| trusted_ca called with a=(empty) b=(empty)
| refine_connection: checking aggr-2 against aggr-2, best=(none) with match=0(id=0/ca=1/reqca=1)
| find_host_pair: comparing to 172.16.1.2:500 172.16.1.1:500
| find_host_pair: comparing to 172.16.1.2:500 0.0.0.0:500
| find_host_pair_conn (refine_host_connection): 172.16.1.2:500 %any:500 -> hp:aggr-2
| match_id a=@rw-1
| b=@rw-2
| results fail
| trusted_ca called with a=(empty) b=(empty)
| refine_connection: checking aggr-2 against aggr-2, best=(none) with match=0(id=0/ca=1/reqca=1)
| match_id a=@rw-1
| b=@rw-1
| results matched
| trusted_ca called with a=(empty) b=(empty)
| refine_connection: checking aggr-2 against aggr-1, best=(none) with match=1(id=1/ca=1/reqca=1)
| refine_connection: checked aggr-2 against aggr-1, now for see if best
| started looking for secret for @local->@rw-1 of kind PPK_PSK
| actually looking for secret for @local->@rw-1 of kind PPK_PSK
| 1: compared PSK @rw-2 to @local / @rw-1 -> 0
| 2: compared PSK @local to @local / @rw-1 -> 4
| 1: compared PSK @rw-1 to @local / @rw-1 -> 2
| 2: compared PSK @local to @local / @rw-1 -> 6
| best_match 0>6 best=0x8103d68 (line=1)
| concluding with best_match=6 best=0x8103d68 (lineno=1)
| offered CA: '%none'
"aggr-2"[1] 172.16.1.1 #31: switched from "aggr-2" to "aggr-1"