[Openswan dev] IPsec bug in Vigor2500 plus with multiple SA's still present in firmware v2.53 build Wed Nov 24 19:58:46.19 2004

Paul Wouters paul at xtdnet.nl
Tue Mar 1 15:20:07 CET 2005


Hello Draytek support,

In August of last year I complained about the "Multiple SA's between the same two
hosts" bug. Draytek fixed this issue in the beta firmware for the Vigor 2600, which
you kindly allowed me to test:

#  Model : Vigor2600 plus series annex A
# Firmware Version : 2.5.4_B_MK
# Build Date/Time : Mon Aug 23 13:32:44.61 2004

This firmware works correctly now.
It was indicated to us that this fix would also be applied to the other Vigor
models (the 2500's) of which we have many more.

Today we have finished testing the Vigor 2500's latest firmware:
firmware version v2.53 
Build Date/Time : 	Wed Nov 24 19:58:46.19 2004

Again, we have problems establishing two IPsec SA's between the same two hosts
for a different subnet. This time, the Vigor clearly sends a Delete SA of
the first IPsec SA when initiating the second IPsec SA, as can be seen by
the following logs of Openswan:

We start from a clean state, no ISAKMP SA's or IPsec SA's are established.
We then initiate the first connection on the Vigor using the dial button:

Mar  1 15:14:17 rigips pluto[1247]: "bpb0011" #17354: responding to Main Mode
Mar  1 15:14:17 rigips pluto[1247]: "bpb0011" #17354: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar  1 15:14:18 rigips pluto[1247]: "bpb0011" #17354: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar  1 15:14:19 rigips pluto[1247]: "bpb0011" #17354: Main mode peer ID is ID_IPV4_ADDR: '82.92.88.99'
Mar  1 15:14:19 rigips pluto[1247]: "bpb0011" #17354: I did not send a certificate because I do not have one.
Mar  1 15:14:19 rigips pluto[1247]: "bpb0011" #17354: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar  1 15:14:19 rigips pluto[1247]: "bpb0011" #17354: sent MR3, ISAKMP SA established
Mar  1 15:14:19 rigips pluto[1247]: "bpb0011" #17355: responding to Quick Mode
Mar  1 15:14:19 rigips pluto[1247]: "bpb0011" #17355: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar  1 15:14:20 rigips pluto[1247]: "bpb0011" #17355: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar  1 15:14:20 rigips pluto[1247]: "bpb0011" #17355: IPsec SA established {ESP=>0xc68c1830 <0x717c0a92}

This works fine. Now we dial the second lan-to-lan connection:

Mar  1 15:15:08 rigips pluto[1247]: "bpb0011-sap" #17356: responding to Quick Mode
Mar  1 15:15:08 rigips pluto[1247]: "bpb0011-sap" #17356: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar  1 15:15:09 rigips pluto[1247]: "bpb0011-sap" #17356: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar  1 15:15:09 rigips pluto[1247]: "bpb0011-sap" #17356: IPsec SA established {ESP=>0xc68c1831 <0x717c0a93}
Mar  1 15:15:09 rigips pluto[1247]: "bpb0011-sap" #17354: received Delete SA(0xc68c1830) payload: deleting IPSEC State #17355
Mar  1 15:15:09 rigips pluto[1247]: "bpb0011-sap" #17354: received and ignored informational message

As can be seen, the Vigor sends a Delete SA for SPI 0xc68c1830 which is the SPI of the "bpb0011" connection.

Again, this problem does not appear in the Vigor 2600 beta firmware listed
above. Unfortunately, we have 2 2600's and more than 25 Vigor 2500's.

We have been testing and waiting for functional firmware since we first
reported this back in August 2004. We had really hoped to have the VPN
infrastructure up months ago.

Will this bug be addressed by Draytek? Will Draytek release a formal or beta
firmware that we can use in a reasonable amount of time?

As always, I am willing to test the Vigor2500 beta firmware images for Draytek.

Regards,
Paul Wouters
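
Added example, not part of the original message and not Openswan code: a small Python check that scans pluto log lines for the pattern reported above, a Delete SA whose SPI belongs to a different connection than the IPsec SA established just before it. The sample lines are copied from the logs in the message; the function name, the 5-second window and the year used for timestamp parsing are assumptions.

```python
import re
from datetime import datetime

# Three of the pluto log lines quoted in the message above.
SAMPLE_LOG = '''\
Mar  1 15:14:20 rigips pluto[1247]: "bpb0011" #17355: IPsec SA established {ESP=>0xc68c1830 <0x717c0a92}
Mar  1 15:15:09 rigips pluto[1247]: "bpb0011-sap" #17356: IPsec SA established {ESP=>0xc68c1831 <0x717c0a93}
Mar  1 15:15:09 rigips pluto[1247]: "bpb0011-sap" #17354: received Delete SA(0xc68c1830) payload: deleting IPSEC State #17355
'''

LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
ESTABLISHED = re.compile(r'IPsec SA established \{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')
DELETE = re.compile(r'received Delete SA\((0x[0-9a-f]+)\) payload')


def find_cross_connection_deletes(log_text, window_seconds=5, year=2005):
    """Return Delete SA events that tear down an SA owned by a connection
    other than the one whose IPsec SA was established just before."""
    spi_owner = {}  # SPI (either direction) -> connection name
    last = None     # (connection, time) of the most recent establishment
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, conn, _state, msg = m.groups()
        # syslog timestamps carry no year; the year is an assumption.
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        est = ESTABLISHED.search(msg)
        if est:
            for spi in est.groups():
                spi_owner[spi] = conn
            last = (conn, when)
            continue
        dele = DELETE.search(msg)
        if dele and last:
            spi = dele.group(1)
            owner = spi_owner.pop(spi, None)  # the SA is gone after the delete
            new_conn, new_time = last
            recent = (when - new_time).total_seconds() <= window_seconds
            if owner and owner != new_conn and recent:
                findings.append({"time": ts, "deleted_spi": spi,
                                 "deleted_conn": owner, "triggered_by": new_conn})
    return findings


if __name__ == "__main__":
    for f in find_cross_connection_deletes(SAMPLE_LOG):
        print(f)
```

The owner of the deleted SA is looked up by SPI rather than by the connection name on the Delete line, because pluto logs that line under "bpb0011-sap" even though the SPI belongs to "bpb0011".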

