[Openswan dev] Pluto esp transform selection behaviour
Michael Richardson
mcr at xelerance.com
Sat Apr 28 17:14:36 EDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Frank" == Frank Schmirler <osdev at schmirler.de> writes:
Frank> On Wed, 25 Apr 2007 08:53:51 -0400, Michael Richardson wrote
Frank> Let's assume A is forced to 3des only. If initiator B
Frank> proposes aes as first transform and 3des as second one, the
Frank> connection will fail. If B proposes 3des first and then aes,
Frank> everything's fine.
>> I thought we had a test case for this already.
Frank> Well, in pluto-algo-01 "west" is restricted to
Frank> esp=3des-sha1. But "west" is the initiator, so the problem
Frank> won't show up. Swap west.conf and east.conf and the
Frank> connection should fail. Unfortunately I have no UML at hands,
Frank> so I was not able to verify this.
Frank> Cheers, Frank
Test case algo-pluto-05 (why I have tests named pluto-algo and
algo-pluto, I don't know) has just been created.
I can not confirm your report. Perhaps I missed the details, that's why
I asked for a test case.
Note that I did find an anomaly.
Please see the 2.5.00 git tree for the details of the test, this is the
log output:
west:~#
TESTNAME=algo-pluto-05
west:~#
source /testing/pluto/bin/westlocal.sh
west:~#
ipsec setup start
ipsec_setup: Starting Openswan IPsec VERSION
west:~#
/testing/pluto/bin/wait-until-pluto-started
west:~#
echo done
done
west:~#
: east set up for both, expect aes, since it has priority
west:~#
ipsec auto --replace westnet-eastnet-both
west:~#
ipsec auto --up westnet-eastnet-both
104 "westnet-eastnet-both" #1: STATE_MAIN_I1: initiate
003 "westnet-eastnet-both" #1: received Vendor ID payload [Openswan
003 "westnet-eastnet-both" #1: received Vendor ID payload [Dead Peer Detection]
106 "westnet-eastnet-both" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-eastnet-both" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "westnet-eastnet-both" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
117 "westnet-eastnet-both" #2: STATE_QUICK_I1: initiate
004 "westnet-eastnet-both" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
west:~#
ipsec auto --delete westnet-eastnet-both
west:~#
: east set up for both, expect 3des
west:~#
ipsec auto --replace westnet-eastnet-3des
west:~#
ipsec auto --up westnet-eastnet-3des
104 "westnet-eastnet-3des" #3: STATE_MAIN_I1: initiate
003 "westnet-eastnet-3des" #3: received Vendor ID payload [Openswan
003 "westnet-eastnet-3des" #3: received Vendor ID payload [Dead Peer Detection]
106 "westnet-eastnet-3des" #3: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-eastnet-3des" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "westnet-eastnet-3des" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
117 "westnet-eastnet-3des" #4: STATE_QUICK_I1: initiate
004 "westnet-eastnet-3des" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
west:~#
ipsec auto --delete westnet-eastnet-3des
west:~#
: east set up for both, expect aes
west:~#
ipsec auto --replace westnet-eastnet-aes256
west:~#
ipsec auto --up westnet-eastnet-aes256
104 "westnet-eastnet-aes256" #5: STATE_MAIN_I1: initiate
003 "westnet-eastnet-aes256" #5: received Vendor ID payload [Openswan
003 "westnet-eastnet-aes256" #5: received Vendor ID payload [Dead Peer Detection]
106 "westnet-eastnet-aes256" #5: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-eastnet-aes256" #5: STATE_MAIN_I3: sent MI3, expecting MR3
004 "westnet-eastnet-aes256" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
117 "westnet-eastnet-aes256" #6: STATE_QUICK_I1: initiate
004 "westnet-eastnet-aes256" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
west:~#
ipsec auto --delete westnet-eastnet-aes256
west:~#
echo done1
done1
west:~#
: east set up for only 3des, so expect 3des
west:~#
ipsec auto --replace westnet-eastnet-both
west:~#
ipsec auto --up westnet-eastnet-both
104 "westnet-eastnet-both" #7: STATE_MAIN_I1: initiate
003 "westnet-eastnet-both" #7: received Vendor ID payload [Openswan
003 "westnet-eastnet-both" #7: received Vendor ID payload [Dead Peer Detection]
106 "westnet-eastnet-both" #7: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-eastnet-both" #7: STATE_MAIN_I3: sent MI3, expecting MR3
004 "westnet-eastnet-both" #7: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
117 "westnet-eastnet-both" #8: STATE_QUICK_I1: initiate
004 "westnet-eastnet-both" #8: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
west:~#
echo done2
done2
west:~#
: east should have just aes, so expect that.
west:~#
ipsec auto --replace westnet-eastnet-both
west:~#
ipsec auto --up westnet-eastnet-both
104 "westnet-eastnet-both" #9: STATE_MAIN_I1: initiate
003 "westnet-eastnet-both" #9: received Vendor ID payload [Openswan
003 "westnet-eastnet-both" #9: received Vendor ID payload [Dead Peer Detection]
106 "westnet-eastnet-both" #9: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-eastnet-both" #9: STATE_MAIN_I3: sent MI3, expecting MR3
004 "westnet-eastnet-both" #9: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
117 "westnet-eastnet-both" #10: STATE_QUICK_I1: initiate
004 "westnet-eastnet-both" #10: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
west:~#
echo done3
done3
west:~#
: east set up for both, expect 3des, since it has priority
west:~#
ipsec auto --replace westnet-eastnet-both
west:~#
ipsec auto --up westnet-eastnet-both
104 "westnet-eastnet-both" #11: STATE_MAIN_I1: initiate
003 "westnet-eastnet-both" #11: received Vendor ID payload [Openswan
003 "westnet-eastnet-both" #11: received Vendor ID payload [Dead Peer Detection]
106 "westnet-eastnet-both" #11: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-eastnet-both" #11: STATE_MAIN_I3: sent MI3, expecting MR3
004 "westnet-eastnet-both" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
117 "westnet-eastnet-both" #12: STATE_QUICK_I1: initiate
004 "westnet-eastnet-both" #12: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
west:~#
ipsec auto --delete westnet-eastnet-both
west:~#
: east set up for both, expect 3des
west:~#
ipsec auto --replace westnet-eastnet-3des
west:~#
ipsec auto --up westnet-eastnet-3des
104 "westnet-eastnet-3des" #13: STATE_MAIN_I1: initiate
003 "westnet-eastnet-3des" #13: received Vendor ID payload [Openswan
003 "westnet-eastnet-3des" #13: received Vendor ID payload [Dead Peer Detection]
106 "westnet-eastnet-3des" #13: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-eastnet-3des" #13: STATE_MAIN_I3: sent MI3, expecting MR3
004 "westnet-eastnet-3des" #13: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
117 "westnet-eastnet-3des" #14: STATE_QUICK_I1: initiate
004 "westnet-eastnet-3des" #14: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
west:~#
ipsec auto --delete westnet-eastnet-3des
west:~#
: east set up for both, expect aes
west:~#
ipsec auto --replace westnet-eastnet-aes256
west:~#
ipsec auto --up westnet-eastnet-aes256
104 "westnet-eastnet-aes256" #15: STATE_MAIN_I1: initiate
003 "westnet-eastnet-aes256" #15: received Vendor ID payload [Openswan
003 "westnet-eastnet-aes256" #15: received Vendor ID payload [Dead Peer Detection]
106 "westnet-eastnet-aes256" #15: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-eastnet-aes256" #15: STATE_MAIN_I3: sent MI3, expecting MR3
004 "westnet-eastnet-aes256" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
117 "westnet-eastnet-aes256" #16: STATE_QUICK_I1: initiate
004 "westnet-eastnet-aes256" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
west:~#
ipsec auto --delete westnet-eastnet-aes256
west:~#
echo done4
done4
west:~#
west:~#
ipsec look
west NOW
ipsec0->eth1 mtu=16260(9999)->1500
tun0xTUN#@192.1.2.45 IPIP: dir=in src=192.1.2.23 policy=192.0.2.0/24->192.0.1.0/24 flags=0x8<> natencap=none natsport=0 natdport=0
ROUTING TABLE
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
192.1.2.0/24 dev ipsec0 proto kernel scope link src 192.1.2.45
default via 192.1.2.254 dev eth1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBRjO5OICLcPvd0N1lAQIrGgf+Ou2CRMLdOLGtZRffo9onMkBQbXmECiax
PvzqitQkTCGct0NkgDC+9deg3TNX2BLpznAX2XgIO8BS1/3PbslH0KgtS9Ki/Akh
IQRVADna6dmLsZXHNHWCUGRkcyUJinl86HXtezXByO9xSD2b3Lo29lGqo9GKFXUz
goOkKdoC66Ux7Y1ZSilNQzdOne7th0kHPX397MijUOCX0VUjJ5rqr1ymOTLO9ICd
K96geLQmuzA1ay3/vPDJ9XIEnsiHiij/wxXpFIxFgzj/vYVx/G5cAb4urK12KYeN
KROlsa5sJvbU+BhWoUkSS/qM/hSCqZp4ciUnDoxmH+WyLGsEwFnXig==
=XaqQ
-----END PGP SIGNATURE-----
More information about the Dev
mailing list