[Openswan Users] Nortel Mode-Config Interop
David Mattes
david.mattes at boeing.com
Tue May 18 17:03:09 CEST 2004
Hi,
I'm implementing OpenS/WAN Mode-Config client support for obtaining a
private IP address (and netmask, DNS) from a Nortel CES. When I connect
with the Netlock client, an aggressive mode exchange (3 packets total)
is used to build the ISAKMP SA, then the Nortel box starts a Mode Config
Transaction exchange (these packets are encrypted by the ISAKMP SA, so I
can't see the content), and there are several of these. Of course with
OpenS/WAN the ISAKMP SA is built using main mode exchanges, and once the
ISAKMP SA is built I never receive a Mode Config Transaction message
from the Nortel box. So I tried building and sending a Mode Config
ISAKMP_CFG_REQUEST payload to the Nortel box, but I'm not getting
anything sensible in the reply.
Does anyone know how to get the Nortel box to initiate the Mode Config
Transaction? Could it be that Nortel is expecting a particular VID from
a supported client (I will send this as part of the main mode exchange
to see if it helps)? Maybe the Nortel will only initiate Mode Config
under an aggressive mode exchange? Would my leftsubnet= setting have
any effect (must it be set to the target network from which the dynamic
address comes)?
Below is some more info if anyone feels like digging into this with me
;-) I know I've left the state machine in limbo. But I think I can
ignore that problem for now because of the lack of a meaningful reply
from the Nortel box.
Thanks,
David
I've added a function to xauth.c:
============================================
/* DM: send modeconfig request */
stf_status modecfg_send_request(struct state *st)
{
    pb_stream reply;
    pb_stream rbody;
    char buf[256];
    u_char *r_hash_start, *r_hashval;

    /* set up reply */
    init_pbs(&reply, buf, sizeof(buf), "modecfg_buf");

    /* pick a new message id */
    st->st_msgid = generate_msgid(st);
    st->st_state = STATE_MODE_CFG_R0;

    /* HDR out */
    {
        struct isakmp_hdr hdr;

        zero(&hdr);  /* default to 0 */
        hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT |
                          ISAKMP_MINOR_VERSION;
        hdr.isa_np = ISAKMP_NEXT_HASH;
        hdr.isa_xchg = ISAKMP_XCHG_MODE_CFG;
        hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
        memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
        memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
        hdr.isa_msgid = st->st_msgid;
        if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
        {
            return STF_INTERNAL_ERROR;
        }
    }

    /* HASH out: the macro emits a zeroed hash and records r_hashval /
     * r_hash_start so xauth_mode_cfg_hash() can fill it in below.
     * Next payload type is the Attributes payload. */
    START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_ATTR);

    /* ATTR out */
    {
        struct isakmp_mode_attr attrh;
        struct isakmp_attribute attr;
        pb_stream strattr;

        attrh.isama_np = ISAKMP_NEXT_NONE;
        attrh.isama_type = ISAKMP_CFG_REQUEST;
        attrh.isama_identifier = 0;
        if (!out_struct(&attrh, &isakmp_attr_desc, &rbody, &strattr))
            return STF_INTERNAL_ERROR;

        /* ISAKMP attr out (internal address) */
        attr.isaat_af_type = INTERNAL_IP4_ADDRESS;
        attr.isaat_lv = 0;  /* zero length attribute */
        if (!out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, NULL))
            return STF_INTERNAL_ERROR;

        /* ISAKMP attr out (internal netmask) */
        attr.isaat_af_type = INTERNAL_IP4_NETMASK;
        attr.isaat_lv = 0;  /* zero length attribute */
        if (!out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, NULL))
            return STF_INTERNAL_ERROR;

        /* ISAKMP attr out (internal DNS) */
        attr.isaat_af_type = INTERNAL_IP4_DNS;
        attr.isaat_lv = 0;  /* zero length attribute */
        if (!out_struct(&attr, &isakmp_xauth_attribute_desc, &strattr, NULL))
            return STF_INTERNAL_ERROR;

        close_message(&strattr);
    }

    /* fill in the HASH now that the attribute payload is complete */
    xauth_mode_cfg_hash(r_hashval, r_hash_start, rbody.cur, st);
    close_message(&rbody);
    close_output_pbs(&reply);

    init_phase2_iv(st, &st->st_msgid);  /* DM: Not sure about this */
    encrypt_message(&rbody, st);

    /* free previous transmit packet */
    freeanychunk(st->st_tpacket);
    clonetochunk(st->st_tpacket, reply.start, pbs_offset(&reply),
                 "ModeCfg: request");

    /* Set up a retransmission event, half a minute henceforth */
    /* Schedule retransmit before sending, to avoid race with master thread */
    delete_event(st);
    event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);

    /* Transmit */
    plog("Sending ModeCfg request");
    send_packet(st, "ModeCfg: request");

    return STF_OK;
}
I've delayed IPSec exchange by disabling it in various places (I want to
validate the Mode Cfg first).
I've hijacked complete_state_transition() after line 2324 in demux.c
(after the #ifdef XAUTH block) to call modecfg_send_request().
======================================================================
#ifdef MODECFG
            /* DM: If we are the initiator, let's request an IP address */
            plog("Checking Mode Config situation");
            if (st->st_connection->spd.this.modecfg_client
                && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
                && !IS_MODE_CFG_ESTABLISHED(st->st_state))
            {
                plog("Kicking off Mode Config state R0");
                DBG(DBG_CONTROL,
                    DBG_log("MODECFG: Moving from %s to %s"
                            , enum_name(&state_names, from_state)
                            , enum_name(&state_names, st->st_state)));
                if (modecfg_send_request(st) != STF_OK)
                {
                    DBG(DBG_CONTROL,
                        DBG_log("Error sending ModeCfg Request"));
                }
                break;
            }
#endif
This is my pluto debug (only where it gets interesting - once the ISAKMP SA is built):
------------------------------------------------
May 18 15:48:25 gandalf pluto[26265]: | authentication succeeded
May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 18 15:48:25 gandalf pluto[26265]: | inserting event EVENT_SA_REPLACE, timeout in 2681 seconds for #1
May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: ISAKMP SA established
May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: Checking Mode Config situation
May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: Kicking off Mode Config state R0
May 18 15:48:25 gandalf pluto[26265]: | MODECFG: Moving from STATE_MAIN_I3 to STATE_MAIN_I4
May 18 15:48:25 gandalf pluto[26265]: | **emit ISAKMP Message:
May 18 15:48:25 gandalf pluto[26265]: | initiator cookie:
May 18 15:48:25 gandalf pluto[26265]: | f0 80 a5 06 ee 66 db 12
May 18 15:48:25 gandalf pluto[26265]: | responder cookie:
May 18 15:48:25 gandalf pluto[26265]: | d5 00 28 6e 42 35 ef 32
May 18 15:48:25 gandalf pluto[26265]: | next payload type: ISAKMP_NEXT_HASH
May 18 15:48:25 gandalf pluto[26265]: | ISAKMP version: ISAKMP Version 1.0
May 18 15:48:25 gandalf pluto[26265]: | exchange type: ISAKMP_XCHG_MODE_CFG
May 18 15:48:25 gandalf pluto[26265]: | flags: ISAKMP_FLAG_ENCRYPTION
May 18 15:48:25 gandalf pluto[26265]: | message ID: cc a4 82 83
May 18 15:48:25 gandalf pluto[26265]: | ***emit ISAKMP Hash Payload:
May 18 15:48:25 gandalf pluto[26265]: | next payload type: ISAKMP_NEXT_MODECFG
May 18 15:48:25 gandalf pluto[26265]: | emitting 20 zero bytes of HASH into ISAKMP Hash Payload
May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP Hash Payload: 24
May 18 15:48:25 gandalf pluto[26265]: | ***emit ISAKMP Mode Attribute:
May 18 15:48:25 gandalf pluto[26265]: | next payload type: ISAKMP_NEXT_NONE
May 18 15:48:25 gandalf pluto[26265]: | Attr Msg Type: ISAKMP_CFG_REQUEST
May 18 15:48:25 gandalf pluto[26265]: | Identifier: 0
May 18 15:48:25 gandalf pluto[26265]: | ****emit ISAKMP ModeCfg attribute:
May 18 15:48:25 gandalf pluto[26265]: | ModeCfg attr type: INTERNAL_IP4_ADDRESS
May 18 15:48:25 gandalf pluto[26265]: | length/value: 0
May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP ModeCfg attribute: 0
May 18 15:48:25 gandalf pluto[26265]: | ****emit ISAKMP ModeCfg attribute:
May 18 15:48:25 gandalf pluto[26265]: | ModeCfg attr type: INTERNAL_IP4_NETMASK
May 18 15:48:25 gandalf pluto[26265]: | length/value: 0
May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP ModeCfg attribute: 0
May 18 15:48:25 gandalf pluto[26265]: | ****emit ISAKMP ModeCfg attribute:
May 18 15:48:25 gandalf pluto[26265]: | ModeCfg attr type: INTERNAL_IP4_DNS
May 18 15:48:25 gandalf pluto[26265]: | length/value: 0
May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP ModeCfg attribute: 0
May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP Mode Attribute: 20
May 18 15:48:25 gandalf pluto[26265]: | XAUTH: HASH computed:
May 18 15:48:25 gandalf pluto[26265]: | 1d 70 8d 2e a3 6d 89 8a 88 34 20 c6 cb a2 a5 25
May 18 15:48:25 gandalf pluto[26265]: | 6f 67 8e cd
May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP Message: 72
May 18 15:48:25 gandalf pluto[26265]: | last Phase 1 IV: 60 a5 c6 1c 22 89 34 d3
May 18 15:48:25 gandalf pluto[26265]: | computed Phase 2 IV:
May 18 15:48:25 gandalf pluto[26265]: | 7c f3 86 e0 d8 a9 94 c3 5b 9b 8d 4e 58 1c f0 7a
May 18 15:48:25 gandalf pluto[26265]: | 89 d1 b2 9e
May 18 15:48:25 gandalf pluto[26265]: | encrypting:
May 18 15:48:25 gandalf pluto[26265]: | 0e 00 00 18 1d 70 8d 2e a3 6d 89 8a 88 34 20 c6
May 18 15:48:25 gandalf pluto[26265]: | cb a2 a5 25 6f 67 8e cd 00 00 00 14 01 00 00 00
May 18 15:48:25 gandalf pluto[26265]: | 00 01 00 00 00 02 00 00 00 03 00 00
May 18 15:48:25 gandalf pluto[26265]: | emitting 4 zero bytes of encryption padding into ISAKMP Message
May 18 15:48:25 gandalf pluto[26265]: | encrypting using OAKLEY_3DES_CBC
May 18 15:48:25 gandalf pluto[26265]: | next IV: b9 3f 47 85 5c 51 3e 14
May 18 15:48:25 gandalf pluto[26265]: | emitting length of ISAKMP Message: 76
May 18 15:48:25 gandalf pluto[26265]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: Sending ModeCfg request
May 18 15:48:25 gandalf pluto[26265]: | sending 76 bytes for ModeCfg: request through eth2 to 130.42.72.249:500:
May 18 15:48:25 gandalf pluto[26265]: | f0 80 a5 06 ee 66 db 12 d5 00 28 6e 42 35 ef 32
May 18 15:48:25 gandalf pluto[26265]: | 08 10 06 01 cc a4 82 83 00 00 00 4c 56 18 cb 3c
May 18 15:48:25 gandalf pluto[26265]: | 03 90 12 e3 de 9d 05 c3 91 24 d7 ce 35 18 14 94
May 18 15:48:25 gandalf pluto[26265]: | 9a 77 50 d3 45 35 15 9a 54 2c 01 13 22 be 37 c7
May 18 15:48:25 gandalf pluto[26265]: | 5b 57 5f 06 b9 3f 47 85 5c 51 3e 14
May 18 15:48:25 gandalf pluto[26265]: | next event EVENT_RETRANSMIT in 10 seconds for #1
May 18 15:48:25 gandalf pluto[26265]: |
May 18 15:48:25 gandalf pluto[26265]: | *received 40 bytes from 130.42.72.249:500 on eth2
May 18 15:48:25 gandalf pluto[26265]: | f0 80 a5 06 ee 66 db 12 d5 00 28 6e 42 35 ef 32
May 18 15:48:25 gandalf pluto[26265]: | 0b 10 05 00 cc a4 82 83 00 00 00 28 00 00 00 0c
May 18 15:48:25 gandalf pluto[26265]: | 00 00 00 01 01 00 01 00
May 18 15:48:25 gandalf pluto[26265]: | **parse ISAKMP Message:
May 18 15:48:25 gandalf pluto[26265]: | initiator cookie:
May 18 15:48:25 gandalf pluto[26265]: | f0 80 a5 06 ee 66 db 12
May 18 15:48:25 gandalf pluto[26265]: | responder cookie:
May 18 15:48:25 gandalf pluto[26265]: | d5 00 28 6e 42 35 ef 32
May 18 15:48:25 gandalf pluto[26265]: | next payload type: ISAKMP_NEXT_N
May 18 15:48:25 gandalf pluto[26265]: | ISAKMP version: ISAKMP Version 1.0
May 18 15:48:25 gandalf pluto[26265]: | exchange type: ISAKMP_XCHG_INFO
May 18 15:48:25 gandalf pluto[26265]: | flags: none
May 18 15:48:25 gandalf pluto[26265]: | message ID: cc a4 82 83
May 18 15:48:25 gandalf pluto[26265]: | length: 40
May 18 15:48:25 gandalf pluto[26265]: | ICOOKIE: f0 80 a5 06 ee 66 db 12
May 18 15:48:25 gandalf pluto[26265]: | RCOOKIE: d5 00 28 6e 42 35 ef 32
May 18 15:48:25 gandalf pluto[26265]: | peer: 82 2a 48 f9
May 18 15:48:25 gandalf pluto[26265]: | state hash entry 12
May 18 15:48:25 gandalf pluto[26265]: | peer and cookies match on #1, provided msgid 00000000 vs cca48283
May 18 15:48:25 gandalf pluto[26265]: | state object #1 found, in STATE_MODE_CFG_R0
May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: Notify Message Type of ISAKMP Notification Payload has an unknown value: 256
May 18 15:48:25 gandalf pluto[26265]: "getaddr" #1: malformed payload in packet
May 18 15:48:25 gandalf pluto[26265]: | next event EVENT_RETRANSMIT in 10 seconds for #1
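As an added illustration (not part of the original post), the following parser decodes the two hex dumps from the pluto debug output above: the header of the 76-byte request and the 40-byte reply. It shows that the Nortel box answered the encrypted Mode Config request with a cleartext Informational exchange (encryption flag clear) carrying a Notification payload whose type, 256, falls in the range RFC 2408 reserves for future use, which is why pluto reports it as an unknown value. The byte strings are re-typed from the log and the exchange/payload name tables are deliberately partial.

```python
import struct

# Sample input: the two hex dumps from the pluto debug output, re-typed here:
# the 40-byte reply in full and the first 28 bytes of the 76-byte request.
REPLY = bytes.fromhex(
    "f080a506ee66db12d500286e4235ef32"
    "0b100500cca48283000000280000000c"
    "0000000101000100")
REQUEST_HEAD = bytes.fromhex(
    "f080a506ee66db12d500286e4235ef32"
    "08100601cca482830000004c")

EXCHANGE = {2: "Identity Protection (main mode)", 4: "Aggressive",
            5: "Informational", 6: "Transaction (Mode Config)"}
PAYLOAD = {0: "NONE", 8: "HASH", 11: "N", 13: "VID", 14: "ATTR"}
FLAG_ENCRYPTION = 0x01
NOTIFY_RANGES = [  # Notify Message Type ranges, RFC 2408 section 3.14.1
    (1, 30, "error (defined)"), (31, 8191, "error range, reserved for future use"),
    (8192, 16383, "error range, private use"), (16384, 16384, "status CONNECTED"),
    (24576, 32767, "status range, DOI-specific"), (32768, 40959, "status range, private use")]

def notify_type_class(n):
    """Classify an ISAKMP Notify Message Type; anything unlisted is reserved."""
    return next((c for lo, hi, c in NOTIFY_RANGES if lo <= n <= hi), "reserved for future use")

def parse_isakmp(pkt):
    """Parse the 28-byte ISAKMP header; walk the payload chain only if cleartext."""
    icookie, rcookie, np, ver, xchg, flags, msgid, length = \
        struct.unpack("!8s8sBBBBII", pkt[:28])
    msg = {"icookie": icookie.hex(), "rcookie": rcookie.hex(),
           "version": (ver >> 4, ver & 0xF), "exchange": EXCHANGE.get(xchg, xchg),
           "encrypted": bool(flags & FLAG_ENCRYPTION),
           "msgid": "%08x" % msgid, "length": length, "payloads": []}
    if msg["encrypted"]:
        return msg  # everything after the header is ciphertext under the ISAKMP SA
    off = 28
    while np != 0 and off + 4 <= len(pkt):
        next_np, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4:
            break  # malformed generic payload header; stop rather than loop forever
        body = pkt[off + 4:off + plen]
        entry = {"type": PAYLOAD.get(np, np), "length": plen}
        if np == 11 and len(body) >= 8:  # Notification payload, RFC 2408 section 3.14
            doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
            entry.update(doi=doi, protocol_id=proto, spi_size=spi_size,
                         notify_type=ntype, notify_class=notify_type_class(ntype))
        msg["payloads"].append(entry)
        np, off = next_np, off + plen
    return msg
```

Running parse_isakmp(REPLY) yields an Informational exchange with encrypted=False and a single N payload with notify_type 256; parse_isakmp(REQUEST_HEAD) yields the Transaction exchange with encrypted=True, length 76 and the same message ID cca48283.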