[Openswan Users] L2TP using wrong connection

Matthias Haas matthias at pompase.net
Thu Mar 31 16:35:26 CEST 2005


I am using openswan 2.1.4. The problem I have is that I have configured
some L2TP connections. They differ in the type of connections I allow. One
connection is configured using the leftsubnetwithin parameter which should
not work with l2tp. The other one is a l2tp connection configured
correctly to be used for l2tp. The first connection has a valid
certificate. The second one references a empty file.
When I try to connect, the first connection is choosen for ISAKMP. After
that the second connection is selected as it maches due to its connection
parameters. What bothers me is that the second connection does not have
any certificate and therefore should not be in the list of possible
connections.
It seems as soon as you define a connection which references an empty file
as its certificate this is a wildcard connection that can be used by any
client that is able to establish isakmp with any other connection. Is this
not a security issue? I would expect that this connection with the empty
certficate would never be used as it cannot be associated with the clients
certifictate data.

Here is a log snippet of my problem:
Mar 31 14:37:29 defendo204 pluto[20646]: packet from 213.179.141.8:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Mar 31 14:37:29 defendo204 pluto[20646]:
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0"[1] 213.179.141.8
#1: responding to Main Mode from unknown peer 213.179.141.8
Mar 31 14:37:29 defendo204 pluto[20646]:
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0"[1] 213.179.141.8
#1: transition from state (null) to state STATE_MAIN_R1
Mar 31 14:37:30 defendo204 pluto[20646]:
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0"[1] 213.179.141.8
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 31 14:37:30 defendo204 pluto[20646]:
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0"[1] 213.179.141.8
#1: Peer ID is ID_DER_ASN1_DN: 'C=de, ST=bavaria, OU=test, CN=test,
E=test at test.de'
Mar 31 14:37:30 defendo204 pluto[20646]:
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0"[1] 213.179.141.8
#1: issuer crl not found
Mar 31 14:37:30 defendo204 pluto[20646]:
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0"[1] 213.179.141.8
#1: issuer crl not found
Mar 31 14:37:30 defendo204 pluto[20646]:
"l2tp_0-L2TP_test-zert_0__gw-sn_defaultroute-10.0.0.1_24"[1] 213.179.141.8
#1: deleting connection
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0" instance with peer
213.179.141.8 {isakmp=#0/ipsec=#0}
Mar 31 14:37:30 defendo204 pluto[20646]:
"l2tp_0-L2TP_test-zert_0__gw-sn_defaultroute-10.0.0.1_24"[1] 213.179.141.8
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 31 14:37:30 defendo204 pluto[20646]:
"l2tp_0-L2TP_test-zert_0__gw-sn_defaultroute-10.0.0.1_24"[1] 213.179.141.8
#1: sent MR3, ISAKMP SA established
Mar 31 14:37:31 defendo204 pluto[20646]:
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.8
#2: responding to Quick Mode
Mar 31 14:37:31 defendo204 pluto[20646]:
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.8
#2: transition from state (null) to state STATE_QUICK_R1
Mar 31 14:37:32 defendo204 pluto[20646]:
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.8
#2: discarding duplicate packet; already STATE_QUICK_R1
Mar 31 14:37:38 defendo204 last message repeated 2 times
Mar 31 14:37:41 defendo204 pluto[20646]:
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.8
#2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 31 14:37:41 defendo204 pluto[20646]:
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0"[2] 213.179.141.8
#2: IPsec SA established {ESP=>0x08ae7f33 <0xfbe18833}

The connection with the correct certificate and the wrong config is
"l2tp_0-L2TP_test-zert_0__gw-sn_defaultroute-10.0.0.1_24". The connection
with no cert but correct config is
"l2tp_0-test_wolfi-zert_0__gw-gw_defaultroute-0.0.0.0".

Thank you in advance
Matthias



More information about the Users mailing list