Comment 8 for bug 1734207

Simon Déziel (sdeziel) wrote :

Verified with 5.3.5-1ubuntu3.5 on Xenial. Here is the testing procedure, with east01 as the roadwarrior (IP 169.254.6.1, resolvable as foo.bar.org via /etc/hosts) and west01 as the concentrator (IP 169.254.6.2). The link-local addresses, the hostname and the PSK strings below are throwaway lab values; a real deployment needs a unique, high-entropy secret per peer rather than relying on a catch-all `%any` PSK such as the `lp-rw` one here.

west01:

root@west01:~# grep foo /etc/hosts
169.254.6.1 foo.bar.org

root@west01:~# cat /etc/ipsec.conf
# LP: #1734207
conn lp-base
  authby=psk
  keyexchange=ikev1
  mobike=no
  type=transport
  left=169.254.6.2

conn lp-east01
  also=lp-base
  right=foo.bar.org
  <email address hidden>   # redacted by Launchpad; presumably the rightid= line identifying east01 (confirm against the original comment)
  auto=add

conn lp-rw
  also=lp-base
  right=%any
  auto=add

root@west01:~# cat /etc/ipsec.secrets
169.254.6.2 @foo.bar.org : PSK "PSK-EAST01"
%any : PSK "PSK-RW"

east01:

root@east01:~# cat /etc/ipsec.conf
# LP: #1734207
conn lp-east01
  authby=psk
  keyexchange=ikev1
  mobike=no
  type=transport
  left=169.254.6.2
  right=foo.bar.org
  <email address hidden>   # redacted by Launchpad; presumably the rightid= line identifying east01 (confirm against the original comment)
  auto=start

root@east01:~# cat /etc/ipsec.secrets
%any : PSK "PSK-EAST01"

When west01 runs the unpatched package (5.3.5-1ubuntu3.4), east01 is unable to connect: it receives an INFORMATIONAL request (presumably from west01, the only peer) that it discards as malformed, which places the fault on the concentrator side. The `grep -m1` below blocks until that first matching line appears:

root@east01:~# service strongswan restart
root@east01:~# journalctl -fu strongswan | grep -m1 malformed
Dec 20 18:10:57 east01 charon[2318]: 06[IKE] ignore malformed INFORMATIONAL request

As soon as west01 is upgraded to the patched package (5.3.5-1ubuntu3.5), east01 connects: Quick Mode completes and a transport-mode CHILD_SA is established with /32 traffic selectors between the two hosts, which is the expected result for `type=transport`:

root@east01:~# service strongswan restart
root@east01:~# journalctl -u strongswan | tail
Dec 20 18:14:36 east01 charon[2543]: 06[IKE] scheduling reauthentication in 9973s
Dec 20 18:14:36 east01 charon[2543]: 06[IKE] maximum IKE_SA lifetime 10513s
Dec 20 18:14:36 east01 charon[2543]: 06[ENC] generating QUICK_MODE request 2756199350 [ HASH SA No ID ID ]
Dec 20 18:14:36 east01 charon[2543]: 06[NET] sending packet: from 169.254.6.1[500] to 169.254.6.2[500] (220 bytes)
Dec 20 18:14:36 east01 charon[2543]: 05[NET] received packet: from 169.254.6.2[500] to 169.254.6.1[500] (172 bytes)
Dec 20 18:14:36 east01 charon[2543]: 05[ENC] parsed QUICK_MODE response 2756199350 [ HASH SA No ID ID ]
Dec 20 18:14:36 east01 charon[2543]: 05[IKE] CHILD_SA lp-east01{1} established with SPIs ce97ae49_i c3036bc6_o and TS 169.254.6.1/32 === 169.254.6.2/32
Dec 20 18:14:36 east01 charon[2543]: 05[IKE] CHILD_SA lp-east01{1} established with SPIs ce97ae49_i c3036bc6_o and TS 169.254.6.1/32 === 169.254.6.2/32
Dec 20 18:14:36 east01 charon[2543]: 05[ENC] generating QUICK_MODE request 2756199350 [ HASH ]
Dec 20 18:14:36 east01 charon[2543]: 05[NET] sending packet: from 169.254.6.1[500] to 169.254.6.2[500] (60 bytes)