Discussion:
[strongSwan] IKE update does not correctly change the SA traffic selector in GRE transport mode
Frederic Griffoul
2018-10-31 14:03:17 UTC
Permalink
Dear all,

I'm testing strongswan-5.7.1 on a Linux Ubuntu-16.04 server to support
GRE-over-IPSEC tunnels with remote peers, the public address of which may
change from time to time. I thus use 'dynamic[gre]' traffic selector and
transport mode tunnels. When the remote peer address changes, strongswan
correctly processes the XFRM_MSG_MAPPING message, and updates the xfrm SA
and SP in the Linux kernel, except the traffic selector. This results
in XfrmInStateMismatch errors when receiving packets from the remote peers.
I've attached the swanctl.conf and the charon logs.

Is it a known issue? Or did I miss something?

Before changing the remote peer address, remote address is 2.2.2.254

***@ubuntu-xenial:/ivoctl/vagrant# swanctl -l
dc_lan2: #1, ESTABLISHED, IKEv2, 17f7b73e0a357e0d_i 2136e2e04936ce5e_r*
local 'dc' @ 192.168.2.1[4500]
remote 'lan2' @ 2.2.2.254[4500]
AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384
established 439s ago
lan2_dc: #1, reqid 1, INSTALLED, TRANSPORT-in-UDP, ESP:AES_GCM_16-256
installed 439s ago
in c5dd4c0b, 38544 bytes, 438 packets, 0s ago
out c4361bc0, 38544 bytes, 438 packets, 0s ago
local 192.168.2.1/32[gre]
remote 2.2.2.254/32[gre]

***@ubuntu-xenial:/ivoctl/vagrant# ip -s x s l
src 192.168.2.1 dst 2.2.2.254
proto esp spi 0xc4361bc0(3291880384) reqid 1(0x00000001) mode
transport
replay-window 0 seq 0x00000000 flag (0x00000000)
aead rfc4106(gcm(aes))
0x2db3e71cf4ee4d1600ff0b173b2480573b1ad30a3c3b8bd4b47f2d7cbb7fbfb5c41e3e6d
(288 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x1be, bitmap 0x00000000
sel src 192.168.2.1/32 dst 2.2.2.254/32 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
39248(bytes), 446(packets)
add 2018-10-31 13:31:09 use 2018-10-31 13:31:10
stats:
replay-window 0 replay 0 failed 0
src 2.2.2.254 dst 192.168.2.1
proto esp spi 0xc5dd4c0b(3319614475) reqid 1(0x00000001) mode
transport
replay-window 0 seq 0x00000000 flag (0x00000000)
aead rfc4106(gcm(aes))
0x66973d4ffe9290d89a4e5ad49c820daf586d4e4a8d745d81ef77f13177620036614c6da3
(288 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay esn context:
seq-hi 0x0, seq 0x1be, oseq-hi 0x0, oseq 0x0
replay_window 128, bitmap-length 4
ffffffff ffffffff ffffffff ffffffff
sel src 2.2.2.254/32 dst 192.168.2.1/32 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
39248(bytes), 446(packets)
add 2018-10-31 13:31:09 use 2018-10-31 13:31:10
stats:
replay-window 0 replay 0 failed 0

After changing the address from 2.2.2.254 to 2.2.2.222, everything is
updated, except the SA selector:

***@ubuntu-xenial:/ivoctl/vagrant# swanctl -l
dc_lan2: #1, ESTABLISHED, IKEv2, 17f7b73e0a357e0d_i 2136e2e04936ce5e_r*
local 'dc' @ 192.168.2.1[4500]
remote 'lan2' @ 2.2.2.222[4500]
AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384
established 529s ago
lan2_dc: #1, reqid 1, INSTALLED, TRANSPORT-in-UDP, ESP:AES_GCM_16-256
installed 529s ago
in c5dd4c0b, 45848 bytes, 521 packets, 58s ago
out c4361bc0, 42504 bytes, 483 packets, 38s ago
local 192.168.2.1/32[gre]
remote 2.2.2.222/32[gre]

***@ubuntu-xenial:/ivoctl/vagrant# ip -s x s l
src 192.168.2.1 dst 2.2.2.222
proto esp spi 0xc4361bc0(3291880384) reqid 1(0x00000001) mode
transport
replay-window 0 seq 0x00000000 flag (0x00000000)
aead rfc4106(gcm(aes))
0x2db3e71cf4ee4d1600ff0b173b2480573b1ad30a3c3b8bd4b47f2d7cbb7fbfb5c41e3e6d
(288 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x1e3, bitmap 0x00000000
*sel src 192.168.2.1/32 <http://192.168.2.1/32> dst 2.2.2.254/32
<http://2.2.2.254/32> uid 0*
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
42504(bytes), 483(packets)
add 2018-10-31 13:31:09 use 2018-10-31 13:31:10
stats:
replay-window 0 replay 0 failed 0
src 2.2.2.222 dst 192.168.2.1
proto esp spi 0xc5dd4c0b(3319614475) reqid 1(0x00000001) mode
transport
replay-window 0 seq 0x00000010 flag (0x00000000)
aead rfc4106(gcm(aes))
0x66973d4ffe9290d89a4e5ad49c820daf586d4e4a8d745d81ef77f13177620036614c6da3
(288 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay esn context:
seq-hi 0x0, seq 0x210, oseq-hi 0x0, oseq 0x0
replay_window 128, bitmap-length 4
ffffffff ffffffff ffffffff ffffffff
*sel src 2.2.2.254/32 <http://2.2.2.254/32> dst 192.168.2.1/32
<http://192.168.2.1/32> uid 0*
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
46464(bytes), 528(packets)
add 2018-10-31 13:31:09 use 2018-10-31 13:31:10
stats:
replay-window 0 replay 0 failed 0

Best regards,

Fred.
Tobias Brunner
2018-10-31 14:48:22 UTC
Permalink
Hi Fred,
Post by Frederic Griffoul
When the remote peer address changes,
strongswan correctly processes the XFRM_MSG_MAPPING message, and updates
the xfrm SA and SP in the Linux kernel, except the traffic selector.
Yes, updating that selector was, in fact, missing in the responsible
function. I pushed a potential fix to the kernel-netlink-update-sel
branch of our repository [1] (only compile tested). Let me know if that
works for you.

Regards,
Tobias

[1]
https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/kernel-netlink-update-sel
Frederic Griffoul
2018-10-31 15:04:22 UTC
Permalink
Yes, it works. Thanks Tobias.

Will it be included in an upcoming Strongswan release?

Br,

Fred
Post by Tobias Brunner
Hi Fred,
Post by Frederic Griffoul
When the remote peer address changes,
strongswan correctly processes the XFRM_MSG_MAPPING message, and updates
the xfrm SA and SP in the Linux kernel, except the traffic selector.
Yes, updating that selector was, in fact, missing in the responsible
function. I pushed a potential fix to the kernel-netlink-update-sel
branch of our repository [1] (only compile tested). Let me know if that
works for you.
Regards,
Tobias
[1]
https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/kernel-netlink-update-sel
Tobias Brunner
2018-10-31 15:14:58 UTC
Permalink
Hi Fred,
Post by Frederic Griffoul
Yes, it works.
Great, thanks for testing.
Post by Frederic Griffoul
Will it be included in an upcoming Strongswan release?
Yes, will be included in the next release.

Regards,
Tobias

Loading...