Message-ID: <20140915164731.GA12524@master>
Date:	Mon, 15 Sep 2014 11:47:31 -0500
From:	Joe M <joe9mail@...il.com>
To:	Christophe Gouault <christophe.gouault@...nd.com>
Cc:	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: loading ip_vti breaks IPSec connection

Hello Christophe,

Thank you for responding.

> I never experienced such problem.

Can you please share your configuration?

Do you have "mark=" in ipsec.conf? Do you use iptables rules to set
the mark? What are your vti tunnel's ikey and okey values? How do the
vti tunnel's remote and local correspond to the values in ipsec.conf
(when the clients have different public IPs and subnets)?

I use a custom kernel (gentoo distro), and got the seed from
kernel-seeds.org. I am also attaching my kernel config (config.gz) if
you want to check it out.

uname -a
Linux master 3.16.2-dirty #89 SMP PREEMPT Sun Sep 14 14:30:59 CDT 2014
x86_64 Intel(R) Pentium(R) CPU G620 @ 2.60GHz GenuineIntel GNU/Linux

It is dirty as I have been trying to add printk's to figure out ip_vti
behaviour. I can also try the latest rc kernel if that is what you
are using.

> By the way, was your IPsec tunnel already established when you
> executed your first ping? the first packet that triggers an IKE
> negotiation is always lost.

Without loading ip_vti (and mark= in ipsec.conf), I can get the pings
to work through the IPSec tunnel. I think I am doing something wrong
with the vti setup. Not setting the mark, okey, ikey or iptables rules
properly.

I am also attaching the note I sent to Mr. Steffen looking for
help. It has my configuration and xfrm policy and state.

I am using strongswan 5.2.0. Below is the gentoo configuration of
strongswan, if it helps.

eix --exact strongswan
[I] net-misc/strongswan
     Available versions:  5.1.3 (~)5.2.0-r1{tbz2} {+caps +constraints
     curl debug dhcp eap farp gcrypt ldap mysql networkmanager
     +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish
     strongswan_plugins_ccm strongswan_plugins_ctr
     strongswan_plugins_gcm strongswan_plugins_ha
     strongswan_plugins_ipseckey +strongswan_plugins_led
     +strongswan_plugins_lookip strongswan_plugins_ntru
     strongswan_plugins_padlock strongswan_plugins_rdrand
     +strongswan_plugins_systime-fix strongswan_plugins_unbound
     +strongswan_plugins_unity +strongswan_plugins_vici
     strongswan_plugins_whitelist}
     Installed versions:  5.2.0-r1{tbz2}(09:08:20 AM 09/15/2014)(caps
     constraints ldap non-root openssl pam strongswan_plugins_led
     strongswan_plugins_lookip strongswan_plugins_systime-fix
     strongswan_plugins_unity strongswan_plugins_vici -curl -debug
     -dhcp -eap -farp -gcrypt -mysql -networkmanager -pkcs11 -sqlite
     -strongswan_plugins_blowfish -strongswan_plugins_ccm
     -strongswan_plugins_ctr -strongswan_plugins_gcm
     -strongswan_plugins_ha -strongswan_plugins_ipseckey
     -strongswan_plugins_ntru -strongswan_plugins_padlock
     -strongswan_plugins_rdrand -strongswan_plugins_unbound
     -strongswan_plugins_whitelist)
     Homepage:            http://www.strongswan.org/
     Description:         IPsec-based VPN solution focused on security
     and ease of use, supporting IKEv1/IKEv2 and MOBIKE

equery uses strongswan
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-misc/strongswan-5.2.0-r1:
 U I
 + + caps                           : Use Linux capabilities library
 to control privilege 
 + + constraints                    : Enable advanced X.509 constraint
 checking plugin. 
 - - curl                           : Add support for client-side URL
 transfer library 
 - - debug                          : Enable extra debug codepaths,
 like asserts and extra output. If you want to get meaningful
 backtraces see 
                                      http://www.gentoo.org/proj/en/qa/backtraces.xml 
 - - dhcp                           : Enable server support for
 querying virtual IP addresses for clients from a DHCP server. (IKEv2
 only) 
 - - eap                            : Enable support for the different
 EAP modules that is supported. 
 - - farp                           : Enable faking of ARP responses
 for virtual IP addresses assigned to clients. (IKEv2 only) 
 - - gcrypt                         : Enable dev-libs/libgcrypt plugin
 which provides 3DES, AES, Blowfish, Camellia, CAST, DES, Serpent and
 Twofish ciphers along with MD4, MD5 and 
                                      SHA1/2 hash algorithms, RSA and
                                      DH groups 1,2,5,14-18 and
                                      22-24(4.4+). Also includes a
                                      software random number
                                      generator. 
 + + ldap                           : Add LDAP support (Lightweight
 Directory Access Protocol) 
 - - mysql                          : Add mySQL Database support
 - - networkmanager                 : Enable net-misc/networkmanager support
 + + non-root                       : Force IKEv1/IKEv2 daemons to
 normal user privileges. This might impose some restrictions mainly to
 the IKEv1 daemon. Disable only if you really require superuser privileges.
 + + openssl                        : Enable dev-libs/openssl plugin
 which is required for Elliptic Curve Cryptography (DH groups
 19-21,25,26) and ECDSA. Also provides 3DES, AES, Blowfish, Camellia,
 CAST, DES, IDEA and RC5 ciphers along with MD2, MD4, MD5 and SHA1/2
 hash algorithms, RSA and DH groups 1,2,5,14-18 and 22-24(4.4+)
 dev-libs/openssl has to be compiled with USE="-bindist". 
 + + pam                            : Add support for PAM (Pluggable
 Authentication Modules) - DANGEROUS to arbitrarily flip 
 - - pkcs11                         : Enable pkcs11 support.
 - - sqlite                         : Add support for sqlite - embedded sql database
 - - strongswan_plugins_blowfish    : Enable support for the blowfish plugin.
 - - strongswan_plugins_ccm         : Enable support for the ccm plugin.
 - - strongswan_plugins_ctr         : Enable support for the ctr plugin.
 - - strongswan_plugins_gcm         : Enable support for the gcm plugin.
 - - strongswan_plugins_ha          : Enable support for the ha plugin.
 - - strongswan_plugins_ipseckey    : Enable support for the ipseckey plugin.
 + + strongswan_plugins_led         : Enable support for the led plugin.
 + + strongswan_plugins_lookip      : Enable support for the lookip plugin.
 - - strongswan_plugins_ntru        : Enable support for the ntru plugin.
 - - strongswan_plugins_padlock     : Enable support for the padlock plugin.
 - - strongswan_plugins_rdrand      : Enable support for the rdrand plugin.
 + + strongswan_plugins_systime-fix : Enable support for the systime-fix plugin.
 - - strongswan_plugins_unbound     : Enable support for the unbound plugin.
 + + strongswan_plugins_unity       : Enable support for the unity plugin.
 + + strongswan_plugins_vici        : Enable support for the vici plugin.
 - - strongswan_plugins_whitelist   : Enable support for the whitelist plugin.


Thanks again and sorry for the bother,
Joe

