From: SourceForge.net <no...@so...> - 2007-02-14 21:15:26
Bugs item #1649260, was opened at 2007-01-31 17:46
Message generated for change (Comment added) made by unclepedro29
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=1649260&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Uncle Pedro (unclepedro29)
Assigned to: Nobody/Anonymous (nobody)
Summary: ISAKMP P1 delete notifications cause P2 SAs to be deleted

Initial Comment:
Phase1 PFS requires that a Phase1 (IKE) SA is allowed to protect at most 1 Phase2 (IPsec) SA negotiation. The peer initiates an IKE negotiation followed by an IPsec negotiation -- both completing successfully. After the peer sends Quick Mode 3, it then sends an ISAKMP delete SA notification for the IKE SA that it is deleting -- that is, the one it just created and used to create the IPsec SA -- as is required by Phase1 PFS.

Racoon receives this ISAKMP delete notification and deletes the IKE SA _and_ all of the IPsec SAs it just created. Thus, traffic is unable to flow. This behavior is obviously incorrect.

Below is the tail of the log that shows the reception of an ISAKMP delete notification followed by racoon deleting both the IKE and IPsec SAs. It is clear that the ISAKMP delete notification is for an IKE SA with cookies f6b94dba62329819:a26028074c1c50d6 as seen in this post-crypto packet dump:

2007-01-31 16:59:02: DEBUG: f6b94dba 62329819 a2602807 4c1c50d6 08100501 38bfce07 0000004c 0c000014 33cab50d d0164719 1657785d c921cfa3 0000001c 00000001 01100001 f6b94dba 62329819 a2602807 4c1c50d6

To see this packet broken down and annotated, please refer to the attached file delete_notif_breakdown.txt.

Information regarding SAs created immediately prior to the reception of the aforementioned ISAKMP delete notification:

The IKE SA i-cookie:r-cookie
f6b94dba62329819:a26028074c1c50d6

The IPsec SA SPIs
--Inbound--
spi=3876058204 (0xe707f45c)
(from the log...)
2007-01-31 16:59:01: DEBUG: peer's single bundle:
2007-01-31 16:59:01: DEBUG: (proto_id=ESP spisize=4 spi=e707f45c spi_p=00000000 encmode=Tunnel reqid=0:0)
2007-01-31 16:59:01: DEBUG: (trns_id=AES encklen=128 authtype=254)
--Outbound--
spi=177458389 (0xa93ccd5)
(from the log...)
2007-01-31 16:59:01: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 30.0.0.101[0]->30.0.0.104[0] spi=177458389(0xa93ccd5)

<-- Begin log snippet -->
2007-01-31 16:59:02: DEBUG: ===
2007-01-31 16:59:02: DEBUG: 76 bytes message received from 30.0.0.101[500] to 30.0.0.104[500]
2007-01-31 16:59:02: DEBUG: f6b94dba 62329819 a2602807 4c1c50d6 08100501 38bfce07 0000004c aeb0fb73 bdb33a8f 1e37ee2b ed4cbfa2 db7145ac 70c93739 4e61e564 bd3728d1 ccff1cb8 d35e8c07 b1796b2b 30b8de6d
2007-01-31 16:59:02: DEBUG: receive Information.
2007-01-31 16:59:02: DEBUG: compute IV for phase2
2007-01-31 16:59:02: DEBUG: phase1 last IV:
2007-01-31 16:59:02: DEBUG: dec3c67a 9ed57347 38bfce07
2007-01-31 16:59:02: DEBUG: hash(md5)
2007-01-31 16:59:02: DEBUG: encryption(des)
2007-01-31 16:59:02: DEBUG: phase2 IV computed:
2007-01-31 16:59:02: DEBUG: aa911b21 c8551d85
2007-01-31 16:59:02: DEBUG: begin decryption.
2007-01-31 16:59:02: DEBUG: encryption(des)
2007-01-31 16:59:02: DEBUG: IV was saved for next processing:
2007-01-31 16:59:02: DEBUG: b1796b2b 30b8de6d
2007-01-31 16:59:02: DEBUG: encryption(des)
2007-01-31 16:59:02: DEBUG: with key:
2007-01-31 16:59:02: DEBUG: 2a21eae1 2b20f798
2007-01-31 16:59:02: DEBUG: decrypted payload by IV:
2007-01-31 16:59:02: DEBUG: aa911b21 c8551d85
2007-01-31 16:59:02: DEBUG: decrypted payload, but not trimed.
2007-01-31 16:59:02: DEBUG: 0c000014 33cab50d d0164719 1657785d c921cfa3 0000001c 00000001 01100001 f6b94dba 62329819 a2602807 4c1c50d6
2007-01-31 16:59:02: DEBUG: padding len=215
2007-01-31 16:59:02: DEBUG: skip to trim padding.
2007-01-31 16:59:02: DEBUG: decrypted.
2007-01-31 16:59:02: DEBUG: f6b94dba 62329819 a2602807 4c1c50d6 08100501 38bfce07 0000004c 0c000014 33cab50d d0164719 1657785d c921cfa3 0000001c 00000001 01100001 f6b94dba 62329819 a2602807 4c1c50d6
2007-01-31 16:59:02: DEBUG: IV freed
2007-01-31 16:59:02: DEBUG: HASH with:
2007-01-31 16:59:02: DEBUG: 38bfce07 0000001c 00000001 01100001 f6b94dba 62329819 a2602807 4c1c50d6
2007-01-31 16:59:02: DEBUG: hmac(hmac_md5)
2007-01-31 16:59:02: DEBUG: HASH computed:
2007-01-31 16:59:02: DEBUG: 33cab50d d0164719 1657785d c921cfa3
2007-01-31 16:59:02: DEBUG: hash validated.
2007-01-31 16:59:02: DEBUG: begin.
2007-01-31 16:59:02: DEBUG: seen nptype=8(hash)
2007-01-31 16:59:02: DEBUG: seen nptype=12(delete)
2007-01-31 16:59:02: DEBUG: succeed.
2007-01-31 16:59:02: DEBUG: delete payload for protocol ISAKMP
2007-01-31 16:59:02: INFO: purging ISAKMP-SA spi=f6b94dba62329819:a26028074c1c50d6.
2007-01-31 16:59:02: DEBUG: call pfkey_send_dump
2007-01-31 16:59:02: DEBUG: an undead schedule has been deleted.
2007-01-31 16:59:02: DEBUG: IV freed
2007-01-31 16:59:02: INFO: purged IPsec-SA spi=3876058204.   // spi=0xe707f45c
2007-01-31 16:59:02: INFO: purged IPsec-SA spi=177458389.    // spi=0xa93ccd5
2007-01-31 16:59:02: INFO: purged ISAKMP-SA spi=f6b94dba62329819:a26028074c1c50d6.
2007-01-31 16:59:02: DEBUG: purged SAs.
2007-01-31 16:59:02: DEBUG: get pfkey DELETE message
2007-01-31 16:59:02: DEBUG: DELETE message is not interesting because the message was originated by me.
2007-01-31 16:59:02: DEBUG: get pfkey DELETE message
2007-01-31 16:59:02: DEBUG: DELETE message is not interesting because the message was originated by me.
2007-01-31 16:59:03: INFO: ISAKMP-SA deleted 30.0.0.104[500]-30.0.0.101[500] spi:f6b94dba62329819:a26028074c1c50d6
2007-01-31 16:59:03: DEBUG: IV freed
<-- End log snippet -->

----------------------------------------------------------------------

>Comment By: Uncle Pedro (unclepedro29)
Date: 2007-02-14 16:15

Message:
Logged In: YES
user_id=1702317
Originator: YES

I am attaching a proposed fix for this bug. I've tested the patch and it works for me, but I am definitely NOT sure about whether or not the call to "isakmp_ph1expire()" is a legitimate replacement for "purge_remote()". Thank you.

File Added: p1delnotif-cvs.patch

----------------------------------------------------------------------

Comment By: Uncle Pedro (unclepedro29)
Date: 2007-01-31 17:47

Message:
Logged In: YES
user_id=1702317
Originator: YES

Adding full log as attachment.

File Added: no_p1pfs_support.log

----------------------------------------------------------------------
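As an added illustration (not part of the bug report, the attached patch, or racoon's own code): a decoder for the post-decryption dump quoted in the report, using the ISAKMP header and Delete payload layouts from RFC 2408, followed by the purge rule the reporter expects, under which a Delete for protocol ISAKMP names only the IKE SA and leaves the child IPsec SAs in place. The SA table is constructed here from the SPIs the report lists; the field names and helper functions are this example's own.

```python
import struct

# Post-decryption dump of the Informational exchange, as printed in the report's log.
DELETE_NOTIFICATION_HEX = (
    "f6b94dba 62329819 a2602807 4c1c50d6 08100501 38bfce07 0000004c "
    "0c000014 33cab50d d0164719 1657785d c921cfa3 "
    "0000001c 00000001 01100001 f6b94dba 62329819 a2602807 4c1c50d6"
)
# SAs racoon held just before the notification arrived (constructed from the report).
SA_TABLE = [
    {"proto": "ISAKMP", "spi": "f6b94dba62329819a26028074c1c50d6"},  # IKE SA: i-cookie||r-cookie
    {"proto": "ESP", "spi": "e707f45c"},   # inbound IPsec SA, spi=3876058204
    {"proto": "ESP", "spi": "0a93ccd5"},   # outbound IPsec SA, spi=177458389
]

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msgid, length
PAYLOAD_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length
DELETE_HDR = struct.Struct("!IBBH")        # DOI, protocol id, SPI size, number of SPIs
EXCH_INFORMATIONAL, NP_DELETE = 5, 12
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP"}

def parse_delete_notification(hexdump):
    """Walk the payload chain of a decrypted Informational exchange and
    collect every Delete payload as protocol plus the SPIs it names."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    icky, rcky, ptype, _ver, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(raw, 0)
    if exch != EXCH_INFORMATIONAL or length != len(raw):
        raise ValueError("not a complete Informational exchange")
    deletes, off = [], ISAKMP_HDR.size
    while ptype != 0:  # next-payload 0 marks the end of the chain
        next_ptype, _, plen = PAYLOAD_HDR.unpack_from(raw, off)
        body = raw[off + PAYLOAD_HDR.size:off + plen]
        if ptype == NP_DELETE:
            _doi, proto, spisize, nspi = DELETE_HDR.unpack_from(body, 0)
            spis = body[DELETE_HDR.size:DELETE_HDR.size + nspi * spisize]
            deletes.append({"proto": PROTO_NAMES.get(proto, proto),
                            "spis": [spis[i:i + spisize].hex() for i in range(0, len(spis), spisize)]})
        ptype, off = next_ptype, off + plen
    return {"cookies": icky.hex() + ":" + rcky.hex(), "deletes": deletes}

def sas_to_purge(parsed, sa_table):
    """Select only the SAs the Delete payload names: protocol ISAKMP with the
    cookie pair as SPI names the IKE SA alone; ESP/AH name individual IPsec SAs
    by their own SPI. Unnamed child IPsec SAs are left untouched."""
    return [sa for d in parsed["deletes"] for sa in sa_table
            if sa["proto"] == d["proto"] and sa["spi"] in d["spis"]]

if __name__ == "__main__":
    parsed = parse_delete_notification(DELETE_NOTIFICATION_HEX)
    print(parsed)
    print("purge:", sas_to_purge(parsed, SA_TABLE))
```

Run against the report's dump, the decoder yields one Delete payload for protocol ISAKMP whose SPI is the cookie pair, so only the IKE SA is selected and both ESP SAs remain.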