iked/IKEv2 issue with 6.1

iked/IKEv2 issue with 6.1

Igor V. Gubenko
Hello everyone,

OpenIKED just doesn't seem to like me much.

I managed to get it working around 5.8 but from upgrade to upgrade I
encountered different issues.

I have 3 tunnels using IKEv2. 2 are using a PSK, and 1 is using cert/RSA
auth.

They were working fine on 6.0. However the same configuration now fails
with 6.1 - iked refuses to start.

Config follows below:

---------------------

local_ip = "my_ext_ip"
local_net = "172.16.0.0/20"

ikev2 "KBweb" \
        active ipcomp esp \
        from $local_net to 10.33.33.0/27 \
        local $local_ip \
        peer A.B.C.D \
        ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid $local_ip \
        dstid a.dns.addr \
        psk "some psk"


ikev2 "KBDB" \
        active ipcomp esp \
        from $local_net to 10.34.34.0/27 \
        local $local_ip \
        peer E.F.G.H \
        ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid $local_ip \
        dstid e.dns.addr \
        psk "some psk"


ikev2 "PU" \
        active ipcomp esp \
        from $local_net to net1/mask1 \
        from $local_net to net2/mask2 \
        from $local_net to 10.6.0.0/16 \
        local $local_ip \
        peer I.J.K.L \
        ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid "/C=US/ST=New Jersey/L=Livingston/O=some org/OU=some dept/CN=some_cn_fqdn" \
        dstid "/C=US/ST=New Jersey/L=Princeton/O=some org2/OU=some dept2/CN=some_cn_fqdn2"

------------------


root@HomatEsh2 (1 jobs) /usr/src # iked -6 -d -vvvv
local_ip = "my_ext_ip"

local_net = "172.16.0.0/20"

set_policy: found pubkey for /etc/iked/pubkeys/fqdn/a.dns.addr
ikev2 "KBweb" active esp inet from 172.16.0.0/20 to 10.33.33.0/27 local
my_ext_ip peer A.B.C.D ikesa enc aes-192 prf hmac-sha2-256,hmac-sha1
auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256
group modp2048 srcid my_ext_ip dstid A.B.C.D lifetime 10800 bytes
536870912 psk 0xlong_hex_num
set_policy: found pubkey for /etc/iked/pubkeys/fqdn/e.dns.addr
ikev2 "KBDB" active esp inet from 172.16.0.0/20 to 10.34.34.0/27 local
my_ext_ip peer E.F.G.H ikesa enc aes-192 prf hmac-sha2-256,hmac-sha1
auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256
group modp2048 srcid my_ext_ip dstid E.F.G.H lifetime 10800 bytes
536870912 psk 0xlong_hex_num
set_policy: unknown type = 9
create_ike: set_policy failed
/etc/iked.conf: 39: create_ike failed
/etc/iked.conf: loaded 2 configuration rules
ca exiting, pid 5607
ikev2 exiting, pid 80211
control exiting, pid 62559

So it seems to fail on parsing or using the x50? cert notation, which
still works on my primary 6.0 machine.


Thank you for any help,

- Igor


Re: iked/IKEv2 issue with 6.1

Reyk Floeter-2
On Thu, Apr 20, 2017 at 04:03:38PM -0400, Igor V. Gubenko wrote:

> Hello everyone,
>
> OpenIKED just doesn't seem to like me much.
>
> I managed to get it working around 5.8 but from upgrade to upgrade I
> encountered different issues.
>
> I have 3 tunnels using IKEv2. 2 are using a PSK, and 1 is using cert/RSA
> auth.
>
> They were working fine on 6.0. However the same configuration now fails
> with 6.1 - iked refuses to start.
>

>         srcid "/C=US/ST=New Jersey/L=Livingston/O=some org/OU=some dept/CN=some_cn_fqdn" \
>         dstid "/C=US/ST=New Jersey/L=Princeton/O=some org2/OU=some dept2/CN=some_cn_fqdn2"
>

> set_policy: unknown type = 9

Thanks for the good report!

It seems that using ASN1_DN IDs got broken with parse.y 1.62.
Does the attached diff fix your problem?

Reyk

Index: sbin/iked/parse.y
===================================================================
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.64
diff -u -p -u -p -r1.64 parse.y
--- sbin/iked/parse.y 28 Mar 2017 16:56:39 -0000 1.64
+++ sbin/iked/parse.y 20 Apr 2017 21:40:14 -0000
@@ -1807,7 +1807,7 @@ set_policy(char *idstr, int type, struct
 {
  char keyfile[PATH_MAX];
  const char *prefix = NULL;
- EVP_PKEY *key;
+ EVP_PKEY *key = NULL;
 
  switch (type) {
  case IKEV2_ID_IPV4:
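Review bot: the `= NULL` initialiser on `EVP_PKEY *key` is what keeps the new `goto done` path safe, since `done:` leads straight into `set_policy_auth_method(keyfile, key, pol)` and, on failure, `EVP_PKEY_free(key)`; without it an ASN.1 DN policy would hand an uninitialised pointer to the free. A one-line comment on the declaration saying that `key` is deliberately left NULL for ID types that carry no public key file would make that dependency visible to the next person touching this function.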
@@ -1822,6 +1822,9 @@ set_policy(char *idstr, int type, struct
  case IKEV2_ID_UFQDN:
  prefix = "ufqdn";
  break;
+ case IKEV2_ID_ASN1_DN:
+ /* public key authentication is not supported with ASN.1 IDs */
+ goto done;
  default:
  /* Unspecified ID or public key not supported for this type */
  log_debug("%s: unknown type = %d", __func__, type);
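Review bot: the new `IKEV2_ID_ASN1_DN` case now skips the `default:` branch whose `log_debug("%s: unknown type = %d", ...)` is exactly the "set_policy: unknown type = 9" line from the report, so the dispatch is fixed at the right place. The comment "public key authentication is not supported with ASN.1 IDs" reads as if the policy were rejected, whereas the code intentionally continues to auth-method selection without a pubkey file; rewording it to say so (or adding a `log_debug` at the `goto done`) would avoid the next reader assuming the DN policy is dropped.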
@@ -1841,6 +1844,7 @@ set_policy(char *idstr, int type, struct
     keyfile);
  }
 
+ done:
  if (set_policy_auth_method(keyfile, key, pol) < 0) {
  EVP_PKEY_free(key);
  log_warnx("%s: failed to set policy auth method for %s",
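Review bot: when control arrives at `done:` via the `goto`, `keyfile` is passed to `set_policy_auth_method(keyfile, key, pol)` without ever having been written (it is declared as `char keyfile[PATH_MAX];` with no initialiser), so the callee must not read it while `key == NULL`; either confirm that, or add `keyfile[0] = '\0';` at the declaration so the `log_warnx(... "failed to set policy auth method for %s", ...)` on the error path prints an empty string rather than stack contents. `EVP_PKEY_free(NULL)` is a no-op, so freeing the NULL key on that path is fine.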

Re: iked/IKEv2 issue with 6.1

Igor V. Gubenko
Thank you, the patch appears to work. I haven't fully tested
connecting/establishing connections, so I'll send another update.

Prior to the patch, iked also complained about the lack of public keys for
PSK connections 1 and 2 (in /etc/iked/pubkeys/fqdn/). It doesn't mind them
being absent anymore, though.

- Igor

Re: iked/IKEv2 issue with 6.1

Igor V. Gubenko
Thanks again. The connections are all working.
