system/5221: ipsecctl uses proposals not specified in ipsec.conf

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

system/5221: ipsecctl uses proposals not specified in ipsec.conf

Chris Ruff-2
>Number:         5221
>Category:       system
>Synopsis:       ipsecctl is sending proposals to isakmpd.fifo that are not specified in
>Confidential:   yes
>Severity:       non-critical
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 04 15:30:01 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     John Ruff
>Release:        4.0-current
>Organization:
net
>Environment:
        <machine, os, target, libraries>
        System      : OpenBSD 4.0
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:

When constructing an ipsec.conf for use with ipsecctl and isakmpd additional
proposals are sent by 'ipsecctl -f /etc/ipsec.conf' to isakmpd.fifo that are not present in
ipsec.conf.
       
>How-To-Repeat:

Create a simple ipsec.conf file which specifies 'main auth hmac-sha1 enc aes group modp1024'
and then invoke 'isakmpd -KL; ipsecctl -f /etc/ipsec.conf'.  Looking at the resulting
isakmpd.pcap will show your host sending an IKE packet with proposals which suggest using
RSA_SIG.  You can also invoke 'ipsecctl -vnf /etc/ipsec.conf' and see the transform
"AES-SHA-RSA_SIG" being added like so:

C add [mm-y.y.y.y]:Transforms=AES-SHA-RSA_SIG force

---------------------------[/etc/ipsec.conf]---------------------------
local_gw = "x.x.x.x"
remote_gw = "y.y.y.y"

ike esp from $local_gw to $remote_gw \
        main auth hmac-sha1 enc aes group modp1024 \
        psk vpnkey123
ike esp from 192.168.0.0/24 to 192.168.1.0/24 peer $remote_gw \
        quick auth hmac-sha1 enc aes group modp1024
-------------------------[END /etc/ipsec.conf]-------------------------

Using tcpdump to reveal the contents of /var/run/isakmpd.pcap will show the following IKE
packet sent from your gateway.

22:08:26.836190 x.x.x.x.500 > y.y.y.y.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 0a3db5cb5c374757->0000000000000000 msgid: 00000000 len: 256
        payload: SA len: 128 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 116 proposal: 1 proto: ISAKMP spisz: 0 xforms: 3
                payload: TRANSFORM len: 36
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute KEY_LENGTH = 128
                payload: TRANSFORM len: 36
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = RSA_SIG
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute KEY_LENGTH = 128
                payload: TRANSFORM len: 36
                    transform: 2 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = RSA_SIG
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                        attribute KEY_LENGTH = 128
        payload: VENDOR len: 20 (supports OpenBSD-4.0)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 284)

Notice transform 1 & 2 are additional proposals using "AUTHENTICATION_METHOD = RSA_SIG"
although it was never specified in ipsec.conf and my gateway is not configured to use it.
       
>Fix:
       

>Release-Note:
>Audit-Trail:
>Unformatted:
 ipsec.conf.