system/5224: Unable to specify ID-Type of IPV4_ADDR

system/5224: Unable to specify ID-Type of IPV4_ADDR

Chris Ruff-2
>Number:         5224
>Category:       system
>Synopsis:       Using ipsecctl/ipsec.conf I'm unable to specify a local peer ID-Type
>Confidential:   yes
>Severity:       non-critical
>Priority:       low
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 04 20:00:01 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     John Ruff
>Release:        4.0-current (GENERIC #1103)
>Organization:
net
>Environment:
       
        System      : OpenBSD 4.0
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:

When implementing an IPSec/VPN to a peer who is using ID-Type IPV4_ADDR to define the local
and remote peer I'm unable to specify ID-Type IPV4_ADDR in the 'srcid' and 'dstid'
parameters within ipsec.conf.  The documentation states that only FQDN & USER_FQDN are
supported.  This results in an IKE Phase-I negotiation error of "INVALID ID INFORMATION".  It
would help immensely to be able to specify an ID-Type of IPV4_ADDR in ipsec.conf.  Maybe
something like 'srcid IPV4_ADDR:x.x.x.x'.
       

>How-To-Repeat:

Use ipsecctl/ipsec.conf to initialize an IPSec/VPN tunnel to another peer.  My testing was
done to an IPCop on Linux peer.  No matter if you use 'ike [active|dynamic|passive]' you will
not be able to force your srcid to be of ID-Type IPV4_ADDR.  I've included a snippet from
isakmpd.pcap after running 'isakmpd -KL; ipsecctl -f /etc/ipsec.conf'.  You will notice that
my local peer is presented as a quoted string of ID-Type FQDN.

The local peer is x.x.x.188 and the remote peer is y.y.y.200.

-------------------------[BEGIN isakmpd.pcap]-------------------------
15:11:36.771475 y.y.y.200.500 > x.x.x.188.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: b5572ef5ee1dbf22->95453c5005c34a7a msgid: 00000000 len: 76
        payload: ID len: 12 type: IPV4_ADDR = y.y.y.200
        payload: HASH len: 24 [ttl 0] (id 1, len 104)
15:11:36.771864 x.x.x.188.500 > y.y.y.200.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: b5572ef5ee1dbf22->95453c5005c34a7a msgid: 00000000 len: 101
        payload: ID len: 21 type: FQDN = "x.x.x.188"
        payload: HASH len: 24
        payload: NOTIFICATION len: 28
            notification: INITIAL CONTACT (b5572ef5ee1dbf22->95453c5005c34a7a) [ttl 0] (id 1, len 129)
15:11:36.790203 y.y.y.200.500 > x.x.x.188.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: b5572ef5ee1dbf22->95453c5005c34a7a msgid: 00000000 len: 40
        payload: NOTIFICATION len: 12
            notification: INVALID ID INFORMATION [ttl 0] (id 1, len 68)
-------------------------[END isakmpd.pcap]-------------------------

       
>Fix:
       

>Release-Note:
>Audit-Trail:
>Unformatted:
 IPV4_ADDR
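
One way to pull the ID-type mismatch and the resulting rejection out of a trace like the one in this report, as an added example that is not part of the original thread. The function names are hypothetical, and the parser assumes the text layout of the isakmpd.pcap excerpt above with its wrapped lines rejoined.

```python
import re

# Lines taken from the report's trace (HASH payloads omitted, wrapped lines rejoined).
TRACE = """\
15:11:36.771475 y.y.y.200.500 > x.x.x.188.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: b5572ef5ee1dbf22->95453c5005c34a7a msgid: 00000000 len: 76
        payload: ID len: 12 type: IPV4_ADDR = y.y.y.200
15:11:36.771864 x.x.x.188.500 > y.y.y.200.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: b5572ef5ee1dbf22->95453c5005c34a7a msgid: 00000000 len: 101
        payload: ID len: 21 type: FQDN = "x.x.x.188"
        payload: NOTIFICATION len: 28
            notification: INITIAL CONTACT (b5572ef5ee1dbf22->95453c5005c34a7a) [ttl 0] (id 1, len 129)
15:11:36.790203 y.y.y.200.500 > x.x.x.188.500: [udp sum ok] isakmp v1.0 exchange INFO
        cookie: b5572ef5ee1dbf22->95453c5005c34a7a msgid: 00000000 len: 40
        payload: NOTIFICATION len: 12
            notification: INVALID ID INFORMATION [ttl 0] (id 1, len 68)
"""

HEADER = re.compile(r"^\S+ (\S+)\.\d+ > (\S+)\.\d+: .*isakmp")
COOKIE = re.compile(r"cookie: (\w+->\w+)")
ID_PAYLOAD = re.compile(r"payload: ID len: \d+ type: (\w+) = (\S+)")
NOTIFY = re.compile(r"notification: ([A-Z ]+?) (?:\(|\[)")

def analyze(trace):
    """Group ID payloads and notifications by IKE cookie pair, keyed by sender."""
    sessions, src, key = {}, None, None
    for line in trace.splitlines():
        if m := HEADER.match(line):        # packet header: remember the sender
            src, key = m.group(1), None
        elif m := COOKIE.search(line):     # cookie pair identifies the exchange
            key = m.group(1)
            sessions.setdefault(key, {"ids": {}, "notifications": []})
        elif key and (m := ID_PAYLOAD.search(line)):
            sessions[key]["ids"][src] = (m.group(1), m.group(2).strip('"'))
        elif key and (m := NOTIFY.search(line)):
            sessions[key]["notifications"].append((src, m.group(1)))
    return sessions

def id_findings(trace):
    """List exchanges rejected with INVALID ID INFORMATION and each peer's ID type."""
    out = []
    for key, s in analyze(trace).items():
        rejected_by = [p for p, n in s["notifications"] if n == "INVALID ID INFORMATION"]
        if rejected_by:
            out.append({"cookie": key, "rejected_by": rejected_by,
                        "id_types": {p: t for p, (t, _) in s["ids"].items()}})
    return out
```

Run over the excerpt, `id_findings(TRACE)` reports one exchange rejected by y.y.y.200, with that peer sending IPV4_ADDR and x.x.x.188 sending FQDN.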

Re: system/5224: Unable to specify ID-Type of IPV4_ADDR

Chris Ruff-2
Please close this issue.  I made a mistake in my bug report.  ID-Type  
IPV4_ADDR is used for the local peer when 'srcid' is not used at all  
in ipsec.conf.

Thanks
John


On Sep 4, 2006, at 4:00 PM, Gnats wrote:

> Thank you very much for your problem report.
> It has the internal identification `system/5224'.
> The individual assigned to look at your
> report is: bugs.
>
>> Category:       system
>> Responsible:    bugs
>> Synopsis:       Using ipsecctl/ipsec.conf I'm unable to specify a  
>> local peer ID-Type
>> Arrival-Date:   Mon Sep 04 20:00:01 GMT 2006

Re: system/5224: Unable to specify ID-Type of IPV4_ADDR

Chris Ruff-2
The following reply was made to PR system/5224; it has been noted by GNATS.

From: John Ruff <[hidden email]>
To: [hidden email], [hidden email]
Cc:  
Subject: Re: system/5224: Unable to specify ID-Type of IPV4_ADDR
Date: Mon, 4 Sep 2006 16:42:18 -0400

 Please close this issue.  I made a mistake in my bug report.  ID-Type  
 IPV4_ADDR is used for the local peer when 'srcid' is not used at all  
 in ipsec.conf.
 
 Thanks
 John
 
 
 On Sep 4, 2006, at 4:00 PM, Gnats wrote:
 
 > Thank you very much for your problem report.
 > It has the internal identification `system/5224'.
 > The individual assigned to look at your
 > report is: bugs.
 >
 >> Category:       system
 >> Responsible:    bugs
 >> Synopsis:       Using ipsecctl/ipsec.conf I'm unable to specify a  
 >> local peer ID-Type
 >> Arrival-Date:   Mon Sep 04 20:00:01 GMT 2006