esp=<cipher suites> configuration not working as expected. #2449 #76

antonymsouza opened this issue Sep 16, 2024 · 0 comments

Software used: Strongswan 5.9.6, VPP 23.10 + DPDK

First Scenario:
Initiator: esp=aes256-aes192-aes128-sha256-modp3072-modp2048-ecp256
Responder: esp=aes256-sha256-ecp256

I am getting a core dump as shown below. A detailed core dump is added in the next message.

Sep 13 18:12:11 security-gw4 charon-systemd[139949]: parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: DH group MODP_3072 unacceptable, requesting ECP_256
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: SA not found
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: thread 7 received 11
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: dumping 12 stack frame addresses:

If I use the proposal like:
Initiator: esp=aes256-aes192-aes128-sha256-ecp256-modp3072-modp2048
Responder: esp=aes256-sha256-ecp256
Then it works fine. Very strange.

In the IKE proposal there is no issue: we can give the PFS ciphers in any order in the proposal, and the responder picks the relevant matches and establishes the tunnel successfully.
Initiator: "aes128-aes192-aes256-sha256-modp2048-modp3072-ecp256"
Responder: aes256-sha256-ecp256
It works fine.

Core Dump:
Here is the core dump sequence:
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: DH group MODP_3072 unacceptable, requesting ECP_256
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: SA not found
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: thread 7 received 11
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: dumping 12 stack frame addresses:
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234732520]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /lib/x86_64-linux-gnu/libvlibapi.so.23.10.0 @ 0x7fa234299000 (vl_msg_api_free+0x18) [0x7fa2342a4658]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libvlibapi.so.23.10.0 @ 0x7fa234299000 (vl_msg_api_free+0x18) [0x7fa2342a4658]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/plugins/libstrongswan-kernel-vpp.so @ 0x7fa23434d000 [0x7fa2343509ee]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/plugins/libstrongswan-kernel-vpp.so @ 0x7fa23434d000 [0x7fa2343509ee]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /root/vpp_sswan/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c:1834
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a23742]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /root/vpp_sswan/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c:1834
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a23742]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/child_sa.c:1923
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a3d888]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/child_sa.c:1923
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a3d888]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/tasks/child_create.c:2060
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a38d7b]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/tasks/child_create.c:2060
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a38d7b]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/task_manager_v2.c:904
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a25e50]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/task_manager_v2.c:904
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a25e50]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ike_sa.c:1647
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a1e987]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ike_sa.c:1647
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a1e987]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/processing/jobs/process_message_job.c:74
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ace879]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/processing/jobs/process_message_job.c:74
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ace879]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/processing/processor.c:262
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ae22a8]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/processing/processor.c:262
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ae22a8]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/threading/thread.c:332 (discriminator 4)
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234784ac3]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/threading/thread.c:332 (discriminator 4)
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234784ac3]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234816850]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234816850]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: dumping 12 stack frame addresses:
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234732520]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libvlibapi.so.23.10.0 @ 0x7fa234299000 (vl_msg_api_free+0x18) [0x7fa2342a4658]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/plugins/libstrongswan-kernel-vpp.so @ 0x7fa23434d000 [0x7fa2343509ee]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /root/vpp_sswan/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c:1834
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a23742]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/child_sa.c:1923
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a3d888]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/tasks/child_create.c:2060
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a38d7b]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/task_manager_v2.c:904
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a25e50]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ike_sa.c:1647
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a1e987]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/processing/jobs/process_message_job.c:74
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ace879]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/processing/processor.c:262
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ae22a8]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/threading/thread.c:332 (discriminator 4)
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234784ac3]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234816850]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[DMN] killing ourself, received critical signal
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: killing ourself, received critical signal
Sep 13 18:12:12 security-gw4 systemd[1]: strongswan.service: Main process exited, code=killed, status=6/ABRT
Sep 13 18:12:12 security-gw4 systemd[1]: strongswan.service: Failed with result 'signal'.
Sep 13 18:12:12 security-gw4 systemd[1]: strongswan.service: Consumed 1.569s CPU time.
Sep 13 18:12:12 security-gw4 systemd[1]: strongswan.service: Scheduled restart job, restart counter is at 3.
Sep 13 18:12:12 security-gw4 systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Sep 13 18:12:12 security-gw4 systemd[1]: strongswan.service: Consumed 1.569s CPU time.
Sep 13 18:12:12 security-gw4 systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
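
For triage, the journal output above can be reduced to a single backtrace with module-relative offsets, the form `addr2line -e <module> <offset>` takes. This is an added example, not part of the original report or of either project; the name `parse_backtrace` is hypothetical and the embedded sample is a few lines copied from the log above.

```python
import re

# journald line -> optional charon thread tag ("07[LIB] ") + message
SYSLOG = re.compile(r"^.*? charon\S*\[\d+\]: (?P<tag>\d\d\[[A-Z]{3}\] )?(?P<msg>.*)$")
# "<module> @ <load base> (<symbol+off>) [<address>]"; the symbol is optional
FRAME = re.compile(r"^(?P<mod>/\S+) @ (?P<base>0x[0-9a-f]+)"
                   r"(?: \((?P<sym>[^)]+)\))? \[(?P<addr>0x[0-9a-f]+)\]$")

def parse_backtrace(text):
    """Return the last backtrace in `text`, one dict per frame, de-duplicated."""
    streams = {True: [], False: []}  # tagged and untagged copies of each line
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        msg, frames = m["msg"].strip(), streams[bool(m["tag"])]
        f = FRAME.match(msg)
        if msg.startswith("dumping "):
            frames.clear()  # a new dump starts; drop the previous one
        elif f:
            offset = int(f["addr"], 16) - int(f["base"], 16)
            frames.append({"module": f["mod"], "symbol": f["sym"],
                           "offset": hex(offset), "source": None})
        elif msg.startswith("-> ") and frames and frames[-1]["source"] is None:
            frames[-1]["source"] = msg[3:]  # first addr2line result for the frame
    # The same frames are logged twice; keep the more complete copy.
    return max(streams.values(), key=len)

# Sample: lines copied from the report above (untagged and tagged copies mixed).
P = "Sep 13 18:12:11 security-gw4 charon-systemd[139949]: "
SAMPLE = "\n".join(P + s for s in [
    "dumping 12 stack frame addresses:",
    "/lib/x86_64-linux-gnu/libvlibapi.so.23.10.0 @ 0x7fa234299000 (vl_msg_api_free+0x18) [0x7fa2342a4658]",
    "-> ??:?",
    "/usr/lib/ipsec/plugins/libstrongswan-kernel-vpp.so @ 0x7fa23434d000 [0x7fa2343509ee]",
    "07[LIB] /usr/lib/ipsec/plugins/libstrongswan-kernel-vpp.so @ 0x7fa23434d000 [0x7fa2343509ee]",
    "-> /root/vpp_sswan/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c:1834",
    "07[LIB] -> /root/vpp_sswan/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c:1834",
])

if __name__ == "__main__":
    for fr in parse_backtrace(SAMPLE):
        print(fr["module"], fr["offset"], fr["symbol"] or "-", fr["source"])
```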
