Bug #4208
closedP1 rekeying with IKEv1 failing with no proposal chosen / invalid ID info
0%
Description
When P1 rekeys with IKEv1, in certain circumstances (which aren't entirely clear) it'll end up failing with no proposal chosen. One example here with logs:
https://forum.pfsense.org/index.php?topic=86621.0
The same thing happened to one of my VPNs today where it was 2.2 on both ends, so it also applies to strongswan to strongswan connections.
Along the same lines, but a slightly different symptom, it may also do the following:
Jan 12 21:14:05 charon: 14[KNL] creating rekey job for ESP CHILD_SA with SPI cc825a3b and reqid {4} Jan 12 21:14:05 charon: 16[ENC] generating QUICK_MODE request 3257512338 [ HASH SA No KE ID ID Jan 12 21:14:05 charon: 16[ENC] parsed INFORMATIONAL_V1 request 1371235738 [ HASH N(INVAL_ID) ] Jan 12 21:14:05 charon: 16[IKE] <con3000|410> received INVALID_ID_INFORMATION error notify Jan 12 21:14:05 charon: 16[IKE] received INVALID_ID_INFORMATION error notify
Where both sides end up with more or less the same logs.
I shortened the P1 lifetime on some of our test VPNs, and a couple of my home production ones, to see if it's reliably replicable. Thus far it seems a bit hit and miss. It doesn't appear to affect IKEv2 at all.
Updated by Chris Buechler over 9 years ago
adding some details from what I've found thus far.
- It's not universal, but it is replicable. It's not replicable on demand, though, from what I've found thus far.
- Reducing the lifetime significantly seems to either eliminate, or delay the issue well beyond the first rekey at least. Seems the scenario for kitdavis in the linked forum post is it happens on the first P1 rekey. Testing with a 1200 P1 lifetime and 600 P2, I have several tunnels that have rekeyed a number of times without exhibiting the issue.
- This started at some point last week, judging from log history exhibiting the issue. I haven't been able to narrow down the specific day.
- It doesn't seem to be specific to any particular config parameters. There are reports of it affecting main and aggressive modes, various ciphers, hash, lifetime, etc. None of the affected ones I've seen or heard of are using NAT-T, but that's probably more a function of most site to site VPNs not using NAT-T. None of the systems that have exhibited the issue have any NAT-T VPNs on them.
Updated by Chris Buechler over 9 years ago
- Assignee changed from Chris Buechler to Ermal Luçi
I haven't found a means of reliably replicating this with shorter lifetimes. It's either some combination of things that I haven't been able to replicate, or specific to longer lifetimes. Hoping we can get access to kitdavis' system shortly since it's seemingly more reliably replicable there, I reached out to him.
Ermal and I discussed, he's looking into changes last week to see if anything sticks out, in our code and strongswan 5.2.1->5.2.2.
Updated by Ermal Luçi over 9 years ago
If the present builds do not work.
These commits seem at fault
http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=11b42933bf3896acaa7fb2efef8689c04d9224b1
http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1201ddcbc5dda4849524f08a0923071d1b15b387
Which need to be reverted, especially the first one.
Updated by Ermal Luçi over 9 years ago
The first one hsa been reverted and is present on new snaps.
Updated by Chris Buechler over 9 years ago
strongswan has been reverted back to 5.2.1 to see if that resolves the issue, as other possibilities seem to have been exhausted.
Updated by Chris Buechler over 9 years ago
- Status changed from Confirmed to Feedback
downgrade to strongswan 5.2.1 (with cherry-picked security fixes from 5.2.2) looks to have fixed this issue. Leaving to feedback for now
Updated by Chris Buechler over 9 years ago
- Target version changed from 2.2 to 2.2.1
that did fix the issue for 2.2, pushing to 2.2.1 for getting the issue fixed in strongswan 5.2.2.
Updated by Chris Buechler about 9 years ago
- Target version changed from 2.2.1 to 2.2.2
Updated by Chris Buechler about 9 years ago
- Target version changed from 2.2.2 to 2.2.3
Updated by Chris Buechler almost 9 years ago
- Status changed from Feedback to Resolved
- Target version deleted (
2.2.3)
this was fixed in strongswan 5.3.0