A briefer summary of the problem:

Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16
Router B has one interface: 10.123.0.48/24

When using manual IPSec keying with a single flow between 10.123.0.46
and 10.123.0.48, it works fine.

When I add a flow between 10.100.0.0/16 and 10.123.0.48, traffic from
10.123.0.46 to 10.123.0.48 is encoded with the wrong SPI. The reverse
direction is fine.

Config files and dmesg are below, in my original message.

This appears to be a bug, but what additional information can I
provide to help diagnose it? Can anyone else reproduce this?

-HKS



On Tue, Oct 21, 2008 at 3:13 PM, (private) HKS <[EMAIL PROTECTED]> wrote:
> OpenBSD 4.3.
>
> I'm trying to get a couple IPSec VPNs up and am running into
> increasingly bizarre behavior in my test environment. The current
> issue is that packets are being sent encoded with the wrong SPI.
>
> Router A has two interfaces: 10.123.0.46/24 and 10.100.0.1/16.
> Router B has one interface: 10.123.0.48/24.
>
> I can get A and B encrypting traffic between 10.123.0.46 and
> 10.123.0.48 with no problem, but when I add flows for 10.100.0.0/16
> the SPIs start getting mixed up. Specifically, pings from 10.123.0.46
> (A) to 10.123.0.48 (B) use the wrong SPI. I am using manual keying to
> eliminate isakmpd as a source of other issues (that were probably my
> fault somehow). The keys are the defaults included in the ipsec.conf
> example since this is a test environment.
>
> Here is router A's ipsec.conf:
> --
> flow esp from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer
> 10.123.0.48 type require
> esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002:0x00020001
> authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6
> enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
>
> flow esp from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
> esp tunnel from 10.100.0.0/16 to 10.123.0.48 spi 0x00010004:0x00040001
> authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6
> enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
> --
>
> Output from router A's ipsecctl -sa looks like you would expect:
> --
> FLOWS:
> flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
> flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
> flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer
> 10.123.0.48 type require
> flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer
> 10.123.0.48 type require
>
> SAD:
> esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth
> hmac-sha2-256 enc aes
> esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth
> hmac-sha2-256 enc aes
> esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth
> hmac-sha2-256 enc aes
> esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth
> hmac-sha2-256 enc aes
> --
>
> Attempting to ping 10.123.0.48 from 10.123.0.46 gets no response, and
> tcpdump -i enc0 shows this:
> --
> tcpdump: listening on enc0, link-type ENC
> 09:15:11.230658 (authentic,confidential): SPI 0x00010004: 10.123.0.46
>> 10.123.0.48: icmp: echo request (encap)
> 09:15:12.240381 (authentic,confidential): SPI 0x00010004: 10.123.0.46
>> 10.123.0.48: icmp: echo request (encap)
> 09:15:13.250028 (authentic,confidential): SPI 0x00010004: 10.123.0.46
>> 10.123.0.48: icmp: echo request (encap)
> 09:15:14.260702 (authentic,confidential): SPI 0x00010004: 10.123.0.46
>> 10.123.0.48: icmp: echo request (encap)
> --
>
> Which is clearly the wrong SPI. If I try to ping in the reverse
> direction, B sends its packets with the correct SPI while the replies
> are encoded for 0x00010004. Removing the subnet lines from ipsec.conf
> corrects this issue.
>
> Is this a bug in IPsec or something I'm doing wrong?
>
> Thanks for the help. dmesg follows.
>
> -HKS
>
>
> OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
>    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz ("GenuineIntel"
> 686-class) 2.33 GHz
> cpu0: 
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,DS-CPL
> real mem  = 267939840 (255MB)
> avail mem = 251031552 (239MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 12/06/06, BIOS32 rev. 0 @
> 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 12/06/2006
> bios0: VMware, Inc. VMware Virtual Platform
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> acpi at bios0 function 0x0 not configured
> pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
> pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
> pcibios0: PCI bus #2 is the last bus
> bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1000 0xc9000/0x1000
> 0xdc000/0x4000! 0xe0000/0x4000!
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
> ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
> pci1 at ppb0 bus 1
> piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
> pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
> channel 0 configured to compatibility, channel 1 configured to
> compatibility
> wd0 at pciide0 channel 0 drive 0: <VMware Virtual IDE Hard Drive>
> wd0: 64-sector PIO, LBA, 8192MB, 16777216 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus0 at atapiscsi0: 2 targets
> cd0 at scsibus0 targ 0 lun 0: <HC2281Q, NCF700G, 1.01> SCSI0 5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x00: irq 9
> piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus 
> disabled
> vga1 at pci0 dev 15 function 0 "VMware Virtual SVGA II" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> mpi0 at pci0 dev 16 function 0 "Symbios Logic 53c1030" rev 0x01: irq 11
> scsibus1 at mpi0: 16 targets
> ppb1 at pci0 dev 17 function 0 "VMware Virtual PCI-PCI bridge" rev 0x01
> pci2 at ppb1 bus 2
> vic0 at pci2 dev 0 function 0 "AMD 79c970 PCnet-PCI" rev 0x10: irq 10,
> address 00:0c:29:a3:72:c2
> eap0 at pci2 dev 1 function 0 "Ensoniq AudioPCI97" rev 0x02: irq 9
> ac97: codec id 0x43525913 (Cirrus Logic CS4297A rev 3)
> audio0 at eap0
> midi0 at eap0: <AudioPCI MIDI UART>
> ehci0 at pci2 dev 2 function 0 "VMware Virtual EHCI" rev 0x00: irq 5
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "VMware EHCI root hub" rev 2.00/1.00 addr 1
> vic1 at pci2 dev 3 function 0 "AMD 79c970 PCnet-PCI" rev 0x10: irq 11,
> address 00:0c:29:a3:72:cc
> isa0 at piixpcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pmsi0 at pckbc0 (aux slot)
> pckbc0: using irq 12 for aux slot
> wsmouse0 at pmsi0 mux 0
> pcppi0 at isa0 port 0x61
> midi1 at pcppi0: <PC speaker>
> spkr0 at pcppi0
> lpt0 at isa0 port 0x378/4 irq 7
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
> usb1 at uhci0: USB revision 1.0
> uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> biomask eb65 netmask ef65 ttymask ffe7
> mtrr: Pentium Pro MTRR support
> softraid0 at root
> root on wd0a swap on wd0b dump on wd0b
> nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0006::0200:5eff:fe00:0102
> nd6_na_input: duplicate IP6 address fe80:0005::0200:5eff:fe00:0101
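An added diagnostic for the flow/SA mix-up described in the thread; this is example code written for this page, not the poster's configuration and not part of OpenBSD or ipsecctl. It parses the FLOWS and SAD sections of the quoted `ipsecctl -sa` output (re-joined onto single lines; the wrapping in the mail was cosmetic), finds the outbound flow a packet from 10.123.0.46 to 10.123.0.48 matches, and lists every SA that could serve that flow. The lookup model is an assumption made for the illustration: an SA is selected by protocol and by the flow's `peer` address only, not by the flow's traffic selector, so two outbound SAs towards the same peer are an ambiguity the kernel resolves arbitrarily. The script also flags SA endpoints that are not gateway addresses named by any flow, which catches the `10.100.0.0` network address that ended up as a tunnel endpoint in the SAD.

```python
"""Check ipsecctl -sa output for ambiguous flow-to-SA bindings.

Example diagnostic, not the report author's or OpenBSD's code. The SA
selection model (protocol + peer address, ignoring the flow's traffic
selector) is an assumption used for this illustration.
"""
import ipaddress
import re

# Constructed sample: the FLOWS/SAD output quoted in the report, one entry per line.
SAMPLE = """\
FLOWS:
flow esp in from 10.123.0.48 to 10.100.0.0/16 peer 10.123.0.48 type require
flow esp out from 10.100.0.0/16 to 10.123.0.48 peer 10.123.0.48 type require
flow esp in from 10.123.0.48 to 10.123.0.46 local 10.123.0.46 peer 10.123.0.48 type require
flow esp out from 10.123.0.46 to 10.123.0.48 local 10.123.0.46 peer 10.123.0.48 type require

SAD:
esp tunnel from 10.123.0.46 to 10.123.0.48 spi 0x00010002 auth hmac-sha2-256 enc aes
esp tunnel from 10.100.0.0 to 10.123.0.48 spi 0x00010004 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.123.0.46 spi 0x00020001 auth hmac-sha2-256 enc aes
esp tunnel from 10.123.0.48 to 10.100.0.0 spi 0x00040001 auth hmac-sha2-256 enc aes
"""

FLOW_RE = re.compile(r"^flow (\S+) (in|out) from (\S+) to (\S+)(?: local (\S+))? peer (\S+)")
SA_RE = re.compile(r"^(\S+) tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)")


def parse(text):
    """Return (flows, sas) parsed from ipsecctl -sa style output."""
    flows, sas = [], []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            proto, direction, src, dst, local, peer = m.groups()
            flows.append({"proto": proto, "dir": direction,
                          "src": ipaddress.ip_network(src, strict=False),
                          "dst": ipaddress.ip_network(dst, strict=False),
                          "local": local, "peer": peer})
            continue
        m = SA_RE.match(line)
        if m:
            proto, src, dst, spi = m.groups()
            sas.append({"proto": proto, "src": src, "dst": dst, "spi": int(spi, 16)})
    return flows, sas


def match_flow(flows, src_ip, dst_ip, direction="out"):
    """Most specific flow (longest combined prefix) covering src -> dst."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for f in flows:
        if f["dir"] == direction and src in f["src"] and dst in f["dst"]:
            key = f["src"].prefixlen + f["dst"].prefixlen
            if best is None or key > best[0]:
                best = (key, f)
    return best[1] if best else None


def candidate_sas(sas, flow):
    """SAs that could serve the flow under the assumed lookup: same protocol
    and SA destination equal to the flow's peer. More than one hit means the
    binding is ambiguous."""
    return [sa for sa in sas if sa["proto"] == flow["proto"] and sa["dst"] == flow["peer"]]


def diagnose(text, src_ip, dst_ip):
    """Report the matched flow, candidate SPIs, and suspicious SA endpoints."""
    flows, sas = parse(text)
    flow = match_flow(flows, src_ip, dst_ip)
    gateways = {f[k] for f in flows for k in ("local", "peer") if f[k]}
    # Tunnel endpoints should be gateway addresses; a network address is a red flag.
    suspect = sorted({ep for sa in sas for ep in (sa["src"], sa["dst"]) if ep not in gateways})
    if flow is None:
        return {"flow": None, "spis": [], "ambiguous": False, "suspect_endpoints": suspect}
    cands = candidate_sas(sas, flow)
    return {"flow": flow, "spis": [sa["spi"] for sa in cands],
            "ambiguous": len(cands) > 1, "suspect_endpoints": suspect}


if __name__ == "__main__":
    report = diagnose(SAMPLE, "10.123.0.46", "10.123.0.48")
    print("matched flow:", report["flow"])
    print("candidate SPIs:", [hex(s) for s in report["spis"]])
    print("ambiguous binding:", report["ambiguous"])
    print("SA endpoints not named by any flow:", report["suspect_endpoints"])
```

Run against live output with `ipsecctl -sa | python3 check_sa.py`-style plumbing of your own; on the quoted data it reports that both outbound SAs (0x00010002 and 0x00010004) are candidates for the 10.123.0.46 to 10.123.0.48 flow, which is exactly the situation in which the observed wrong SPI can appear, and that 10.100.0.0 is an SA endpoint without a corresponding gateway address.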
