Hi,

In IKEv2 TAHI tests, I am testing the end-node as responder for receipt of a higher major version number.

As per RFC 5996:
   If an endpoint receives a message with a higher major version number,
   it MUST drop the message and SHOULD send an unauthenticated Notify
   message of type INVALID_MAJOR_VERSION containing the highest
   (closest) version number it supports.

An IKE_SA_INIT request with major version 3 is sent; the charon log shows that the header verification failed.

/etc/strongswan/ipsec.conf has "keyexchange=ikev2"

-bash-4.2# strongswan start
Starting strongSwan 5.2.0 IPsec [starter]...

loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam dhcp


_from charon.log_
Sep 8 11:40:01 01[NET] received packet: from 2001:db8:f:1::1[500] to 2001:db8:1:1::1[500]
Sep  8 11:40:01 01[ENC] parsing header of message
Sep  8 11:40:01 01[ENC] parsing HEADER payload, 337 bytes left
...
Sep  8 11:40:01 01[ENC]   parsing rule 0 IKE_SPI
Sep  8 11:40:01 01[ENC]    => 8 bytes @ 0x3fff580010a8
Sep 8 11:40:01 01[ENC] 0: CC 38 37 F0 27 9B 88 D4 .87.'...
Sep  8 11:40:01 01[ENC]   parsing rule 1 IKE_SPI
Sep  8 11:40:01 01[ENC]    => 8 bytes @ 0x3fff580010b0
Sep 8 11:40:01 01[ENC] 0: 00 00 00 00 00 00 00 00 ........
Sep  8 11:40:01 01[ENC]   parsing rule 2 U_INT_8
Sep  8 11:40:01 01[ENC]    => 33
Sep  8 11:40:01 01[ENC]   parsing rule 3 U_INT_4
Sep  8 11:40:01 01[ENC]    => 3
Sep  8 11:40:01 01[ENC]   parsing rule 4 U_INT_4
Sep  8 11:40:01 01[ENC]    => 0
Sep  8 11:40:01 01[ENC]   parsing rule 5 U_INT_8
Sep  8 11:40:01 01[ENC]    => 34
Sep  8 11:40:01 01[ENC]   parsing rule 6 RESERVED_BIT
Sep  8 11:40:01 01[ENC]    => 0
Sep  8 11:40:01 01[ENC]   parsing rule 7 RESERVED_BIT
Sep  8 11:40:01 01[ENC]    => 0
Sep  8 11:40:01 01[ENC]   parsing rule 8 FLAG
Sep  8 11:40:01 01[ENC]    => 0
Sep  8 11:40:01 01[ENC]   parsing rule 9 FLAG
Sep  8 11:40:01 01[ENC]    => 0
Sep  8 11:40:01 01[ENC]   parsing rule 10 FLAG
Sep  8 11:40:01 01[ENC]    => 1
Sep  8 11:40:01 01[ENC]   parsing rule 11 FLAG
Sep  8 11:40:01 01[ENC]    => 0
Sep  8 11:40:01 01[ENC]   parsing rule 12 FLAG
Sep  8 11:40:01 01[ENC]    => 0
Sep  8 11:40:01 01[ENC]   parsing rule 13 FLAG
Sep  8 11:40:01 01[ENC]    => 0
Sep  8 11:40:01 01[ENC]   parsing rule 14 U_INT_32
Sep  8 11:40:01 01[ENC]    => 0
Sep  8 11:40:01 01[ENC]   parsing rule 15 HEADER_LENGTH
Sep  8 11:40:01 01[ENC]    => 337
Sep  8 11:40:01 01[ENC] parsing HEADER payload finished
Sep  8 11:40:01 01[ENC] header verification failed
Sep 8 11:40:01 01[NET] received invalid IKE header from 2001:db8:f:1::1 - ignored
Sep  8 11:40:01 01[NET] waiting for data on sockets

Does it mean it received a corrupt IKE_SA_INIT from the initiator?
Is there any configuration to be enabled to receive the INVALID-MAJOR-VERSION package?


Regards,
Kumuda G
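As an added illustration of the RFC 5996 rule quoted above (not code from strongSwan or from the original post), the following parses the fixed IKE header, applies the major-version check a responder performs, and builds the unauthenticated INVALID_MAJOR_VERSION reply whose header carries the closest supported version. The request header is constructed from the field values visible in the charon log (SPIi CC38..., next payload 33, version 3.0, exchange type 34, initiator flag, length 337); the notify type value 5 and payload type 41 are from RFC 5996.

```python
import struct

IKE_HEADER_LEN = 28
IKE_HEADER_FMT = "!8s8sBBBBII"          # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
EXCH_IKE_SA_INIT = 34
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_NOTIFY = 0, 33, 41
NOTIFY_INVALID_MAJOR_VERSION = 5        # RFC 5996 section 3.10.1, no notification data
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
SUPPORTED_MAJOR, SUPPORTED_MINOR = 2, 0  # what this responder speaks


def parse_ike_header(data):
    """Split the fixed 28-byte IKE header into its fields (RFC 5996 section 3.1)."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    spi_i, spi_r, np, ver, exch, flags, msg_id, length = struct.unpack(IKE_HEADER_FMT, data[:IKE_HEADER_LEN])
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": np,
            "major": ver >> 4, "minor": ver & 0x0F, "exchange": exch,
            "flags": flags, "msg_id": msg_id, "length": length}


def build_invalid_major_version(hdr):
    """Unauthenticated reply: same SPIi, zero SPIr, response flag, header version = closest supported."""
    # Notify payload: next payload, critical/reserved, length 8, protocol id 0, SPI size 0, notify type.
    notify = struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8, 0, 0, NOTIFY_INVALID_MAJOR_VERSION)
    header = struct.pack(IKE_HEADER_FMT, hdr["spi_i"], b"\x00" * 8, PAYLOAD_NOTIFY,
                         (SUPPORTED_MAJOR << 4) | SUPPORTED_MINOR, hdr["exchange"],
                         FLAG_RESPONSE, hdr["msg_id"], IKE_HEADER_LEN + len(notify))
    return header + notify


def responder_version_check(data):
    """Return ('accept', hdr, None) or ('drop', hdr, reply) per the MUST/SHOULD quoted from RFC 5996."""
    hdr = parse_ike_header(data)
    if hdr["major"] > SUPPORTED_MAJOR:
        return "drop", hdr, build_invalid_major_version(hdr)
    return "accept", hdr, None


def make_init_request(major, minor=0):
    """Constructed IKE_SA_INIT header modelled on the log values (only the header, length copied as 337)."""
    return struct.pack(IKE_HEADER_FMT, bytes.fromhex("CC3837F0279B88D4"), b"\x00" * 8,
                       PAYLOAD_SA, (major << 4) | minor, EXCH_IKE_SA_INIT, FLAG_INITIATOR, 0, 337)


if __name__ == "__main__":
    verdict, hdr, reply = responder_version_check(make_init_request(3))
    print(verdict, hdr["major"], hdr["minor"], reply.hex() if reply else None)
```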
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
