Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Responder might select incorrect child config when using transport mode #1143

Closed
tobiasbrunner opened this issue Jul 14, 2022 Discussed in #1129 · 1 comment
Closed

Responder might select incorrect child config when using transport mode #1143

tobiasbrunner opened this issue Jul 14, 2022 Discussed in #1129 · 1 comment
Labels
bug
Milestone
5.9.7

Comments

@tobiasbrunner
Copy link
Member

Discussed in #1129

Originally posted by yizhao1 July 8, 2022
I have a question about the traffic selector. In my environment, I found the IPsec does not work for remote communication of the second traffic selector on the responder. But it works when the traffic selector is set to the first.
...
There are 2 hosts: Host A (192.168.0.105) and Host B (192.168.0.109)

If Host B is in the second traffic selector (child_2) in swanctl.conf on Host A. I can not ping Host A from Host B. But I can ping Host B from Host A. After this, I can ping Host A from Host B. There is no such issue if Host B is in the first traffic selector (child_1).

...

looking for a child config for 192.168.0.105/32[udp/1025] 192.168.0.105/32 === 192.168.0.109/32[udp/56269] 192.168.0.109/32
proposing traffic selectors for us:
192.168.0.105/32
proposing traffic selectors for other:
192.168.0.109/32
candidate "child_1" with prio 7+7
proposing traffic selectors for us:
192.168.0.105/32
proposing traffic selectors for other:
192.168.0.109/32
candidate "child_2" with prio 7+7
found matching child config "child_1" with prio 14
...
selecting traffic selectors for us:
config: 192.168.0.105/32, received: 192.168.0.105/32[udp/1025] => match: 192.168.0.105/32[udp/1025]
config: 192.168.0.105/32, received: 192.168.0.105/32 => match: 192.168.0.105/32
selecting traffic selectors for other:
config: 192.168.0.100/32, received: 192.168.0.109/32[udp/56269] => no match
config: 192.168.0.100/32, received: 192.168.0.109/32 => no match
no acceptable traffic selectors found

Seems this is introduced by commit:
da82786
@tobiasbrunner tobiasbrunner added this to the 5.9.7 milestone Jul 14, 2022
@tobiasbrunner
Copy link
Member Author

tobiasbrunner commented Jul 14, 2022
edited

The mentioned commit replaces non-dynamic traffic selectors for transport mode configs. In particular for wildcard trap policies (we don't want to propose subnets for these transport mode SAs but TS narrowed to the actual IP that triggered the acquire). The problem is that the get_traffic_selectors() method is also called with the same parameters (no supplied TS but hosts) when selecting child configs as responder. Replacing IPs for all configs there isn't a good idea as we might select one for which narrowing will later fail (when narrowing, we don't replace non-dynamic TS).

The proposed fix in the 1143-transport-ts branch avoids the above issue by ignoring TS that don't include the given IP. So in the above scenario, child_1 would only get 7 as prio as there won't be a remote TS, so child_2 would get selected.

@mathiasaerts mathiasaerts mentioned this issue Jan 2, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
5.9.7
Development

No branches or pull requests
1 participant
@tobiasbrunner