esp=<cipher suites> configuration not working as expected. #2449
Software used: Strongswan 5.9.6, VPP 23.10 + DPDK
First Scenario:
Initiator: esp=aes256-aes192-aes128-sha256-modp3072-modp2048-ecp256
Responder: esp=aes256-sha256-ecp256
I am getting a core dump as shown below. Detailed core dump added to next message.
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: DH group MODP_3072 unacceptable, requesting ECP_256
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: SA not found
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: thread 7 received 11
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: dumping 12 stack frame addresses:
If I use the proposal like:
Initiator: esp=aes256-aes192-aes128-sha256-ecp256-modp3072-modp2048
Responder: esp=aes256-sha256-ecp256
Then it works fine. Very strange.
In the IKE proposal there is no issue: we can give any order of PFS ciphers in the proposal, and the responder picks the relevant matches and establishes the tunnel successfully.
Initiator: "aes128-aes192-aes256-sha256-modp2048-modp3072-ecp256"
Responder: aes256-sha256-ecp256
It works fine.
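The log line `DH group MODP_3072 unacceptable, requesting ECP_256` is the responder rejecting the KE payload of the CREATE_CHILD_SA request. The following is an added example, not strongSwan or VPP code and not part of the original report: it models that check for the proposal strings quoted above, assuming the initiator builds its KE payload from the first DH group it lists and the responder prefers its own order (the function names are hypothetical).

```python
import re

# Assumption: only the DH keyword families seen on this page are recognised.
DH_RE = re.compile(r"^(modp|ecp)\d+$")

# Proposal strings quoted in the report above.
FAILING = "aes256-aes192-aes128-sha256-modp3072-modp2048-ecp256"
WORKING = "aes256-aes192-aes128-sha256-ecp256-modp3072-modp2048"
RESPONDER = "aes256-sha256-ecp256"


def dh_groups(proposal):
    """Return the DH group keywords of an esp= proposal string, in order."""
    return [t for t in proposal.lower().split("-") if DH_RE.match(t)]


def first_request_outcome(initiator_esp, responder_esp):
    """Model the responder's answer to the first CREATE_CHILD_SA request.

    Returns (outcome, ke_group, selected_group). Assumptions: the initiator
    builds its KE payload from the first DH group it lists, and the responder
    prefers its own order among the groups both sides list.
    """
    init, resp = dh_groups(initiator_esp), dh_groups(responder_esp)
    if not init and not resp:
        return ("NO_KE_EXCHANGE", None, None)
    common = [g for g in resp if g in init]
    if not common:
        return ("NO_PROPOSAL_CHOSEN", init[0] if init else None, None)
    ke_group, selected = init[0], common[0]
    # RFC 7296 section 1.3: a KE payload in a group other than the selected
    # one is rejected with INVALID_KE_PAYLOAD naming the group to retry with.
    outcome = "ACCEPTED" if ke_group == selected else "INVALID_KE_PAYLOAD"
    return (outcome, ke_group, selected)


def reorder_for(initiator_esp, selected):
    """Move `selected` to the front of the DH groups, keeping the rest."""
    tokens = initiator_esp.lower().split("-")
    groups = [t for t in tokens if DH_RE.match(t)]
    ordered = iter([selected] + [g for g in groups if g != selected])
    return "-".join(next(ordered) if DH_RE.match(t) else t for t in tokens)


if __name__ == "__main__":
    for esp in (FAILING, WORKING):
        print(esp, "->", first_request_outcome(esp, RESPONDER))
    print("suggested:", reorder_for(FAILING, "ecp256"))
```

Under these assumptions the first ordering reaches the INVALID_KE_PAYLOAD path seen in the log, while the reordered proposal is accepted on the first request and never enters it.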
Core Dump:
Here is the core dump sequence:
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: DH group MODP_3072 unacceptable, requesting ECP_256
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: SA not found
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: thread 7 received 11
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: dumping 12 stack frame addresses:
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234732520]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /lib/x86_64-linux-gnu/libvlibapi.so.23.10.0 @ 0x7fa234299000 (vl_msg_api_free+0x18) [0x7fa2342a4658]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libvlibapi.so.23.10.0 @ 0x7fa234299000 (vl_msg_api_free+0x18) [0x7fa2342a4658]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/plugins/libstrongswan-kernel-vpp.so @ 0x7fa23434d000 [0x7fa2343509ee]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/plugins/libstrongswan-kernel-vpp.so @ 0x7fa23434d000 [0x7fa2343509ee]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /root/vpp_sswan/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c:1834
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a23742]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /root/vpp_sswan/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c:1834
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a23742]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/child_sa.c:1923
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a3d888]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/child_sa.c:1923
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a3d888]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/tasks/child_create.c:2060
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a38d7b]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/tasks/child_create.c:2060
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a38d7b]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/task_manager_v2.c:904
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a25e50]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/task_manager_v2.c:904
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a25e50]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ike_sa.c:1647
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a1e987]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ike_sa.c:1647
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a1e987]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/processing/jobs/process_message_job.c:74
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ace879]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/processing/jobs/process_message_job.c:74
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ace879]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/processing/processor.c:262
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ae22a8]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/processing/processor.c:262
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ae22a8]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/threading/thread.c:332 (discriminator 4)
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234784ac3]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/threading/thread.c:332 (discriminator 4)
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234784ac3]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234816850]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234816850]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[LIB] -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: dumping 12 stack frame addresses:
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234732520]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libvlibapi.so.23.10.0 @ 0x7fa234299000 (vl_msg_api_free+0x18) [0x7fa2342a4658]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/plugins/libstrongswan-kernel-vpp.so @ 0x7fa23434d000 [0x7fa2343509ee]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /root/vpp_sswan/extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c:1834
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a23742]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/child_sa.c:1923
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a3d888]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/tasks/child_create.c:2060
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a38d7b]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ikev2/task_manager_v2.c:904
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a25e50]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/sa/ike_sa.c:1647
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libcharon.so.0 @ 0x7fa2349f1000 [0x7fa234a1e987]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libcharon/processing/jobs/process_message_job.c:74
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ace879]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/processing/processor.c:262
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /usr/lib/ipsec/libstrongswan.so.0 @ 0x7fa234a8f000 [0x7fa234ae22a8]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> /home/ubuntu/vpp_sswan/build-root/build-vpp-native/external/sswan/src/libstrongswan/threading/thread.c:332 (discriminator 4)
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234784ac3]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: /lib/x86_64-linux-gnu/libc.so.6 @ 0x7fa2346f0000 [0x7fa234816850]
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: -> ??:?
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: 07[DMN] killing ourself, received critical signal
Sep 13 18:12:11 security-gw4 charon-systemd[139949]: killing ourself, received critical signal
Sep 13 18:12:12 security-gw4 systemd[1]: strongswan.service: Main process exited, code=killed, status=6/ABRT
Sep 13 18:12:12 security-gw4 systemd[1]: strongswan.service: Failed with result 'signal'.
Sep 13 18:12:12 security-gw4 systemd[1]: strongswan.service: Consumed 1.569s CPU time.
Sep 13 18:12:12 security-gw4 systemd[1]: strongswan.service: Scheduled restart job, restart counter is at 3.
Sep 13 18:12:12 security-gw4 systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Sep 13 18:12:12 security-gw4 systemd[1]: strongswan.service: Consumed 1.569s CPU time.
Sep 13 18:12:12 security-gw4 systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...