Page MenuHomeVyOS Platform
Create Task
Maniphest T3830

ipsec: remote-id no longer included in IKE AUTH if not explicitly specified
Closed, ResolvedPublicBUG
Actions

Description

I found another subtle behavior change between the new swanctl setup in sagitta and the older ipsec.conf setup in equuleus. This prevents sagitta clients from initiating ipsec connections to equuleus hosts that are behind NAT (in my test setup, AWS elastic IP 1:1 NAT).

The test configuration is a hub-spoke VPN setup.

Hub: AWS host at 52.xx.xx.xx (private IP is 172.16.5.5), running very old equuleus rolling release (VyOS 1.3-rolling-202010090449—I am still working on getting newer releases to boot on AWS)
Spoke A: 108.xx.xx.xx, running equuleus (VyOS 1.3-rolling-202101052023)
Spoke B : 98.xx.xx.xx, running sagitta (VyOS 1.4-rolling-202109140217)

The hosts connect and authenticate using pre-shared keys. When spoke hosts connect to the hubs, they usually negotiate NAT-T due to the fact AWS always does 1:1 NAT with the public IPs assigned to EC2 hosts.

When the sagitta router restarts, or the ipsec process restarts, it fails to establish a tunnel to the hub router, receiving a failure message in its log:

Sep 15 05:37:31 lcn-router charon: 05[ENC] <peer_52-xx-xx-xx|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 15 05:37:31 lcn-router charon: 05[IKE] <peer_52-xx-xx-xx|1> received AUTHENTICATION_FAILED notify error

Because both routers are set to try to initiate, restarting ipsec on the hub router causes it to try to initiate a connection which succeeds without issue.

The equuleus router has no issue establishing a connection in either direction.

In further log analysis, I found the IKE_AUTH messages generated by the spokes running sagitta and equuleus differ slightly:

sagitta:  generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] 
equuleus: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

It appears under the old ipsec.conf setup used by equuleus, the IKE daemon sends a remote ID attribute equal to the configured IP of the site-to-site peer automatically, even when one is not explicitly configured using authentication remote-id in the configuration.

Sagitta does not send the remote ID attribute unless I explicitly configure it in the configuration. (Adding set authentication remote-id 52.xx.xx.xx to my config fixed the issue and the connection established reliably).

This may be a fairly quirky use case since the AWS host has to contend to that 1:1 NAT which required some fiddling with the configuration to get the ipsec daemon to understand the IP in auth requests may be different from the IP it listens on (open to advice if there is a better way to configure this). However, there is clearly a subtle behavior change in sagitta we may want to paper over in some way (either via migration or changing how we render swanctl.conf). My understanding of the IKE RFCs is not robust enough to know exactly what the right behavior here should be.

Hub config:

esp-group VyOS-HS {
    compression disable
    lifetime 3600
    mode tunnel
    pfs enable
    proposal 1 {
        encryption aes256
        hash sha256
    }
}
ike-group VyOS-HS {
    close-action none
    dead-peer-detection {
        action clear
        interval 15
        timeout 30
    }
    ikev2-reauth no
    key-exchange ikev2
    lifetime 28800
    proposal 1 {
        dh-group 21
        encryption aes256
        hash sha256
    }
}
...
site-to-site {
    peer 98.xx.xx.xx {
        authentication {
            id 52.xx.xx.xx
            mode pre-shared-secret
            pre-shared-secret REDACTED
        }
        connection-type initiate
        ike-group VyOS-HS
        ikev2-reauth inherit
        local-address 172.16.5.5
        vti {
            bind vti0
            esp-group VyOS-HS
        }
    }
    peer 108.xx.xx.xx {
        authentication {
            id 52.xx.xx.xx
            mode pre-shared-secret
            pre-shared-secret REDACTED
        }
        connection-type initiate
        ike-group VyOS-HS
        ikev2-reauth inherit
        local-address 172.16.5.5
        vti {
            bind vti1
            esp-group VyOS-HS
        }
    }
}

Spoke config (from sagitta router, other spoke config is identical except for change in local-address):

esp-group VyOS-HS {
    compression disable
    lifetime 3600
    mode tunnel
    pfs enable
    proposal 1 {
        encryption aes256
        hash sha256
    }
}
ike-group VyOS-HS {
    close-action restart
    dead-peer-detection {
        action restart
        interval 15
        timeout 30
    }
    ikev2-reauth no
    key-exchange ikev2
    lifetime 28800
    proposal 1 {
        dh-group 21
        encryption aes256
        hash sha256
    }
}
site-to-site {
    peer 52.xx.xx.xx {
        authentication {
            mode pre-shared-secret
            pre-shared-secret REDACTED
        }
        connection-type initiate
        ike-group VyOS-HS
        ikev2-reauth inherit
        local-address 98.xx.xx.xx
        vti {
            bind vti2
            esp-group VyOS-HS
        }
    }
 }

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202109140217
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Event Timeline

lucasec assigned this task to c-po.Sep 15 2021, 5:57 AM
lucasec created this task.
pasik added a subscriber: pasik.Sep 15 2021, 6:53 AM
c-po added a comment.Sep 15 2021, 5:37 PM

From https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection (1.3 behavior)

left|rightid = <id>

how the left|right participant should be identified for authentication; defaults to left|right or the subject of the
certificate configured with left|rightcert. If left|rightcert is configured the identity has to be confirmed by the
certificate, that is, it has to match the full subject DN or one of the subjectAltName extensions contained in the
certificate.

From https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf (1.4 behavior)

connections.<conn>.remote<suffix>.id	%any

IKE identity to expect for authentication round. Refer to the local section's id keyword for details. When using certificate authentication, the IKE identity must be contained in the certificate, either as subject or as subjectAltName.
It's possible to use wildcards to match remote identities (e.g. *@strongswan.org, *.strongswan.org, or C=CH, O=strongSwan, CN=*). Connections with exact matches are preferred. When using distinguished names with wildcards, the charon.rdn_matching option in strongswan.conf specifies how RDNs are matched.
connections.<conn>.local<suffix>.id	
IKE identity to use for authentication round. When using certificate authentication, the IKE identity must be contained in the certificate, either as subject or as subjectAltName (the identity will default to the certificate's subject DN if not specified). Refer to IdentityParsing for details on how identities are parsed and may be configured.
c-po changed the task status from Open to Needs testing.Sep 15 2021, 5:41 PM
lucasec added a comment.Sep 17 2021, 4:01 AM

Tested on latest build VyOS 1.4-rolling-202109160217 and confirmed it is adding the remote id attribute by default as expected. Connections establish without issue.

c-po added a comment.Sep 17 2021, 6:56 PM

Thank you for testing!

c-po closed this task as Resolved.Sep 17 2021, 6:56 PM
c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.Sep 19 2021, 7:04 AM