From dea158f2fc4bc94686f3fa7918c3a0ccc0b3b41c Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 11 Feb 2015 15:15:47 +0100 Subject: [PATCH] strongswan: Create configuration for better interoperability Also import some upstream fixes for connection stability. --- config/strongswan/charon.conf | 302 ++++++++++++++++++ lfs/strongswan | 6 + src/patches/strongswan-5.2.2-issue-816.patch | 13 + .../strongswan-5.2.2-issue-819-cd2c30a.patch | 50 +++ 4 files changed, 371 insertions(+) create mode 100644 config/strongswan/charon.conf create mode 100644 src/patches/strongswan-5.2.2-issue-816.patch create mode 100644 src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch diff --git a/config/strongswan/charon.conf b/config/strongswan/charon.conf new file mode 100644 index 0000000000..a5ff0bee51 --- /dev/null +++ b/config/strongswan/charon.conf @@ -0,0 +1,302 @@ +# Options for the charon IKE daemon. +charon { + # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + accept_unencrypted_mainmode_messages = yes + + # Maximum number of half-open IKE_SAs for a single peer IP. + # block_threshold = 5 + + # Whether relations in validated certificate chains should be cached in + # memory. + # cert_cache = yes + + # Send Cisco Unity vendor ID payload (IKEv1 only). + cisco_unity = yes + + # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + # close_ike_on_child_failure = no + + # Number of half-open IKE_SAs that activate the cookie mechanism. + # cookie_threshold = 10 + + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic + # strength. + # dh_exponent_ansi_x9_42 = yes + + # DNS server assigned to peer via configuration payload (CP). + # dns1 = + + # DNS server assigned to peer via configuration payload (CP). + # dns2 = + + # Enable Denial of Service protection using cookies and aggressiveness + # checks. + # dos_protection = yes + + # Compliance with the errata for RFC 4753. + # ecp_x_coordinate_only = yes + + # Free objects during authentication (might conflict with plugins). + # flush_auth_cfg = no + + # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment + # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for + # address family specific default values). If specified this limit is + # used for both IPv4 and IPv6. + # fragment_size = 0 + + # Name of the group the daemon changes to after startup. + # group = + + # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + # half_open_timeout = 30 + + # Enable hash and URL support. + # hash_and_url = no + + # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. + # i_dont_care_about_security_and_use_aggressive_mode_psk = no + + # A space-separated list of routing tables to be excluded from route + # lookups. + # ignore_routing_tables = + + # Maximum number of IKE_SAs that can be established at the same time before + # new connection attempts are blocked. + # ikesa_limit = 0 + + # Number of exclusively locked segments in the hash table. + ikesa_table_segments = 4 + + # Size of the IKE_SA hash table. + ikesa_table_size = 32 + + # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. + # inactivity_close_ike = no + + # Limit new connections based on the current number of half open IKE_SAs, + # see IKE_SA_INIT DROPPING in strongswan.conf(5). + init_limit_half_open = 1000 + + # Limit new connections based on the number of queued jobs. + # init_limit_job_load = 0 + + # Causes charon daemon to ignore IKE initiation requests. + # initiator_only = no + + # Install routes into a separate routing table for established IPsec + # tunnels. + # install_routes = yes + + # Install virtual IP addresses. + # install_virtual_ip = yes + + # The name of the interface on which virtual IP addresses should be + # installed. + # install_virtual_ip_on = + + # Check daemon, libstrongswan and plugin integrity at startup. + # integrity_test = no + + # A comma-separated list of network interfaces that should be ignored, if + # interfaces_use is specified this option has no effect. + # interfaces_ignore = + + # A comma-separated list of network interfaces that should be used by + # charon. All other interfaces are ignored. + # interfaces_use = + + # NAT keep alive interval. + # keep_alive = 20s + + # Plugins to load in the IKE daemon charon. + # load = + + # Determine plugins to load via each plugin's load option. + # load_modular = no + + # Maximum packet size accepted by charon. + # max_packet = 10000 + + # Enable multiple authentication exchanges (RFC 4739). + # multiple_authentication = yes + + # WINS servers assigned to peer via configuration payload (CP). + # nbns1 = + + # WINS servers assigned to peer via configuration payload (CP). + # nbns2 = + + # UDP port used locally. If set to 0 a random port will be allocated. + # port = 500 + + # UDP port used locally in case of NAT-T. If set to 0 a random port will be + # allocated. Has to be different from charon.port, otherwise a random port + # will be allocated. + # port_nat_t = 4500 + + # By default public IPv6 addresses are preferred over temporary ones (RFC + # 4941), to make connections more stable. Enable this option to reverse + # this. + # prefer_temporary_addrs = no + + # Process RTM_NEWROUTE and RTM_DELROUTE events. + # process_route = yes + + # Delay in ms for receiving packets, to simulate larger RTT. + # receive_delay = 0 + + # Delay request messages. + # receive_delay_request = yes + + # Delay response messages. + # receive_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # receive_delay_type = 0 + + # Size of the AH/ESP replay window, in packets. + # replay_window = 32 + + # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION + # in strongswan.conf(5). + # retransmit_base = 1.8 + + # Timeout in seconds before sending first retransmit. + # retransmit_timeout = 4.0 + + # Number of times to retransmit a packet before giving up. + # retransmit_tries = 5 + + # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS + # resolution failed), 0 to disable retries. + # retry_initiate_interval = 0 + + # Initiate CHILD_SA within existing IKE_SAs. + # reuse_ikesa = yes + + # Numerical routing table to install routes to. + # routing_table = + + # Priority of the routing table. + # routing_table_prio = + + # Delay in ms for sending packets, to simulate larger RTT. + # send_delay = 0 + + # Delay request messages. + # send_delay_request = yes + + # Delay response messages. + # send_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # send_delay_type = 0 + + # Send strongSwan vendor ID payload + # send_vendor_id = no + + # Number of worker threads in charon. + # threads = 16 + + # Name of the user the daemon changes to after startup. + # user = + + crypto_test { + + # Benchmark crypto algorithms and order them by efficiency. + # bench = no + + # Buffer size used for crypto benchmark. + # bench_size = 1024 + + # Number of iterations to test each algorithm. + # bench_time = 50 + + # Test crypto algorithms during registration (requires test vectors + # provided by the test-vectors plugin). + # on_add = no + + # Test crypto algorithms on each crypto primitive instantiation. + # on_create = no + + # Strictly require at least one test vector to enable an algorithm. + # required = no + + # Whether to test RNG with TRUE quality; requires a lot of entropy. + # rng_true = no + + } + + host_resolver { + + # Maximum number of concurrent resolver threads (they are terminated if + # unused). + # max_threads = 3 + + # Minimum number of resolver threads to keep around. + # min_threads = 0 + + } + + leak_detective { + + # Includes source file names and line numbers in leak detective output. + # detailed = yes + + # Threshold in bytes for leaks to be reported (0 to report all). + # usage_threshold = 10240 + + # Threshold in number of allocations for leaks to be reported (0 to + # report all). + # usage_threshold_count = 0 + + } + + processor { + + # Section to configure the number of reserved threads per priority class + # see JOB PRIORITY MANAGEMENT in strongswan.conf(5). + priority_threads { + + } + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is started. + start-scripts { + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is terminated. + stop-scripts { + + } + + tls { + + # List of TLS encryption ciphers. + # cipher = + + # List of TLS key exchange methods. + # key_exchange = + + # List of TLS MAC algorithms. + # mac = + + # List of TLS cipher suites. + # suites = + + } + + x509 { + + # Discard certificates with unsupported or unknown critical extensions. + # enforce_critical = yes + + } + +} + diff --git a/lfs/strongswan b/lfs/strongswan index b2be4c19ab..ff97ab8857 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -79,6 +79,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch + cd $(DIR_APP) && patch -Np1 --ignore-whitespace \ + -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh cd $(DIR_APP) && ./configure \ @@ -116,5 +119,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) ln -sf $(CONFIG_ROOT)/certs /etc/ipsec.d/certs ln -sf $(CONFIG_ROOT)/crls /etc/ipsec.d/crls + install -v -m 644 $(DIR_SRC)/config/strongswan/charon.conf \ + /etc/strongswan.d/charon.conf + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/patches/strongswan-5.2.2-issue-816.patch b/src/patches/strongswan-5.2.2-issue-816.patch new file mode 100644 index 0000000000..d9dfc8ad31 --- /dev/null +++ b/src/patches/strongswan-5.2.2-issue-816.patch @@ -0,0 +1,13 @@ +diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/t +index e9a677a655e4..69118abe78df 100644 +--- a/src/libcharon/sa/ikev2/task_manager_v2.c ++++ b/src/libcharon/sa/ikev2/task_manager_v2.c +@@ -1339,7 +1339,7 @@ METHOD(task_manager_t, process_message, status_t, + { + DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored", + mid, this->responding.mid); +- if (msg->get_exchange_type(msg) == IKE_SA_INIT) ++ if (mid != 0 && msg->get_exchange_type(msg) == IKE_SA_INIT) + { /* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */ + return DESTROY_ME; + } diff --git a/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch b/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch new file mode 100644 index 0000000000..0c54812fe3 --- /dev/null +++ b/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch @@ -0,0 +1,50 @@ +From cd2c30a56ec9bdab8b3923851509f27a4fd6f537 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Tue, 10 Feb 2015 19:03:44 +0100 +Subject: [PATCH] ikev1: Set protocol ID and SPIs in INITIAL-CONTACT + notification payloads + +The payload we sent before is not compliant with RFC 2407 and thus some +peers might abort negotiation (e.g. with an INVALID-PROTOCOL-ID error). + + #819 +--- + src/libcharon/sa/ikev1/tasks/main_mode.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c +index 5065e70..3ea4a2a 100644 +--- a/src/libcharon/sa/ikev1/tasks/main_mode.c ++++ b/src/libcharon/sa/ikev1/tasks/main_mode.c +@@ -213,6 +213,10 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message, + { + identification_t *idr; + host_t *host; ++ notify_payload_t *notify; ++ ike_sa_id_t *ike_sa_id; ++ u_int64_t spi_i, spi_r; ++ chunk_t spi; + + idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE); + if (idr && !idr->contains_wildcards(idr)) +@@ -224,8 +228,15 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message, + if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager, + idi, idr, host->get_family(host))) + { +- message->add_notify(message, FALSE, INITIAL_CONTACT_IKEV1, +- chunk_empty); ++ notify = notify_payload_create_from_protocol_and_type( ++ PLV1_NOTIFY, PROTO_IKE, INITIAL_CONTACT_IKEV1); ++ ike_sa_id = this->ike_sa->get_id(this->ike_sa); ++ spi_i = ike_sa_id->get_initiator_spi(ike_sa_id); ++ spi_r = ike_sa_id->get_responder_spi(ike_sa_id); ++ spi = chunk_cata("cc", chunk_from_thing(spi_i), ++ chunk_from_thing(spi_r)); ++ notify->set_spi_data(notify, spi); ++ message->add_payload(message, (payload_t*)notify); + } + } + } +-- +1.7.9.5 + -- 2.39.2