Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Overlapping reqid allocated for old- and newstyle IPsec (also overlapping with automatic allocation) #7416

Open
2 tasks done
cluck opened this issue Apr 26, 2024 · 1 comment
Open
2 tasks done

Overlapping reqid allocated for old- and newstyle IPsec (also overlapping with automatic allocation) #7416

cluck opened this issue Apr 26, 2024 · 1 comment
Labels
support Community support

Comments

@cluck
Copy link

cluck commented Apr 26, 2024
edited

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug

When configuring both newstyle IPsec connections and oldstyle IPsec tunnel settings, independent connections are allocated identical reqid (in /usr/local/etc/swanctl/swanctl.conf).

  • The newstyle connections have no explicit reqid set, thus implicit reqids are allocated, starting from 1 by default.
  • The oldstyle connections have explicit reqid configured, allocated from 1 upwards.

To Reproduce

Use two OPNsense instances and create one oldstyle and one newstyle VPN between them.
See attached configuration snippets to import for convenience.

Output of established connections:

$ swanctl -l
Connections:
e43911c7-c8a2-41ab-b406-79225d8fe9f4: #5, ESTABLISHED, IKEv2, 1dbe47c51a97041c_i d075581a7ecaff17_r*
  local  'host16' @ 192.0.2.16[4500]
  remote 'host17' @ 192.0.2.17[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
  established 3s ago, rekeying in 13983s
  c58ea3fd-3edb-4430-9f09-88d0f2e376be: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
--------------------------------------------^
    installed 3s ago, rekeying in 3332s, expires in 3957s
    in  cd80c5e3,      0 bytes,     0 packets
    out c7f99c1a,      0 bytes,     0 packets
    local  10.16.2.0/24
    remote 10.17.2.0/24
con1: #4, ESTABLISHED, IKEv2, 732c13f6fef7410a_i 2e2ac7c468c7d55a_r*
  local  '192.0.2.16' @ 192.0.2.16[4500]
  remote '192.0.2.17' @ 192.0.2.17[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
  established 3s ago, rekeying in 14069s
  con1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
------------^
    installed 3s ago, rekeying in 3374s, expires in 3957s
    in  c608c8ae,      0 bytes,     0 packets
    out cd0f736a,      0 bytes,     0 packets
    local  10.16.1.0/24
    remote 10.17.1.0/24

Expected behavior

I would expect explicit reqid allocation to not collide with implicit allocation.
I would also expect oldstyle and newstyle IPsec to now have colliding reqid.

Workaround

As a workaround, which works around both issues, I set charon.reqid_base in a custom configuration snippet:

$ cat /usr/local/etc/strongswan.opnsense.d/fix-reqid.conf
charon {
    reqid_base = 8192
}

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 24.1.6-amd64
@cluck
Copy link
Author

cluck commented Apr 26, 2024

Similar reported issues:

This needs improvement as it won't be noticed by operators of the GUI:
opnsense/docs@dab8d00

@AdSchellevis AdSchellevis added the support Community support label Apr 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
support Community support
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cluck @AdSchellevis