
Re: something broken in isakmpd since 3.5



On Fri, 18 Jun 2004, Alexandre wrote:
> Yes main mode works correctly but unfortunately the peers have dynamic ips.

MainMode works fine with dynamic IP peers.
Just use the '[Phase 1]:Default= anyremote' syntax. See isakmpd.conf(5).

> I guess my only options are to get fixed IPs or replace the peers (these
> are netopia routers btw)

Well, it turns out RFCs 2408 (ISAKMP) and 2409 (IKE) say different things
for the last message of AggressiveMode. One says to encrypt, the other says
to permit as cleartext.

Since the final AM message basically just contains a signature, there is
as far as I can see no strong need for this particular message to be
encrypted. Since at least this vendor (and maybe some others) do not, we
should permit this.

Here's a patch (in two versions) that we would appreciate if you could
test for us.

If you are patching the source for 3.5-RELEASE or -STABLE, use this:

Index: sbin/isakmpd/message.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/message.c,v
retrieving revision 1.69.2.2
diff -u -r1.69.2.2 message.c
--- sbin/isakmpd/message.c	11 Jun 2004 02:34:56 -0000	1.69.2.2
+++ sbin/isakmpd/message.c	18 Jun 2004 14:25:35 -0000
@@ -1405,9 +1405,14 @@
       && (flags & ISAKMP_FLAGS_COMMIT))
     msg->exchange->flags |= EXCHANGE_FLAG_HE_COMMITTED;

-  /* Require encryption as soon as we have the keystate for it.  */
+  /*
+   * Except for the 3rd message of aggressive more, require encryption
+   * as soon as we have the keystate for it.r
+   */
   if ((flags & ISAKMP_FLAGS_ENC) == 0 &&
-      (msg->exchange->phase == 2 || msg->exchange->keystate))
+      (msg->exchange->phase == 2 ||
+       (msg->exchange->keystate &&
+	msg->exchange->type != ISAKMP_EXCH_AGGRESSIVE)))
     {
       log_print ("message_recv: cleartext phase %d message",
 		 msg->exchange->phase);
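Review bot: the new comment in this hunk has two typos, "aggressive more" and the stray "r" in "for it.r", which also means the two patches differ in more than indentation as the mail claims. Suggest making the comment read exactly as the -current version does: "Except for the 3rd message of aggressive mode, require encryption as soon as we have the keystate for it."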


otherwise for -current, use:

Index: sbin/isakmpd/message.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/message.c,v
retrieving revision 1.79
diff -u -r1.79 message.c
--- sbin/isakmpd/message.c	14 Jun 2004 10:04:22 -0000	1.79
+++ sbin/isakmpd/message.c	18 Jun 2004 14:19:48 -0000
@@ -1368,9 +1368,14 @@
 	    && (flags & ISAKMP_FLAGS_COMMIT))
 		msg->exchange->flags |= EXCHANGE_FLAG_HE_COMMITTED;

-	/* Require encryption as soon as we have the keystate for it.  */
+	/*
+	 * Except for the 3rd message of aggressive mode, require encryption
+	 * as soon as we have the keystate for it.
+	 */
 	if ((flags & ISAKMP_FLAGS_ENC) == 0 &&
-	    (msg->exchange->phase == 2 || msg->exchange->keystate)) {
+	    (msg->exchange->phase == 2 ||
+		(msg->exchange->keystate &&
+		 msg->exchange->type != ISAKMP_EXCH_AGGRESSIVE))) {
 		log_print("message_recv: cleartext phase %d message",
 		    msg->exchange->phase);
 		message_drop(msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1);
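Review bot: the condition is broader than the comment states. `msg->exchange->type != ISAKMP_EXCH_AGGRESSIVE` exempts every cleartext aggressive-mode message once `msg->exchange->keystate` is set, not only the third one, so a cleartext message arriving at any later point in an aggressive exchange is no longer dropped with ISAKMP_NOTIFY_INVALID_FLAGS. If the exchange keeps track of which message of the exchange is being processed, consider testing that here as well so that only the final (signature-carrying) message is allowed in the clear.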

(The patches should only differ in indentation.)

Thanks,
  Håkan
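The change in message_recv() discussed in this thread, modelled as a stand-alone policy function so the three variants can be compared side by side: the original check, the patched check from the diffs above, and a narrower variant that only exempts the third aggressive-mode message. This is an added example, not isakmpd's code; the struct fields and the `step` counter are constructed for the example (isakmpd's real exchange structure is not shown here), the flag and exchange-type values are the ones RFC 2408 assigns, and the `verdict()` helper exists only to build test cases.

```c
/*
 * Added example: a model of the cleartext-message check in isakmpd's
 * message_recv(), before and after the patch from the thread, plus a
 * narrowed variant.  Names mirror the diff but the struct is constructed
 * here; nothing in this file is isakmpd's own code.
 */
#include <stdbool.h>
#include <stdio.h>

/* Values as assigned by RFC 2408 (ISAKMP header flags / exchange types). */
#define ISAKMP_FLAGS_ENC        0x01
#define ISAKMP_EXCH_IDPROT      2       /* Identity Protection (main mode) */
#define ISAKMP_EXCH_AGGRESSIVE  4

/* Constructed stand-in for the parts of isakmpd's exchange we need. */
struct exchange {
    int phase;     /* 1 or 2 */
    int keystate;  /* nonzero once keying material is available */
    int type;      /* ISAKMP exchange type */
    int step;      /* hypothetical: 1-based index of the message in the exchange */
};

enum policy {
    POLICY_ORIGINAL,  /* before the patch: any cleartext after keystate is dropped */
    POLICY_PATCHED,   /* the diff in the thread: aggressive mode is exempt entirely */
    POLICY_NARROWED   /* only the 3rd aggressive-mode message is exempt */
};

/* Returns true when a message carrying these header flags must be dropped
 * (the branch that calls message_drop() with ISAKMP_NOTIFY_INVALID_FLAGS). */
bool reject_cleartext(enum policy p, const struct exchange *ex, unsigned flags)
{
    if (flags & ISAKMP_FLAGS_ENC)
        return false;  /* encrypted message: the cleartext check does not apply */

    switch (p) {
    case POLICY_ORIGINAL:
        return ex->phase == 2 || ex->keystate;
    case POLICY_PATCHED:
        return ex->phase == 2 ||
            (ex->keystate && ex->type != ISAKMP_EXCH_AGGRESSIVE);
    case POLICY_NARROWED:
        return ex->phase == 2 ||
            (ex->keystate &&
             !(ex->type == ISAKMP_EXCH_AGGRESSIVE && ex->step == 3));
    }
    return true;  /* unknown policy: fail closed */
}

/* Convenience wrapper: build an exchange from scalars and evaluate it. */
bool verdict(enum policy p, int phase, int keystate, int type, int step,
             unsigned flags)
{
    struct exchange ex = { phase, keystate, type, step };
    return reject_cleartext(p, &ex, flags);
}

int main(void)
{
    static const char *names[] = { "original", "patched", "narrowed" };
    struct {
        const char *label;
        int phase, keystate, type, step;
        unsigned flags;
    } cases[] = {
        /* constructed scenarios */
        { "AM msg 3, cleartext (the vendor's behaviour)", 1, 1, ISAKMP_EXCH_AGGRESSIVE, 3, 0 },
        { "AM msg 3, encrypted",                          1, 1, ISAKMP_EXCH_AGGRESSIVE, 3, ISAKMP_FLAGS_ENC },
        { "AM later msg, cleartext, keystate set",        1, 1, ISAKMP_EXCH_AGGRESSIVE, 4, 0 },
        { "MM msg 5, cleartext, keystate set",            1, 1, ISAKMP_EXCH_IDPROT,     5, 0 },
        { "phase 2, cleartext",                           2, 1, ISAKMP_EXCH_IDPROT,     1, 0 },
    };
    size_t i;
    enum policy p;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-46s", cases[i].label);
        for (p = POLICY_ORIGINAL; p <= POLICY_NARROWED; p++)
            printf("  %s=%s", names[p],
                   verdict(p, cases[i].phase, cases[i].keystate, cases[i].type,
                           cases[i].step, cases[i].flags) ? "drop" : "accept");
        putchar('\n');
    }
    return 0;
}
```

Running the table shows the point raised about the diff: the original policy drops the vendor's cleartext third message, the patched policy accepts it but also accepts any further cleartext aggressive-mode message once keying material exists, and the narrowed variant accepts only the third one; encrypted messages and phase 2 behave identically under all three.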