Closed foxxyben closed 7 years ago
Hi, wanted to let you know I am currently looking into your issue. In the meantime, I wanted to point out a couple important items. I'm not sure when you pulled the code, but I committed a crucial bug fix on April 3. Also, I committed an instruction document 3 days ago, held in the top level directory. This may help get to the bottom of the issue if it happens to be a configuration problem. I'll let you know what I find from my investigation ASAP. Thanks.
Thanks for the update. I did see the instruction document. It was very helpful in getting the last steps completed!! I've also checked the dates for when I pulled down the repo and it looks like April 10, so should have the fix in place. Let me know if there is anything else I can provide.
Glad to hear you have a more recent version. I tried using the exact mix of options you used on the client and that worked, so I ruled out one possible issue. The error that you reported would SEEM to indicate that the server is trying to parse the SPA's request as if 1006 was a protocol/port string, not a service id. When you execute the client command with the verbose option, it should print out a line regarding the message type, which should look like this:
Message Type: 1 (Service access msg)
Let me know if that's the case.
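To make that check concrete, here is an added Python example (not fwknop's own code, and not a substitute for running the client) that reads the "SPA Field Values" dump `fwknop --verbose` prints, pulls out the message type and message string, and classifies each access entry as a legacy proto/port string (tcp/80) or a bare SDP service id (1006). The field names are taken from the dumps in this thread; the classification rules, the sample dumps, and the message type text in the legacy sample are assumptions made for the example.

```python
"""Classify the access entries inside an fwknop SPA message string.

Added illustration, not fwknop's parser. Field names follow the
"SPA Field Values" dump printed by `fwknop --verbose`; everything else
(regexes, sample dumps, legacy message type text) is constructed here.
"""
import re

# Constructed sample modelled on the client dump in the thread (digests omitted).
SERVICE_DUMP = """\
SPA Field Values:
=================
Random Value: 5815598059301653
SDP Client ID: 55556
Username: root
Timestamp: 1492803424
FKO Version: 2.0.2
Message Type: 1 (Service access msg)
Message String: 192.168.193.21,1006
Nat Access: <NULL>
"""

# Constructed legacy-style sample; the message type text is an assumption.
LEGACY_DUMP = """\
SPA Field Values:
=================
SDP Client ID: 55556
Message Type: 1 (Access msg, constructed label)
Message String: 10.103.200.253,tcp/80,tcp/22
"""

PROTO_PORT = re.compile(r"^(tcp|udp)/(\d{1,5})$")
SERVICE_ID = re.compile(r"^\d+$")


def parse_spa_dump(text):
    """Return {field name: value} for every 'Name: value' line in the dump."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("="):
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def classify_access_entry(entry):
    """'proto/port' for tcp/udp + valid port, 'service_id' for a bare integer."""
    m = PROTO_PORT.match(entry)
    if m:
        port = int(m.group(2))
        return "proto/port" if 1 <= port <= 65535 else "invalid"
    if SERVICE_ID.match(entry):
        return "service_id"
    return "invalid"


def diagnose(dump_text):
    """Split 'ip,entry[,entry...]' (assumed layout) and classify each entry."""
    fields = parse_spa_dump(dump_text)
    source_ip, _, access = fields.get("Message String", "").partition(",")
    entries = [e for e in access.split(",") if e]
    return {
        "message_type": fields.get("Message Type", "<missing>"),
        "source_ip": source_ip,
        "entries": {e: classify_access_entry(e) for e in entries},
    }


def unparseable_for(result, expected_kind):
    """Entries a server expecting `expected_kind` would fail to parse."""
    return [e for e, kind in result["entries"].items() if kind != expected_kind]


if __name__ == "__main__":
    for dump in (SERVICE_DUMP, LEGACY_DUMP):
        r = diagnose(dump)
        print(r["message_type"], r["entries"],
              "rejected as port entries:", unparseable_for(r, "proto/port"))
```

Running it on the service-id sample reports `1006` as the one entry a server parsing the message as proto/port would reject, which is the same shape as the `Parse error on access port entry: 1006` line: the message type says "Service access msg", so the fault is on the side that insists on a port string, not in the client's request.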
Looks like that is all working. Here is the full output of the command (with some pieces truncated):
fwknop --verbose --sdp-id 55556 --services 1006 -a 192.168.193.21 -D 10.101.110.15 --use-hmac --key-base64-rijndael XXXXXXXX --key-base64-hmac XXXXXXXX
SPA Field Values:
=================
Random Value: 5815598059301653
SDP Client ID: 55556
Username: root
Timestamp: 1492803424
FKO Version: 2.0.2
Message Type: 1 (Service access msg)
Message String: 192.168.193.21,1006
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3 (SHA256)
HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
Disable SDP Mode: 0 (SDP Mode Enabled)
Encoded SDP ID: BNkAAA
Encoded Data: XXXXXXX
SPA Data Digest: XXXXXXXX
HMAC: XXXXXXXX
Final SPA Data: XXXXXXXX
Generating SPA packet:
protocol: udp
source port: <OS assigned>
destination port: 62201
IP/host: 10.101.110.15
send_spa_packet: bytes sent: 210
For what it's worth, I have everything running on a CentOS 7 server. One other item that might be helpful is that I built RPMs using the .spec file (attached). I added two lines at the end, but the result was a clean build. fwknop.spec.txt
No problems jump out at me. We haven't recently tested on CentOS though we have in the past without issue. On the server side, if you execute with the verbose option, you'll get the same type of printout with all of the properties of the received SPA message. Running in verbose mode creates a lot of endless printing so you may want to redirect to a text file (or use the system log) and just search for something like "incoming_spa()" or "SPA Packet from IP". A little below that should be the SPA message data. Let me know if that too has the message type "1 (Service access msg)".
Here's the gateway side output. I also went ahead and reinstalled directly from source using the same config files. Results are the same.
incoming_spa() : just arrived, stay tuned
(stanza #0) SPA Packet from IP: 10.101.110.10 received with access source match
SPA Packet: 'XXXXXXXX'
[10.101.110.10] (stanza #0) SPA Decode (res=0):
SPA Field Values:
=================
Random Value: 1282577798806796
SDP Client ID: 55556
Username: <NULL>
Timestamp: 1492806394
FKO Version: <NULL>
Message Type: 1 (Service access msg)
Message String: 192.168.193.21,1006
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0
Digest Type: 3 (SHA256)
HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
Disable SDP Mode: 0 (SDP Mode Enabled)
Encoded SDP ID: BNkAAA
Encoded Data: XXXXXXXX
SPA Data Digest: XXXXXXXX
HMAC: XXXXXXXX
Final SPA Data: XXXXXXXX
[*] Parse error on access port entry: 1006
check_conntrack() Getting latest connections...
Looking through config files, I don't see anything out of place. I've gone ahead and attached my gateway configs just in case they are helpful. access.conf.txt fwknopd.conf.txt gate.fwknoprc.txt gate_sdp_ctrl_client.conf.txt
I certainly appreciate your patience as we try to figure out the issue.
A couple questions:
What firewall program are you using on the gateway? Everything implemented for SDP is currently only functional with iptables. If it's a different firewall, this would definitely cause the trouble you're seeing.
Probably not related but is the requested service (or any other service) running on a separate machine behind the gateway? I noticed that you do not have forwarding enabled on the gateway.
Can you send me a more complete server log file of the failed run? There are a couple warning messages that may be printed after that error message, depending on the issue, that may give further clues.
Thanks a ton for following up on this. There's no immediate rush!
I'm currently using firewalld as the firewall. I didn't think it would be an issue since the vanilla fwknop works just fine with firewalld and sending a SPA in legacy mode also works just fine. I will try setting up iptables in its place to see what happens.
The service is just a simple http web page on the same server as the gateway with no forwarding required.
If all else fails, I was planning to also set up an Ubuntu server as the gateway in the next couple days to see if I can get things running any smoother.
firewalld is definitely the problem. None of the newer SDP features are supported with other firewalls as of yet. As a side note, tracing the issue you were describing led to me discovering an unrelated bug for which I pushed a fix a few moments ago. So it's a win-win for me.
I think that last commit did it. I went ahead and rebuilt the server package for CentOS with the update and all is now working. Also worth mentioning, I did not have to move to iptables as everything IS working with firewalld!! I know this might have implications later, but definitely enough to show my lab setup to the bosses!
Thanks again for your help on this!!
I'm trying to get this all set up and am about 90% of the way. I can successfully get everything working and a port to open using the following command:
fwknop --verbose --sdp-id 55556 -A tcp/80 -a 10.103.200.253 -D 10.101.110.15 --use-hmac --key-base64-rijndael XXXXXX --key-base64-hmac XXXXXX
Logs show the firewall opens and everything is good. Problem is when I try to specify a service ID instead of protocol/port. Here is the command I am using to send the SPA packet:
fwknop --verbose --sdp-id 55556 --services 1006 -a 10.103.200.253 -D 10.101.110.15 --use-hmac --key-base64-rijndael XXXXXX --key-base64-hmac XXXXXX
Unfortunately, the gateway is having trouble with the packet:
fwknopd[2490]: [*] Parse error on access port entry: 1006
If I change the service ID to some arbitrary number that does not exist, I get a response that I would expect since the service:
fwknopd[2490]: Did not find service hash table node for service id 100
fwknopd[2490]: Issues with requested services.
Hoping I'm missing a simple configuration somewhere.