fasferraz / NWu-Non3GPP-5GC

NWu IKEv2/IPSec Dialer for 5GC / N3IWF
GNU General Public License v3.0

CREATE CHILD SA request IPSEC #9

Closed FgfTk closed 7 months ago

FgfTk commented 7 months ago

I am testing against the Amarisoft solution. I identified the following problem in generate_keying_material_child(reverse=True).

Traceback (most recent call last):
  File "nwu_emulator.py", line 5406, in <module>
    main()
  File "nwu_emulator.py", line 5401, in main
    a.start_ike()
  File "nwu_emulator.py", line 4603, in start_ike
    if self.interface_type == NWU: self.start_ike_nwu()
  File "nwu_emulator.py", line 4677, in start_ike_nwu
    self.state_connected_nwu()
  File "nwu_emulator.py", line 4429, in state_connected_nwu
    self.state_n3iwf_create_sa_child_nwu()
  File "nwu_emulator.py", line 4553, in state_n3iwf_create_sa_child_nwu
    self.generate_keying_material_child(reverse=True)
  File "nwu_emulator.py", line 2554, in generate_keying_material_child
    KEY_LENGHT_TOTAL = 2*AUTH_KEY_SIZE + 2*ENCR_KEY_SIZE
TypeError: unsupported operand type(s) for *: 'int' and 'NoneType'

The calculated AUTH_KEY_SIZE is None instead of int.

I think the error happened somehow here: AUTH_KEY_SIZE = self.integ_key_len_bytes.get(self.negotiated_integrity_algorithm_child)

Any suggestions?

fasferraz commented 7 months ago

It could be related to something missing in the previous message. Can you paste all the output here, please?

FgfTk commented 7 months ago

Hi, this is the previous message received:

Header:
  IKE SA initiator's SPI: 0x9857687DF9B8D88A
  IKE SA responder's SPI: 0x4371505BCC240A1E
  Next Payload: 46 (Encrypted and Authenticated)
  Major version: 2   Minor version: 0
  Exchange type: 4
  Flags: 0 ()
  Message id: 0
  Length: 460
Payload: Encrypted and authenticated
  Next Payload: Notify   Reserved: 0x00   Payload length: 432
  Payload data: 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
Payload: Notify
  Next Payload: Notify   Reserved: 0x00   Payload length: 13
  Protocol ID: RESERVED   SPI Size: 0
  Notify Message Type: 5G_QOS_INFO (55501)   Notification Data: 0401010100
Payload: Notify
  Next Payload: Security Association   Reserved: 0x00   Payload length: 12
  Protocol ID: RESERVED   SPI Size: 0
  Notify Message Type: UP_IP4_ADDRESS (55504)   Notification Data: c0a80b02
Payload: Security association
  Next Payload: Nonce   Reserved: 0x00   Payload length: 288
  Proposal: Last substructure: 0 (Last)   Reserved: 0x00   Proposal length: 284
    Proposal number: 1   Protocol id: 3 (ESP)   SPI size: 4   Num transforms: 31   SPI: 0x8FB057D1
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 1 (ENCR)    Reserved: 0x00   Transform id: 11 (ENCR_NULL)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 12   Transform type: 1 (ENCR)    Reserved: 0x00   Transform id: 12 (ENCR_AES_CBC)   Attribute type: 14 (Key length)   Attribute value: 0080
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 12   Transform type: 1 (ENCR)    Reserved: 0x00   Transform id: 12 (ENCR_AES_CBC)   Attribute type: 14 (Key length)   Attribute value: 00c0
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 12   Transform type: 1 (ENCR)    Reserved: 0x00   Transform id: 12 (ENCR_AES_CBC)   Attribute type: 14 (Key length)   Attribute value: 0100
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 1 (ENCR)    Reserved: 0x00   Transform id: 2 (ENCR_DES)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 1 (ENCR)    Reserved: 0x00   Transform id: 3 (ENCR_3DES)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 1 (ENCR)    Reserved: 0x00   Transform id: 7 (ENCR_BLOWFISH)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 12   Transform type: 1 (ENCR)    Reserved: 0x00   Transform id: 13 (ENCR_AES_CTR)   Attribute type: 14 (Key length)   Attribute value: 0080
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 12   Transform type: 1 (ENCR)    Reserved: 0x00   Transform id: 13 (ENCR_AES_CTR)   Attribute type: 14 (Key length)   Attribute value: 00c0
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 12   Transform type: 1 (ENCR)    Reserved: 0x00   Transform id: 13 (ENCR_AES_CTR)   Attribute type: 14 (Key length)   Attribute value: 0100
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 3 (INTEG)   Reserved: 0x00   Transform id: 0 (AUTH_NONE)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 3 (INTEG)   Reserved: 0x00   Transform id: 2 (AUTH_HMAC_SHA1_96)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 3 (INTEG)   Reserved: 0x00   Transform id: 7 (AUTH_HMAC_SHA1_160)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 3 (INTEG)   Reserved: 0x00   Transform id: 12 (AUTH_HMAC_SHA2_256_128)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 3 (INTEG)   Reserved: 0x00   Transform id: 13 (AUTH_HMAC_SHA2_384_192)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 3 (INTEG)   Reserved: 0x00   Transform id: 14 (AUTH_HMAC_SHA2_512_256)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 3 (INTEG)   Reserved: 0x00   Transform id: 1 (AUTH_HMAC_MD5_96)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 3 (INTEG)   Reserved: 0x00   Transform id: 6 (AUTH_HMAC_MD5_128)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 3 (INTEG)   Reserved: 0x00   Transform id: 5 (AUTH_AES_CMAC_96)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 4 (D-H)     Reserved: 0x00   Transform id: 0 (DH_NONE)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 4 (D-H)     Reserved: 0x00   Transform id: 5 (DH_GROUP_5)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 4 (D-H)     Reserved: 0x00   Transform id: 14 (DH_GROUP_14)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 4 (D-H)     Reserved: 0x00   Transform id: 15 (DH_GROUP_15)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 4 (D-H)     Reserved: 0x00   Transform id: 16 (DH_GROUP_16)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 4 (D-H)     Reserved: 0x00   Transform id: 17 (DH_GROUP_17)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 4 (D-H)     Reserved: 0x00   Transform id: 18 (DH_GROUP_18)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 4 (D-H)     Reserved: 0x00   Transform id: 19 (DH_GROUP_19)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 4 (D-H)     Reserved: 0x00   Transform id: 22 (DH_GROUP_22)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 4 (D-H)     Reserved: 0x00   Transform id: 23 (DH_GROUP_23)
    Transform: Last substructure: 3 (More)   Reserved: 0x00   Transform length: 8    Transform type: 4 (D-H)     Reserved: 0x00   Transform id: 24 (DH_GROUP_24)
    Transform: Last substructure: 0 (Last)   Reserved: 0x00   Transform length: 8    Transform type: 5 (ESN)     Reserved: 0x00   Transform id: 0 (No ESNs)
Payload: Nonce
  Next Payload: Traffic Selector - Initiator   Reserved: 0x00   Payload length: 36
  Payload data: a22deb2fc8498166947b65760a557aedbdccd8835c5900bdb840ff6a28c04b88
Payload: Traffic Selector - Initiator
  Next Payload: Traffic Selector - Responder   Reserved: 0x00   Payload length: 24   Number of TSs: 1
  TS Type: TS_IPV4_ADDR_RANGE   IP Protocol ID: Not relevant (0)   Start Port: 0   End Port: 65535
  Starting Address: 0.0.0.0   Ending Address: 255.255.255.255
Payload: Traffic Selector - Responder
  Next Payload: No Next Payload   Reserved: 0x00   Payload length: 24   Number of TSs: 1
  TS Type: TS_IPV4_ADDR_RANGE   IP Protocol ID: Not relevant (0)   Start Port: 0   End Port: 65535
  Starting Address: 192.168.10.2   Ending Address: 192.168.10.2

fasferraz commented 7 months ago

Hi, I had this issue before with someone also using Amarisoft. So there is a solution :) This was a message I exchanged with him:

The IKE RFC allows multiple Transforms of the same type within one proposal (that is a logical OR, meaning the other side can choose whichever Transform from the list they want).

The problem is that my app is not prepared for that, because usually each proposal has only one Transform of each type (one ENCR, one INTEG, etc.), and the emulator usually accepts proposal number 1 and answers back with that same exact proposal.

So the error is happening in the ESP, so I would suggest you change the ESP parameters so that each parameter has only one setting:

esp_encryption_algo_list: "aes-cbc-128" (AES CBC 128 bits key length)

esp_integrity_algo_list: "hmac-sha-1-96"

esp_dh_group_list: "none"

Can you try?
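The multiple-transforms-per-type situation described in the comment above, as an added example that is not the repository's code: it encodes and parses an ESP Proposal substructure with the byte layout of RFC 7296 section 3.3, groups the offered transforms by type, picks exactly one of each type from a preference list (the single-setting configuration suggested above), and builds the proposal to send back with only the chosen transforms, which is what a responder is required to do. The preference lists, the integrity key-length table, the constructed offer (modelled on the Amarisoft proposal quoted above, with fewer transforms) and all function names are assumptions for this example. The key-length lookup raises if the chosen algorithm is unknown instead of returning None, which is the failure mode the traceback in this issue shows.

```python
"""Pick one transform per type from an IKEv2 ESP proposal (added example)."""
import struct

# Transform types (RFC 7296 section 3.3.2)
ENCR, PRF, INTEG, DH, ESN = 1, 2, 3, 4, 5
KEY_LENGTH_ATTR = 14  # "Key Length" attribute, sent in TV format (AF bit set)

# Responder preferences, most preferred first: (transform id, key length or None).
# Assumed for this example; mirrors the single-setting config suggested above.
PREFERRED = {
    ENCR: [(12, 128)],   # ENCR_AES_CBC with a 128-bit key
    INTEG: [(2, None)],  # AUTH_HMAC_SHA1_96
    DH: [(0, None)],     # no PFS for the child SA
    ESN: [(0, None)],    # no extended sequence numbers
}

# Integrity key length in bytes by INTEG transform id (assumed table).
INTEG_KEY_LEN_BYTES = {2: 20, 12: 32, 13: 48, 14: 64, 5: 16}


def transform(ttype, tid, key_len=None, last=False):
    """Encode one Transform substructure: last/more, reserved, length, type, reserved, id."""
    body = b""
    if key_len is not None:
        body = struct.pack("!HH", 0x8000 | KEY_LENGTH_ATTR, key_len)  # TV attribute
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(body), ttype, 0, tid) + body


def proposal(number, spi, transforms):
    """Encode a Proposal substructure for ESP (protocol id 3)."""
    tbytes = b"".join(transforms)
    hdr = struct.pack("!BBHBBBB", 0, 0, 8 + len(spi) + len(tbytes),
                      number, 3, len(spi), len(transforms))
    return hdr + spi + tbytes


def parse_proposal(data):
    """Return (number, spi, transforms); transforms is a list of (type, id, key_len)."""
    _, _, plen, number, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, 0)
    if proto != 3 or plen != len(data):
        raise ValueError("not a well-formed ESP proposal")
    spi = data[8:8 + spi_size]
    off = 8 + spi_size
    transforms = []
    for _ in range(ntrans):
        _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", data, off)
        key_len, aoff = None, off + 8
        while aoff < off + tlen:  # walk the transform attributes
            af_type, val = struct.unpack_from("!HH", data, aoff)
            if af_type & 0x7FFF == KEY_LENGTH_ATTR:
                key_len = val
            aoff += 4 if af_type & 0x8000 else 4 + val  # TV is 4 bytes, TLV carries a length
        transforms.append((ttype, tid, key_len))
        off += tlen
    return number, spi, transforms


def select_transforms(offered):
    """Choose one transform per offered type; None means NO_PROPOSAL_CHOSEN."""
    by_type = {}
    for ttype, tid, key_len in offered:
        by_type.setdefault(ttype, []).append((tid, key_len))
    chosen = {}
    for ttype, options in by_type.items():
        pick = next((p for p in PREFERRED.get(ttype, []) if p in options), None)
        if pick is None:
            return None
        chosen[ttype] = pick
    return chosen


def integ_key_len(chosen):
    """Key length of the chosen INTEG transform; fail loudly rather than return None."""
    tid, _ = chosen[INTEG]
    if tid not in INTEG_KEY_LEN_BYTES:
        raise ValueError(f"no key length known for INTEG transform id {tid}")
    return INTEG_KEY_LEN_BYTES[tid]


def respond(offer, our_spi):
    """Build the answer: same proposal number, our SPI, exactly one transform per type."""
    number, _, offered = parse_proposal(offer)
    chosen = select_transforms(offered)
    if chosen is None:
        return None
    order = [t for t in (ENCR, PRF, INTEG, DH, ESN) if t in chosen]
    tlist = [transform(t, *chosen[t], last=(t == order[-1])) for t in order]
    return proposal(number, our_spi, tlist)


# Constructed offer modelled on the Amarisoft proposal quoted in this thread:
# several ENCR, INTEG and D-H transforms inside one proposal (logical OR per type).
OFFER = proposal(1, bytes.fromhex("8FB057D1"), [
    transform(ENCR, 11), transform(ENCR, 12, 128), transform(ENCR, 12, 192),
    transform(ENCR, 12, 256), transform(ENCR, 3),
    transform(INTEG, 0), transform(INTEG, 2), transform(INTEG, 12),
    transform(DH, 0), transform(DH, 14),
    transform(ESN, 0, last=True),
])

if __name__ == "__main__":
    reply = respond(OFFER, bytes.fromhex("00000001"))
    print(parse_proposal(reply))
```

Echoing the whole offered proposal back, as the emulator does, leaves both sides with a list where one algorithm is expected; a dictionary lookup keyed on that list then yields None and the key-length arithmetic fails exactly as in the traceback. Selecting one transform per type before deriving keys, and raising when the lookup has no entry, keeps the error at the negotiation step where it is actionable.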