Open miolad opened 2 years ago
@miolad Sorry to hijack your thread. I am trying to cross-compile strongSwan for Windows 10, but see the following errors when launching charon-svc.exe. Looks like you got further than me, so I am wondering what your steps and parameters were for building Windows strongSwan.
It would be greatly appreciated if you could provide some suggestions on my discussion post (https://github.com/strongswan/strongswan/discussions/1204)
```
C:\strongswan\dist_3\usr\local\bin>charon-svc.exe
00[DMN] Starting IKE service charon-svc (strongSwan 5.9.7, Windows Client 6.2.9200 (SP 0.0)
00[KNL] registering WFP provider failed: 0x00000005
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon-svc' has unmet dependency: CUSTOM:socket
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon-svc' has unmet dependency: CUSTOM:libcharon-receiver
00[LIB] failed to load 2 critical plugin features
```
Thanks in advance!
Responder:
- OS: Debian 11.2
- Kernel version: 5.10
- strongSwan version: 5.9.4
Initiator:
- OS: Windows 11 21H2 22000.376
- strongSwan version: crosscompiled 5.9.4 (applied this patch)
- reproducible on latest version: yes
**Describe the bug**
Trap policies installed by kernel-wfp on Windows initiators apparently have a higher priority than the IPsec filters, so they get triggered even after the main IPsec filters have been installed. This means that communication over the secure channel cannot happen, as all packets get dropped by the trap filter.
Note that this is not a new bug.
**To Reproduce**
Steps to reproduce the behavior:
- Set up a Windows initiator with `start_action = trap`
- On the initiator, ping the `remote_ts` address to open the tunnel
- Every packet triggers a new acquisition of the `CHILD_SA`
**Expected behavior**
After the tunnel has been opened, packets that match the TS should not be dropped by the trap filter but rather go through the IPsec pipeline. Only one `CHILD_SA` should be installed.

**Logs/Backtraces**
For my testing I'm using this `swanctl.conf` configuration for the initiator:

```
connections {
    host-host-ike {
        remote_addrs = <responder pub ip>
        local {
            auth = pubkey
            certs = dave_cert.pem
            id = dave@strongswan.org
        }
        remote {
            auth = pubkey
        }
        children {
            host-host-ipsec {
                remote_ts = 192.168.1.243
                start_action = trap
            }
        }
        version = 2
        mobike = no
        reauth_time = 10800
    }
}
```
(Both the initiator and the responder are behind NAT)
Output from `charon-svc.exe` after `ping 192.168.1.243`:

```
PS C:\strongSwan> .\charon-svc.exe
00[DMN] Starting IKE service charon-svc (strongSwan 5.9.4, Windows Client 6.2.9200 (SP 0.0)
00[LIB] loaded plugins: charon-svc nonce x509 pubkey pkcs1 pem openssl kernel-wfp kernel-iph socket-win vici
00[JOB] spawning 16 worker threads
00[DMN] executing start script 'swanctl-load' (swanctl --load-all)
no files found matching 'swanctl\conf.d/*.conf'
16[CFG] loaded certificate 'C=IT, O=strongSwan, CN=carol@strongswan.org'
07[CFG] loaded certificate 'C=IT, O=strongSwan, CN=dave@strongswan.org'
11[CFG] loaded certificate 'C=IT, O=strongSwan, CN=strongSwan Root Ca'
15[CFG] loaded RSA private key
09[CFG] loaded RSA private key
12[CFG] added vici connection: host-host-ike
12[CFG] installing 'host-host-ipsec'
00[DMN] swanctl-load: loaded certificate from 'swanctl\x509\carol_cert.pem'
00[DMN] swanctl-load: loaded certificate from 'swanctl\x509\dave_cert.pem'
00[DMN] swanctl-load: loaded certificate from 'swanctl\x509ca\ca_cert.pem'
00[DMN] swanctl-load: loaded RSA key from 'swanctl\private\carol_key.pem'
00[DMN] swanctl-load: loaded RSA key from 'swanctl\private\dave_key.pem'
00[DMN] swanctl-load: no authorities found, 0 unloaded
00[DMN] swanctl-load: no pools found, 0 unloaded
00[DMN] swanctl-load: loaded connection 'host-host-ike'
00[DMN] swanctl-load: successfully loaded 1 connections, 0 unloaded
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
03[IKE] initiating IKE_SA host-host-ike[1] to <responder pub ip>
03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
03[NET] sending packet: from 192.168.43.81[49952] to <responder pub ip>[500] (852 bytes)
10[NET] received packet: from <responder pub ip>[500] to 192.168.43.81[49952] (305 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
10[IKE] local host is behind NAT, sending keep alives
10[IKE] remote host is behind NAT
10[IKE] received cert request for "C=IT, O=strongSwan, CN=strongSwan Root Ca"
10[IKE] sending cert request for "C=IT, O=strongSwan, CN=strongSwan Root Ca"
10[IKE] authentication of 'dave@strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
10[IKE] sending end entity cert "C=IT, O=strongSwan, CN=dave@strongswan.org"
10[IKE] establishing CHILD_SA host-host-ipsec{2} reqid 1
10[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
10[ENC] splitting IKE message (1888 bytes) into 2 fragments
10[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
10[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
10[NET] sending packet: from 192.168.43.81[49953] to <responder pub ip>[4500] (1236 bytes)
10[NET] sending packet: from 192.168.43.81[49953] to <responder pub ip>[4500] (724 bytes)
07[NET] received packet: from <responder pub ip>[4500] to 192.168.43.81[49953] (1236 bytes)
07[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
07[ENC] received fragment #1 of 2, waiting for complete IKE message
09[NET] received packet: from <responder pub ip>[4500] to 192.168.43.81[49953] (596 bytes)
09[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
09[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1760 bytes)
09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
09[IKE] received end entity cert "C=IT, O=strongSwan, CN=carol@strongswan.org"
09[CFG] using trusted ca certificate "C=IT, O=strongSwan, CN=strongSwan Root Ca"
09[CFG] reached self-signed root ca with a path length of 0
09[CFG] using trusted certificate "C=IT, O=strongSwan, CN=carol@strongswan.org"
09[IKE] authentication of 'carol@strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
09[IKE] IKE_SA host-host-ike[1] established between 192.168.43.81[dave@strongswan.org]...<responder pub ip>[carol@strongswan.org]
09[IKE] scheduling reauthentication in 10759s
09[IKE] maximum IKE_SA lifetime 11839s
09[CFG] selected proposal: ESP:AES_GCM_16_128
09[IKE] CHILD_SA host-host-ipsec{2} established with SPIs c9250ce6_i ce7bd593_o and TS 192.168.43.81/32 === 192.168.1.243/32
09[IKE] received AUTH_LIFETIME of 10499s, scheduling reauthentication in 9419s
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
08[IKE] establishing CHILD_SA host-host-ipsec{3} reqid 1
08[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
08[NET] sending packet: from 192.168.43.81[49953] to <responder pub ip>[4500] (336 bytes)
04[NET] received packet: from <responder pub ip>[4500] to 192.168.43.81[49953] (192 bytes)
04[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
04[CFG] selected proposal: ESP:AES_GCM_16_128
04[IKE] CHILD_SA host-host-ipsec{3} established with SPIs c967fe48_i cae00955_o and TS 192.168.43.81/32 === 192.168.1.243/32
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
13[IKE] establishing CHILD_SA host-host-ipsec{4} reqid 1
13[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
13[NET] sending packet: from 192.168.43.81[49953] to <responder pub ip>[4500] (336 bytes)
12[NET] received packet: from <responder pub ip>[4500] to 192.168.43.81[49953] (192 bytes)
12[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
12[CFG] selected proposal: ESP:AES_GCM_16_128
12[IKE] CHILD_SA host-host-ipsec{4} established with SPIs c89f2a1a_i c7218e68_o and TS 192.168.43.81/32 === 192.168.1.243/32
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
11[IKE] establishing CHILD_SA host-host-ipsec{5} reqid 1
11[ENC] generating CREATE_CHILD_SA request 4 [ SA No TSi TSr ]
11[NET] sending packet: from 192.168.43.81[49953] to <responder pub ip>[4500] (336 bytes)
14[NET] received packet: from <responder pub ip>[4500] to 192.168.43.81[49953] (192 bytes)
14[ENC] parsed CREATE_CHILD_SA response 4 [ SA No TSi TSr ]
14[CFG] selected proposal: ESP:AES_GCM_16_128
14[IKE] CHILD_SA host-host-ipsec{5} established with SPIs c8e21b80_i c0bac50f_o and TS 192.168.43.81/32 === 192.168.1.243/32
```

```
PS C:\strongSwan> .\swanctl.exe -l
host-host-ike: #1, ESTABLISHED, IKEv2, 39d9b5588f2af5ed_i* 9b1382cd647d66a0_r
  local  'dave@strongswan.org' @ 192.168.43.81[49953]
  remote 'carol@strongswan.org' @ <responder pub ip>[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 9s ago, reauth in 9410s
  host-host-ipsec: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 9s ago, rekeying in 3387s, expires in 3951s
    in  c9250ce6, 0 bytes, 0 packets
    out ce7bd593, 0 bytes, 0 packets
    local  192.168.43.81/32
    remote 192.168.1.243/32
  host-host-ipsec: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 9s ago, rekeying in 3388s, expires in 3952s
    in  c967fe48, 0 bytes, 0 packets
    out cae00955, 0 bytes, 0 packets
    local  192.168.43.81/32
    remote 192.168.1.243/32
  host-host-ipsec: #4, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 8s ago, rekeying in 3389s, expires in 3953s
    in  c89f2a1a, 0 bytes, 0 packets
    out c7218e68, 0 bytes, 0 packets
    local  192.168.43.81/32
    remote 192.168.1.243/32
  host-host-ipsec: #5, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 7s ago, rekeying in 3390s, expires in 3954s
    in  c8e21b80, 0 bytes, 0 packets
    out c0bac50f, 0 bytes, 0 packets
    local  192.168.43.81/32
    remote 192.168.1.243/32
```
**Things I've tried**
- Change the weight of every WFP filter for IPsec SAs to a fixed value higher than the one used by traps -> no change
- Move trap filters to the `FWPM_LAYER_OUTBOUND_IPPACKET_V4/V6` layers; quoting the official WFP docs, at this layer "Any IPsec authentication and encryption has already occurred." -> no change
- Connect using the Windows native "agile" IKEv2 client after letting strongSwan install traps -> the VPN client successfully connects, but traffic is still dropped by the trap before it can be transformed by IPsec. This, I think, confirms that the problem is not in how IPsec policies are installed (maybe?)
- Uninstall trap policies after adding the corresponding SAs, and reinstall them after the SAs are dropped -> this works, of course, but is very ugly and probably not suitable for every situation
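The symptom in the report has two fingerprints that are easy to check mechanically: in the charon log, a `[KNL] creating acquire job ... with reqid {N}` line that appears after a `CHILD_SA` for that reqid has already been set up, and in `swanctl -l`, several `INSTALLED` CHILD_SAs sharing one reqid with `0 bytes, 0 packets` in both directions. The script below is an added diagnostic, not strongSwan code and not part of the bug report; it assumes only the log line formats visible in the output above, and the sample input is a constructed excerpt of that output.

```python
"""Spot the runaway-acquire symptom in charon log lines and `swanctl -l` output.

Added example (not strongSwan code). Assumed formats, taken from the report:
  charon:  '<thr>[KNL] creating acquire job for policy <selector> with reqid {N}'
           '<thr>[IKE] establishing CHILD_SA <name>{<unique>} reqid N'
  swanctl: '<name>: #<unique>, reqid N, INSTALLED, ...'
           'in <spi>, N bytes, N packets' / 'out <spi>, N bytes, N packets'
"""
import re
from collections import defaultdict

ACQUIRE_RE = re.compile(r"\[KNL\] creating acquire job for policy (.+?) with reqid \{(\d+)\}")
ESTABLISHING_RE = re.compile(r"\[IKE\] establishing CHILD_SA (\S+?)\{(\d+)\} reqid (\d+)")
SA_HEAD_RE = re.compile(r"^(\S+): #(\d+), reqid (\d+), (\w+),")
SA_COUNTER_RE = re.compile(r"^\s*(in|out)\s+([0-9a-f]+),\s+(\d+) bytes,\s+(\d+) packets")

# Constructed excerpt of the charon-svc log from the report (thread ids and SPIs kept).
CHARON_SAMPLE = """\
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
10[IKE] establishing CHILD_SA host-host-ipsec{2} reqid 1
09[IKE] CHILD_SA host-host-ipsec{2} established with SPIs c9250ce6_i ce7bd593_o and TS 192.168.43.81/32 === 192.168.1.243/32
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
08[IKE] establishing CHILD_SA host-host-ipsec{3} reqid 1
04[IKE] CHILD_SA host-host-ipsec{3} established with SPIs c967fe48_i cae00955_o and TS 192.168.43.81/32 === 192.168.1.243/32
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
13[IKE] establishing CHILD_SA host-host-ipsec{4} reqid 1
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
11[IKE] establishing CHILD_SA host-host-ipsec{5} reqid 1
"""

# Constructed excerpt of the `swanctl -l` output from the report.
SWANCTL_SAMPLE = """\
host-host-ike: #1, ESTABLISHED, IKEv2, 39d9b5588f2af5ed_i* 9b1382cd647d66a0_r
  established 9s ago, reauth in 9410s
  host-host-ipsec: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    in  c9250ce6, 0 bytes, 0 packets
    out ce7bd593, 0 bytes, 0 packets
  host-host-ipsec: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    in  c967fe48, 0 bytes, 0 packets
    out cae00955, 0 bytes, 0 packets
  host-host-ipsec: #4, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    in  c89f2a1a, 0 bytes, 0 packets
    out c7218e68, 0 bytes, 0 packets
  host-host-ipsec: #5, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    in  c8e21b80, 0 bytes, 0 packets
    out c0bac50f, 0 bytes, 0 packets
"""


def analyze_charon_log(lines):
    """Return (child_sas, late_acquires): per reqid, the unique ids of CHILD_SAs
    set up for it, and the selectors of acquires that fired AFTER one already
    existed. A healthy trap shows exactly one acquire per reqid, before the SA."""
    child_sas = defaultdict(list)
    late_acquires = defaultdict(list)
    for line in lines:
        m = ACQUIRE_RE.search(line)
        if m:
            policy, reqid = m.group(1), int(m.group(2))
            if child_sas.get(reqid):          # an SA for this reqid is already up
                late_acquires[reqid].append(policy)
            continue
        m = ESTABLISHING_RE.search(line)
        if m:
            child_sas[int(m.group(3))].append(int(m.group(2)))
    return dict(child_sas), dict(late_acquires)


def parse_swanctl_list(lines):
    """Parse `swanctl -l` into one dict per CHILD_SA with its state and byte counters.
    The IKE_SA header line has no 'reqid' field, so SA_HEAD_RE skips it."""
    sas = []
    for line in lines:
        m = SA_HEAD_RE.match(line.strip())
        if m:
            sas.append({"name": m.group(1), "id": int(m.group(2)), "reqid": int(m.group(3)),
                        "state": m.group(4), "in_bytes": None, "out_bytes": None})
            continue
        m = SA_COUNTER_RE.match(line)
        if m and sas:                          # counters belong to the most recent SA header
            sas[-1][m.group(1) + "_bytes"] = int(m.group(3))
    return sas


def find_idle_duplicate_sas(sas):
    """Flag reqids with more than one INSTALLED CHILD_SA and list which of those
    never carried traffic (0 bytes both ways), the pattern the report shows."""
    by_reqid = defaultdict(list)
    for sa in sas:
        if sa["state"] == "INSTALLED":
            by_reqid[sa["reqid"]].append(sa)
    findings = {}
    for reqid, group in by_reqid.items():
        if len(group) > 1:
            idle = [sa["id"] for sa in group if sa["in_bytes"] == 0 and sa["out_bytes"] == 0]
            findings[reqid] = {"installed": [sa["id"] for sa in group], "idle": idle}
    return findings


def diagnose(charon_lines, swanctl_lines):
    """Combine both views into human-readable findings (empty list = looks healthy)."""
    findings = []
    child_sas, late = analyze_charon_log(charon_lines)
    for reqid, policies in late.items():
        findings.append(f"reqid {reqid}: {len(policies)} acquire(s) fired after "
                        f"CHILD_SA {child_sas[reqid][0]} was already up")
    for reqid, info in find_idle_duplicate_sas(parse_swanctl_list(swanctl_lines)).items():
        findings.append(f"reqid {reqid}: {len(info['installed'])} INSTALLED CHILD_SAs, "
                        f"{len(info['idle'])} of them carried no traffic")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CHARON_SAMPLE.splitlines(), SWANCTL_SAMPLE.splitlines()):
        print(finding)
```

Feed it the real files (`charon-svc.exe` output and `swanctl -l`) instead of the samples to confirm the same pattern on another Windows host; on the healthy side (one acquire, one SA, non-zero counters) `diagnose()` returns an empty list.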