
[patch] adopt to server-suggested lifetime
Hi all,

the attached patch against the vpnc-nortel branch adds
support for the Fritz!Box VPN's behaviour.

AFAIU it, the flow is as follows:

* vpnc suggests a lifetime of 2147483
* the fritzbox does not like lifetimes of > 1 hour
  ==> it responds with a zero length lifetime message
    => this triggers an assert() in lifetime_ike_process()
* if the assert is skipped, we later bail out in do_phase1_am_packet2()
  due to an unknown ISAKMP_PAYLOAD_N

The patch now does:
* disarm the assert() in lifetime_ike_process(), instead just log
a debug message
* add parsing of the lifetime attribute for ISAKMP_PAYLOAD_N in
  do_phase1_am_packet2()

With this, vpnc adopts the server-suggested 3600 seconds lifetime.

Note: this patch was developed simply by watching and interpreting the
debug output of vpnc, no reading of the RFCs or similar was involved.
Especially, I have almost zero knowledge of IPSEC, ISAKMP and similar.

Best regards,

Stefan
--
Stefan Seyfried

"Dispatch war rocket Ajax to bring back his body!"
Re: [patch] adopt to server-suggested lifetime
On Mon, Nov 7, 2011 at 10:45 PM, Stefan Seyfried
<stefan.seyfried@googlemail.com> wrote:
> Hi all,
>
> the attached patch against the vpnc-nortel branch adds
> support for the Fritz!Box VPN's behaviour.
>
> AFAIU it, the flow is as follows:
>
> * vpnc suggests a lifetime of 2147483
> * the fritzbox does not like lifetimes of > 1hour
>  ==> it responds with a zero length lifetime message
>    => this triggers an assert() in lifetime_ike_process()
> * if the assert is skipped, we later bail out in do_phase1_am_packet2()
>  due to an unknown ISAKMP_PAYLOAD_N
>
> The patch now does:
> * disarm the assert() in lifetime_ike_process(), instead just log
>  a debug message
> * add parsing of the lifetime attribute for ISAKMP_PAYLOAD_N in
>  do_phase1_am_packet2()
>
> With this, vpnc adopts the server-suggested 3600 seconds lifetime.
>
> Note: this patch was developed simply by watching and interpreting the
> debug output of vpnc, no reading of the RFCs or similar was involved.
> Especially, I have almost zero knowledge of IPSEC, ISAKMP and similar.

Hi Stefan,

I will test it with Nortel connection.
I think there could be one issue but I need to verify.
In my case, Nortel server uses a lifetime of 8 hours, but agrees on
the minimum lifetime between what the client proposes and the internal
settings of 8 hours.
Since key re-negotiation is not implemented, I have to restart vpnc
every 8 hours. Boring but acceptable.
With your patch the client will force Nortel server to use lifetime of
just one hour; this could become unacceptable.

Is there any other way to implement it?
What if we just remove/rewrite the assert and implement the lifetime
attribute parsing in do_phase1_am_packet2() ?

Best Regards,
Antonio Borneo
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
Re: [patch] adopt to server-suggested lifetime
Hi Antonio,

On 08.11.2011 04:27, Antonio Borneo wrote:

> On Mon, Nov 7, 2011 at 10:45 PM, Stefan Seyfried
> <stefan.seyfried@googlemail.com> wrote:
>> the attached patch against the vpnc-nortel branch adds
>> support for the Fritz!Box VPN's behaviour.

>> With this, vpnc adopts the server-suggested 3600 seconds lifetime.
>>
>> Note: this patch was developed simply by watching and interpreting the
>> debug output of vpnc, no reading of the RFCs or similar was involved.
>> Especially, I have almost zero knowledge of IPSEC, ISAKMP and similar.
>
> Hi Stefan,
>
> I will test it with Nortel connection.
> I think there could be one issue but I need to verify.
> In my case, Nortel server uses a lifetime of 8 hours, but agrees on
> the minimum lifetime between what the client proposes and the internal
> settings of 8 hours.

I don't think that's what happens.

I *think* what happens without the patch is:

* vpnc suggests 2147483 seconds
* fritzbox rejects this (sending an "invalid" IKE_ATTRIB_LIFE_DURATION
with isakmp_attr_lots and lots.length == 0)
* later, fritzbox proposes 3600 seconds
comes at an unexpected time.
vpnc will think it lasts for 2147483 seconds albeit the fritzbox
will just stop responding after one hour.

The old patch from Florian Echtler at
http://permalink.gmane.org/gmane.network.vpnc.devel/3435 would have
changed this to propose 3600 seconds always, which would then lead to
the problem that all connections would die after 1 hour...

> Since key re-negotiation is not implemented, I have to restart vpnc
> every 8 hours. Boring but acceptable.

seen my next patch? The ugly "RFC" one? It addresses this for me. But
"ugly" is probably not enough to describe it ;-)

> With your patch the client will force Nortel server to use lifetime of
> just one hour; this could become unacceptable.

I don't think it will, but I have only tested it against the fritzbox
vpn. Just try it. With --debug=2 I can see the "used X|Y seconds"
counting up, where Y is what we got from the lifetime.

Does the nortel actually send an "lifetime=8hours" proposal?

> Is there any other way to implement it?
> What if we just remove/rewrite the assert and implement the lifetime
> attribute parsing in do_phase1_am_packet2() ?

I have not the slightest idea of how this works. I basically just looked
at the debug output (full dump) to find out what vpnc was complaining
about. Then I fixed the issues I saw. I don't think I'm the person to
judge how to do this "correct" :-)

Best regards,

Stefan
--
Stefan Seyfried
Linux Consultant & Developer
Mail: seyfried@b1-systems.de GPG Key: 0x731B665B

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
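The two things this thread turns on are the ISAKMP data-attribute encoding (a Life Duration can arrive as a 2-byte TV attribute or as a TLV attribute, and the Fritz!Box sends a TLV with length 0) and the RESPONDER-LIFETIME notify that carries the 3600-second proposal. The C below is an added example, not vpnc's code and not the attached patch: the function names parse_lifetime_attrs and parse_responder_lifetime_notify, the result struct and the sample byte strings are constructed here, and the choice to treat a missing Life Type as "seconds" is an assumption. The attribute format and payload layout follow RFC 2408, the attribute numbers RFC 2409 Appendix A, and the notify type 24576 RFC 2407. A zero-length Life Duration is reported in the result and otherwise skipped, which is the "log it instead of asserting" behaviour the patch description asks for; a truncated attribute list is reported as malformed rather than read past the buffer.

```c
/* Added example, not vpnc's code: parse ISAKMP data attributes (RFC 2408 s3.3)
 * and pull a RESPONDER-LIFETIME out of a Notify payload (RFC 2408 s3.14,
 * RFC 2407 s4.6.3). A zero-length Life Duration is flagged, not assert()ed on. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IKE_ATTR_LIFE_TYPE          11     /* RFC 2409 Appendix A */
#define IKE_ATTR_LIFE_DURATION      12
#define IKE_LIFE_TYPE_SECONDS        1
#define ISAKMP_N_RESPONDER_LIFETIME  24576 /* RFC 2407 s4.6.3 */

struct lifetime_result {
    int found;        /* 1 if a usable Life Duration in seconds was present */
    int zero_length;  /* 1 if a Life Duration with length 0 was seen */
    int malformed;    /* 1 if the attribute list or payload was truncated */
    uint32_t seconds;
};

static uint32_t be_load(const uint8_t *p, size_t n)
{
    uint32_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Walk ISAKMP data attributes. TV form: AF bit set, 2-byte value.
 * TLV form: AF bit clear, 2-byte length, then that many value bytes. */
struct lifetime_result parse_lifetime_attrs(const uint8_t *buf, size_t len)
{
    struct lifetime_result r = {0, 0, 0, 0};
    uint32_t life_type = IKE_LIFE_TYPE_SECONDS; /* assumption: seconds if Life Type is omitted */
    size_t off = 0;

    while (off + 4 <= len) {
        uint16_t hdr = (uint16_t)be_load(buf + off, 2), type = hdr & 0x7fff;
        const uint8_t *val = buf + off + 2;
        size_t vlen = 2;                       /* TV: value is the 2 bytes after the header */

        if (!(hdr & 0x8000)) {                 /* TLV: explicit length, value follows */
            vlen = be_load(buf + off + 2, 2);
            val = buf + off + 4;
            if (vlen > len - off - 4) { r.malformed = 1; return r; }
            off += vlen;
        }
        off += 4;

        if (type == IKE_ATTR_LIFE_TYPE && vlen > 0 && vlen <= 4) {
            life_type = be_load(val, vlen);
        } else if (type == IKE_ATTR_LIFE_DURATION) {
            if (vlen == 0) r.zero_length = 1;  /* the case that tripped vpnc's assert() */
            else if (vlen > 4) { r.malformed = 1; return r; }
            else if (life_type == IKE_LIFE_TYPE_SECONDS) { r.found = 1; r.seconds = be_load(val, vlen); }
        }
    }
    if (off != len) r.malformed = 1;           /* trailing partial attribute */
    return r;
}

/* Notify payload body from its generic header: next(1) reserved(1) length(2)
 * DOI(4) protocol(1) SPI size(1) message type(2) SPI(n) notification data. */
struct lifetime_result parse_responder_lifetime_notify(const uint8_t *body, size_t len)
{
    struct lifetime_result r = {0, 0, 0, 0};
    if (len < 12) { r.malformed = 1; return r; }
    size_t plen = be_load(body + 2, 2), spisz = body[9];
    if (plen > len || plen < 12 + spisz) { r.malformed = 1; return r; }
    if (be_load(body + 10, 2) != ISAKMP_N_RESPONDER_LIFETIME) return r; /* some other notify */
    return parse_lifetime_attrs(body + 12 + spisz, plen - 12 - spisz);
}

/* Constructed sample, not a capture: RESPONDER-LIFETIME carrying
 * Life Type = seconds (TV) and Life Duration = 3600 (TLV, 4 bytes). */
static const uint8_t sample_notify[] = {
    0x00, 0x00, 0x00, 0x18,  /* next payload NONE, reserved, length 24 */
    0x00, 0x00, 0x00, 0x01,  /* DOI = IPsec */
    0x01, 0x00,              /* protocol ISAKMP, SPI size 0 */
    0x60, 0x00,              /* 24576 = RESPONDER-LIFETIME */
    0x80, 0x0b, 0x00, 0x01,  /* Life Type = seconds */
    0x00, 0x0c, 0x00, 0x04, 0x00, 0x00, 0x0e, 0x10 /* Life Duration = 3600 */
};
/* Constructed sample: Life Duration sent as a zero-length TLV. */
static const uint8_t sample_zero_len[] = { 0x80, 0x0b, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x00 };
/* Constructed sample: TLV claims 4 value bytes but only 2 are present. */
static const uint8_t sample_truncated[] = { 0x00, 0x0c, 0x00, 0x04, 0x00, 0x00 };

int main(void)
{
    struct lifetime_result a = parse_responder_lifetime_notify(sample_notify, sizeof sample_notify);
    struct lifetime_result b = parse_lifetime_attrs(sample_zero_len, sizeof sample_zero_len);
    printf("notify: found=%d seconds=%u\n", a.found, (unsigned)a.seconds);
    printf("zero-length: found=%d zero_length=%d (log it, don't assert)\n", b.found, b.zero_length);
    return 0;
}
```

The caller decides what to do with zero_length: with the flow described above, leaving the previously proposed lifetime in place and waiting for the later RESPONDER-LIFETIME notify is what gets vpnc to the 3600 seconds. Keeping the bounds check on the TLV length matters more than the assert ever did, since the length field is peer-controlled.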
Re: [patch] adopt to server-suggested lifetime
On Tue, Nov 8, 2011 at 4:01 PM, Stefan Seyfried
<stefan.seyfried@googlemail.com> wrote:
> Hi Antonio,
>
> On 08.11.2011 04:27, Antonio Borneo wrote:
>> Hi Stefan,
>>
>> I will test it with Nortel connection.
>> I think there could be one issue but I need to verify.
>> In my case, Nortel server uses a lifetime of 8 hours, but agrees on
>> the minimum lifetime between what the client proposes and the internal
>> settings of 8 hours.
>
> I don't think thats what happens.
> ...
> The old patch from Florian Echtler at
> http://permalink.gmane.org/gmane.network.vpnc.devel/3435 would have
> changed this to propose 3600 seconds always, which would then lead to
> the problem that all connections would die after 1 hour...

Hi Stefan,
you are right, Florian's patch would force 1 hour, while your approach
does not change current behaviour.
Patch tested, does not impact Nortel functionality.

>> Since key re-negotiation is not implemented, I have to restart vpnc
>> every 8 hours. Boring but acceptable.
>
> seen my next patch? The ugly "RFC" one? It addresses this for me. But
> "ugly" is probably not enough to describe it ;-)

Yes, I read it and I don't like it, even if I agree it can be useful.
Comments from list users are welcome.

Best Regards,
Antonio Borneo