Stephen Bevan
2016-09-14 20:34:40 UTC
StrongSwan has a HA system that will synchronize the IKE and IPsec HA
state and so does not need to support RFC 6311 when StrongSwan is
configured as a HA cluster.
However, if the peer device is in a HA cluster and would prefer to use
RFC 6311 IKEV2_MESSAGE_ID_SYNC to synchronize the IKE SA message ID
counters then this will not work since StrongSwan does not support
responding to a IKEV2_MESSAGE_ID_SYNC message. As to why the peer
device may prefer to use IKEV2_MESSAGE_ID_SYNC where possible,
consider the case where the peer is actually a small HA cluster of C
devices (say C=3) which act as VPN concentrators for N clients (say
N=60,000) and the traffic is uni-directional (from client to server
and so DPD on the client will continually being triggered due to lack
of traffic from concentrator end). In this case the VPN concentrator
is receiving N/D DPD probes a second where D is the DPD period (say 5
seconds) and that could mean 12,000 IKE HAs a second that need their
sequence numbers synchronizing to the other cluster nodes. That can
certainly be done, but that's a lot of traffic that can be avoided
if both sides support IKEV2_MESSAGE_ID_SYNC.
Attached is a patch
(0001-RFC-6311-IKEV2_MESSAGE_ID_SYNC-responder-support.patch) which
adds minimal RFC 6311 to StrongSwan. Specifially with the patch
applied when StrongSwan initiates a connection then an
IKEV2_MESSAGE_ID_SYNC_SUPPORTED is uncondtionally included in the
IKE_AUTH. If the peer responds with an
IKEV2_MESSAGE_ID_SYNC_SUPPORTED then StrongSwan is now prepared to
accept an INFORMATIONAL message containing an IKEV2_MESSAGE_ID_SYNC
and respond with a IKEV2_MESSAGE_ID_SYNC containing the updated
sequence numbers.
There patch does not include support for
IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED, nor is there any support for
StrongSwan initiating IKEV2_MESSAGE_ID_SYNC on StrongSwan HA failover.
The patch was made against a tree containing the following at the tip :-
commit d9fe0ec7122c1890836226f703a9774958876f3e
Author: Tobias Brunner <***@strongswan.org>
Date: Wed Aug 24 11:34:36 2016 +0200
ikev2: (Re-)Queue tasks used to establish an IKE_SA in reset()
Note that RFC 6311 is rather invasive to the IKEv2 state machine since
it alters message ID numbers. I've tried to fit in with the general
architecture of StrongSwan as best as I understand it. For example,
I'm not entirely clear whether IKEV2_MESSAGE_ID_SYNC_SUPPORTED should
be handled as a task like IKEV2_MESSAGE_ID_SYNC or whether it is
acceptable to handle it in ike_auth.c. I tried both and in the end
decided on putting IKEV2_MESSAGE_ID_SYNC_SUPPORTED in ike_auth.c since
it resulted in a smaller patch.
The patch was lightly tested against a Fortinet FortiGate. I have
some debug showing the IKE SA negotiation, the FortiGate performing a
HA switch, sending IKEV2_MESSAGE_ID_SYNC to StrongSwan, receiving a
reply, re-synchronizing its sequence numbers and DPD in both
directions continuing to work. However, my attempt to include
that in the submission pushed the email about the 100KB limit so
I've omitted them.
state and so does not need to support RFC 6311 when StrongSwan is
configured as a HA cluster.
However, if the peer device is in a HA cluster and would prefer to use
RFC 6311 IKEV2_MESSAGE_ID_SYNC to synchronize the IKE SA message ID
counters then this will not work since StrongSwan does not support
responding to a IKEV2_MESSAGE_ID_SYNC message. As to why the peer
device may prefer to use IKEV2_MESSAGE_ID_SYNC where possible,
consider the case where the peer is actually a small HA cluster of C
devices (say C=3) which act as VPN concentrators for N clients (say
N=60,000) and the traffic is uni-directional (from client to server
and so DPD on the client will continually being triggered due to lack
of traffic from concentrator end). In this case the VPN concentrator
is receiving N/D DPD probes a second where D is the DPD period (say 5
seconds) and that could mean 12,000 IKE HAs a second that need their
sequence numbers synchronizing to the other cluster nodes. That can
certainly be done, but that's a lot of traffic that can be avoided
if both sides support IKEV2_MESSAGE_ID_SYNC.
Attached is a patch
(0001-RFC-6311-IKEV2_MESSAGE_ID_SYNC-responder-support.patch) which
adds minimal RFC 6311 to StrongSwan. Specifially with the patch
applied when StrongSwan initiates a connection then an
IKEV2_MESSAGE_ID_SYNC_SUPPORTED is uncondtionally included in the
IKE_AUTH. If the peer responds with an
IKEV2_MESSAGE_ID_SYNC_SUPPORTED then StrongSwan is now prepared to
accept an INFORMATIONAL message containing an IKEV2_MESSAGE_ID_SYNC
and respond with a IKEV2_MESSAGE_ID_SYNC containing the updated
sequence numbers.
There patch does not include support for
IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED, nor is there any support for
StrongSwan initiating IKEV2_MESSAGE_ID_SYNC on StrongSwan HA failover.
The patch was made against a tree containing the following at the tip :-
commit d9fe0ec7122c1890836226f703a9774958876f3e
Author: Tobias Brunner <***@strongswan.org>
Date: Wed Aug 24 11:34:36 2016 +0200
ikev2: (Re-)Queue tasks used to establish an IKE_SA in reset()
Note that RFC 6311 is rather invasive to the IKEv2 state machine since
it alters message ID numbers. I've tried to fit in with the general
architecture of StrongSwan as best as I understand it. For example,
I'm not entirely clear whether IKEV2_MESSAGE_ID_SYNC_SUPPORTED should
be handled as a task like IKEV2_MESSAGE_ID_SYNC or whether it is
acceptable to handle it in ike_auth.c. I tried both and in the end
decided on putting IKEV2_MESSAGE_ID_SYNC_SUPPORTED in ike_auth.c since
it resulted in a smaller patch.
The patch was lightly tested against a Fortinet FortiGate. I have
some debug showing the IKE SA negotiation, the FortiGate performing a
HA switch, sending IKEV2_MESSAGE_ID_SYNC to StrongSwan, receiving a
reply, re-synchronizing its sequence numbers and DPD in both
directions continuing to work. However, my attempt to include
that in the submission pushed the email about the 100KB limit so
I've omitted them.