

    Bug in setting source IP for IKE packets causes failure to install IPv6 CHILD_SA when built with certain compilers

    https://wiki.strongswan.org/issues/1171


    Further discussions, tests (thanks Yves-Alexis!) and research showed that this was caused by a bug in the socket-default plugin that manifested itself with newer versions of GCC.

    In this particular case (IPv6) the problematic code looks like this:

    else
    {
        /* buf lives only inside this block, but msg.msg_control keeps pointing at it */
        char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
        struct in6_pktinfo *pktinfo;
        struct sockaddr_in6 *sin;
    
        memset(buf, 0, sizeof(buf));
        msg.msg_control = buf;
        msg.msg_controllen = sizeof(buf);
        cmsg = CMSG_FIRSTHDR(&msg);
        cmsg->cmsg_level = SOL_IPV6;
        cmsg->cmsg_type = IPV6_PKTINFO;
        cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
        pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
        sin = (struct sockaddr_in6*)src->get_sockaddr(src);
        memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
    }

    The problem is that msg is defined and used (via sendmsg) outside the scope of this else-block.

    Newer versions of GCC (5.2.1 in the tests) optimized the memcpy() call away; the rest of the generated program code remained the same as with earlier versions, though. But without the address being set via IPV6_PKTINFO, the packets were not sent from the address intended by the IKE daemon.

    The reason this caused the failure to install the CHILD_SA is the source address selection done by the daemon. Due to the option charon.prefer_temporary_addresses=no (the default), the daemon intended to send the IKE packets from the static IPv6 address. But because of the issue above this address was not set, so the default source address selection kicked in, which prefers temporary addresses by default. Therefore, the packets were sent from the temporary address instead.

    However, to build the NAT_DETECTION_SOURCE_IP payload the daemon also used its intended source address (i.e. the static address). This consequently caused a mismatch on the responder, which concluded that the initiator is behind a NAT. Because the Linux kernel currently does not support UDP encapsulation for IPv6, this resulted in the failure to install the IPsec SA.

    A fix for the bug can be found in the 1171-socket-default-scope branch. A workaround in this particular case is to configure charon.prefer_temporary_addresses=yes, which causes charon to internally use the same source address as the kernel.
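
    The following is an added illustration, not code from strongSwan or from the 1171-socket-default-scope branch: the corrected pattern, with the control buffer declared in the same scope as msg and the sendmsg() call that reads it, extended to the IPv4 (IP_PKTINFO) counterpart that the post does not show, plus a reader that walks the control messages back. The function names (set_src_addr, get_src_addr, send_from, roundtrip_matches) and the sample addresses are this example's own, and Linux/glibc socket semantics are assumed.

```c
/* Added example (not strongSwan's code nor the 1171-socket-default-scope fix):
 * the corrected pattern for selecting a UDP datagram's source address with
 * IP_PKTINFO / IPV6_PKTINFO. The control buffer is owned by the function that
 * also calls sendmsg(), so msg.msg_control never outlives it. Linux/glibc assumed. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#if defined(__GLIBC__) && !defined(__USE_GNU)
/* glibc declares in6_pktinfo only under _GNU_SOURCE; mirror its layout. */
struct in6_pktinfo { struct in6_addr ipi6_addr; unsigned int ipi6_ifindex; };
#endif
#define PKTINFO_SPACE CMSG_SPACE(sizeof(struct in6_pktinfo))

/* Attach a pktinfo cmsg naming src as the source address. buf is caller-owned
 * (>= PKTINFO_SPACE bytes) and must outlive the sendmsg() that reads msg. */
int set_src_addr(struct msghdr *msg, void *buf, size_t buflen,
                 const struct sockaddr *src)
{
    struct cmsghdr *cmsg;
    if (buflen < PKTINFO_SPACE) return -1;
    if (src->sa_family != AF_INET && src->sa_family != AF_INET6) return -1;
    memset(buf, 0, buflen);
    msg->msg_control = buf;
    msg->msg_controllen = buflen;
    cmsg = CMSG_FIRSTHDR(msg);
    if (src->sa_family == AF_INET) {
        struct in_pktinfo *pi = (struct in_pktinfo *)CMSG_DATA(cmsg);
        cmsg->cmsg_level = IPPROTO_IP;
        cmsg->cmsg_type = IP_PKTINFO;
        cmsg->cmsg_len = CMSG_LEN(sizeof(*pi));
        /* On Linux, ipi_spec_dst is the local address to send from. */
        pi->ipi_spec_dst = ((const struct sockaddr_in *)src)->sin_addr;
        msg->msg_controllen = CMSG_SPACE(sizeof(*pi));
    } else {
        struct in6_pktinfo *pi6 = (struct in6_pktinfo *)CMSG_DATA(cmsg);
        cmsg->cmsg_level = IPPROTO_IPV6;
        cmsg->cmsg_type = IPV6_PKTINFO;
        cmsg->cmsg_len = CMSG_LEN(sizeof(*pi6));
        pi6->ipi6_addr = ((const struct sockaddr_in6 *)src)->sin6_addr;
        msg->msg_controllen = CMSG_SPACE(sizeof(*pi6));
    }
    return 0;
}

/* Read back, as text, the source address the pktinfo cmsg in msg selects; 1 if found. */
int get_src_addr(struct msghdr *msg, char *out, size_t outlen)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO)
            return inet_ntop(AF_INET, &((struct in_pktinfo *)CMSG_DATA(c))->ipi_spec_dst,
                             out, outlen) != NULL;
        if (c->cmsg_level == IPPROTO_IPV6 && c->cmsg_type == IPV6_PKTINFO)
            return inet_ntop(AF_INET6, &((struct in6_pktinfo *)CMSG_DATA(c))->ipi6_addr,
                             out, outlen) != NULL;
    }
    return 0;
}

/* Send payload to dst from src on fd: cbuf, msg and sendmsg() share one scope. */
ssize_t send_from(int fd, const struct sockaddr *src, const struct sockaddr *dst,
                  socklen_t dstlen, const void *payload, size_t len)
{
    char cbuf[PKTINFO_SPACE];
    struct iovec iov = { (void *)payload, len };
    struct msghdr msg = { 0 };
    msg.msg_name = (void *)dst;
    msg.msg_namelen = dstlen;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    if (set_src_addr(&msg, cbuf, sizeof(cbuf), src) < 0) return -1;
    return sendmsg(fd, &msg, 0);
}

/* Parse addr (IPv4 or IPv6 text), build its cmsg, read it back; 1 if it matches. */
int roundtrip_matches(const char *addr)
{
    struct sockaddr_storage ss = { 0 };
    struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
    char cbuf[PKTINFO_SPACE], out[INET6_ADDRSTRLEN];
    struct msghdr msg = { 0 };
    if (inet_pton(AF_INET6, addr, &s6->sin6_addr) == 1) s6->sin6_family = AF_INET6;
    else if (inet_pton(AF_INET, addr, &s4->sin_addr) == 1) s4->sin_family = AF_INET;
    else return 0;
    if (set_src_addr(&msg, cbuf, sizeof(cbuf), (struct sockaddr *)&ss) < 0) return 0;
    return get_src_addr(&msg, out, sizeof(out)) && strcmp(out, addr) == 0;
}

int main(void)
{
    /* Constructed sample addresses (documentation ranges), not from the issue. */
    printf("IPv6 round trip: %s\n", roundtrip_matches("2001:db8::1") ? "ok" : "FAILED");
    printf("IPv4 round trip: %s\n", roundtrip_matches("192.0.2.10") ? "ok" : "FAILED");
    return 0;
}
```

    Build with cc -Wall and run; the two round trips print ok. The point of send_from is structural: once buf is declared inside a block that ends before sendmsg(), the store into it is a write to an object whose lifetime is over, and a compiler is entitled to drop it, which is exactly what the post reports for GCC 5.2.1. Hoisting the buffer to the scope of msg removes the undefined behaviour rather than depending on the optimizer's mood; recent GCC releases also have a -Wdangling-pointer warning that can flag pointers to out-of-scope locals.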


    Original source: https://www.cnblogs.com/ztguang/p/12644771.html