[vpn-devel] SHA2 Inteoperability issues?

Matthew Grooms mgrooms at shrew.net
Tue May 21 14:11:00 CDT 2013 

Hi Mark,

I am the primary developer of the Shrew Soft VPN client. All of our 
compatibility testing for SHA2 was performed against Linux and FreeBSD 
kernel mode IPsec. I don't think any of the Cisco devices in my lab 
support SHA2. I will make sure my target gateways are up to date and 
perform some additional compatibility testing. If I can reproduce your 
failure test case, I will make sure this gets fixed for the upcoming 
2.2.1 release and illicit your feedback for confirmation.

Thanks,

-Matthew

On 5/20/2013 6:12 PM, Mark Larwill wrote:
> This sounds like a good idea, but actually, I already knew the original
> Linux handled SHA2-256 wrong, (incorrectly assuming a truncated length
> of 96 bits). Our firewall is Linux based and I had run into the same
> problem, and fixed it. There's an extra parameter we can pass to specify
> the truncated length as 128 bits, which we do pass to Linux only in the
> SHA2-256 case.
>
> In my case what I'm seeing is that all three SHA2 variants are failing
> (negotiation works traffic doesn't pass), and in each case I'm seeing
> the logs show up as an integrity check failing.
>
> I'm curious to know from any of the shrew developers or QA if they've
> done any testing with Cisco boxes. We tested SHA2 for branch office VPN
> from WatchGuard to a Cisco box and that worked. Since we already had the
> Cisco box we also tested both mobile vpn with IPSec clients (Shrew
> client, and NCP client) with the Cisco box, and we saw similar results,
> NCP worked, Shrew did not. I have this log from the Cisco box from when
> we tried to get it to work with Shrew:
>
> CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection
> id=179 local=16.0.0.200 remote=16.0.0.190 spi=030DA0F6 seqno=00000001
>
> --Mark Larwill
>
>
>
> On Mon, May 20, 2013 at 3:52 PM, Paul Wouters <paul at nohats.ca
> <mailto:paul at nohats.ca>> wrote:
>
>     On Mon, 20 May 2013, Mark Larwill wrote:
>
>         I'm a developer at WatchGuard and I'm working on adding SHA2
>         support for SHA2-256, SHA2-384, and SHA2-512 to our firewall. I have
>         noticed that when testing with NCP's mobile VPN client,
>         everything works. When I test with Shrew's client it does not
>         work. Here's
>         what I know:
>         1. Phase1 and Phase2 both complete successfully
>         2. If I send ping traffic, Shrew does generate ESP packets
>         3. ESP packets are dropped at the firewall and a log message is
>         generated saying that "Integrity check failed"
>
>         May 20 20:45:30 2013 Firebox local0.warn kernel: [ 1553.257472]
>         WG: Packet rejected. Gateways (src 4.4.4.1 dst 8.8.8.1) Selector
>         (src
>         77.0.0.1 dst 0.0.0.0) spi 0xb5d723ce proto 50 reason "Integrity
>         check failed"
>
>         I understand that the problem could be on either side, so at
>         this point it is not clear if the Shrew client is doing
>         something wrong,
>         or if the firewall is. However if I had to make an educated
>         guess, I would speculate that maybe the shrew client is sending
>         the full
>         SHA2 hash, instead of the truncated value (per RFC4868). This
>         could cause the integrity check to fail. For example if using
>         SHA2-256
>         and sending a 100 byte packet, with a full 32 bytes of hash, for
>         a total of 132 bytes, the firewall might assume it's a 116 byte
>         packet with 16 bytes of truncated hash.
>
>
>     The Linux kernel implemented sha2_256 wrong. It used a draft instead of
>     the final RFC document. They then fixed it using a different xfrm_algo
>     struct in the kernel. So if your software uses the old method, it will
>     fail with RFC compliant devices. If your software uses the new method,
>     it will fail with older Linux kernels. Note that SHA2-384 and SHA2-512
>     were correctly implemented, so you can test with that see if this is
>     indeed your problem (assuming you use shrew on linux)
>
>     For libreswan/openswan, we introduced the sha2_truncbug= option to be
>     able to do both:
>
>             sha2_truncbug
>                 The default hash truncation for sha2_256 is 128 bits. Linux
>                 implemented the draft version which stated 96 bits. This
>     option
>                 enables using the bad 96 bits version to interop with
>     older linux
>                 kernels (unpatched version 2.6.33 and older) and
>     libreswan versions
>                 before 2.6.38. Currently the accepted values are no,
>     (the default)
>                 signifying default IETF truncation of 128 bits, or yes,
>     signifying
>                 96 bits broken Linux kernel style truncation.
>
>     You can find the code in openswan/libreswan in
>     programs/pluto/kernel_netlink.__c
>
>     Paul
>
>
>
>
> _______________________________________________
> vpn-devel mailing list
> vpn-devel at lists.shrew.net
> https://lists.shrew.net/mailman/listinfo/vpn-devel
>

More information about the vpn-devel mailing list