kern/52346: Android VPN (IPSEC) setup fails with UDP checksum errors

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/52346: Android VPN (IPSEC) setup fails with UDP checksum errors
From: kardel%netbsd.org@localhost
Date: Wed, 28 Jun 2017 09:45:00 +0000 (UTC)
>Number:         52346
>Category:       kern
>Synopsis:       Android VPN (IPSEC) setup fails with UDP checksum errors
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 28 09:45:00 +0000 2017
>Originator:     kardel%netbsd.org@localhost
>Release:        NetBSD 8.0_BETA
>Organization:
	
>Environment:
	
	
System: NetBSD Gateway 8.0_BETA NetBSD 8.0_BETA (GATEWAY) #0: Wed Jun 28 10:22:03 CEST 2017 kardel@xxx:/fs/raid2a/src/NetBSD/n8/src/obj.amd64/sys/arch/amd64/compile/GATEWAY i386
Architecture: i386
Machine: i386
>Description:
	Setup of IPSEC VPN from Android (4-7) smartphones does not work.
	raccoon negotiation works mostly, but once the SA is established
	the udp checksum error counter keeps increasing and the packets 
	get dropped.

	Using an old checksum fix patch from gnats gets the packets
	through, but the is just a stop gap measure.

	Failing setup (current state):
	2017-06-28T08:08:33.267782+00:00 Gateway racoon - - - INFO: respond new phase 1 negotiation: A.B.C.36[500]<=>D.E.F.66[54056] 
	2017-06-28T08:08:33.268144+00:00 Gateway racoon - - - INFO: begin Identity Protection mode. 
	2017-06-28T08:08:33.271946+00:00 Gateway racoon - - - INFO: received Vendor ID: RFC 3947 
	2017-06-28T08:08:33.272321+00:00 Gateway racoon - - - INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
	2017-06-28T08:08:33.272720+00:00 Gateway racoon - - - INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
	2017-06-28T08:08:33.273120+00:00 Gateway racoon - - - INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 
	2017-06-28T08:08:33.273529+00:00 Gateway racoon - - - INFO: received broken Microsoft ID: FRAGMENTATION 
	2017-06-28T08:08:33.273941+00:00 Gateway racoon - - - INFO: received Vendor ID: DPD 
	2017-06-28T08:08:33.274741+00:00 Gateway racoon - - - [D.E.F.66] INFO: Selected NAT-T version: RFC 3947 
	2017-06-28T08:08:33.380892+00:00 Gateway racoon - - - [A.B.C.36] INFO: Hashing A.B.C.36[500] with algo #2  
	2017-06-28T08:08:33.381704+00:00 Gateway racoon - - - INFO: NAT-D payload #0 verified 
	2017-06-28T08:08:33.382097+00:00 Gateway racoon - - - [D.E.F.66] INFO: Hashing D.E.F.66[54056] with algo #2  
	2017-06-28T08:08:33.382930+00:00 Gateway racoon - - - INFO: NAT-D payload #1 doesn't match 
	2017-06-28T08:08:33.383290+00:00 Gateway racoon - - - INFO: NAT detected: PEER 
	2017-06-28T08:08:33.437106+00:00 Gateway racoon - - - [D.E.F.66] INFO: Hashing D.E.F.66[54056] with algo #2  
	2017-06-28T08:08:33.437957+00:00 Gateway racoon - - - [A.B.C.36] INFO: Hashing A.B.C.36[500] with algo #2  
	2017-06-28T08:08:33.438746+00:00 Gateway racoon - - - INFO: Adding remote and local NAT-D payloads. 
	2017-06-28T08:08:33.531282+00:00 Gateway racoon - - - INFO: NAT-T: ports changed to: D.E.F.66[61800]<->A.B.C.36[4500] 
	2017-06-28T08:08:33.531715+00:00 Gateway racoon - - - INFO: KA found: A.B.C.36[4500]->D.E.F.66[61800] (in_use=2) 
	2017-06-28T08:08:33.671851+00:00 Gateway racoon - - - INFO: ISAKMP-SA established A.B.C.36[4500]-D.E.F.66[61800] spi:bde4da111d9ff002:6dc5cbf88793ded1 
	2017-06-28T08:08:33.710131+00:00 Gateway racoon - - - [D.E.F.66] INFO: received INITIAL-CONTACT 
	2017-06-28T08:08:33.711071+00:00 Gateway racoon - - - INFO: purging spi=138460684. 
	2017-06-28T08:08:33.711350+00:00 Gateway racoon - - - INFO: deleting a generated policy. 
	2017-06-28T08:08:33.713001+00:00 Gateway racoon - - - INFO: purging spi=37096200. 
	2017-06-28T08:08:34.716899+00:00 Gateway racoon - - - INFO: respond new phase 2 negotiation: A.B.C.36[4500]<=>D.E.F.66[61800] 
	2017-06-28T08:08:34.730630+00:00 Gateway racoon - - - INFO: Update the generated policy : 10.0.8.198/32[0] A.B.C.36/32[1701] proto=udp dir=in 
	2017-06-28T08:08:34.787365+00:00 Gateway racoon - - - INFO: Adjusting my encmode UDP-Transport->Transport 
	2017-06-28T08:08:34.787637+00:00 Gateway racoon - - - INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2) 
	2017-06-28T08:08:34.849171+00:00 Gateway racoon - - - INFO: IPsec-SA established: ESP/Transport A.B.C.36[4500]->D.E.F.66[61800] spi=202980303(0xc193bcf) 
	2017-06-28T08:08:34.850159+00:00 Gateway racoon - - - INFO: IPsec-SA established: ESP/Transport A.B.C.36[4500]->D.E.F.66[61800] spi=255416436(0xf395874) 
	[ communication ends here ]

	Successful setup with band-aid solution from fix section
	2017-06-28T08:50:15.422354+00:00 Gateway racoon - - - INFO: begin Identity Protection mode. 
	2017-06-28T08:50:15.425008+00:00 Gateway racoon - - - INFO: received Vendor ID: RFC 3947 
	2017-06-28T08:50:15.425336+00:00 Gateway racoon - - - INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
	2017-06-28T08:50:15.425656+00:00 Gateway racoon - - - INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
	2017-06-28T08:50:15.425975+00:00 Gateway racoon - - - INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 
	2017-06-28T08:50:15.426296+00:00 Gateway racoon - - - INFO: received broken Microsoft ID: FRAGMENTATION 
	2017-06-28T08:50:15.426615+00:00 Gateway racoon - - - INFO: received Vendor ID: DPD 
	2017-06-28T08:50:15.427190+00:00 Gateway racoon - - - [D.E.F.66] INFO: Selected NAT-T version: RFC 3947 
	2017-06-28T08:50:15.513449+00:00 Gateway racoon - - - [A.B.C.36] INFO: Hashing A.B.C.36[500] with algo #2  
	2017-06-28T08:50:15.514376+00:00 Gateway racoon - - - INFO: NAT-D payload #0 verified 
	2017-06-28T08:50:15.514882+00:00 Gateway racoon - - - [D.E.F.66] INFO: Hashing D.E.F.66[57612] with algo #2  
	2017-06-28T08:50:15.515778+00:00 Gateway racoon - - - INFO: NAT-D payload #1 doesn't match 
	2017-06-28T08:50:15.516253+00:00 Gateway racoon - - - INFO: NAT detected: PEER 
	2017-06-28T08:50:15.554179+00:00 Gateway racoon - - - [D.E.F.66] INFO: Hashing D.E.F.66[57612] with algo #2  
	2017-06-28T08:50:15.554821+00:00 Gateway racoon - - - [A.B.C.36] INFO: Hashing A.B.C.36[500] with algo #2  
	2017-06-28T08:50:15.555419+00:00 Gateway racoon - - - INFO: Adding remote and local NAT-D payloads. 
	2017-06-28T08:50:15.605758+00:00 Gateway racoon - - - INFO: NAT-T: ports changed to: D.E.F.66[58130]<->A.B.C.36[4500] 
	2017-06-28T08:50:15.605981+00:00 Gateway racoon - - - INFO: KA found: A.B.C.36[4500]->D.E.F.66[58130] (in_use=2) 
	2017-06-28T08:50:15.674438+00:00 Gateway racoon - - - INFO: ISAKMP-SA established A.B.C.36[4500]-D.E.F.66[58130] spi:5d2c0f59d34a4711:13cb2478a258e84a 
	2017-06-28T08:50:15.711301+00:00 Gateway racoon - - - [D.E.F.66] INFO: received INITIAL-CONTACT 
	2017-06-28T08:50:15.712442+00:00 Gateway racoon - - - INFO: purging spi=75014854. 
	2017-06-28T08:50:15.712658+00:00 Gateway racoon - - - INFO: deleting a generated policy. 
	2017-06-28T08:50:15.714399+00:00 Gateway racoon - - - INFO: purging spi=244968613. 
	2017-06-28T08:50:16.711657+00:00 Gateway racoon - - - INFO: respond new phase 2 negotiation: A.B.C.36[4500]<=>D.E.F.66[58130] 
	2017-06-28T08:50:16.743801+00:00 Gateway racoon - - - INFO: Update the generated policy : 10.0.8.198/32[0] A.B.C.36/32[1701] proto=udp dir=in 
	2017-06-28T08:50:16.804974+00:00 Gateway racoon - - - INFO: Adjusting my encmode UDP-Transport->Transport 
	2017-06-28T08:50:16.805207+00:00 Gateway racoon - - - INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2) 
	[ missing above ]
	2017-06-28T08:50:16.806462+00:00 Gateway /netbsd - - - key_set_natt_ports: type 2, sport = 58130, dport = 4500
	2017-06-28T08:50:16.806462+00:00 Gateway /netbsd - - - key_set_natt_ports: type 2, sport = 58130, dport = 4500
	2017-06-28T08:50:16.865769+00:00 Gateway /netbsd - - - key_handle_natt_info: type 2, sport = 58130, dport = 4500
	2017-06-28T08:50:16.867046+00:00 Gateway /netbsd - - - key_set_natt_ports: type 2, sport = 4500, dport = 58130
	2017-06-28T08:50:16.867365+00:00 Gateway /netbsd - - - key_handle_natt_info: type 2, sport = 4500, dport = 58130
	2017-06-28T08:50:16.873260+00:00 Gateway racoon - - - INFO: IPsec-SA established: ESP/Transport A.B.C.36[4500]->D.E.F.66[58130] spi=227017815(0xd880457) 
	2017-06-28T08:50:16.874219+00:00 Gateway racoon - - - INFO: IPsec-SA established: ESP/Transport A.B.C.36[4500]->D.E.F.66[58130] spi=47888302(0x2dab7ae) 
	[ communications works - l2tp setup starts ]
	2017-06-28T08:50:17.444637+00:00 Gateway xl2tpd 635 - - Connection established to D.E.F.66, 43576.  Local: 11927, Remote: 16196 (ref=0/0).  LNS session is 'default' 
	2017-06-28T08:50:17.534643+00:00 Gateway xl2tpd 635 - - set queue size for /dev/pts/0 to 32768 
	2017-06-28T08:50:17.542567+00:00 Gateway xl2tpd 635 - - Call established with D.E.F.66, Local: 32025, Remote: 17590, Serial: 1337645123 
	2017-06-28T08:50:17.597676+00:00 Gateway pppd 7793 - - pppd 2.4.7 started by root, uid 0
	2017-06-28T08:50:17.606893+00:00 Gateway pppd 7793 - - set_up_tty: Changed queue size of 8 from 1024 to 32768
	2017-06-28T08:50:17.610306+00:00 Gateway pppd 7793 - - tty_establish_ppp: Changed queue size of 8 from 1024 to 32768
	2017-06-28T08:50:17.613510+00:00 Gateway pppd 7793 - - Using interface ppp0
	2017-06-28T08:50:17.817129+00:00 Gateway pppd 7793 - - Connect: ppp0 <--> /dev/pts/0
	2017-06-28T08:50:20.499316+00:00 Gateway pppd 7793 - - Deflate (15) compression enabled
	2017-06-28T08:50:20.529084+00:00 Gateway pppd 7793 - - sifproxyarp: Cannot determine ethernet address for proxy ARP
	2017-06-28T08:50:20.529358+00:00 Gateway pppd 7793 - - local  IP address 10.200.103.1
	2017-06-28T08:50:20.529572+00:00 Gateway pppd 7793 - - remote IP address 10.200.103.192
	2017-06-28T08:50:20.530953+00:00 Gateway named 350 - - listening on IPv4 interface ppp0, 10.200.103.1#53
	2017-06-28T08:50:24.502080+00:00 Gateway ntpd 654 - - Listen normally on 13 ppp0 10.200.103.1:123

>How-To-Repeat:
	Try to setup L2TP/IPSec RSA VPN from and Android phone. Communication will get stuck on UDP checksum errors
	after IPSEC decryption (see netstat -s).

>Fix:
	This fix was found long ago either in the mailing lists or gnats. Maybe a proper solution
	(differential UDP checksum fix) can be found.

Index: ipsec_input.c
===================================================================
RCS file: /cvsroot/src/sys/netipsec/ipsec_input.c,v
retrieving revision 1.43
diff -u -r1.43 ipsec_input.c
--- ipsec_input.c       19 May 2017 04:34:09 -0000      1.43
+++ ipsec_input.c       28 Jun 2017 09:27:35 -0000
@@ -68,6 +68,8 @@
 #include <netinet/ip_var.h>
 #include <netinet/in_var.h>
 #include <netinet/in_proto.h>
+#include <netinet/udp.h>
+#include <netinet/tcp.h>

 #include <netinet/ip6.h>
 #ifdef INET6
@@ -114,6 +116,63 @@
 } while (/*CONSTCOND*/0)

 /*
+ * fixup TCP/UDP checksum
+ *
+ * XXX: if we have NAT-OA payload from IKE server,
+ *      we must do the differential update of checksum.
+ *
+ * XXX: NAT-OAi/NAT-OAr drived from IKE initiator/responder.
+ *      how to know the IKE side from kernel?
+ */
+static struct mbuf *
+ipsec4_fixup_checksum(struct mbuf *m)
+{
+       struct ip *ip;
+       struct tcphdr *th;
+       struct udphdr *uh;
+       int poff, off;
+       int plen;
+
+       if (m->m_len < sizeof(*ip))
+               m = m_pullup(m, sizeof(*ip));
+       ip = mtod(m, struct ip *); 
+       poff = ip->ip_hl << 2;
+       plen = ntohs(ip->ip_len) - poff;
+
+       switch (ip->ip_p) {
+       case IPPROTO_TCP:
+               IP6_EXTHDR_GET(th, struct tcphdr *, m, poff, sizeof(*th));
+               if (th == NULL)
+                       return NULL;
+               off = th->th_off << 2;
+               if (off < sizeof(*th) || off > plen) {
+                       m_freem(m);
+                       return NULL;
+               }
+               th->th_sum = 0;
+               th->th_sum = in4_cksum(m, IPPROTO_TCP, poff, plen);
+               break;
+       case IPPROTO_UDP:
+               IP6_EXTHDR_GET(uh, struct udphdr *, m, poff, sizeof(*uh));
+               if (uh == NULL)
+                       return NULL;
+               off = sizeof(*uh); 
+               if (off > plen) {  
+                       m_freem(m);
+                       return NULL;
+               }
+               uh->uh_sum = 0;
+               uh->uh_sum = in4_cksum(m, IPPROTO_UDP, poff, plen);
+               break;
+       default:
+               /* no checksum */  
+               return m;
+       }
+
+       return m;
+}
+
+/*
  * ipsec_common_input gets called when an IPsec-protected packet
  * is received by IPv4 or IPv6.  It's job is to find the right SA
  # and call the appropriate transform.  The transform callback
@@ -319,6 +378,22 @@
        ip->ip_len = htons(m->m_pkthdr.len);
        prot = ip->ip_p;

+        /* Update TCP/UDP checksum */
+        m = ipsec4_fixup_checksum(m);
+        if (m == NULL) {
+               char buf[IPSEC_ADDRSTRLEN];
+                DPRINTF(("ipsec4_common_input_cb: processing failed "
+                    "for SA %s/%08lx\n",
+                    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
+                    (u_long) ntohl(sav->spi)));
+                IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS,
+                    IPCOMP_STAT_HDROPS);
+                error = ENOBUFS;  
+                goto bad;
+        }
+
+
+
        /* IP-in-IP encapsulation */
        if (prot == IPPROTO_IPIP) {
                struct ip ipn;

>Unformatted:
Prev by Date: PR/51179 CVS commit: src
Next by Date: PR/52346 CVS commit: src/sys/netipsec
Previous by Thread: Re: standards/52343 (wcsnrtombs missing man-page)
Next by Thread: PR/52346 CVS commit: src/sys/netipsec
Indexes:
Home | Main Index | Thread Index | Old Index