Synopsis: iked fails to log when it receives unsupported configuration payload types, making it difficult to diagnose when valid peer configurations are being ignored.

Description: The IKEv2 daemon (iked) currently has incomplete handling of configuration payloads received from peers. While iked supports sending various configuration types (such as INTERNAL_IP4_NETMASK, INTERNAL_IP4_NBNS, etc.), it only processes INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS when receiving configurations.
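As an added example (not iked's code and not part of this report), the standalone C walker below shows the behaviour the report asks for on receive: the two types iked acts on are counted, every other attribute type is reported by type and length rather than skipped silently, and a peer-supplied length that overruns the payload stops the walk instead of being trusted. The struct and function names and the sample attribute bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct cp_result {
	int	handled;	/* attributes acted upon (address, DNS) */
	int	ignored;	/* attributes skipped, reported rather than silently dropped */
	int	malformed;	/* walk stopped on a truncated or oversized attribute */
};

/* Walk the attributes after the 4-byte CP header (RFC 7296, 3.15.1):
 * each is 1 reserved bit, a 15-bit type, a 16-bit length and the value. */
struct cp_result
walk_cp_attributes(const uint8_t *buf, size_t len)
{
	struct cp_result r = { 0, 0, 0 };
	size_t off = 0;
	uint16_t type, alen;

	while (off < len) {
		if (len - off < 4)
			break;	/* truncated attribute header */
		type = ((buf[off] & 0x7f) << 8) | buf[off + 1];
		alen = (buf[off + 2] << 8) | buf[off + 3];
		if (alen > len - off - 4)
			break;	/* peer-supplied length overruns the payload */
		switch (type) {
		case 1:		/* INTERNAL_IP4_ADDRESS */
		case 3:		/* INTERNAL_IP4_DNS */
			r.handled++;
			break;
		default:	/* e.g. INTERNAL_IP4_NETMASK (2), INTERNAL_IP4_NBNS (4) */
			printf("ignoring unsupported configuration type %u "
			    "length %u\n", (unsigned)type, (unsigned)alen);
			r.ignored++;
			break;
		}
		off += 4 + alen;
	}
	r.malformed = (off != len);
	return (r);
}

/* Constructed CP(REPLY) attribute list: address, netmask, DNS, NBNS. */
const uint8_t sample_cp[] = {
	0x00, 0x01, 0x00, 0x04, 10, 0, 0, 5,		/* INTERNAL_IP4_ADDRESS */
	0x00, 0x02, 0x00, 0x04, 255, 255, 255, 0,	/* INTERNAL_IP4_NETMASK */
	0x00, 0x03, 0x00, 0x04, 10, 0, 0, 1,		/* INTERNAL_IP4_DNS */
	0x00, 0x04, 0x00, 0x04, 10, 0, 0, 2,		/* INTERNAL_IP4_NBNS */
};
```

A zero-length attribute, as commonly seen in a CP(REQUEST), is walked without special handling because the loop advances by 4 + alen.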
The more serious issue is that iked silently drops unsupported configuration types without any warning to administrators. This creates several problems:

1. Configuration asymmetry, where iked appears to support options it cannot process
2. No visibility into ignored configurations that may be critical for the VPN
3. Potential security issues if network restrictions configured by peers are dropped
4. Interoperability problems when valid peer configurations are ignored

This behavior violates the principle of least surprise: administrators expect configurations to either be processed or result in explicit warnings/errors.

Fix: The proposed fix adds explicit logging when iked receives unsupported configuration types. This provides immediate visibility to administrators when configurations are being ignored, allowing them to:

1. Identify mismatched configuration expectations between peers
2. Debug interoperability issues
3. Determine if critical security configurations are being dropped
4. Make informed decisions about VPN configuration compatibility

The fix adds a default case in ikev2_pld_cp() that logs the configuration type and length being ignored. This is an intermediate fix while full configuration payload processing is implemented. Future work should implement handlers for the remaining configuration types to achieve feature parity between sent and received configurations.

The logging uses existing infrastructure (log_info) and includes:
- SA identifier for context
- Configuration type (mapped to a human-readable string)
- Configuration length for debugging

Index: ikev2_pld.c
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2_pld.c,v
diff -u -p -u -r1.136 ikev2_pld.c
--- ikev2_pld.c 13 Jul 2024 12:22:46 -0000 1.136
+++ ikev2_pld.c 4 Jan 2025 17:16:56 -0000
@@ -2036,7 +2036,13 @@ ikev2_pld_cp(struct iked *env, struct ik break; } break; + default: + log_info("%s: ignoring unsupported configuration type %s length %d", + SPI_SA(msg->msg_sa, __func__), + print_map(cfg_type, ikev2_cfg_map), + betoh16(cfg->cfg_length)); + break; } skip: ptr += betoh16(cfg->cfg_length);
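Review bot: the new default case logs at log_info for every attribute the switch does not handle, so a peer that includes several such attributes in each configuration payload produces one line per attribute on every exchange that carries the payload; decide whether that level is the intent. If the point is operator visibility of a possibly security-relevant drop, as the description argues, log_warnx is the level operators watch, ideally emitted once per attribute type per SA rather than on every payload; if this is expected noise from interoperating peers, log_debug is the safer default. The message content is good as written: print_map(cfg_type, ikev2_cfg_map) turns the peer-supplied type into a name rather than echoing raw bytes, and betoh16(cfg->cfg_length) reports exactly the length the loop skips at the `skip:` label, so an operator can match the line against a packet capture.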