I performed some analysis and debugging of the isakmp fragmentation
error. The root cause seems to be a logical error in the upstream
CVE-2016-10396 patch. When this patch is applied, the racoon server is
protected from DoS but does not recognize a completed reassembly of an
isakmp fragment chain. This forces racoon clients like Apple iPhones that
fragment isakmp messages to retransmit fragments, which leads to
behaviour similar to the DoS attack that the developers wanted racoon
servers to be protected from. So in turn, after a couple of
retransmissions the racoon server terminates the phase 1 negotiation. This
prevents the fragmenting client from accessing the VPN.

Attached is a patch that fixes the fragmentation bug in the CVE-2016-10396
patch. The patch has been tested and it works fine with my limited set
of VPN clients. Regression tests have not been performed. For your
convenience I've updated the PPA
(https://launchpad.net/~rdratlos/+archive/ubuntu/racoon) to allow
further testing of the attached patch.

The patch is based on debian build 10 of racoon and should be
easily applicable to bionic. Please review the attached patch and include it
in bionic.

** Patch added: "0001-Fix-isakmp-fragmentation-bug-in-CVE-2016-10396-patch.patch"
   https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/1793028/+attachment/5195734/+files/0001-Fix-isakmp-fragmentation-bug-in-CVE-2016-10396-patch.patch
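The reassembly behaviour the report describes, as an added example that is not code from the message above or from racoon: a per-chain fragment cap (the DoS bound) combined with a completion check that runs on every arrival, so out-of-order fragments and retransmits neither exhaust the cap nor stop the chain from being recognized as complete. The eight-byte fragment header layout (next payload, reserved, length, fragment ID, fragment number, flags with bit 0x01 marking the last fragment) follows the ISAKMP fragmentation draft that racoon implements; the MAX_FRAGS value and all names are assumptions.

```python
import struct

FRAG_LAST = 0x01   # flags bit: this fragment is the final one of the chain
MAX_FRAGS = 16     # per-chain cap standing in for the DoS bound (assumed value)
HDR = "!BBHHBB"    # next payload, reserved, length, fragment ID, fragment number, flags


def parse_fragment(payload: bytes):
    """Split one fragment payload into (frag_id, index, is_last, data)."""
    if len(payload) < 8:
        raise ValueError("fragment payload too short")
    _next, _rsvd, length, frag_id, index, flags = struct.unpack(HDR, payload[:8])
    if length < 8 or length > len(payload) or index == 0:
        raise ValueError("bad fragment header")
    return frag_id, index, bool(flags & FRAG_LAST), payload[8:length]


def make_fragment(frag_id: int, index: int, is_last: bool, data: bytes) -> bytes:
    """Build a fragment payload (used here only to construct sample input)."""
    flags = FRAG_LAST if is_last else 0
    return struct.pack(HDR, 0, 0, 8 + len(data), frag_id, index, flags) + data


class FragmentChain:
    def __init__(self):
        self.parts = {}   # fragment number -> data
        self.last = None  # fragment number carried by the LAST-flagged fragment

    def add(self, index: int, is_last: bool, data: bytes):
        """Store one fragment; return the reassembled message once complete."""
        if index in self.parts:
            return None  # retransmit of a fragment we hold: not counted against the cap
        if len(self.parts) >= MAX_FRAGS:
            raise ValueError("fragment cap exceeded for this chain")
        if is_last:
            self.last = index
        self.parts[index] = data
        # Check completion on every arrival, not only when the LAST fragment
        # arrives: a gap may be filled after the last fragment was seen.
        if self.last is not None and all(i in self.parts for i in range(1, self.last + 1)):
            return b"".join(self.parts[i] for i in range(1, self.last + 1))
        return None


def reassemble(payloads):
    """Feed fragment payloads in arrival order; return the first completed message or None."""
    chains = {}
    for payload in payloads:
        frag_id, index, is_last, data = parse_fragment(payload)
        msg = chains.setdefault(frag_id, FragmentChain()).add(index, is_last, data)
        if msg is not None:
            del chains[frag_id]
            return msg
    return None
```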

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1793028

Title:
  NetBSD CVE Patch Regression

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/1793028/+subscriptions
