<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
Hi All,<br>
Please let us know if anyone has thoughts about this problem.<br>
<br>
Thanks,<br>
Gowri Shankar<br>
<br>
On Monday 30 July 2012 12:21 PM, Kumuda wrote:
<blockquote cite="mid:50162EE0.20607@linux.vnet.ibm.com" type="cite">
<tt>Hi,<br>
<br>
In our test setup, the IKE initiator rekeys the IKE_SA using
CREATE_CHILD_SA just before <br>
ike_lifetime expires, and the rekey request is successfully received
by the responder node <br>
and a response is sent back. <br>
<br>
The initiator has the configuration below:<br>
</tt>
<blockquote><tt>rekeymargin=20s<br>
ikelifetime="60s"<br>
keylife="300s"<br>
reauth="no"<br>
</tt></blockquote>
<tt><br>
Also, the INFORMATIONAL exchange for the DELETE payload by the initiator and
responder is <br>
successfully completed at this time. <br>
<br>
Now, the responder sends an INFORMATIONAL request with an Encrypted
payload to <br>
verify the new IKE SA session. The responder also makes sure that new
SPIs are used in <br>
this request. Here, we observe the failure message below in charon.log
(initiator). <br>
<br>
Jul 26 01:26:45 12[ENC] parsing ENCRYPTED payload finished </tt>
<tt><br>
Jul 26 01:26:45 12[ENC] verifying payload of type ENCRYPTED <br>
Jul 26 01:26:45 12[ENC] ENCRYPTED payload verified. Adding to
payload list <br>
Jul 26 01:26:45 12[ENC] ENCRYPTED payload found. Stop parsing <br>
Jul 26 01:26:45 12[ENC] process payload of type ENCRYPTED <br>
Jul 26 01:26:45 12[ENC] found an encryption payload <br>
Jul 26 01:26:45 12[ENC] encryption payload decryption: <br>
<br>
Jul 26 01:26:45 12[ENC] 0: DD 1A BC AA D5 54 FB
E0 .....T.. </tt> <tt><br>
Jul 26 01:26:45 12[ENC] encrypted => 20 bytes @
0x7f7b3c000bf8 <br>
Jul 26 01:26:45 12[ENC] 0: D0 6D 64 EE F6 1D AA 1E D8 FA CD
D5 2D FF DF 74 .md.........-..t <br>
Jul 26 01:26:45 12[ENC] 16: 10 D5 1C
93 .... <br>
Jul 26 01:26:45 12[ENC] ICV => 12 bytes @ 0x7f7b3c000c00 <br>
Jul 26 01:26:45 12[ENC] 0: D8 FA CD D5 2D FF DF 74 10 D5 1C
93 ....-..t.... <br>
Jul 26 01:26:45 12[ENC] assoc => 32 bytes @ 0x7f7b3c000c70 <br>
Jul 26 01:26:45 12[ENC] 0: A4 27 73 19 9E F2 69 56 E5 F6 D2
48 C2 E9 CD 9E .'s...iV...H.... <br>
Jul 26 01:26:45 12[ENC] 16: 2E 20 25 00 00 00 00 00 00 00 00
3C 00 00 00 20 . %........<... <br>
Jul 26 01:26:45 12[LIB] MAC verification failed <br>
Jul 26 01:26:45 12[ENC] verifying encryption payload integrity
failed <br>
Jul 26 01:26:45 12[ENC] could not decrypt payloads <br>
Jul 26 01:26:45 12[IKE] integrity check failed <br>
Jul 26 01:26:45 12[IKE] INFORMATIONAL request with message ID 0
processing failed <br>
Jul 26 01:26:45 12[MGR] checkin IKE_SA tahi_ikev2_test[2] <br>
Jul 26 01:26:45 12[MGR] check-in of IKE_SA successful. <br>
Jul 26 01:26:45 09[NET] waiting for data on raw sockets <br>
<br>
What could have gone wrong with the INFORMATIONAL request sent
from the responder?<br>
Please provide some pointers for the above failure.<br>
<br>
Thanks and Regards,<br>
Kumuda G<br>
</tt>
</blockquote>
<br>
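Added example, not part of the original messages and not strongSwan code: a decoder for the 32 "assoc" bytes in the log above, showing which SPIs, flags, message ID and lengths the rejected INFORMATIONAL request carried. The field layout follows RFC 7296; the function names are hypothetical, and treating the 8 bytes logged before "encrypted" as the IV is an assumption.<br>

```python
import struct

# "assoc" bytes copied from the charon.log excerpt in the message above.
ASSOC_HEX = ("A4 27 73 19 9E F2 69 56 E5 F6 D2 48 C2 E9 CD 9E "
             "2E 20 25 00 00 00 00 00 00 00 00 3C 00 00 00 20")
# Sizes from the same excerpt: 8-byte block logged before "encrypted" (taken here
# to be the IV, an assumption), "encrypted => 20 bytes", "ICV => 12 bytes".
IV_LEN, ENCRYPTED_LEN, ICV_LEN = 8, 20, 12

EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
             36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20  # RFC 7296, section 3.1
PAYLOAD_ENCRYPTED = 46                      # RFC 7296, section 3.14


def parse_assoc(hex_dump):
    """Decode the 28-byte IKEv2 header plus the 4-byte Encrypted payload header."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) != 32:
        raise ValueError("expected 32 bytes, got %d" % len(raw))
    (spi_i, spi_r, next_payload, version, exchange, flags,
     message_id, total_length) = struct.unpack("!8s8sBBBBII", raw[:28])
    _inner_next, _critical, sk_length = struct.unpack("!BBH", raw[28:])
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "next_payload": next_payload,
        "version": (version >> 4, version & 0x0F),
        "exchange": EXCHANGES.get(exchange, "unknown(%d)" % exchange),
        "from_original_initiator": bool(flags & FLAG_INITIATOR),
        "is_request": not flags & FLAG_RESPONSE,
        "message_id": message_id,
        "total_length": total_length, "sk_length": sk_length,
    }


def check_framing(hdr, iv_len, encrypted_len, icv_len):
    """Return framing problems; an empty list means the lengths add up."""
    problems = []
    if hdr["next_payload"] != PAYLOAD_ENCRYPTED:
        problems.append("first payload is not Encrypted (46)")
    # The log's 20 "encrypted" bytes already include the trailing 12-byte ICV.
    if hdr["sk_length"] != 4 + iv_len + encrypted_len:
        problems.append("SK payload length does not match IV + encrypted data")
    if hdr["total_length"] != 28 + hdr["sk_length"]:
        problems.append("IKE header length does not match header + SK payload")
    if icv_len >= encrypted_len:
        problems.append("no room for ciphertext before the ICV")
    return problems


if __name__ == "__main__":
    header = parse_assoc(ASSOC_HEX)
    print(header, check_framing(header, IV_LEN, ENCRYPTED_LEN, ICV_LEN))
```

An empty list from check_framing means the header and lengths are self-consistent, so the decoded SPIs and flags are the values to compare against what the rekey exchange negotiated.<br>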
</body>
</html>