<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">Hi Martin,</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Thank you for the quick response. That's good news that from the strongSwan perspective this IKE_SA looks fine.</div><div class="gmail_default" style="font-family:verdana,sans-serif">Will focus on the Cisco side then.</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Alexey</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 14 April 2015 at 17:05, Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<span class=""><br>
> The issue that I'm facing is that SA on Strongswan side is up but stuck in<br>
> "IN-NEG” status on Cisco side (Response is outside of window received 0x1,<br>
> expect 0x2 <= mess_id < 0x2).<br>
<br>
</span>> 16[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ ... ]<br>
[...]<br>
<span class="">> 16[IKE] IKE_SA csr-swan[1] established between 10.10.100.2[C=US, CN=ne.lab.local]...172.20.100.1[CN=router.lab.local, unstructuredName=router.lab.local]<br>
</span><span class="">> 16[IKE] scheduling reauthentication in 86151s<br>
</span><span class="">> 16[IKE] maximum IKE_SA lifetime 86331s<br>
</span><span class="">> 16[IKE] sending end entity cert "C=US, CN=ne.lab.local"<br>
</span><span class="">> 16[IKE] CHILD_SA csr-swan{1} established with SPIs cb262567_i 4d68c4bb_o and TS <a href="http://10.10.100.2/32[gre]" target="_blank">10.10.100.2/32[gre]</a> === <a href="http://172.20.100.1/32[gre]" target="_blank">172.20.100.1/32[gre]</a><br>
</span><span class="">> 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]<br>
</span><span class="">> 16[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)<br>
<br>
</span>From the strongSwan perspective this IKE_SA establishes just fine.<br>
<span class=""><br>
> 05[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)<br>
</span><span class="">> 05[ENC] unknown attribute type (28692)<br>
</span>> 05[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ ... ]<br>
<span class="">> 05[IKE] received retransmit of request with ID 1, retransmitting response<br>
<br>
</span>But Cisco keeps retransmitting the IKE_AUTH request, for which<br>
strongSwan keeps resending the response.<br>
<span class=""><br>
> Apr 14 13:46:20.413: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From <a href="http://10.10.100.2:500/To" target="_blank">10.10.100.2:500/To</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0]<br>
> Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1<br>
> IKEv2 IKE_AUTH Exchange RESPONSE<br>
> Payload contents:<br>
> IDr CERT AUTH SA TSi TSr NOTIFY(Unknown - 16403)<br>
><br>
> Apr 14 13:46:20.413: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify<br>
> Apr 14 13:46:20.415: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet<br>
<br>
</span>The Cisco side receives the IKE_AUTH response, but nonetheless sends a<br>
retransmit for its IKE_AUTH request, and then complains that the message<br>
ID has not advanced.<br>
<span class=""><br>
> Apr 14 13:46:20.415: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To <a href="http://10.10.100.2:500/From" target="_blank">10.10.100.2:500/From</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0]<br>
> Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1<br>
> IKEv2 IKE_AUTH Exchange REQUEST<br>
> Payload contents:<br>
> ENCR<br>
><br>
> Apr 14 13:46:20.667: IKEv2:(SESSION ID = 1,SA ID = 1):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2<br>
<br>
</span>I don't see anything wrong on the strongSwan side; the sequence numbers<br>
look correct. Not sure why the CSR does not accept that response but<br>
retransmits the request.<br>
<br>
The "Process auth response notify" for our AUTH_LIFETIME notification<br>
could be some indication, seems that Cisco doesn't know that:<br>
"NOTIFY(Unknown - 16403)". But it should just ignore it if it doesn't<br>
understand that notify.<br>
<br>
Regards<br>
<span class="HOEnZb"><font color="#888888">Martin<br>
<br>
</font></span></blockquote></div><br></div>
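<div class="gmail_default" style="font-family:verdana,sans-serif">As an added illustration that is not part of this thread: a simplified Python model of the IKEv2 message-ID window and unknown-notify rules (RFC 7296 sections 2.2 and 3.10.1), written to reproduce the sequence seen in the two logs above. The class names, the window size of one and the replayed payload list are assumptions of this model, not strongSwan or Cisco IOS code.</div>

```python
AUTH_LIFETIME = 16403    # RFC 4478 status notify, shown by the CSR as "Unknown - 16403"
STATUS_TYPE_MIN = 16384  # RFC 7296 3.10.1: notify types below this report errors

def notify_action(notify_type, in_response):
    # An unknown error type in a response fails the exchange; any other
    # unknown notify (all status types included) must be ignored and logged.
    if notify_type < STATUS_TYPE_MIN and in_response:
        return "fail"
    return "ignore"

class Responder:
    # strongSwan's role: answer each request once, replay the stored response on a duplicate.
    def __init__(self):
        self.expected, self.sent = 0, {}
    def handle_request(self, msg_id):
        if msg_id in self.sent:                      # duplicate request
            return "retransmitting response", self.sent[msg_id]
        if msg_id != self.expected:                  # assumed window size 1
            return "dropped", None
        self.sent[msg_id] = (msg_id, ["IDr", "AUTH", f"N({AUTH_LIFETIME})"])
        self.expected += 1
        return "responding", self.sent[msg_id]

class Initiator:
    # The CSR's role: a response is inside the window only while its request is outstanding.
    def __init__(self):
        self.next_id, self.outstanding = 0, set()
    def send_request(self):
        self.outstanding.add(self.next_id)
        self.next_id += 1
        return self.next_id - 1
    def handle_response(self, msg_id):
        lo = min(self.outstanding, default=self.next_id)
        if not lo <= msg_id < self.next_id:
            return (f"Response is outside of window received {msg_id:#x}, "
                    f"expect {lo:#x} <= mess_id < {self.next_id:#x}")
        self.outstanding.discard(msg_id)
        return "accepted"

def replay_thread():
    # IKE_SA_INIT (ID 0), IKE_AUTH (ID 1), then the CSR retransmits
    # request 1 after having already accepted the response to it.
    csr, swan, log = Initiator(), Responder(), []
    for _ in range(2):
        _, resp = swan.handle_request(csr.send_request())
        log.append(csr.handle_response(resp[0]))
    action, resp = swan.handle_request(1)            # retransmit of request 1
    log += [action, csr.handle_response(resp[0])]
    return log
```

The last entry of replay_thread() is exactly the CSR's complaint: once request 1 has been answered, the window is the empty range 0x2 <= mess_id < 0x2, so the replayed response with ID 1 can only be rejected.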