[strongSwan-dev] Need clarification on INVALID-ID-INFORMATION notify message of quickmode negotiation
Hussaina Begum Nandyala
hnandyala at vmware.com
Fri Nov 2 15:13:14 CET 2018
Hi,
With IKEv1, when strongSwan (as responder) sends INVALID-ID-INFORMATION for an IDii/IDir mismatch, it does not send the SPI value of the IKE SA. Instead, it sends a 0 SPI in the quick mode negotiation along with the HASH payload and N(INVALID-ID-INFORMATION).
As per https://tools.ietf.org/html/rfc2408#section-2.4, this response message should fall under line no. (4). I think line (5) is for the KE/ID payloads of main mode.
Can someone clarify whether strongSwan should send a valid SPI with the N(INVALID-ID-INFORMATION) or not?
     #   Operation                      I-Cookie  R-Cookie  Message ID   SPI
    (1)  Start ISAKMP SA negotiation       X         0          0         0
    (2)  Respond ISAKMP SA negotiation     X         X          0         0
    (3)  Init other SA negotiation         X         X          X         X
    (4)  Respond other SA negotiation      X         X          X         X
    (5)  Other (KE, ID, etc.)              X         X         X/0       NA
    (6)  Security Protocol (ESP, AH)      NA        NA         NA         X
Here is the snippet of the packet trace (the strongSwan peer is 1.1.5.100):
IKEv1 packet S(192.168.128.1:500 -> 1.1.5.100:500): len= 216, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid, Vid
IKEv1 packet R(192.168.128.1:500 <- 1.1.5.100:500): len= 148, mID=00000000, HDR, SA, Vid, Vid, Vid
IKEv1 packet S(192.168.128.1:500 -> 1.1.5.100:500): len= 356, mID=00000000, HDR, KE, Nonce, PRV, PRV
IKEv1 packet R(192.168.128.1:500 <- 1.1.5.100:500): len= 372, mID=00000000, HDR, KE, Nonce, PRV, PRV
IKEv1 packet S(192.168.128.1:500 -> 1.1.5.100:500): len= 92, mID=00000000, HDR, ID, HASH, N(INITIAL_CONTACT)
IKEv1 packet R(192.168.128.1:500 <- 1.1.5.100:500): len= 76, mID=00000000, HDR, ID, HASH
IKEv1 packet S(192.168.128.1:500 -> 1.1.5.100:500): len= 460, mID=8956a6b8, HDR, HASH, SA, Nonce, KE, ID, ID
IKEv1 packet R(192.168.128.1:500 <- 1.1.5.100:500): len= 76, mID=bd816a46, HDR, HASH, N(INVALID_ID_INFORMATION)
Thanks & Regards,
Hussaina N.
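The question above turns on what the SPI field of the Notification payload carries: the 16-byte ISAKMP cookie pair (the "X" case of line (4) in the RFC 2408 table) or nothing at all (SPI Size 0). The following encoder/decoder is an added example written for this thread; it is not strongSwan code and not from the original post. It follows the Notification payload layout of RFC 2408 section 3.14 (DOI, Protocol-ID, SPI Size, Notify Message Type, SPI, data) with the IPsec DOI value 1, PROTO_ISAKMP 1 and INVALID-ID-INFORMATION 18, and the cookie values it uses are constructed, not taken from the trace. `spi_matches_cookies` is the check a responder-side analyst would run against a captured notify to tell the two cases apart, and `parse_notify` rejects a Payload Length that does not fit the declared SPI Size, which a decoder must do before trusting either field.

```python
"""Encode/decode an ISAKMP Notification payload (RFC 2408 section 3.14).
Added example for the thread above; not strongSwan's own code."""
import struct

# Values from RFC 2408 (Notify Message Types) and RFC 2407 (IPsec DOI).
IPSEC_DOI = 1                        # RFC 2407 section 4.1
PROTO_ISAKMP = 1                     # RFC 2407 section 4.4.1
NOTIFY_INVALID_ID_INFORMATION = 18   # RFC 2408 section 3.14.1
ISAKMP_SPI_LEN = 16                  # I-Cookie (8 bytes) + R-Cookie (8 bytes)

# Generic payload header: Next Payload (1), RESERVED (1), Payload Length (2).
# Notification body: DOI (4), Protocol-ID (1), SPI Size (1), Notify Type (2),
# then the variable-length SPI and optional Notification Data.
_HDR = struct.Struct("!BBH")
_BODY = struct.Struct("!IBBH")


def build_notify(spi: bytes, msg_type: int = NOTIFY_INVALID_ID_INFORMATION,
                 doi: int = IPSEC_DOI, proto: int = PROTO_ISAKMP,
                 data: bytes = b"", next_payload: int = 0) -> bytes:
    """Encode a Notification payload; spi may be empty (SPI Size 0)."""
    if len(spi) > 255:
        raise ValueError("SPI Size is a single byte")
    body = _BODY.pack(doi, proto, len(spi), msg_type) + spi + data
    return _HDR.pack(next_payload, 0, _HDR.size + len(body)) + body


def parse_notify(buf: bytes) -> dict:
    """Decode a Notification payload, rejecting lengths that do not fit."""
    fixed = _HDR.size + _BODY.size
    if len(buf) < fixed:
        raise ValueError("payload shorter than the fixed Notification fields")
    next_payload, _reserved, length = _HDR.unpack_from(buf, 0)
    doi, proto, spi_size, msg_type = _BODY.unpack_from(buf, _HDR.size)
    # Payload Length must cover the fixed fields plus the SPI, and must not
    # exceed the buffer we were handed; otherwise we would read past the data.
    if length < fixed + spi_size or length > len(buf):
        raise ValueError("Payload Length inconsistent with SPI Size")
    return {
        "next_payload": next_payload,
        "doi": doi,
        "protocol_id": proto,
        "spi_size": spi_size,
        "msg_type": msg_type,
        "spi": buf[fixed:fixed + spi_size],
        "data": buf[fixed + spi_size:length],
    }


def spi_matches_cookies(notify: dict, icookie: bytes, rcookie: bytes) -> bool:
    """True only when the notify carries a 16-byte ISAKMP SPI equal to the
    header cookie pair; a notify with SPI Size 0 returns False."""
    return (notify["protocol_id"] == PROTO_ISAKMP
            and notify["spi_size"] == ISAKMP_SPI_LEN
            and notify["spi"] == icookie + rcookie)


# Constructed sample cookies (not taken from any real trace).
ICOOKIE = bytes.fromhex("0011223344556677")
RCOOKIE = bytes.fromhex("8899aabbccddeeff")

if __name__ == "__main__":
    cases = (("SPI Size 0", b""), ("cookies as SPI", ICOOKIE + RCOOKIE))
    for label, spi in cases:
        n = parse_notify(build_notify(spi))
        print(f"{label}: type={n['msg_type']} spi_size={n['spi_size']} "
              f"matches header cookies={spi_matches_cookies(n, ICOOKIE, RCOOKIE)}")
```

Running the block shows both encodings side by side: a 12-byte payload with SPI Size 0 (the form the post reports seeing) and a 28-byte payload whose SPI equals the I-Cookie/R-Cookie pair from the ISAKMP header.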