[strongSwan] New Problems with Juniper SRX after FW Upgrade - INVALID_ID_INFORMATION
Daniel.Fritz at geneva-id.com
Fri Apr 9 10:31:27 CEST 2010
Hi there,

we got new problems with Juniper SRX after upgrade to JUNOS 10.1R1.8. It
seems to be a problem with the proxy-id settings
(INVALID_ID_INFORMATION).
I have tested all possible settings with internal and external IPs without
success.

Has somebody an idea?

Apr 9 09:13:58 id-soft pluto[29125]: | *received 68 bytes from 217.1xx.1xx.242:500 on eth0
Apr 9 09:13:58 id-soft pluto[29125]: | 3d 4e 2f 87 6b 39 7c 58 1e ef b6 21 0d e4 d4 d2
Apr 9 09:13:58 id-soft pluto[29125]: | 05 10 02 01 00 00 00 00 00 00 00 44 40 99 15 21
Apr 9 09:13:58 id-soft pluto[29125]: | b7 6d 48 ab 37 66 9b b7 cb 85 6e 56 30 86 03 40
Apr 9 09:13:58 id-soft pluto[29125]: | 1c 60 be 86 3d 75 6d 21 90 9a 14 67 86 61 ff b4
Apr 9 09:13:58 id-soft pluto[29125]: | e9 5d e3 d3
Apr 9 09:13:58 id-soft pluto[29125]: | **parse ISAKMP Message:
Apr 9 09:13:58 id-soft pluto[29125]: | initiator cookie:
Apr 9 09:13:58 id-soft pluto[29125]: | 3d 4e 2f 87 6b 39 7c 58
Apr 9 09:13:58 id-soft pluto[29125]: | responder cookie:
Apr 9 09:13:58 id-soft pluto[29125]: | 1e ef b6 21 0d e4 d4 d2
Apr 9 09:13:58 id-soft pluto[29125]: | next payload type: ISAKMP_NEXT_ID
Apr 9 09:13:58 id-soft pluto[29125]: | ISAKMP version: ISAKMP Version 1.0
Apr 9 09:13:58 id-soft pluto[29125]: | exchange type: ISAKMP_XCHG_IDPROT
Apr 9 09:13:58 id-soft pluto[29125]: | flags: ISAKMP_FLAG_ENCRYPTION
Apr 9 09:13:58 id-soft pluto[29125]: | message ID: 00 00 00 00
Apr 9 09:13:58 id-soft pluto[29125]: | length: 68
Apr 9 09:13:58 id-soft pluto[29125]: | ICOOKIE: 3d 4e 2f 87 6b 39 7c 58
Apr 9 09:13:58 id-soft pluto[29125]: | RCOOKIE: 1e ef b6 21 0d e4 d4 d2
Apr 9 09:13:58 id-soft pluto[29125]: | peer: d9 c7 c3 f2
Apr 9 09:13:58 id-soft pluto[29125]: | state hash entry 25
Apr 9 09:13:58 id-soft pluto[29125]: | state object #2 found, in STATE_MAIN_I3
Apr 9 09:13:58 id-soft pluto[29125]: | received encrypted packet from 217.1xx.1xx.242:500
Apr 9 09:13:58 id-soft pluto[29125]: | decrypting 40 bytes using algorithm 3DES_CBC
Apr 9 09:13:58 id-soft pluto[29125]: | decrypted:
Apr 9 09:13:58 id-soft pluto[29125]: | 08 00 00 0c 01 11 00 00 d9 c7 c3 f2 00 00 00 18
Apr 9 09:13:58 id-soft pluto[29125]: | c0 63 04 9a 12 be 57 80 0c 92 9d cc a9 5b de 35
Apr 9 09:13:58 id-soft pluto[29125]: | f9 0e 12 b1 00 00 00 00
Apr 9 09:13:58 id-soft pluto[29125]: | next IV: 86 61 ff b4 e9 5d e3 d3
Apr 9 09:13:58 id-soft pluto[29125]: | ***parse ISAKMP Identification Payload:
Apr 9 09:13:58 id-soft pluto[29125]: | next payload type: ISAKMP_NEXT_HASH
Apr 9 09:13:58 id-soft pluto[29125]: | length: 12
Apr 9 09:13:58 id-soft pluto[29125]: | ID type: ID_IPV4_ADDR
Apr 9 09:13:58 id-soft pluto[29125]: | DOI specific A: 17
Apr 9 09:13:58 id-soft pluto[29125]: | DOI specific B: 0
Apr 9 09:13:58 id-soft pluto[29125]: | ***parse ISAKMP Hash Payload:
Apr 9 09:13:58 id-soft pluto[29125]: | next payload type: ISAKMP_NEXT_NONE
Apr 9 09:13:58 id-soft pluto[29125]: | length: 24
Apr 9 09:13:58 id-soft pluto[29125]: | removing 4 bytes of padding
Apr 9 09:13:58 id-soft pluto[29125]: "DUS" #2: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Apr 9 09:13:58 id-soft pluto[29125]: "DUS" #2: sending encrypted notification INVALID_ID_INFORMATION to 217.1xx.1xx.242:500
Apr 9 09:13:58 id-soft pluto[29125]: | **emit ISAKMP Message:
Apr 9 09:13:58 id-soft pluto[29125]: | initiator cookie:
Apr 9 09:13:58 id-soft pluto[29125]: | 3d 4e 2f 87 6b 39 7c 58
Apr 9 09:13:58 id-soft pluto[29125]: | responder cookie:
Apr 9 09:13:58 id-soft pluto[29125]: | 1e ef b6 21 0d e4 d4 d2
Apr 9 09:13:58 id-soft pluto[29125]: | next payload type: ISAKMP_NEXT_HASH
Apr 9 09:13:58 id-soft pluto[29125]: | ISAKMP version: ISAKMP Version 1.0
Apr 9 09:13:58 id-soft pluto[29125]: | exchange type: ISAKMP_XCHG_INFO
Apr 9 09:13:58 id-soft pluto[29125]: | flags: ISAKMP_FLAG_ENCRYPTION
Apr 9 09:13:58 id-soft pluto[29125]: | message ID: 4d 7c 6c 56
Apr 9 09:13:58 id-soft pluto[29125]: | ***emit ISAKMP Hash Payload:
Apr 9 09:13:58 id-soft pluto[29125]: | next payload type: ISAKMP_NEXT_N
Apr 9 09:13:58 id-soft pluto[29125]: | emitting 20 zero bytes of HASH into ISAKMP Hash Payload
Apr 9 09:13:58 id-soft pluto[29125]: | emitting length of ISAKMP Hash Payload: 24
Apr 9 09:13:58 id-soft pluto[29125]: | ***emit ISAKMP Notification Payload:
Apr 9 09:13:58 id-soft pluto[29125]: | next payload type: ISAKMP_NEXT_NONE
Apr 9 09:13:58 id-soft pluto[29125]: | DOI: ISAKMP_DOI_IPSEC
Apr 9 09:13:58 id-soft pluto[29125]: | protocol ID: 1
Apr 9 09:13:58 id-soft pluto[29125]: | SPI size: 0
Apr 9 09:13:58 id-soft pluto[29125]: | Notify Message Type: INVALID_ID_INFORMATION
Apr 9 09:13:58 id-soft pluto[29125]: | emitting 0 raw bytes of spi into ISAKMP Notification Payload
Apr 9 09:13:58 id-soft pluto[29125]: | spi
Apr 9 09:13:58 id-soft pluto[29125]: | emitting length of ISAKMP Notification Payload: 12
Apr 9 09:13:58 id-soft pluto[29125]: | HASH computed:
Apr 9 09:13:58 id-soft pluto[29125]: | 2a 8a d9 16 ee cd be 13 42 9e 2b 8d 7c 83 56 ad
Apr 9 09:13:58 id-soft pluto[29125]: | f1 37 31 79
Apr 9 09:13:58 id-soft pluto[29125]: | last Phase 1 IV: 86 61 ff b4 e9 5d e3 d3
Apr 9 09:13:58 id-soft pluto[29125]: | computed Phase 2 IV:
Apr 9 09:13:58 id-soft pluto[29125]: | f9 f8 99 65 77 a5 5d dc 7a 98 3d 7c 49 58 17 ec
Apr 9 09:13:58 id-soft pluto[29125]: | 6a 07 96 df
Apr 9 09:13:58 id-soft pluto[29125]: | encrypting:
Apr 9 09:13:58 id-soft pluto[29125]: | 0b 00 00 18 2a 8a d9 16 ee cd be 13 42 9e 2b 8d
Apr 9 09:13:58 id-soft pluto[29125]: | 7c 83 56 ad f1 37 31 79 00 00 00 0c 00 00 00 01
Apr 9 09:13:58 id-soft pluto[29125]: | 01 00 00 12
Apr 9 09:13:58 id-soft pluto[29125]: | emitting 4 zero bytes of encryption padding into ISAKMP Message
Apr 9 09:13:58 id-soft pluto[29125]: | encrypting using 3DES_CBC
Apr 9 09:13:58 id-soft pluto[29125]: | next IV: e6 38 f6 5d be 47 1b a0
Apr 9 09:13:58 id-soft pluto[29125]: | emitting length of ISAKMP Message: 68
Apr 9 09:13:58 id-soft pluto[29125]: | sending 68 bytes for ISAKMP notify through eth0 to 217.1xx.1xx.242:500:
Apr 9 09:13:58 id-soft pluto[29125]: | 3d 4e 2f 87 6b 39 7c 58 1e ef b6 21 0d e4 d4 d2
Apr 9 09:13:58 id-soft pluto[29125]: | 08 10 05 01 4d 7c 6c 56 00 00 00 44 d9 8b 12 72
Apr 9 09:13:58 id-soft pluto[29125]: | b1 34 dd a2 14 5d 6d 67 ad 66 86 1d 0d e8 65 5b
Apr 9 09:13:58 id-soft pluto[29125]: | 7b cd 96 99 5e 2e b2 8b 91 f2 23 73 e6 38 f6 5d
Apr 9 09:13:58 id-soft pluto[29125]: | be 47 1b a0
Apr 9 09:13:58 id-soft pluto[29125]: | state transition function for STATE_MAIN_I3 failed: INVALID_ID_INFORMATION
Apr 9 09:13:58 id-soft pluto[29125]: | next event EVENT_RETRANSMIT in 3 seconds for #1

Br Daniel
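
The check that fails in the log above, as an added example that is not part of the original post and is not strongSwan's own code: it parses an ISAKMP Identification payload in the IPsec DOI layout (the log's "DOI specific A" is the protocol ID, "DOI specific B" the port) and applies the Phase 1 rule the log message states, which corresponds to RFC 2407 section 4.6.2. The payload bytes are constructed with a documentation address, and the function names are hypothetical.

```python
import ipaddress
import struct

ID_IPV4_ADDR = 1                      # IPsec DOI ID type (RFC 2407, 4.6.2.1)
ALLOWED_PHASE1 = {(0, 0), (17, 500)}  # protocol/port pairs named in the log message


def parse_id_payload(buf: bytes) -> dict:
    """Parse one ISAKMP Identification payload (generic header + IPsec DOI fields)."""
    if len(buf) < 8:
        raise ValueError("truncated ID payload header")
    next_payload, _reserved, length, id_type, proto, port = struct.unpack(
        "!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError(f"payload length {length} outside buffer of {len(buf)} bytes")
    data = buf[8:length]              # anything past 'length' is the next payload
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 address bytes")
        ident = str(ipaddress.IPv4Address(data))
    else:
        ident = data.hex()            # other ID types are left undecoded here
    return {"next_payload": next_payload, "length": length, "id_type": id_type,
            "protocol": proto, "port": port, "id": ident}


def check_phase1_id(buf: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a Phase 1 ID payload."""
    p = parse_id_payload(buf)
    pair = (p["protocol"], p["port"])
    if pair in ALLOWED_PHASE1:
        return True, f"ok: {pair[0]}/{pair[1]} for {p['id']}"
    return False, ("INVALID_ID_INFORMATION: protocol/port must be 0/0 or 17/500 "
                   f"but are {pair[0]}/{pair[1]}")


def make_id(proto: int, port: int, addr: str = "192.0.2.10") -> bytes:
    """Build a constructed ID_IPV4_ADDR payload (next payload 8 = HASH, length 12)."""
    header = struct.pack("!BBHBBH", 8, 0, 12, ID_IPV4_ADDR, proto, port)
    return header + ipaddress.IPv4Address(addr).packed


if __name__ == "__main__":
    # Constructed samples: 17/0 mirrors the header fields pluto logged for the peer.
    for proto, port in ((17, 0), (0, 0), (17, 500)):
        print(check_phase1_id(make_id(proto, port)))
```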