[strongSwan] New Problems with Juniper SRX after FW Upgrade - INVALID_ID_INFORMATION

Andreas Steffen andreas.steffen at strongswan.org
Fri Apr 9 11:25:25 CEST 2010


Hi Daniel,
the problem is the following:

Apr  9 09:13:58 id-soft pluto[29125]:
   "DUS" #2: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500
    but are 17/0

Section 4.6.2 "Identification Payload Content" of RFC 2407 states the
following requirement:

   During Phase I negotiations, the ID port and protocol fields MUST be
   set to zero or to UDP port 500.  If an implementation receives any
   other values, this MUST be treated as an error and the security
   association setup MUST be aborted.  This event SHOULD be auditable.

Thus the Juniper SRX box clearly does not comply with RFC 2407.

Regards

Andreas

Daniel.Fritz at geneva-id.com wrote:
> Hi there,
> 
> we got new problems with Juniper SRX after upgrade to JUNOS 10.1R1.8. It
> seems to be a problem with the proxy-id settings
> ( INVALID_ID_INFORMATION).
> I have tested all possible settings with internal and external IPs without
> success.
> 
> Does somebody have an idea?
> 
> Apr  9 09:13:58 id-soft pluto[29125]: | *received 68 bytes from
> 217.1xx.1xx.242:500 on eth0
> Apr  9 09:13:58 id-soft pluto[29125]: |   3d 4e 2f 87  6b 39 7c 58  1e ef
> b6 21  0d e4 d4 d2
> Apr  9 09:13:58 id-soft pluto[29125]: |   05 10 02 01  00 00 00 00  00 00
> 00 44  40 99 15 21
> Apr  9 09:13:58 id-soft pluto[29125]: |   b7 6d 48 ab  37 66 9b b7  cb 85
> 6e 56  30 86 03 40
> Apr  9 09:13:58 id-soft pluto[29125]: |   1c 60 be 86  3d 75 6d 21  90 9a
> 14 67  86 61 ff b4
> Apr  9 09:13:58 id-soft pluto[29125]: |   e9 5d e3 d3
> Apr  9 09:13:58 id-soft pluto[29125]: | **parse ISAKMP Message:
> Apr  9 09:13:58 id-soft pluto[29125]: |    initiator cookie:
> Apr  9 09:13:58 id-soft pluto[29125]: |   3d 4e 2f 87  6b 39 7c 58
> Apr  9 09:13:58 id-soft pluto[29125]: |    responder cookie:
> Apr  9 09:13:58 id-soft pluto[29125]: |   1e ef b6 21  0d e4 d4 d2
> Apr  9 09:13:58 id-soft pluto[29125]: |    next payload type:
> ISAKMP_NEXT_ID
> Apr  9 09:13:58 id-soft pluto[29125]: |    ISAKMP version: ISAKMP Version
> 1.0
> Apr  9 09:13:58 id-soft pluto[29125]: |    exchange type:
> ISAKMP_XCHG_IDPROT
> Apr  9 09:13:58 id-soft pluto[29125]: |    flags: ISAKMP_FLAG_ENCRYPTION
> Apr  9 09:13:58 id-soft pluto[29125]: |    message ID:  00 00 00 00
> Apr  9 09:13:58 id-soft pluto[29125]: |    length: 68
> Apr  9 09:13:58 id-soft pluto[29125]: | ICOOKIE:  3d 4e 2f 87  6b 39 7c 58
> Apr  9 09:13:58 id-soft pluto[29125]: | RCOOKIE:  1e ef b6 21  0d e4 d4 d2
> Apr  9 09:13:58 id-soft pluto[29125]: | peer:  d9 c7 c3 f2
> Apr  9 09:13:58 id-soft pluto[29125]: | state hash entry 25
> Apr  9 09:13:58 id-soft pluto[29125]: | state object #2 found, in
> STATE_MAIN_I3
> Apr  9 09:13:58 id-soft pluto[29125]: | received encrypted packet from
> 217.1xx.1xx.242:500
> Apr  9 09:13:58 id-soft pluto[29125]: | decrypting 40 bytes using algorithm
> 3DES_CBC
> Apr  9 09:13:58 id-soft pluto[29125]: | decrypted:
> Apr  9 09:13:58 id-soft pluto[29125]: |   08 00 00 0c  01 11 00 00  d9 c7
> c3 f2  00 00 00 18
> Apr  9 09:13:58 id-soft pluto[29125]: |   c0 63 04 9a  12 be 57 80  0c 92
> 9d cc  a9 5b de 35
> Apr  9 09:13:58 id-soft pluto[29125]: |   f9 0e 12 b1  00 00 00 00
> Apr  9 09:13:58 id-soft pluto[29125]: | next IV:  86 61 ff b4  e9 5d e3 d3
> Apr  9 09:13:58 id-soft pluto[29125]: | ***parse ISAKMP Identification
> Payload:
> Apr  9 09:13:58 id-soft pluto[29125]: |    next payload type:
> ISAKMP_NEXT_HASH
> Apr  9 09:13:58 id-soft pluto[29125]: |    length: 12
> Apr  9 09:13:58 id-soft pluto[29125]: |    ID type: ID_IPV4_ADDR
> Apr  9 09:13:58 id-soft pluto[29125]: |    DOI specific A: 17
> Apr  9 09:13:58 id-soft pluto[29125]: |    DOI specific B: 0
> Apr  9 09:13:58 id-soft pluto[29125]: | ***parse ISAKMP Hash Payload:
> Apr  9 09:13:58 id-soft pluto[29125]: |    next payload type:
> ISAKMP_NEXT_NONE
> Apr  9 09:13:58 id-soft pluto[29125]: |    length: 24
> Apr  9 09:13:58 id-soft pluto[29125]: | removing 4 bytes of padding
> Apr  9 09:13:58 id-soft pluto[29125]: "DUS" #2: protocol/port in Phase 1 ID
> Payload must be 0/0 or 17/500 but are 17/0
> Apr  9 09:13:58 id-soft pluto[29125]: "DUS" #2: sending encrypted
> notification INVALID_ID_INFORMATION to 217.1xx.1xx.242:500
> Apr  9 09:13:58 id-soft pluto[29125]: | **emit ISAKMP Message:
> Apr  9 09:13:58 id-soft pluto[29125]: |    initiator cookie:
> Apr  9 09:13:58 id-soft pluto[29125]: |   3d 4e 2f 87  6b 39 7c 58
> Apr  9 09:13:58 id-soft pluto[29125]: |    responder cookie:
> Apr  9 09:13:58 id-soft pluto[29125]: |   1e ef b6 21  0d e4 d4 d2
> Apr  9 09:13:58 id-soft pluto[29125]: |    next payload type:
> ISAKMP_NEXT_HASH
> Apr  9 09:13:58 id-soft pluto[29125]: |    ISAKMP version: ISAKMP Version
> 1.0
> Apr  9 09:13:58 id-soft pluto[29125]: |    exchange type: ISAKMP_XCHG_INFO
> Apr  9 09:13:58 id-soft pluto[29125]: |    flags: ISAKMP_FLAG_ENCRYPTION
> Apr  9 09:13:58 id-soft pluto[29125]: |    message ID:  4d 7c 6c 56
> Apr  9 09:13:58 id-soft pluto[29125]: | ***emit ISAKMP Hash Payload:
> Apr  9 09:13:58 id-soft pluto[29125]: |    next payload type: ISAKMP_NEXT_N
> Apr  9 09:13:58 id-soft pluto[29125]: | emitting 20 zero bytes of HASH into
> ISAKMP Hash Payload
> Apr  9 09:13:58 id-soft pluto[29125]: | emitting length of ISAKMP Hash
> Payload: 24
> Apr  9 09:13:58 id-soft pluto[29125]: | ***emit ISAKMP Notification
> Payload:
> Apr  9 09:13:58 id-soft pluto[29125]: |    next payload type:
> ISAKMP_NEXT_NONE
> Apr  9 09:13:58 id-soft pluto[29125]: |    DOI: ISAKMP_DOI_IPSEC
> Apr  9 09:13:58 id-soft pluto[29125]: |    protocol ID: 1
> Apr  9 09:13:58 id-soft pluto[29125]: |    SPI size: 0
> Apr  9 09:13:58 id-soft pluto[29125]: |    Notify Message Type:
> INVALID_ID_INFORMATION
> Apr  9 09:13:58 id-soft pluto[29125]: | emitting 0 raw bytes of spi into
> ISAKMP Notification Payload
> Apr  9 09:13:58 id-soft pluto[29125]: | spi
> Apr  9 09:13:58 id-soft pluto[29125]: | emitting length of ISAKMP
> Notification Payload: 12
> Apr  9 09:13:58 id-soft pluto[29125]: | HASH computed:
> Apr  9 09:13:58 id-soft pluto[29125]: |   2a 8a d9 16  ee cd be 13  42 9e
> 2b 8d  7c 83 56 ad
> Apr  9 09:13:58 id-soft pluto[29125]: |   f1 37 31 79
> Apr  9 09:13:58 id-soft pluto[29125]: | last Phase 1 IV:  86 61 ff b4  e9
> 5d e3 d3
> Apr  9 09:13:58 id-soft pluto[29125]: | computed Phase 2 IV:
> Apr  9 09:13:58 id-soft pluto[29125]: |   f9 f8 99 65  77 a5 5d dc  7a 98
> 3d 7c  49 58 17 ec
> Apr  9 09:13:58 id-soft pluto[29125]: |   6a 07 96 df
> Apr  9 09:13:58 id-soft pluto[29125]: | encrypting:
> Apr  9 09:13:58 id-soft pluto[29125]: |   0b 00 00 18  2a 8a d9 16  ee cd
> be 13  42 9e 2b 8d
> Apr  9 09:13:58 id-soft pluto[29125]: |   7c 83 56 ad  f1 37 31 79  00 00
> 00 0c  00 00 00 01
> Apr  9 09:13:58 id-soft pluto[29125]: |   01 00 00 12
> Apr  9 09:13:58 id-soft pluto[29125]: | emitting 4 zero bytes of encryption
> padding into ISAKMP Message
> Apr  9 09:13:58 id-soft pluto[29125]: | encrypting using 3DES_CBC
> Apr  9 09:13:58 id-soft pluto[29125]: | next IV:  e6 38 f6 5d  be 47 1b a0
> Apr  9 09:13:58 id-soft pluto[29125]: | emitting length of ISAKMP Message:
> 68
> Apr  9 09:13:58 id-soft pluto[29125]: | sending 68 bytes for ISAKMP notify
> through eth0 to 217.1xx.1xx.242:500:
> Apr  9 09:13:58 id-soft pluto[29125]: |   3d 4e 2f 87  6b 39 7c 58  1e ef
> b6 21  0d e4 d4 d2
> Apr  9 09:13:58 id-soft pluto[29125]: |   08 10 05 01  4d 7c 6c 56  00 00
> 00 44  d9 8b 12 72
> Apr  9 09:13:58 id-soft pluto[29125]: |   b1 34 dd a2  14 5d 6d 67  ad 66
> 86 1d  0d e8 65 5b
> Apr  9 09:13:58 id-soft pluto[29125]: |   7b cd 96 99  5e 2e b2 8b  91 f2
> 23 73  e6 38 f6 5d
> Apr  9 09:13:58 id-soft pluto[29125]: |   be 47 1b a0
> Apr  9 09:13:58 id-soft pluto[29125]: | state transition function for
> STATE_MAIN_I3 failed: INVALID_ID_INFORMATION
> Apr  9 09:13:58 id-soft pluto[29125]: | next event EVENT_RETRANSMIT in 3
> seconds for #1
> 
> 
> 
> Br Daniel

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
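Added example (not part of the thread or of strongSwan's pluto): a small parser for the ISAKMP Identification payload that applies the RFC 2407 section 4.6.2 rule Andreas cites, so the log line "protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0" can be reproduced and checked offline. The sample bytes are constructed with the same layout as the decrypted ID payload in the log, using the TEST-NET address 192.0.2.1 rather than the peer's real address.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

# ISAKMP values used below (RFC 2408 payload types, RFC 2407 ID types)
ISAKMP_NEXT_HASH = 8
ID_IPV4_ADDR = 1
PROTO_UDP = 17
PORT_ISAKMP = 500


def parse_id_payload(data: bytes) -> dict:
    """Parse a generic ISAKMP Identification payload.

    Layout (RFC 2408 3.8 generic header + RFC 2407 4.6.2 body):
    next(1) reserved(1) length(2) id_type(1) protocol(1) port(2) id_data(...)
    """
    if len(data) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed part")
    nxt, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", data[:8])
    if length < 8 or length > len(data):
        raise ValueError(f"ID payload length {length} inconsistent with {len(data)} bytes")
    return {"next": nxt, "length": length, "id_type": id_type,
            "protocol": proto, "port": port, "id_data": data[8:length]}


def phase1_id_check(payload: dict) -> Optional[str]:
    """RFC 2407 4.6.2: in Phase 1 the protocol/port fields MUST be 0/0 or 17/500.

    Returns None when the payload is acceptable, otherwise the reason the SA
    setup must be aborted (worded like pluto's log message).
    """
    proto, port = payload["protocol"], payload["port"]
    if (proto, port) in ((0, 0), (PROTO_UDP, PORT_ISAKMP)):
        return None
    return (f"protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 "
            f"but are {proto}/{port}")


# Constructed samples (not the bytes from the log): ID_IPV4_ADDR with TEST-NET
# address 192.0.2.1. BAD_ID carries protocol 17 / port 0, the failing case;
# GOOD_ID carries protocol 17 / port 500, which the RFC allows.
BAD_ID = bytes([0x08, 0x00, 0x00, 0x0c, 0x01, 0x11, 0x00, 0x00]) + IPv4Address("192.0.2.1").packed
GOOD_ID = bytes([0x08, 0x00, 0x00, 0x0c, 0x01, 0x11, 0x01, 0xf4]) + IPv4Address("192.0.2.1").packed

if __name__ == "__main__":
    for name, raw in (("BAD_ID", BAD_ID), ("GOOD_ID", GOOD_ID)):
        p = parse_id_payload(raw)
        addr = IPv4Address(p["id_data"]) if p["id_type"] == ID_IPV4_ADDR else p["id_data"]
        print(name, addr, phase1_id_check(p) or "accepted")
```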



