[strongSwan] Running Mocana Device Security Framework against strongswan 4.4.0 - DH group MODP_1024 inacceptable, requesting MODP_1024
Dietmar Eggemann
deggeman at gmx.de
Sun Jun 27 23:10:01 CEST 2010
Hi,
I got a problem with IKEv2 IKE_SA_INIT running strongswan-4.4.0 against Mocana
Device Security Framework Version 3.1. on PowerPC targets.
I cross-compiled strongswan without gmp support, i.e. with configure option
--disable-gmp.
Mocana side is the initiator and sends an IKE_SA_INIT Request (1) depicted as an
Ethereal print below. The Key Exchange Payload has DH Group 2 (MODP_1024).
Strongswan's IKE processing prints out the following log message (full log under
(4)):
06[IKE] DH group MODP_1024 inacceptable, requesting MODP_1024
What I don't understand is the fact that it says MODP_1024 is not acceptable but
it requests MODP_1024 at the same time?
Strongswan then sends an IKE_SA_INIT Response (2) (see below) back with a
Notification Payload saying Invalid Key Payload.
The content of strongswan's ipsec.conf file is to be seen under (3).
I have the exact same Mocana code running on a WINXP test system which works
fine against a strongswan 4.2.4 on a Linux PC.
I'm trying to get strongswan 4.2.4 running on the PowerPC target but
cross-compiling without gmp is not that easy with this version. Since I'm using
direct SGMII interfaces I can't just simply use the Linux PC as the Responder.
Any help would be highly appreciated!
Thanks,
-- Dietmar Eggemann
(1) Mocana's IKE_SA_INIT Request
Internet Security Association and Key Management Protocol
Initiator cookie: 00FFD61839FD879A
Responder cookie: 0000000000000000
Next payload: Security Association (33)
Version: 2.0
Exchange type: IKE_SA_INIT (34)
Flags: 0x08
.... 1... = Initiator
...0 .... =
..0. .... = Request
Message ID: 0x00000000
Length: 368
Security Association payload
Next payload: Key Exchange (34)
0... .... = Not critical
Payload length: 184
Proposal payload # 1
Next payload: NONE (0)
0... .... = Not critical
Payload length: 180
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 20
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Encryption Algorithm (ENCR) (1)
Transform ID: ENCR_3DES (3)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 12
Transform type: Encryption Algorithm (ENCR) (1)
Transform ID: ENCR_AES_CBC (12)
Key Length (in bits) (14): Key-Length (128)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 12
Transform type: Encryption Algorithm (ENCR) (1)
Transform ID: ENCR_AES_CBC (12)
Key Length (in bits) (14): Key-Length (192)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 12
Transform type: Encryption Algorithm (ENCR) (1)
Transform ID: ENCR_AES_CBC (12)
Key Length (in bits) (14): Key-Length (256)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Pseudo-random Function (PRF) (2)
Transform ID: PRF_HMAC_SHA1 (2)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Pseudo-random Function (PRF) (2)
Transform ID: PRF_HMAC_MD5 (1)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Pseudo-random Function (PRF) (2)
Transform ID: PRF_AES128_CBC (4)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Pseudo-random Function (PRF) (2)
Transform ID: RESERVED TO IANA (5)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Pseudo-random Function (PRF) (2)
Transform ID: RESERVED TO IANA (6)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Pseudo-random Function (PRF) (2)
Transform ID: RESERVED TO IANA (7)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Integrity Algorithm (INTEG) (3)
Transform ID: AUTH_HMAC_SHA1_96 (2)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Integrity Algorithm (INTEG) (3)
Transform ID: AUTH_HMAC_MD5_96 (1)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Integrity Algorithm (INTEG) (3)
Transform ID: AUTH_AES_XCBC_96 (5)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Integrity Algorithm (INTEG) (3)
Transform ID: UNKNOWN-INTEGRITY-ALG (12)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Integrity Algorithm (INTEG) (3)
Transform ID: UNKNOWN-INTEGRITY-ALG (13)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Integrity Algorithm (INTEG) (3)
Transform ID: UNKNOWN-INTEGRITY-ALG (14)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Diffie-Hellman Group (D-H) (4)
Transform ID: Group 2 - 1024 Bit MODP (2)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Diffie-Hellman Group (D-H) (4)
Transform ID: Group 1 - 768 Bit MODP (1)
Transform payload
Next payload: Transform (3)
0... .... = Not critical
Payload length: 8
Transform type: Diffie-Hellman Group (D-H) (4)
Transform ID: group 5 - 1536 Bit MODP (5)
Transform payload
Next payload: NONE (0)
0... .... = Not critical
Payload length: 8
Transform type: Diffie-Hellman Group (D-H) (4)
Transform ID: 2048-bit MODP Group (14)
Key Exchange payload
Next payload: Nonce (40)
0... .... = Not critical
Payload length: 136
DH Group #: 2
Key Exchange Data (128 bytes / 1024 bits)
Nonce payload
Next payload: NONE (0)
0... .... = Not critical
Payload length: 20
(2) Strongswan's IKE_SA_INIT Response:
Internet Security Association and Key Management Protocol
Initiator cookie: 1F430BAD77C0E391
Responder cookie: 0000000000000000
Next payload: Notification (41)
Version: 2.0
Exchange type: IKE_SA_INIT (34)
Flags: 0x20
.... 0... = Responder
...0 .... =
..1. .... = Response
Message ID: 0x00000000
Length: 38
Notification payload
Next payload: NONE (0)
0... .... = Not critical
Payload length: 10
Protocol ID: RESERVED (0)
SPI Size: 0
Message type: INVALID_KE_PAYLOAD (17)
Notification Data
(3) Strongswan's ipsec.conf file:
config setup
plutostart=no
# dmn 4, mgr 4, chd 4, job 4, knl 4, net 4, lib 4
charondebug="ike 4, cfg 4, net 4, enc 4"
conn Mocana_IPv4
type=tunnel
left=172.29.4.2
leftsubnet=0.0.0.0/0
right=172.29.4.1
rightsubnet=0.0.0.0/0
auth=esp
authby=secret
keyexchange=ikev2
ike="aes128-aes256-sha1-modp1024-modp1536-modp2048,3des-sha1-md5-modp1024"
mobike=no
auto=add
(4) Strongswan full log:
-bash-3.2# ipsec start --nofork --debug-all
Starting strongSwan 4.4.0 IPsec [starter]...
no default route - cannot cope with %defaultroute!!!
| Loading config setup
| plutostart=no
| charondebug=dmn -1, mgr -1, ike 4, chd 4, job 4, cfg -1, knl -1, net 4, enc
-1, lib 4
| Loading conn 'Mocana_IPv4'
| type=tunnel
| left=172.29.4.2
| leftsubnet=0.0.0.0/0
| right=172.29.4.1
| rightsubnet=0.0.0.0/0
| auth=esp
| authby=secret
| keyexchange=ikev2
| ike=aes128-aes256-sha1-modp1024-modp1536-modp2048,3des-sha1-md5-modp1024
| mobike=no
| auto=add
| Found netkey IPsec stack
| Attempting to start charon...
00[LIB] plugin 'aes': loaded successfully
00[LIB] plugin 'des': loaded successfully
00[LIB] plugin 'sha1': loaded successfully
00[LIB] plugin 'sha2': loaded successfully
00[LIB] plugin 'md5': loaded successfully
00[LIB] plugin 'random': loaded successfully
00[LIB] plugin 'x509': loaded successfully
00[LIB] plugin 'pubkey': loaded successfully
00[LIB] plugin 'pkcs1': loaded successfully
00[LIB] plugin 'pgp': loaded successfully
00[LIB] plugin 'dnskey': loaded successfully
00[LIB] plugin 'pem': loaded successfully
00[LIB] plugin 'fips-prf': loaded successfully
00[LIB] plugin 'xcbc': loaded successfully
00[LIB] plugin 'hmac': loaded successfully
00[LIB] plugin 'attr': loaded successfully
00[LIB] plugin 'kernel-netlink': loaded successfully
00[NET] unable to create raw socket: Address family not supported by protocol
00[NET] could not open IPv6 receive socket, IPv6 disabled
00[LIB] plugin 'socket-raw': loaded successfully
00[LIB] plugin 'stroke': loaded successfully
00[LIB] plugin 'updown': loaded successfully
00[LIB] plugin 'resolve': loaded successfully
00[JOB] spawning 16 worker threads
16[JOB] started worker thread, ID: 16
16[JOB] no events, waiting
01[JOB] started worker thread, ID: 1
02[JOB] started worker thread, ID: 2
03[JOB] started worker thread, ID: 3
04[JOB] started worker thread, ID: 4
05[JOB] started worker thread, ID: 5
05[NET] waiting for data on raw sockets
06[JOB] started worker thread, ID: 6
charon (1827) started after 20 ms
07[JOB] started worker thread, ID: 7
08[JOB] started worker thread, ID: 8
09[JOB] started worker thread, ID: 9
10[JOB] started worker thread, ID: 10
11[JOB] started worker thread, ID: 11
12[JOB] started worker thread, ID: 12
13[JOB] started worker thread, ID: 13
14[JOB] started worker thread, ID: 14
15[JOB] started worker thread, ID: 15
05[NET] received IPv4 packet => 396 bytes @ 0x4a85b66c
05[NET] 0: 45 00 01 8C 00 00 00 00 40 11 19 24 AC 1D 04 01 E....... at ..$....
05[NET] 16: AC 1D 04 02 01 F4 01 F4 01 78 00 00 00 FF D6 18 .........x......
05[NET] 32: 39 FD 87 9A 00 00 00 00 00 00 00 00 21 20 22 08 9...........! ".
05[NET] 48: 00 00 00 00 00 00 01 70 22 00 00 B8 00 00 00 B4 .......p".......
05[NET] 64: 01 01 00 14 03 00 00 08 01 00 00 03 03 00 00 0C ................
05[NET] 80: 01 00 00 0C 80 0E 00 80 03 00 00 0C 01 00 00 0C ................
05[NET] 96: 80 0E 00 C0 03 00 00 0C 01 00 00 0C 80 0E 01 00 ................
05[NET] 112: 03 00 00 08 02 00 00 02 03 00 00 08 02 00 00 01 ................
05[NET] 128: 03 00 00 08 02 00 00 04 03 00 00 08 02 00 00 05 ................
05[NET] 144: 03 00 00 08 02 00 00 06 03 00 00 08 02 00 00 07 ................
05[NET] 160: 03 00 00 08 03 00 00 02 03 00 00 08 03 00 00 01 ................
05[NET] 176: 03 00 00 08 03 00 00 05 03 00 00 08 03 00 00 0C ................
05[NET] 192: 03 00 00 08 03 00 00 0D 03 00 00 08 03 00 00 0E ................
05[NET] 208: 03 00 00 08 04 00 00 02 03 00 00 08 04 00 00 01 ................
05[NET] 224: 03 00 00 08 04 00 00 05 00 00 00 08 04 00 00 0E ................
05[NET] 240: 28 00 00 88 00 02 00 00 8E AD 84 43 C2 D3 70 4E (..........C..pN
05[NET] 256: BD FD 64 58 10 8F 40 26 FC 82 E7 FE C0 F0 C6 16 ..dX..@&........
05[NET] 272: 55 8B C2 42 53 00 91 74 16 C0 5B 2C A0 07 47 54 U..BS..t..[,..GT
05[NET] 288: A4 35 60 CD 7E AA CF AB 38 5D A8 ED F9 45 6A 9E .5`.~...8]...Ej.
05[NET] 304: 1A F3 6A C0 47 94 5D 6F 5A ED FA D0 03 4D AA CA ..j.G.]oZ....M..
05[NET] 320: 78 59 BD 2E AE E9 1B A1 5A 89 E2 8E 67 39 F4 1B xY......Z...g9..
05[NET] 336: B4 AE A9 75 9D 2D 2B DA 4F 8B 28 AF BB B1 31 AC ...u.-+.O.(...1.
05[NET] 352: EE 18 A2 58 4B 6D 91 40 63 A1 E7 62 45 60 48 96 ...XKm. at c..bE`H.
05[NET] 368: A4 5C 94 85 72 6B 6D 5F 00 00 00 14 8F E6 20 94 .\..rkm_...... .
05[NET] 384: 67 DE 0F 74 A5 68 90 79 48 B9 C8 6C g..t.h.yH..l
05[NET] received packet: from 172.29.4.1[500] to 172.29.4.2[500]
05[NET] waiting for data on raw sockets
06[NET] received packet: from 172.29.4.1[500] to 172.29.4.2[500]
06[IKE] 172.29.4.1 is initiating an IKE_SA
06[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
06[IKE] natd_chunk => 22 bytes @ 0x100552b8
06[IKE] 0: 00 FF D6 18 39 FD 87 9A 00 00 00 00 00 00 00 00 ....9...........
06[IKE] 16: AC 1D 04 02 01 F4 ......
06[IKE] natd_hash => 20 bytes @ 0x10054e88
06[IKE] 0: 10 8E 39 22 4A A4 73 DC 29 F3 B2 62 1A 29 3C 8E ..9"J.s.)..b.)<.
06[IKE] 16: C0 65 68 FB .eh.
06[IKE] natd_chunk => 22 bytes @ 0x100552b8
06[IKE] 0: 00 FF D6 18 39 FD 87 9A 00 00 00 00 00 00 00 00 ....9...........
06[IKE] 16: AC 1D 04 01 01 F4 ......
06[IKE] natd_hash => 20 bytes @ 0x10055a88
06[IKE] 0: 3F 53 BF B6 2C F5 83 DF 88 3B 13 DF 7B 56 01 3B ?S..,....;..{V.;
06[IKE] 16: 0F EC 9A 72 ...r
06[IKE] precalculated src_hash => 20 bytes @ 0x10055a88
06[IKE] 0: 3F 53 BF B6 2C F5 83 DF 88 3B 13 DF 7B 56 01 3B ?S..,....;..{V.;
06[IKE] 16: 0F EC 9A 72 ...r
06[IKE] precalculated dst_hash => 20 bytes @ 0x10054e88
06[IKE] 0: 10 8E 39 22 4A A4 73 DC 29 F3 B2 62 1A 29 3C 8E ..9"J.s.)..b.)<.
06[IKE] 16: C0 65 68 FB .eh.
06[IKE] DH group MODP_1024 inacceptable, requesting MODP_1024
06[NET] sending packet: from 172.29.4.2[500] to 172.29.4.1[500]
06[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
16[JOB] next event in 29s 999ms, waiting
04[NET] sending packet: from 172.29.4.2[500] to 172.29.4.1[500]
More information about the Users
mailing list