[strongSwan] non-zero reserved fields in IKE_AUTH response.
Richard Knight
rjknight at us.ibm.com
Tue Jun 29 15:01:26 CEST 2010
Martin, Thanks for the reply.
I actually did not make any changes to the IKE_SA_INIT packet, I only
changed the reserved fields in the IKE_AUTH message.
Jamie Knight (rjknight at us.ibm.com)
IBM Power Firmware Development
(512) 286-7017 (t/l 386-7017)
office 045/2A-01
IBM Austin, TX
From: Martin Willi <martin at strongswan.org>
To: Richard Knight/Austin/IBM at IBMUS
Cc: users at lists.strongswan.org
Date: 06/29/2010 02:53 AM
Subject: Re: [strongSwan] non-zero reserved fields in IKE_AUTH response.
Hi Richard,
> Could someone point me to where the calculation would start and end in
the
> message below?
Start with the IKE_SA SPIs of the IKE_SA_INIT (_not_ the IKE_AUTH seen
here!):
> | | | IKE_SA Initiator's SPI = c3dfaad709d6bd4b
> | | | IKE_SA Responder's SPI = fd546d59933dbe69
> | | | Next Payload = 46 (E)
> | | | Major Version = 2
> | | | Minor Version = 0
> | | | Exchange Type = 35 (IKE_AUTH)
> | | | Flags = 73 (0b01001001)
> | | | | Reserved (XX000000) = 64
> | | | | Response (00R00000) = 0
> | | | | Version (000V0000) = 0
> | | | | Initiator (0000I000) = 1
> | | | | Reserved (00000XXX) = 1
And include all further bytes of the message. Append the nonce of the
other IKE_SA_INIT packet, and prf(Sk_px, IDx').
> 09[IKE] authentication of '2001:db8:1:1::1234' (myself) with pre-shared
key
> 09[IKE] octets = message + nonce + prf(Sk_px, IDx') => 342 bytes @
0x100636b0
> 09[IKE] 0: CF B9 0A AB 05 DB A9 95 C7 FE 12 99 E1 E9 AD
B7 ................
> 09[IKE] 16: 21 20 22 20
0x22 is IKE_SA_INIT, starting with a SECURITY_ASSOCIATION payload
(0x21).
Flags is 0x20, meaning the responder flag is set only. Did you set other
reserved flags in the IKE_SA_INIT message?
Regards
Martin
More information about the Users
mailing list