[strongSwan] non-zero reserved fields in IKE_AUTH response.
Richard Knight
rjknight at us.ibm.com
Tue Jun 29 21:55:21 CEST 2010
Hi Tobias,
The trace file is below.
(See attached file: syslog.txt)
01[CFG] loading control interface modules from
'/usr/lib/ipsec/plugins/interfaces'
01[CFG] loading backend modules from '/usr/lib/ipsec/plugins/backends'
01[KNL] eth0
01[KNL] eth1
01[KNL] 2001:db8:1:1::1234
01[JOB] spawning 16 worker threads
05[CFG] added configuration 'host-host': 2001:db8:1:1::1234
[2001:db8:1:1::1234]...2001:db8:f:1::1[2001:db8:f:1::1]
06[CFG] received stroke: route 'host-host'
04[ENC] parsing HEADER payload, 456 bytes left
04[ENC] parsing payload from => 456 bytes @ 0x1005e270
04[ENC] parsing rule 10 FLAG
04[ENC] parsing rule 11 RESERVED_BIT
04[ENC] parsing rule 12 RESERVED_BIT
04[ENC] parsing rule 13 RESERVED_BIT
04[ENC] parsing rule 14 U_INT_32
10[ENC] parsing body of message, first payload is SECURITY_ASSOCIATION
10[ENC] parsing payload from => 428 bytes @ 0x1005e28c
10[ENC] 40 bytes left, parsing recursively PROPOSAL_SUBSTRUCTURE
10[ENC] parsing payload from => 424 bytes @ 0x1005e290
10[ENC] parsing rule 1 RESERVED_BYTE
10[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 416 bytes left
10[ENC] parsing payload from => 416 bytes @ 0x1005e298
10[ENC] parsing rule 1 RESERVED_BYTE
10[ENC] parsing rule 4 RESERVED_BYTE
10[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 408 bytes left
10[ENC] parsing payload from => 408 bytes @ 0x1005e2a0
10[ENC] parsing rule 1 RESERVED_BYTE
10[ENC] parsing rule 4 RESERVED_BYTE
10[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 400 bytes left
10[ENC] parsing payload from => 400 bytes @ 0x1005e2a8
10[ENC] parsing rule 1 RESERVED_BYTE
10[ENC] parsing rule 4 RESERVED_BYTE
10[ENC] 8 bytes left, parsing recursively TRANSFORM_SUBSTRUCTURE
10[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 392 bytes left
10[ENC] parsing payload from => 392 bytes @ 0x1005e2b0
10[ENC] parsing rule 1 RESERVED_BYTE
10[ENC] parsing rule 4 RESERVED_BYTE
10[ENC] parsing PROPOSAL_SUBSTRUCTURE payload finished
10[ENC] verifying payload of type SECURITY_ASSOCIATION
10[ENC] parsing payload from => 384 bytes @ 0x1005e2b8
10[ENC] parsing rule 10 U_INT_16
10[ENC] verifying payload of type KEY_EXCHANGE
10[ENC] parsing payload from => 248 bytes @ 0x1005e340
10[ENC] parsing NONCE payload finished
10[ENC] NONCE payload verified. Adding to payload list
10[ENC] found payload of type SECURITY_ASSOCIATION
10[ENC] found payload of type KEY_EXCHANGE
10[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
10[ENC] added payload of type NONCE to message
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
10[ENC] generating rule 15 HEADER_LENGTH
10[ENC] generating HEADER payload finished
10[ENC] generating rule 9 PAYLOAD_LENGTH
10[ENC] generating rule 10 PROPOSALS
10[ENC] generating rule 2 PAYLOAD_LENGTH
10[ENC] generating rule 8 TRANSFORMS
10[ENC] generating rule 2 PAYLOAD_LENGTH
10[ENC] generating TRANSFORM_SUBSTRUCTURE payload finished
10[ENC] generating rule 2 PAYLOAD_LENGTH
10[ENC] generating TRANSFORM_SUBSTRUCTURE payload finished
10[ENC] generating rule 2 PAYLOAD_LENGTH
10[ENC] generating TRANSFORM_SUBSTRUCTURE payload finished
10[ENC] generating rule 2 PAYLOAD_LENGTH
10[ENC] generating TRANSFORM_SUBSTRUCTURE payload finished
10[ENC] generating rule 9 PAYLOAD_LENGTH
10[ENC] generating rule 11 RESERVED_BYTE
10[ENC] generating rule 12 RESERVED_BYTE
10[ENC] generating rule 13 KEY_EXCHANGE_DATA
10[ENC] generating rule 9 PAYLOAD_LENGTH
10[ENC] => => 16 bytes @ 0x100622b0
10[ENC] generating payload of type CERTIFICATE_REQUEST
10[ENC] generating rule 9 PAYLOAD_LENGTH
10[ENC] => => 20 bytes @ 0x100617e8
10[ENC] generated data of this generator => 253 bytes @ 0x10061b88
10[ENC] message generated successfully
04[ENC] parsing HEADER payload, 252 bytes left
04[ENC] parsing payload from => 252 bytes @ 0x10063128
04[ENC] parsing rule 10 FLAG
04[ENC] parsing rule 11 RESERVED_BIT
04[ENC] parsing rule 12 RESERVED_BIT
04[ENC] parsing rule 13 RESERVED_BIT
04[ENC] parsing rule 14 U_INT_32
11[ENC] parsing payload from => 224 bytes @ 0x10063144
11[ENC] parsing ENCRYPTED payload finished
11[ENC] ENCRYPTED payload verified. Adding to payload list
11[ENC] verify signature of encryption payload
11[ENC] decryption successful, trying to parse content
11[ENC] parsing payload from => 196 bytes @ 0x10061ae8
11[ENC] => => 16 bytes @ 0x100622b0
11[ENC] parsing AUTHENTICATION payload, 172 bytes left
11[ENC] parsing payload from => 172 bytes @ 0x10061b00
11[ENC] => => 20 bytes @ 0x10060bd0
11[ENC] parsing NOTIFY payload, 144 bytes left
11[ENC] parsing payload from => 144 bytes @ 0x10061b1c
11[ENC] parsing rule 11 SPI_SIZE
11[ENC] parsing rule 12 U_INT_16
11[ENC] parsing payload from => 136 bytes @ 0x10061b24
11[ENC] 36 bytes left, parsing recursively PROPOSAL_SUBSTRUCTURE
11[ENC] parsing payload from => 132 bytes @ 0x10061b28
11[ENC] parsing rule 1 RESERVED_BYTE
11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 120 bytes left
11[ENC] parsing payload from => 120 bytes @ 0x10061b34
11[ENC] parsing rule 1 RESERVED_BYTE
11[ENC] parsing rule 4 RESERVED_BYTE
11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 112 bytes left
11[ENC] parsing payload from => 112 bytes @ 0x10061b3c
11[ENC] parsing rule 1 RESERVED_BYTE
11[ENC] parsing rule 4 RESERVED_BYTE
11[ENC] 8 bytes left, parsing recursively TRANSFORM_SUBSTRUCTURE
11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 104 bytes left
11[ENC] parsing payload from => 104 bytes @ 0x10061b44
11[ENC] parsing rule 1 RESERVED_BYTE
11[ENC] parsing rule 4 RESERVED_BYTE
11[ENC] parsing PROPOSAL_SUBSTRUCTURE payload finished
11[ENC] 40 bytes left, parsing recursively TRAFFIC_SELECTOR_SUBSTRUCTURE
11[ENC] => => 16 bytes @ 0x10061e08
11[ENC] => => 16 bytes @ 0x10060670
11[ENC] parsing TRAFFIC_SELECTOR_SUBSTRUCTURE payload finished
11[ENC] 40 bytes left, parsing recursively TRAFFIC_SELECTOR_SUBSTRUCTURE
11[ENC] => => 16 bytes @ 0x1005e460
11[ENC] => => 16 bytes @ 0x10061c60
11[ENC] parsing TRAFFIC_SELECTOR_SUBSTRUCTURE payload finished
11[ENC] insert unencrypted payload of type SECURITY_ASSOCIATION at end of
list
11[ENC] process payload of type AUTHENTICATION
11[ENC] process payload of type NOTIFY
11[ENC] process payload of type TRAFFIC_SELECTOR_INITIATOR
11[ENC] process payload of type TRAFFIC_SELECTOR_RESPONDER
11[ENC] found payload of type ID_INITIATOR
11[ENC] found payload of type SECURITY_ASSOCIATION
11[AUD] authentication of '2001:db8:f:1::1' with pre-shared key failed
11[AUD] authentication of '2001:db8:f:1::1' with pre-shared key failed
11[ENC] generating rule 9 PAYLOAD_LENGTH
11[ENC] generating NOTIFY payload finished
11[ENC] data after encryption => 16 bytes @ 0x10061de8
11[ENC] data after encryption with IV and (invalid) signature => 36 bytes @
0x10063728
11[ENC] added payload of type ENCRYPTED to message
11[ENC] generating rule 15 HEADER_LENGTH
11[ENC] generating HEADER payload finished
11[ENC] generating rule 9 PAYLOAD_LENGTH
11[ENC] => => 36 bytes @ 0x10063728
11[ENC] building signature
11[ENC] message generated successfully
01[LIB] finalizing libcurl
Jamie Knight (rjknight at us.ibm.com)
IBM Power Firmware Development
(512) 286-7017 (t/l 386-7017)
office 045/2A-01
IBM Austin, TX
From: Tobias Brunner <tobias at strongswan.org>
To: Rashmi Narasimhan/Austin/IBM at IBMUS
Cc: Martin Willi <martin at strongswan.org>, Richard Knight/Austin/IBM at IBMUS, users at lists.strongswan.org
Date: 06/29/2010 01:04 PM
Subject: Re: [strongSwan] non-zero reserved fields in IKE_AUTH response.
> If we change the reserved fields to to zero for the same given test-case
> it works fine.
> Would it then be a parse issue?
It could be (the zeroed fields then not affecting the result). It would
really help if you could add "enc 3" to charondebug in ipsec.conf and
rerun the failing test. That would show us how exactly the ID payload
is parsed.
Regards,
Tobias
-------------- next part --------------
A non-text attachment was scrubbed...
Name: syslog.txt
Type: application/octet-stream
Size: 26517 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100629/41e77319/attachment.obj>
More information about the Users
mailing list