[strongSwan] strongswan 4.3.6 IKEv1 not working for 3des-sha1

Andreas Steffen andreas.steffen at strongswan.org
Wed Nov 17 11:54:59 CET 2010


Hi Anand,

I doubt that you are running strongSwan 4.3.6 on both sides
because the peer sends some Vendor IDs which pluto does not
recognize ;-)

Pluto cannot decrypt the first encrypted IKE message. This
usually means that either the Pre-Shared Secrets configured
by each side are not equal (you write that you successfully tested
the same setup using AES, though) or the peer side does not
implement 3DES or the key derivation correctly.

Regards

Andreas

On 17.11.2010 10:25, anand rao wrote:
> Hi,
> 
>    I am trying to establish a tunnel in transport mode between two hosts. I am
> using strongswan 4.3.6 on both sides.
> When I use the default configuration or the AES algorithm, the tunnel establishes
> successfully.
> But if I use the 3des algorithm (ike=3des-sha1-modp1536) I get the following
> errors.
> 
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | *received 232 bytes from 1.1.1.2:500 on eth0
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: ignoring Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: received Vendor ID payload [XAUTH]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: received Vendor ID payload [Dead Peer Detection]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: ignoring Vendor ID payload [4a131c81070358455c5728f20e95452f]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | preparse_isakmp_policy: peer requests PSK authentication
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | creating state object #1 at 0x939c8
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 88 0e c3
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 d1 98 03
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: "example" #1: responding to Main Mode
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: |
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | *received 244 bytes from 1.1.1.2:500 on eth0
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 88 0e c3
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 d1 98 03
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | state object #1 found, in STATE_MAIN_R1
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: |
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | *received 68 bytes from 1.1.1.2:500 on eth0
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 88 0e c3
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 d1 98 03
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state object #1 found, in STATE_MAIN_R2
> Nov 17 14:40:22 (none) authpriv.warn pluto[8536]: "example" #1: Peer ID is ID_IPV4_ADDR: '1.1.1.2'
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | peer CA:      %none
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | current connection is a full match -- no need to look further
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | offered CA:   %none
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | inserting event EVENT_SA_REPLACE, timeout in 3510 seconds for #1
> Nov 17 14:40:22 (none) authpriv.warn pluto[8536]: "example" #1: sent MR3, ISAKMP SA established
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | next event EVENT_SA_REPLACE in 3510 seconds for #1
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: |
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | *received 124 bytes from 1.1.1.2:500 on eth0
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 88 0e c3
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 d1 98 03
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state object not found
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 88 0e c3
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 d1 98 03
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state object #1 found, in STATE_MAIN_R3
> Nov 17 14:40:22 (none) authpriv.warn pluto[8536]: "example" #1: next payload type of ISAKMP Hash Payload has an unknown value: 54
> Nov 17 14:40:22 (none) authpriv.warn pluto[8536]: "example" #1: malformed payload in packet
> Nov 17 14:40:22 (none) authpriv.warn pluto[8536]: "example" #1: sending encrypted notification PAYLOAD_MALFORMED to 1.1.1.2:500
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | next event EVENT_SA_REPLACE in 3510 seconds for #1
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: |
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | *received 124 bytes from 1.1.1.2:500 on eth0
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 88 0e c3
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 d1 98 03
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | state object not found
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 88 0e c3
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 d1 98 03
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | state object #1 found, in STATE_MAIN_R3
> Nov 17 14:40:32 (none) authpriv.warn pluto[8536]: "example" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x7e1eb13a (perhaps this is a duplicated packet)
> Nov 17 14:40:32 (none) authpriv.warn pluto[8536]: "example" #1: sending encrypted notification INVALID_MESSAGE_ID to 1.1.1.2:500
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | next event EVENT_SA_REPLACE in 3500 seconds for #1
> Nov 17 14:40:38 (none) cron.warn crond[4854]: time disparity of 21500077 minutes detected
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: |
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | *received 124 bytes from 1.1.1.2:500 on eth0
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 88 0e c3
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 d1 98 03
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | state object not found
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 88 0e c3
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 d1 98 03
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | state object #1 found, in STATE_MAIN_R3
> Nov 17 14:40:52 (none) authpriv.warn pluto[8536]: "example" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x7e1eb13a (perhaps this is a duplicated packet)
> Nov 17 14:40:52 (none) authpriv.warn pluto[8536]: "example" #1: sending encrypted notification INVALID_MESSAGE_ID to 1.1.1.2:500
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | next event EVENT_SA_REPLACE in 3480 seconds for #1
> 
> From the log I couldn't understand anything. Please help.
> 
> Thanks
> -Anand

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
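Andreas names two candidates: unequal pre-shared secrets, or a peer that does not implement 3DES or the key derivation correctly. The derivation he refers to is the one in RFC 2409: SKEYID = prf(PSK, Ni_b | Nr_b), then SKEYID_d, SKEYID_a and SKEYID_e as chained prf calls, and, where the cipher key is longer than one prf output, the Appendix B expansion Ka = K1 | K2 | ... with K1 = prf(SKEYID_e, 0). With SHA-1 the prf output is 20 bytes, so a 128-bit AES key is covered by SKEYID_e directly while the 24-byte 3DES key is the first one that exercises the expansion. The Python below is an added illustration written for this thread, not strongSwan or pluto code: it runs both sides through the derivation on constructed nonces, DH secret and PSKs (only the cookies are taken from the quoted log) and compares a correct peer with a hypothetical peer that skips the expansion. That faulty peer and the assumed 128-bit AES key size are assumptions of the example, not facts from the thread.

```python
"""IKEv1 pre-shared-key key derivation with the RFC 2409 Appendix B
key expansion that a 3DES (24-byte key) proposal needs when the
negotiated hash is SHA-1 (20-byte prf output).

Added illustration for this thread; not strongSwan/pluto code.
Nonces, the DH shared secret and the PSKs are constructed sample
values; the cookies are the ICOOKIE/RCOOKIE quoted in Anand's log.
"""
import hashlib
import hmac

HASH = hashlib.sha1          # the "sha1" in ike=3des-sha1-modp1536
AES128_KEY_LEN = 16          # assumed key size of the working AES proposal
TDES_KEY_LEN = 24            # 3DES: three 8-byte DES keys


def ikev1_prf(key: bytes, data: bytes) -> bytes:
    """prf = HMAC of the negotiated hash (RFC 2409, section 3.2)."""
    return hmac.new(key, data, HASH).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared key authentication: prf(PSK, Ni_b | Nr_b)."""
    return ikev1_prf(psk, ni_b + nr_b)


def derive_skeyids(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a, SKEYID_e as chained prf calls (RFC 2409, section 5)."""
    skeyid_d = ikev1_prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = ikev1_prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = ikev1_prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def expand_key(skeyid_e: bytes, key_len: int) -> bytes:
    """Encryption key Ka per RFC 2409 Appendix B.

    If SKEYID_e already holds key_len bytes, Ka is its leading bytes.
    Otherwise Ka = K1 | K2 | ... with K1 = prf(SKEYID_e, 0x00),
    K2 = prf(SKEYID_e, K1), ..., truncated to key_len.
    """
    if len(skeyid_e) >= key_len:
        return skeyid_e[:key_len]
    blocks = [ikev1_prf(skeyid_e, b"\x00")]
    while sum(len(b) for b in blocks) < key_len:
        blocks.append(ikev1_prf(skeyid_e, blocks[-1]))
    return b"".join(blocks)[:key_len]


def expand_key_no_appendix_b(skeyid_e: bytes, key_len: int) -> bytes:
    """Hypothetical faulty peer (constructed for illustration): it never
    runs the Appendix B expansion and zero-pads SKEYID_e instead.  This
    agrees with a correct peer for 16-byte keys but not for 24-byte ones."""
    return (skeyid_e + b"\x00" * key_len)[:key_len]


def phase1_enc_key(psk, ni_b, nr_b, g_xy, cky_i, cky_r, key_len, expand=expand_key):
    """Everything one side computes from the public exchange plus its PSK."""
    skeyid = skeyid_psk(psk, ni_b, nr_b)
    _, _, skeyid_e = derive_skeyids(skeyid, g_xy, cky_i, cky_r)
    return expand(skeyid_e, key_len)


# Constructed public values of one Main Mode exchange (cookies from the quoted log).
EXCHANGE = dict(
    ni_b=bytes(range(16)),
    nr_b=bytes(range(16, 32)),
    g_xy=hashlib.sha256(b"constructed DH shared secret").digest() * 6,  # 192 bytes = modp1536
    cky_i=bytes.fromhex("5c2cbff7e4880ec3"),
    cky_r=bytes.fromhex("6bbb02cc01d19803"),
)


def peers_agree(psk_a: bytes, psk_b: bytes, key_len: int, peer_b_expand=expand_key) -> bool:
    """True when both sides end up with the same Phase 1 encryption key."""
    ka = phase1_enc_key(psk_a, key_len=key_len, **EXCHANGE)
    kb = phase1_enc_key(psk_b, key_len=key_len, expand=peer_b_expand, **EXCHANGE)
    return hmac.compare_digest(ka, kb)


if __name__ == "__main__":
    psk = b"constructed-shared-secret"
    cases = [
        ("same PSK, AES-128, both correct    ", peers_agree(psk, psk, AES128_KEY_LEN)),
        ("same PSK, 3DES, both correct       ", peers_agree(psk, psk, TDES_KEY_LEN)),
        ("PSK mismatch, 3DES                 ", peers_agree(psk, b"other", TDES_KEY_LEN)),
        ("same PSK, AES-128, peer skips App B", peers_agree(psk, psk, AES128_KEY_LEN, expand_key_no_appendix_b)),
        ("same PSK, 3DES, peer skips App B   ", peers_agree(psk, psk, TDES_KEY_LEN, expand_key_no_appendix_b)),
    ]
    for label, result in cases:
        print(f"{label}: {'keys match' if result else 'keys differ'}")
```

The last two cases are the point of the exercise: the hypothetical peer agrees with a correct implementation for a 16-byte key and disagrees for a 24-byte one, which is the "AES works, 3DES fails" pattern from the report. A PSK mismatch, by contrast, breaks every cipher alike. Whether the real peer's defect is in the expansion, in the cipher, or somewhere else cannot be decided from this log alone; the example only shows why the two proposals can behave differently with the same secret.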