[strongSwan] strongswan 4.3.6 IKEv1 not working for 3des-sha1

anand rao anandrao_me at yahoo.co.in
Wed Nov 17 12:22:39 CET 2010


Hi Andreas,

   I am running strongSwan 4.3.6 on both sides.
The output of ipsec --version on both hosts shows same version

root at OpenWrt:/# ipsec --version
Linux strongSwan U4.3.6/K2.6.33.5

output of ipsec listalgs

root at OpenWrt:/# ipsec listalgs
000
000 List of registered IKEv1 Algorithms:
000
000   encryption: BLOWFISH_CBC 3DES_CBC AES_CBC CAMELLIA_CBC
000   integrity:  HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
000   dh-group:   MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096 MODP_6144 
MODP_8192 ECP_256 ECP_384 ECP_521 ECP_192 ECP_224
000
000 List of registered ESP Algorithms:
000
000   encryption: DES_CBC 3DES_CBC NULL AES_CBC AES_CCM_8 AES_CCM_12 AES_CCM_16 
AES_GCM_8 AES_GCM_12 AES_GCM_16
000   integrity:  HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 NULL HMAC_SHA2_256_96

List of registered IKEv2 Algorithms:

  encryption: BLOWFISH_CBC AES_CBC CAMELLIA_CBC 3DES_CBC RC5_CBC IDEA_CBC 
CAST_CBC DES_CBC DES_ECB NULL
  integrity:  AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160 
HMAC_SHA2_256_128 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192 HMAC_SHA2_512_256
  hasher:     HASH_SHA1 HASH_MD2 HASH_MD4 HASH_MD5 HASH_SHA224 HASH_SHA256 
HASH_SHA384 HASH_SHA512
  prf:        PRF_AES128_XCBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 
PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512
  dh-group:   MODP_2048 MODP_1536 ECP_256 ECP_384 ECP_521 ECP_224 ECP_192 
MODP_3072 MODP_4096 MODP_6144 MODP_8192 MODP_1024 MODP_768


output confirms that both sides are loaded with 3DES_CBC.

pre-shared secret configured  on both hosts is same. The same setup works for 
AES.

Same setup works perfectly for IKEv2 even for 3DES :(
I am facing issues only for IKEv1.

Thanks
-Anand



----- Original Message ----
From: Andreas Steffen <andreas.steffen at strongswan.org>
To: anand rao <anandrao_me at yahoo.co.in>
Cc: users at lists.strongswan.org
Sent: Wed, November 17, 2010 4:24:59 PM
Subject: Re: [strongSwan] strongswan 4.3.6 IKEv1 not working for 3des-sha1

Hi Anand,

I doubt that you are running strongSwan 4.3.6 on both sides
because the peer sends some Vendor IDs which pluto does not
recognize ;-)

Pluto cannot decrypt the first encrypted IKE message. This
usually means that either the Pre-Shared Secrets configured
by each side are not equal (you write that you successfully tested
the same setup using AES, though) or the peer side does not
implement 3DES or the key derivation correctly.

Regards

Andreas

On 17.11.2010 10:25, anand rao wrote:
> Hi,
> 
>    I am trying to establish tunnel in transport mode between two hosts. I am 
> using strongswan 4.3.6 on both sides.
> when I use default configuration or AES algorithm, tunnel establishes 
> successfully.
> But if I use 3des algorithm (ike=3des-sha1-modp1536) I am getting following 
> errors.
> 
> 
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | *received 232 bytes from 
> 1.1.1.2:500 on eth0
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: 
> ignoring Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: 
> received Vendor ID payload [XAUTH]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: 
> received Vendor ID payload [Dead Peer Detection]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: 
> ignoring Vendor ID payload [4a131c81070358455c5728f20e95452f]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: 
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: 
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: 
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: packet from 1.1.1.2:500: 
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | preparse_isakmp_policy: 
> peer requests PSK authentication
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | creating state object #1 
>at 
>
> 0x939c8
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 

> 88 0e c3
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 

> d1 98 03
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | inserting event 
> EVENT_SO_DISCARD, timeout in 0 seconds for #1
> Nov 17 14:40:21 (none) authpriv.warn pluto[8536]: "example" #1: responding to 
> Main Mode
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | inserting event 
> EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | next event 
>EVENT_RETRANSMIT 
>
> in 10 seconds for #1
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: |
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | *received 244 bytes from 
> 1.1.1.2:500 on eth0
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 

> 88 0e c3
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 

> d1 98 03
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:21 (none) authpriv.debug pluto[8536]: | state object #1 found, in 

> STATE_MAIN_R1
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | inserting event 
> EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | next event 
>EVENT_RETRANSMIT 
>
> in 10 seconds for #1
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: |
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | *received 68 bytes from 
> 1.1.1.2:500 on eth0
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 

> 88 0e c3
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 

> d1 98 03
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state object #1 found, in 

> STATE_MAIN_R2
> Nov 17 14:40:22 (none) authpriv.warn pluto[8536]: "example" #1: Peer ID is 
> ID_IPV4_ADDR: '1.1.1.2'
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | peer CA:      %none
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | current connection is a 
> full match -- no need to look further
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | offered CA:   %none
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | inserting event 
> EVENT_SA_REPLACE, timeout in 3510 seconds for #1
> Nov 17 14:40:22 (none) authpriv.warn pluto[8536]: "example" #1: sent MR3, 
>ISAKMP 
>
> SA established
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | next event 
>EVENT_SA_REPLACE 
>
> in 3510 seconds for #1
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: |
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | *received 124 bytes from 
> 1.1.1.2:500 on eth0
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 

> 88 0e c3
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 

> d1 98 03
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state object not found
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 

> 88 0e c3
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 

> d1 98 03
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | state object #1 found, in 

> STATE_MAIN_R3
> Nov 17 14:40:22 (none) authpriv.warn pluto[8536]: "example" #1: next payload 
> type of ISAKMP Hash Payload has an unknown value: 54
> Nov 17 14:40:22 (none) authpriv.warn pluto[8536]: "example" #1: malformed 
> payload in packet
> Nov 17 14:40:22 (none) authpriv.warn pluto[8536]: "example" #1: sending 
> encrypted notification PAYLOAD_MALFORMED to 1.1.1.2:500
> Nov 17 14:40:22 (none) authpriv.debug pluto[8536]: | next event 
>EVENT_SA_REPLACE 
>
> in 3510 seconds for #1
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: |
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | *received 124 bytes from 
> 1.1.1.2:500 on eth0
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 

> 88 0e c3
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 

> d1 98 03
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | state object not found
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 

> 88 0e c3
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 

> d1 98 03
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | state object #1 found, in 

> STATE_MAIN_R3
> Nov 17 14:40:32 (none) authpriv.warn pluto[8536]: "example" #1: Quick Mode I1 
> message is unacceptable because it uses a previously used Message ID 0x7e1eb13a 
>
> (perhaps this is a duplicated packet)
> Nov 17 14:40:32 (none) authpriv.warn pluto[8536]: "example" #1: sending 
> encrypted notification INVALID_MESSAGE_ID to 1.1.1.2:500
> Nov 17 14:40:32 (none) authpriv.debug pluto[8536]: | next event 
>EVENT_SA_REPLACE 
>
> in 3500 seconds for #1
> Nov 17 14:40:38 (none) cron.warn crond[4854]: time disparity of 21500077 
>minutes 
>
> detected
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: |
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | *received 124 bytes from 
> 1.1.1.2:500 on eth0
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 

> 88 0e c3
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 

> d1 98 03
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | state object not found
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | ICOOKIE:  5c 2c bf f7  e4 

> 88 0e c3
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | RCOOKIE:  6b bb 02 cc  01 

> d1 98 03
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | peer:  01 01 01 02
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | state hash entry 27
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | state object #1 found, in 

> STATE_MAIN_R3
> Nov 17 14:40:52 (none) authpriv.warn pluto[8536]: "example" #1: Quick Mode I1 
> message is unacceptable because it uses a previously used Message ID 0x7e1eb13a 
>
> (perhaps this is a duplicated packet)
> Nov 17 14:40:52 (none) authpriv.warn pluto[8536]: "example" #1: sending 
> encrypted notification INVALID_MESSAGE_ID to 1.1.1.2:500
> Nov 17 14:40:52 (none) authpriv.debug pluto[8536]: | next event 
>EVENT_SA_REPLACE 
>
> in 3480 seconds for #1
> 
>>From the log I couldn't able to understand anything. Please help.
> 
> Thanks
> -Anand

======================================================================
Andreas Steffen                        andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==



      




More information about the Users mailing list