[strongSwan] Looking for clarification on charon handling new IKE_SA

gowrishankar gowrishankar.m at linux.vnet.ibm.com
Wed Aug 8 08:08:45 CEST 2012


Hi All,
Please let us know if anyone has thoughts about this problem.

Thanks,
Gowri Shankar

On Monday 30 July 2012 12:21 PM, Kumuda wrote:
> Hi,
>
> In our test setup, the IKE initiator rekeys the IKE_SA using CREATE_CHILD_SA just before
> ike_lifetime expires; the rekey request is successfully received by the responder node
> and a response is sent back.
>
> Initiator has below configuration:
>
>     rekeymargin=20s
>     ikelifetime="60s"
>     keylife="300s"
>     reauth="no"
>
>
> Also, the INFORMATIONAL exchange for the DELETE payload between initiator and responder
> is successfully completed at this time.
>
> Now, the responder sends an INFORMATIONAL request with an Encrypted payload to
> verify the new IKE SA session. The responder also makes sure that new SPIs are used in
> this request. Here, we observe the failure message below in charon.log (Initiator).
>
> Jul 26 01:26:45 12[ENC] parsing ENCRYPTED payload finished
> Jul 26 01:26:45 12[ENC] verifying payload of type ENCRYPTED
> Jul 26 01:26:45 12[ENC] ENCRYPTED payload verified. Adding to payload list
> Jul 26 01:26:45 12[ENC] ENCRYPTED payload found. Stop parsing
> Jul 26 01:26:45 12[ENC] process payload of type ENCRYPTED
> Jul 26 01:26:45 12[ENC] found an encryption payload
> Jul 26 01:26:45 12[ENC] encryption payload decryption:
>
> Jul 26 01:26:45 12[ENC]    0: DD 1A BC AA D5 54 FB E0                          .....T..
> Jul 26 01:26:45 12[ENC] encrypted => 20 bytes @ 0x7f7b3c000bf8
> Jul 26 01:26:45 12[ENC]    0: D0 6D 64 EE F6 1D AA 1E D8 FA CD D5 2D FF DF 74  .md.........-..t
> Jul 26 01:26:45 12[ENC]   16: 10 D5 1C 93                                      ....
> Jul 26 01:26:45 12[ENC] ICV => 12 bytes @ 0x7f7b3c000c00
> Jul 26 01:26:45 12[ENC]    0: D8 FA CD D5 2D FF DF 74 10 D5 1C 93              ....-..t....
> Jul 26 01:26:45 12[ENC] assoc => 32 bytes @ 0x7f7b3c000c70
> Jul 26 01:26:45 12[ENC]    0: A4 27 73 19 9E F2 69 56 E5 F6 D2 48 C2 E9 CD 9E  .'s...iV...H....
> Jul 26 01:26:45 12[ENC]   16: 2E 20 25 00 00 00 00 00 00 00 00 3C 00 00 00 20  . %........<...
> Jul 26 01:26:45 12[LIB] MAC verification failed
> Jul 26 01:26:45 12[ENC] verifying encryption payload integrity failed
> Jul 26 01:26:45 12[ENC] could not decrypt payloads
> Jul 26 01:26:45 12[IKE] integrity check failed
> Jul 26 01:26:45 12[IKE] INFORMATIONAL request with message ID 0 processing failed
> Jul 26 01:26:45 12[MGR] checkin IKE_SA tahi_ikev2_test[2]
> Jul 26 01:26:45 12[MGR] check-in of IKE_SA successful.
> Jul 26 01:26:45 09[NET] waiting for data on raw sockets
>
> What could have gone wrong with the INFORMATIONAL request sent from the responder?
> Please provide some pointers on the above failure.
>
> Thanks and Regards,
> Kumuda G
>
>
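When charon reports "MAC verification failed" on an Encrypted payload, the integrity check covers not only the ciphertext but also the associated data it logs as "assoc": the 28-byte IKE header plus the 4-byte Encrypted payload header. Decoding that block shows exactly which SPIs, exchange type, flags, message ID and lengths the peer used, which is the first thing to compare against the rekeyed IKE_SA on the other side. The following is an added example, not code from the thread or from strongSwan; it parses the assoc dump quoted above and checks that the lengths are consistent, assuming the 8-byte IV and 12-byte ICV shown in the log.

```python
# Added example (not from the thread or strongSwan): decode the associated
# data charon logged before the failed integrity check. Any disagreement in
# these fields, or in the keys derived for the rekeyed IKE_SA, produces the
# same "MAC verification failed" result, so decoding them narrows the search.
import struct

# Constructed from the "assoc => 32 bytes" hex dump in the quoted charon.log.
ASSOC_HEX = (
    "A4 27 73 19 9E F2 69 56 E5 F6 D2 48 C2 E9 CD 9E "
    "2E 20 25 00 00 00 00 00 00 00 00 3C 00 00 00 20"
)

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {0: "NONE", 46: "ENCRYPTED"}  # only the ones needed here


def parse_assoc(hexdump: str) -> dict:
    """Decode the IKE header (28 bytes) + Encrypted payload header (4 bytes)."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    if len(data) != 32:
        raise ValueError("expected 32 bytes of associated data, got %d" % len(data))
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    enc_next, _reserved, enc_len = struct.unpack("!BBH", data[28:32])
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "next_payload": PAYLOAD_TYPES.get(nxt, str(nxt)),
        "version": "%d.%d" % (ver >> 4, ver & 0x0F),
        "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
        "from_initiator": bool(flags & 0x08),  # I flag: set if sent by original initiator
        "is_response": bool(flags & 0x20),     # R flag: set on responses
        "message_id": msg_id, "length": length,
        "encrypted_payload_len": enc_len,
    }


def ciphertext_len(hdr: dict, iv_len: int, icv_len: int) -> int:
    """Ciphertext length implied by the headers; raises if the lengths disagree."""
    if hdr["length"] != 28 + hdr["encrypted_payload_len"]:
        raise ValueError("Encrypted payload length does not match IKE message length")
    ct_len = hdr["encrypted_payload_len"] - 4 - iv_len - icv_len
    if ct_len <= 0:
        raise ValueError("no room for ciphertext after IV and ICV")
    return ct_len


if __name__ == "__main__":
    hdr = parse_assoc(ASSOC_HEX)
    print(hdr)
    # charon's "encrypted => 20 bytes" dump ends with the 12-byte ICV, so the
    # real ciphertext is 8 bytes, which this check recovers from the headers.
    print("ciphertext bytes:", ciphertext_len(hdr, iv_len=8, icv_len=12))
```

For the quoted dump this decodes as an INFORMATIONAL request (I and R flags clear, so sent by the original responder) with message ID 0 and a 60-byte message, matching what the poster describes; if the SPIs printed here are not the pair the initiator installed for the rekeyed IKE_SA, that is the mismatch to chase.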
