[strongSwan] Looking for clarification on charon handling new IKE_SA

Kumuda kumuda at linux.vnet.ibm.com
Mon Jul 30 08:51:12 CEST 2012


Hi,

In our test setup, the IKE initiator rekeys the IKE_SA using CREATE_CHILD_SA just before ikelifetime expires; the rekey request is successfully received by the responder node and a response is sent back.

The initiator has the configuration below:

    rekeymargin=20s
    ikelifetime="60s"
    keylife="300s"
    reauth="no"


Also, the INFORMATIONAL exchange carrying the DELETE payload between initiator and responder completes successfully at this time.

Now, the responder sends an INFORMATIONAL request with an Encrypted payload to verify the new IKE_SA session. The responder also makes sure that the new SPIs are used in this request. Here, we observe the failure message below in charon.log on the initiator.

Jul 26 01:26:45 12[ENC] parsing ENCRYPTED payload finished
Jul 26 01:26:45 12[ENC] verifying payload of type ENCRYPTED
Jul 26 01:26:45 12[ENC] ENCRYPTED payload verified. Adding to payload list
Jul 26 01:26:45 12[ENC] ENCRYPTED payload found. Stop parsing
Jul 26 01:26:45 12[ENC] process payload of type ENCRYPTED
Jul 26 01:26:45 12[ENC] found an encryption payload
Jul 26 01:26:45 12[ENC] encryption payload decryption:

Jul 26 01:26:45 12[ENC]    0: DD 1A BC AA D5 54 FB E0                          .....T..
Jul 26 01:26:45 12[ENC] encrypted => 20 bytes @ 0x7f7b3c000bf8
Jul 26 01:26:45 12[ENC]    0: D0 6D 64 EE F6 1D AA 1E D8 FA CD D5 2D FF DF 74  .md.........-..t
Jul 26 01:26:45 12[ENC]   16: 10 D5 1C 93                                      ....
Jul 26 01:26:45 12[ENC] ICV => 12 bytes @ 0x7f7b3c000c00
Jul 26 01:26:45 12[ENC]    0: D8 FA CD D5 2D FF DF 74 10 D5 1C 93              ....-..t....
Jul 26 01:26:45 12[ENC] assoc => 32 bytes @ 0x7f7b3c000c70
Jul 26 01:26:45 12[ENC]    0: A4 27 73 19 9E F2 69 56 E5 F6 D2 48 C2 E9 CD 9E  .'s...iV...H....
Jul 26 01:26:45 12[ENC]   16: 2E 20 25 00 00 00 00 00 00 00 00 3C 00 00 00 20  . %........<...
Jul 26 01:26:45 12[LIB] MAC verification failed
Jul 26 01:26:45 12[ENC] verifying encryption payload integrity failed
Jul 26 01:26:45 12[ENC] could not decrypt payloads
Jul 26 01:26:45 12[IKE] integrity check failed
Jul 26 01:26:45 12[IKE] INFORMATIONAL request with message ID 0 processing failed
Jul 26 01:26:45 12[MGR] checkin IKE_SA tahi_ikev2_test[2]
Jul 26 01:26:45 12[MGR] check-in of IKE_SA successful.
Jul 26 01:26:45 09[NET] waiting for data on raw sockets

What could have gone wrong with the INFORMATIONAL request sent from the responder?
Please provide some pointers on the above failure.

Thanks and Regards,
Kumuda G
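The 32 bytes of associated data, the IV, the ciphertext and the ICV printed in the log above, decoded by a short added example (not part of the post and not strongSwan code): it parses the IKEv2 header and the Encrypted payload header, checks that the lengths are consistent with each other, and shows how the ICV is computed over header, IV and ciphertext with the integrity key SK_a of the SA identified by the SPIs in that header. HMAC-SHA1-96 is an assumption (the log does not name the integrity algorithm) and the keys are constructed, so the check demonstrates what a key mismatch between the two peers' copies of the new IKE_SA looks like rather than a verdict on the logged message.

```python
import hashlib
import hmac
import struct

# Bytes re-typed from the charon.log hex dump above.
ASSOC = bytes.fromhex("A42773199EF26956E5F6D248C2E9CD9E"   # IKE header (28 bytes)
                      "2E202500000000000000003C00000020")  # + SK payload header (4 bytes)
IV = bytes.fromhex("DD1ABCAAD554FBE0")
CIPHERTEXT = bytes.fromhex("D06D64EEF61DAA1E")       # first 8 of the 20 "encrypted" bytes
ICV = bytes.fromhex("D8FACDD52DFFDF7410D51C93")      # last 12 of the 20 "encrypted" bytes

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def parse_assoc(assoc):
    """Decode the IKEv2 header (RFC 5996 3.1) and the Encrypted payload header that follows it."""
    spi_i, spi_r, np, ver, xchg, flags, msg_id, length = struct.unpack(">8s8sBBBBII", assoc[:28])
    sk_np, sk_flags, sk_len = struct.unpack(">BBH", assoc[28:32])
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "next_payload": np,                    # 46 = Encrypted (SK)
        "version": (ver >> 4, ver & 0x0F),
        "exchange": EXCHANGE_TYPES.get(xchg, xchg),
        "initiator": bool(flags & 0x08),       # I flag: sent by the original initiator
        "response": bool(flags & 0x20),        # R flag: this message is a response
        "msg_id": msg_id, "length": length, "sk_length": sk_len,
    }


def lengths_consistent(hdr, iv, ct, icv):
    """IKE length = header + SK payload; SK payload = its header + IV + ciphertext + ICV."""
    return (hdr["length"] == 28 + hdr["sk_length"]
            and hdr["sk_length"] == 4 + len(iv) + len(ct) + len(icv))


def compute_icv(sk_a, assoc, iv, ct):
    """ICV covers everything from the IKE header through the ciphertext (assumed HMAC-SHA1-96)."""
    return hmac.new(sk_a, assoc + iv + ct, hashlib.sha1).digest()[:12]


def icv_valid(sk_a, assoc, iv, ct, icv):
    """What 'MAC verification failed' means: the receiver's SK_a did not produce the peer's ICV."""
    return hmac.compare_digest(compute_icv(sk_a, assoc, iv, ct), icv)


if __name__ == "__main__":
    hdr = parse_assoc(ASSOC)
    print(hdr, "lengths ok:", lengths_consistent(hdr, IV, CIPHERTEXT, ICV))
    sender_key, stale_key = b"\x11" * 20, b"\x22" * 20   # constructed keys
    tag = compute_icv(sender_key, ASSOC, IV, CIPHERTEXT)
    print("same SK_a:", icv_valid(sender_key, ASSOC, IV, CIPHERTEXT, tag),
          "different SK_a:", icv_valid(stale_key, ASSOC, IV, CIPHERTEXT, tag))
```

The decoded header shows an INFORMATIONAL request (no I or R flag) with message ID 0 and total length 60, which is exactly the first message the new IKE_SA expects after a rekey; the ICV can only be checked by whoever holds that SA's SK_a.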