[strongSwan] our client ID returned doesn't match my proposal

Pavel Kopchyk pkopchyk at gmail.com
Wed Apr 3 09:38:18 CEST 2013


Hi all,

I use strongSwan 5 as an IPsec VPN server (IPsec + L2TP) and 4.4.0 or
4.6.4 as the client.

When trying to connect to the server I get the error "our client ID
returned doesn't match my proposal".
But Windows 7 and Mac OS clients connect without problems.

How can I fix this?

Server config:
config setup
        uniqueids=no

conn %default
	keyexchange=ikev1
	keyingtries=3
	rekey=no
	compress=no
	left=11.22.33.44

conn rw-cert
	type=transport
	authby=rsasig
	auth=esp
	leftid="O=strongSwan, CN=test.example.org, E=ca at test.org"
	leftrsasigkey=%cert
	leftcert=test_cert.pem
	leftprotoport=17/1701
	left=11.22.33.44
	right=%any
	rightca=%same
	rightrsasigkey=%cert
	rightprotoport=17/%any
	auto=add
===

Client:
config setup
	plutodebug=none
	uniqueids=no
	strictcrlpolicy=no
	nat_traversal=yes
	charonstart=no
	plutostart=yes

conn %default
	auth=esp
	keyexchange=ikev1
	keyingtries=3
	rekey=yes
	compress=no
	left=%defaultroute
	leftnexthop=%defaultroute
	leftprotoport=17/1701
	rightprotoport=17/1701

conn RW
	type=transport
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev1
	pfs=no
	left=%defaultroute
	leftcert=client1.pem
	leftid="O=strongSwan, CN=client1, E=ca at test.org"
	right=rw-gw2.asstra.pl
	rightid="O=strongSwan, CN=test.example.org, E=ca at test.org"
	auto=start
===

Client - strongSwan 4.4.0 and 4.6.4:

pluto[23285]: "RW" #7: initiating Main Mode
pluto[23285]: "RW" #7: received Vendor ID payload [XAUTH]
pluto[23285]: "RW" #7: received Vendor ID payload [Dead Peer Detection]
pluto[23285]: "RW" #7: received Vendor ID payload [RFC 3947]
pluto[23285]: "RW" #7: enabling possible NAT-traversal with method 3
pluto[23285]: "RW" #7: NAT-Traversal: Result using RFC 3947: i am NATed
pluto[23285]: "RW" #7: we have a cert and are sending it upon request
pluto[23285]: "RW" #7: Peer ID is ID_FQDN: 'test.example.org'
pluto[23285]: "RW" #7: crl not found
pluto[23285]: "RW" #7: certificate status unknown
pluto[23285]: "RW" #7: ISAKMP SA established
pluto[23285]: "RW" #8: initiating Quick Mode PUBKEY+ENCRYPT+PFS+UP
{using isakmp#7}
pluto[23285]: "RW" #8: our client ID returned doesn't match my proposal
pluto[23285]: "RW" #8: sending encrypted notification
INVALID_ID_INFORMATION to 11.22.33.44:4500
pluto[23285]: "RW" #7: ignoring informational payload, type
INVALID_HASH_INFORMATION
pluto[23285]: "RW": terminating SAs using this connection

Server 5.0.3rc1 log - client strongSwan 4.6.4:

charon: 16[NET] received packet: from 88.77.66.55[500] to
11.22.33.44[500] (288 bytes)
charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V ]
charon: 16[IKE] received strongSwan vendor ID
charon: 16[IKE] received Cisco Unity vendor ID
charon: 16[IKE] received XAuth vendor ID
charon: 16[IKE] received DPD vendor ID
charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
charon: 16[IKE] 88.77.66.55 is initiating a Main Mode IKE_SA
charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 16[NET] sending packet: from 11.22.33.44[500] to
88.77.66.55[500] (136 bytes)
charon: 12[NET] received packet: from 88.77.66.55[500] to
11.22.33.44[500] (356 bytes)
charon: 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 12[IKE] remote host is behind NAT
charon: 12[IKE] sending cert request for "O=strongSwan, CN=strongSwan
CA, E=ca at test.org"
charon: 12[IKE] sending cert request for "C=PL, O=Asstra AG, CN=Asstra VPN CA"
charon: 12[ENC] generating ID_PROT response 0 [ KE No CERTREQ CERTREQ
NAT-D NAT-D ]
charon: 12[NET] sending packet: from 11.22.33.44[500] to
88.77.66.55[500] (526 bytes)
charon: 08[NET] received packet: from 88.77.66.55[4500] to
11.22.33.44[4500] (1484 bytes)
charon: 08[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG ]
charon: 08[IKE] ignoring certificate request without data
charon: 08[IKE] received end entity cert "O=strongSwan, CN=client1,
E=ca at test.org"
charon: 08[CFG] looking for RSA signature peer configs matching
11.22.33.44...88.77.66.55[O=strongSwan, CN=client1, E=ca at test.org]
charon: 08[CFG] selected peer config "rw-cert"
charon: 08[CFG]   using certificate "O=strongSwan, CN=client1, E=ca at test.org"
charon: 08[CFG]   using trusted ca certificate "O=strongSwan,
CN=strongSwan CA, E=ca at test.org"
charon: 08[CFG] checking certificate status of "O=strongSwan,
CN=client1, E=ca at test.org"
charon: 08[CFG] certificate status is not available
charon: 08[CFG]   reached self-signed root ca with a path length of 0
charon: 08[IKE] authentication of 'O=strongSwan, CN=client1,
E=ca at test.org' with RSA successful
charon: 08[IKE] authentication of 'test.example.org' (myself) successful
charon: 08[IKE] IKE_SA rw-cert[2] established between
11.22.33.44[test.example.org]...88.77.66.55[O=strongSwan, CN=client1,
E=ca at test.org]
charon: 08[IKE] sending end entity cert "C=PL, ST=Poland, L=Warsaw,
O=Asstra AG, CN=test.example.org, E=ca at asstra.by"
charon: 08[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
charon: 08[NET] sending packet: from 11.22.33.44[4500] to
88.77.66.55[4500] (1420 bytes)
charon: 09[NET] received packet: from 88.77.66.55[4500] to
11.22.33.44[4500] (460 bytes)
charon: 09[ENC] parsed QUICK_MODE request 3402596381 [ HASH SA No KE
ID ID NAT-OA ]
charon: 09[IKE] received 1200s lifetime, configured 0s
charon: 09[ENC] generating QUICK_MODE response 3402596381 [ HASH SA No
KE ID ID NAT-OA NAT-OA ]
charon: 09[NET] sending packet: from 11.22.33.44[4500] to
88.77.66.55[4500] (460 bytes)
charon: 10[NET] received packet: from 88.77.66.55[4500] to
11.22.33.44[4500] (76 bytes)
charon: 10[ENC] parsed INFORMATIONAL_V1 request 3411852570 [ HASH N(INVAL_ID) ]
charon: 10[IKE] received INVALID_ID_INFORMATION error notify
charon: 15[IKE] sending DPD request
charon: 15[ENC] generating INFORMATIONAL_V1 request 2884054616 [ HASH N(DPD) ]
charon: 15[NET] sending packet: from 11.22.33.44[4500] to
88.77.66.55[4500] (92 bytes)
charon: 07[NET] received packet: from 88.77.66.55[4500] to
11.22.33.44[4500] (92 bytes)
charon: 07[ENC] parsed INFORMATIONAL_V1 request 1180077473 [ HASH N(DPD_ACK) ]
charon: 07[NET] received packet: from 88.77.66.55[4500] to
11.22.33.44[4500] (460 bytes)
charon: 07[ENC] parsed QUICK_MODE request 3402596381 [ HASH SA No KE
ID ID NAT-OA ]
charon: 07[ENC] received HASH payload does not match
charon: 07[IKE] integrity check failed
charon: 07[ENC] generating INFORMATIONAL_V1 request 2511305358 [ HASH
N(INVAL_HASH) ]
charon: 07[NET] sending packet: from 11.22.33.44[4500] to
88.77.66.55[4500] (76 bytes)
charon: 07[IKE] QUICK_MODE request with message ID 3402596381 processing failed
charon: 12[NET] received packet: from 88.77.66.55[4500] to
11.22.33.44[4500] (92 bytes)
charon: 12[ENC] parsed INFORMATIONAL_V1 request 1473394328 [ HASH D ]
charon: 12[IKE] received DELETE for IKE_SA rw-cert[2]
charon: 12[IKE] deleting IKE_SA rw-cert[2] between
11.22.33.44[test.example.org]...88.77.66.55[O=strongSwan, CN=client1,
E=ca at test.org]


Server 5.0.3rc1 log - client Windows 7:

charon: 14[NET] received packet: from 55.11.22.33[500] to
11.22.33.44[500] (384 bytes)
charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
charon: 14[ENC] received unknown vendor ID:
1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:08
charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 14[ENC] received unknown vendor ID:
40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
charon: 14[ENC] received unknown vendor ID:
fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
charon: 14[ENC] received unknown vendor ID:
26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
charon: 14[ENC] received unknown vendor ID:
e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
charon: 14[IKE] 55.11.22.33 is initiating a Main Mode IKE_SA
charon: 14[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 14[NET] sending packet: from 11.22.33.44[500] to
55.11.22.33[500] (136 bytes)
charon: 10[NET] received packet: from 55.11.22.33[500] to
11.22.33.44[500] (388 bytes)
charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 10[IKE] remote host is behind NAT
charon: 10[IKE] sending cert request for "O=strongSwan, CN=strongSwan
CA, E=ca at test.org"
charon: 10[ENC] generating ID_PROT response 0 [ KE No CERTREQ CERTREQ
NAT-D NAT-D ]
charon: 10[NET] sending packet: from 11.22.33.44[500] to
55.11.22.33[500] (526 bytes)
charon: 12[NET] received packet: from 55.11.22.33[4500] to
11.22.33.44[4500] (1564 bytes)
charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ ]
charon: 12[IKE] received cert request for 'O=strongSwan, CN=strongSwan
CA, E=ca at test.org'
charon: 12[IKE] received end entity cert "O=strongSwan, CN=client2,
E=ca at test.org"
charon: 12[CFG] looking for RSA signature peer configs matching
11.22.33.44...55.11.22.33[O=strongSwan, CN=client2, E=ca at test.org]
charon: 12[CFG] selected peer config "rw-cert"
charon: 12[CFG]   using certificate "O=strongSwan, CN=client2, E=ca at test.org"
charon: 12[CFG]   using trusted ca certificate "O=strongSwan,
CN=strongSwan CA, E=ca at test.org"
charon: 12[CFG] checking certificate status of "O=strongSwan,
CN=client2, E=ca at test.org"
charon: 12[CFG] certificate status is not available
charon: 12[CFG]   reached self-signed root ca with a path length of 0
charon: 12[IKE] authentication of 'O=strongSwan, CN=client2,
E=ca at test.org' with RSA successful
charon: 12[IKE] authentication of 'O=strongSwan, CN=test.example.org,
E=ca at test.org' (myself) successful
charon: 12[IKE] IKE_SA rw-cert[2] established between
11.22.33.44[O=strongSwan, CN=test.example.org,
E=ca at test.org]...55.11.22.33[O=strongSwan, CN=client2, E=ca at test.org]
charon: 12[IKE] DPD not supported by peer, disabled
charon: 12[IKE] sending end entity cert "O=strongSwan,
CN=test.example.org, E=ca at test.org"
charon: 12[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
charon: 12[NET] sending packet: from 11.22.33.44[4500] to
55.11.22.33[4500] (1532 bytes)
charon: 16[NET] received packet: from 55.11.22.33[4500] to
11.22.33.44[4500] (380 bytes)
charon: 16[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 16[IKE] received 3600s lifetime, configured 0s
charon: 16[IKE] received 250000000 lifebytes, configured 0
charon: 16[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID
NAT-OA NAT-OA ]
charon: 16[NET] sending packet: from 11.22.33.44[4500] to
55.11.22.33[4500] (204 bytes)
charon: 15[NET] received packet: from 55.11.22.33[4500] to
11.22.33.44[4500] (60 bytes)
charon: 15[ENC] parsed QUICK_MODE request 1 [ HASH ]
charon: 15[IKE] CHILD_SA rw-cert{2} established with SPIs cf23fee2_i
9d35dbc4_o and TS 11.22.33.44/32[udp/l2tp] ===
55.11.22.33/32[udp/l2tp]

Regards
Pavel
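An added check that is not part of Pavel's post and not strongSwan's own tooling: the error comes from Quick Mode, where the two sides' client IDs (traffic selectors) are derived from left/rightprotoport plus the endpoint addresses. This script parses the two ipsec.conf excerpts above (constructed here from the post, with %default inheritance resolved) and compares the protocol/port halves of the selectors the way an IKEv1 responder would, with a fixed port having to match exactly and %any accepting anything. The conn names rw-cert and RW, the protocol and port name tables, and the simplified matching rule are assumptions of this example.

```python
"""Compare the protoport halves of IKEv1 Quick Mode selectors from two ipsec.conf files.

Model (an assumption of this example, not strongSwan's implementation): IKEv1 does not
narrow selectors, so a responder with a fixed protocol/port accepts only an identical
proposal, while a missing value or %any accepts anything.
"""

# Constructed from the two ipsec.conf excerpts in the post (not the sender's files verbatim).
SERVER_CONF = """\
config setup
        uniqueids=no

conn %default
        keyexchange=ikev1
        keyingtries=3
        rekey=no
        compress=no
        left=11.22.33.44

conn rw-cert
        type=transport
        authby=rsasig
        auth=esp
        leftid="O=strongSwan, CN=test.example.org, E=ca@test.org"
        leftrsasigkey=%cert
        leftcert=test_cert.pem
        leftprotoport=17/1701
        left=11.22.33.44
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightprotoport=17/%any
        auto=add
"""

CLIENT_CONF = """\
conn %default
        auth=esp
        keyexchange=ikev1
        left=%defaultroute
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        rightprotoport=17/1701

conn RW
        type=transport
        pfs=no
        left=%defaultroute
        leftcert=client1.pem
        right=rw-gw2.asstra.pl
        auto=start
"""

# Small name tables so both "17/1701" and "udp/l2tp" (as printed in the charon log) parse.
PROTO_NAMES = {"udp": 17, "tcp": 6, "icmp": 1}
PORT_NAMES = {"l2tp": 1701, "isakmp": 500}


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; indented lines belong to the last section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # "conn NAME" / "config setup" header
            _kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip(), {})
            continue
        key, _, value = line.strip().partition("=")
        if current is not None:
            current[key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections, name):
    """Apply %default inheritance: explicit conn keys override the defaults."""
    merged = dict(sections.get("%default", {}))
    merged.update(sections[name])
    return merged


def _resolve(token, names):
    token = token.strip().lower()
    if token in ("", "%any", "0"):
        return None  # wildcard
    if token.isdigit():
        return int(token)
    if token in names:
        return names[token]
    raise ValueError("unknown protocol/port name: %r" % token)


def parse_protoport(spec):
    """'17/1701' -> (17, 1701); '17/%any' -> (17, None); missing -> (None, None)."""
    proto, _, port = (spec or "").partition("/")
    return (_resolve(proto, PROTO_NAMES), _resolve(port, PORT_NAMES))


def selector_accepts(responder, initiator):
    """True if every fixed value on the responder side equals the proposed value."""
    return all(want is None or want == got for want, got in zip(responder, initiator))


def check_quick_mode_ports(server_text, client_text, server_conn, client_conn):
    """The client's 'left' is the server's 'right' and vice versa; compare both halves."""
    server = effective_conn(parse_ipsec_conf(server_text), server_conn)
    client = effective_conn(parse_ipsec_conf(client_text), client_conn)
    pairs = {
        "client_local_vs_server_remote": (server.get("rightprotoport"), client.get("leftprotoport")),
        "client_remote_vs_server_local": (server.get("leftprotoport"), client.get("rightprotoport")),
    }
    return {name: selector_accepts(parse_protoport(r), parse_protoport(i))
            for name, (r, i) in pairs.items()}


if __name__ == "__main__":
    for name, ok in check_quick_mode_ports(SERVER_CONF, CLIENT_CONF, "rw-cert", "RW").items():
        print("%-32s %s" % (name, "compatible" if ok else "MISMATCH"))
```

For the two excerpts in the post both halves report compatible (17/1701 against 17/1701, and 17/1701 against 17/%any), so the protocol/port part of the proposal is not what the responder rejects; that leaves the address part of the client IDs, which for the Windows client the server log shows as /32 entries on both sides, as the place to compare next.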