[strongSwan] DPD [lack of] interoperability between strongswan and Cisco IOS

Olivier PELERIN olivier_pelerin at hotmail.com
Wed Jun 19 10:26:34 CEST 2013


Martin,

For whatever reason on my old system, it seems after installing the library, something bad was happening.

I've tested your GIT branch from my new vmware host. It works properly. I can see DPDs received on the IOS Cisco device.

It's good to be committed I think.

manowar strongswan # ipsec up R101-ikev1
initiating Main Mode IKE_SA R101-ikev1[2] to 10.1.1.254
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 10.1.1.1[500] to 10.1.1.254[500] (192 bytes)
received packet: from 10.1.1.254[500] to 10.1.1.1[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.1.1.1[500] to 10.1.1.254[500] (244 bytes)
received packet: from 10.1.1.254[500] to 10.1.1.1[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: fc:bb:31:89:d6:54:16:b0:5c:cf:b8:c9:55:42:38:bd
received XAuth vendor ID
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.1.1.1[500] to 10.1.1.254[500] (76 bytes)
received packet: from 10.1.1.254[500] to 10.1.1.1[500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA R101-ikev1[2] established between 10.1.1.1[10.1.1.1]...10.1.1.254[10.1.1.254]
scheduling reauthentication in 10076s
maximum IKE_SA lifetime 10616s
generating QUICK_MODE request 2448790584 [ HASH SA No ID ID ]
sending packet: from 10.1.1.1[500] to 10.1.1.254[500] (204 bytes)
received packet: from 10.1.1.254[500] to 10.1.1.1[500] (204 bytes)
parsed QUICK_MODE response 2448790584 [ HASH SA No ID ID N((24576)) ]
CHILD_SA R101-ikev1{3} established with SPIs cded583e_i 3a72ee0e_o and TS 10.10.11.0/24 === 10.10.10.0/24 
generating QUICK_MODE request 2448790584 [ HASH ]
sending packet: from 10.1.1.1[500] to 10.1.1.254[500] (60 bytes)
connection 'R101-ikev1' established successfully


Output from /var/log/messages for your UNIT-TEST

Jun 19 09:53:56 manowar charon: 10[IKE] sending DPD request
Jun 19 09:53:56 manowar charon: 10[IKE] queueing ISAKMP_DPD task
Jun 19 09:53:56 manowar charon: 10[IKE] activating new tasks
Jun 19 09:53:56 manowar charon: 10[IKE]   activating ISAKMP_DPD task
Jun 19 09:53:56 manowar charon: 10[IKE] Hash => 20 bytes @ 0x7fb7800009a0
Jun 19 09:53:56 manowar charon: 10[IKE]    0: D8 4B 3E 35 51 7D 74 7A C7 8E DC D2 89 19 4D 6B  .K>5Q}tz......Mk
Jun 19 09:53:56 manowar charon: 10[IKE]   16: 5C 95 69 3F                                      \.i?
Jun 19 09:53:56 manowar charon: 10[ENC] generating INFORMATIONAL_V1 request 2586766443 [ HASH N(DPD) ]
Jun 19 09:53:56 manowar charon: 10[IKE] next IV for MID 2586766443 => 16 bytes @ 0x7fb7800009a0
Jun 19 09:53:56 manowar charon: 10[IKE]    0: 0C 08 1E AF 4E 9C 3A C3 09 0A BE 33 E2 EC 22 6F  ....N.:....3.."o
Jun 19 09:53:56 manowar charon: 10[IKE] next IV for MID 2586766443 => 16 bytes @ 0x7fb780004a20
Jun 19 09:53:56 manowar charon: 10[IKE]    0: 26 E6 AB 33 E9 13 3B 37 DA 48 92 46 93 10 20 7F  &..3..;7.H.F.. .
Jun 19 09:53:56 manowar charon: 10[NET] sending packet: from 10.1.1.1[500] to 10.1.1.254[500] (92 bytes)
Jun 19 09:53:56 manowar charon: 10[IKE] activating new tasks
Jun 19 09:53:56 manowar charon: 10[IKE] nothing to initiate
Jun 19 09:53:56 manowar charon: 11[NET] received packet: from 10.1.1.254[500] to 10.1.1.1[500] (92 bytes)
Jun 19 09:53:56 manowar charon: 11[IKE] next IV for MID 3347599516 => 16 bytes @ 0x7fb774001df0
Jun 19 09:53:56 manowar charon: 11[IKE]    0: D1 92 1B A9 B2 4C 1F 0A BF DE 32 E7 CA CE 9C B7  .....L....2.....
Jun 19 09:53:56 manowar charon: 11[ENC] parsed INFORMATIONAL_V1 request 3347599516 [ HASH N(DPD_ACK) ]
Jun 19 09:53:56 manowar charon: 11[IKE] Hash => 20 bytes @ 0x7fb774001230
Jun 19 09:53:56 manowar charon: 11[IKE]    0: 85 45 C2 67 08 86 9C FB CA 31 E6 A6 E8 B1 DC 23  .E.g.....1.....#
Jun 19 09:53:56 manowar charon: 11[IKE]   16: 26 12 46 1A                                      &.F.
Jun 19 09:53:56 manowar charon: 11[IKE] next IV for MID 3347599516 => 16 bytes @ 0x7fb774000b10
Jun 19 09:53:56 manowar charon: 11[IKE]    0: 7A 70 C3 50 21 C0 08 ED 9C 04 D1 3E 0C 53 6C 52  zp.P!......>.SlR
Jun 19 09:53:56 manowar charon: 11[IKE] activating new tasks
Jun 19 09:53:56 manowar charon: 11[IKE] nothing to initiate

Regards

Olivier
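As an added check (not part of Olivier's post or of strongSwan itself), the following Python pairs the ISAKMP DPD request and DPD_ACK lines in a charon log like the one above and reports any request that never received an ack, which is what the DPD interoperability failure in the subject line looks like in /var/log/messages. The sample lines are the two DPD notifies from the post plus a constructed unanswered request; the 30 s timeout is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the DPD lines from the log above, plus one extra
# request (constructed) that never gets an ack, to show the failure case.
SAMPLE_LOG = """\
Jun 19 09:53:56 manowar charon: 10[ENC] generating INFORMATIONAL_V1 request 2586766443 [ HASH N(DPD) ]
Jun 19 09:53:56 manowar charon: 10[NET] sending packet: from 10.1.1.1[500] to 10.1.1.254[500] (92 bytes)
Jun 19 09:53:56 manowar charon: 11[ENC] parsed INFORMATIONAL_V1 request 3347599516 [ HASH N(DPD_ACK) ]
Jun 19 09:54:26 manowar charon: 12[ENC] generating INFORMATIONAL_V1 request 2586766444 [ HASH N(DPD) ]
Jun 19 09:54:26 manowar charon: 12[NET] sending packet: from 10.1.1.1[500] to 10.1.1.254[500] (92 bytes)
"""

# syslog prefix written by charon: "<ts> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (?P<msg>.*)$")
# ISAKMP DPD notifies: R-U-THERE is N(DPD), R-U-THERE-ACK is N(DPD_ACK)
DPD_RE = re.compile(
    r"INFORMATIONAL_V1 request (?P<mid>\d+) \[ HASH N\((?P<type>DPD|DPD_ACK)\) \]")

def parse_dpd_events(text, year=2013):
    """Return [(timestamp, 'request'|'ack', message_id)] for every DPD notify in the log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        d = DPD_RE.search(m.group("msg")) if m else None
        if not d:
            continue  # not a DPD notify (e.g. the [NET] packet lines)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        kind = "request" if d.group("type") == "DPD" else "ack"
        events.append((ts, kind, int(d.group("mid"))))
    return events

def check_dpd(events, timeout_s=30):
    """Pair each sent R-U-THERE with the next received R-U-THERE-ACK."""
    # In IKEv1 the ack is its own informational exchange with a fresh message ID
    # (2586766443 vs 3347599516 above), so pair by order and time, not by MID.
    pending, answered, unanswered = [], [], []
    for ts, kind, mid in events:
        # a request still waiting past the (assumed) timeout counts as unanswered
        while pending and (ts - pending[0][0]).total_seconds() > timeout_s:
            unanswered.append(pending.pop(0)[1])
        if kind == "request":
            pending.append((ts, mid))
        elif pending:
            sent_ts, sent_mid = pending.pop(0)
            answered.append((sent_mid, mid, (ts - sent_ts).total_seconds()))
    unanswered.extend(mid for _, mid in pending)
    return {"answered": answered, "unanswered": unanswered}
```

With the sample above, `check_dpd(parse_dpd_events(SAMPLE_LOG))` pairs the post's request 2586766443 with ack 3347599516 and reports the constructed request 2586766444 as unanswered.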