[strongSwan] failing to decrypt esp
Chad Winckler
cwinckler at westell.com
Wed Mar 6 16:55:53 CET 2013
In case this shows you anything interesting, here is the strongswan
output from bringing up the connection on the DUT:
# ipsec up rw
initiating IKE_SA rw[3] to 192.168.1.3
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.208[500] to 192.168.1.3[500] (708 bytes)
received packet: from 192.168.1.3[500] to 192.168.1.208[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=US, ST=Illinois, L=Aurora, O=Westell, OU=Edge, CN=Chad"
sending cert request for "C=US, O=T-Mobile USA, Inc., CN=T-Mobile USA, Inc. Engineering and Operations CA"
sending cert request for "C=US, ST=Illinois, L=Aurora, O=Westell Technologies Inc., CN=www.westell.com, E=global_support at westell.com"
sending cert request for "C=US, ST=Illinois, L=Aurora, O=Westell, OU=Edge, CN=Chad"
authentication of '192.168.1.208' (myself) with pre-shared key
establishing CHILD_SA rw
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.208[4500] to 192.168.1.3[4500] (476 bytes)
received packet: from 192.168.1.3[4500] to 192.168.1.208[4500] (236 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
authentication of '192.168.1.3' with pre-shared key successful
IKE_SA rw[3] established between 192.168.1.208[192.168.1.208]...192.168.1.3[192.168.1.3]
scheduling reauthentication in 10258s
maximum IKE_SA lifetime 10798s
CHILD_SA rw{2} established with SPIs c57682c2_i c5319e18_o and TS 192.168.2.0/24 === 192.168.1.3/32
received AUTH_LIFETIME of 9941s, scheduling reauthentication in 9401s
peer supports MOBIKE
#
#
#
# ip -s xfrm state
src 192.168.1.208 dst 192.168.1.3
        proto esp spi 0xc5319e18(3308363288) reqid 2(0x00000002) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        enc cbc(aes) 0xeee6c5a4c28d4ee8c6b98afb623d99e6 (128 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 2726(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2000-01-01 05:08:08 use -
        stats:
          replay-window 0 replay 0 failed 0
src 192.168.1.3 dst 192.168.1.208
        proto esp spi 0xc57682c2(3312878274) reqid 2(0x00000002) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        enc cbc(aes) 0x729b243a6c19708bf825a2554d75c760 (128 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 3013(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2000-01-01 05:08:08 use -
        stats:
          replay-window 0 replay 0 failed 0
src 10.1.2.3 dst 10.2.3.4
        proto esp spi 0x000014e5(5349) reqid 1(0x00000001) mode tunnel
        replay-window 0 seq 0x00000000 flag (0x00000000)
        auth-trunc hmac(sha1) 0x0102030405060708091011121314151617181920 (160 bits) 96
        enc cbc(aes) 0x01020304050607080910111213141516 (128 bits)
        sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2000-01-01 05:01:23 use -
        stats:
          replay-window 0 replay 0 failed 0
-Chad
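An added example, not part of Chad's message and not strongSwan code: a parser for the `ip -s xfrm state` dump above that pulls out the attributes a practitioner checks first when ESP will not decrypt. It makes explicit that the two strongSwan-installed SAs list only `enc cbc(aes)` while the manually keyed one also carries `auth-trunc hmac(sha1)` truncated to 96 bits, reads each SA's replay window and the kernel's per-SA packet and failure counters, and reports any reqid that has only one SA. The sample input is the three SAs from the dump, trimmed and re-indented the way iproute2 prints them; the names XfrmState, parse_xfrm_state, check_state and lonely_reqids are this example's own.

```python
"""Parse `ip -s xfrm state` and report what matters when ESP will not decrypt.
Added example for this thread: not strongSwan code, not something the poster ran."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three SAs from the post, trimmed to the lines this
# parser reads and indented the way `ip -s xfrm state` prints them.
SAMPLE = """\
src 192.168.1.208 dst 192.168.1.3
\tproto esp spi 0xc5319e18(3308363288) reqid 2(0x00000002) mode tunnel
\treplay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
\tenc cbc(aes) 0xeee6c5a4c28d4ee8c6b98afb623d99e6 (128 bits)
\tlifetime current:
\t  0(bytes), 0(packets)
\tstats:
\t  replay-window 0 replay 0 failed 0
src 192.168.1.3 dst 192.168.1.208
\tproto esp spi 0xc57682c2(3312878274) reqid 2(0x00000002) mode tunnel
\treplay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
\tenc cbc(aes) 0x729b243a6c19708bf825a2554d75c760 (128 bits)
src 10.1.2.3 dst 10.2.3.4
\tproto esp spi 0x000014e5(5349) reqid 1(0x00000001) mode tunnel
\treplay-window 0 seq 0x00000000 flag  (0x00000000)
\tauth-trunc hmac(sha1) 0x0102030405060708091011121314151617181920 (160 bits) 96
\tenc cbc(aes) 0x01020304050607080910111213141516 (128 bits)
"""

HEAD_RE = re.compile(r"src (\S+) dst (\S+)$")
PROTO_RE = re.compile(r"proto (\S+) spi (0x[0-9a-fA-F]+)\(\d+\) reqid (\d+)\(")
ENC_RE = re.compile(r"enc (\S+) 0x[0-9a-fA-F]+ \(")
AUTH_TRUNC_RE = re.compile(r"auth-trunc (\S+) 0x[0-9a-fA-F]+ \((\d+) bits\) (\d+)")
CURRENT_RE = re.compile(r"(\d+)\(bytes\), (\d+)\(packets\)")
STATS_RE = re.compile(r"replay-window (\d+) replay (\d+) failed (\d+)")


@dataclass
class XfrmState:
    src: str
    dst: str
    proto: str = ""
    spi: int = 0
    reqid: int = 0
    replay_window: int = 0
    enc: Optional[str] = None
    auth: Optional[str] = None          # integrity algorithm, if any
    auth_trunc_bits: Optional[int] = None
    aead: Optional[str] = None          # combined-mode cipher covers integrity too
    packets_cur: int = 0
    replay_errors: int = 0
    failed: int = 0                     # kernel's per-SA failure counter


def parse_xfrm_state(text: str) -> List[XfrmState]:
    """One XfrmState per `src ... dst ...` block; lines it does not know are skipped."""
    states: List[XfrmState] = []
    section = None  # None = attribute lines, else "config", "current" or "stats"
    for raw in text.splitlines():
        line = raw.strip()
        m = HEAD_RE.match(line)
        if m:
            states.append(XfrmState(src=m.group(1), dst=m.group(2)))
            section = None
            continue
        if not states or not line:
            continue
        st = states[-1]
        if line in ("lifetime config:", "lifetime current:", "stats:"):
            section = line.split()[-1].rstrip(":")
        elif section == "stats" and (m := STATS_RE.match(line)):
            st.replay_errors, st.failed = int(m.group(2)), int(m.group(3))
        elif section == "current" and (m := CURRENT_RE.match(line)):
            st.packets_cur = int(m.group(2))
        elif section is not None:
            continue  # "lifetime config" limits and timestamps are not needed here
        elif m := PROTO_RE.match(line):
            st.proto, st.spi, st.reqid = m.group(1), int(m.group(2), 16), int(m.group(3))
        elif line.startswith("replay-window "):
            st.replay_window = int(line.split()[1])
        elif m := ENC_RE.match(line):
            st.enc = m.group(1)
        elif m := AUTH_TRUNC_RE.match(line):
            st.auth, st.auth_trunc_bits = m.group(1), int(m.group(3))
        elif line.split()[0] in ("auth", "aead"):
            setattr(st, line.split()[0], line.split()[1])
    return states


def check_state(st: XfrmState) -> List[str]:
    """Findings worth confirming before blaming the peer for undecryptable ESP."""
    findings = []
    if st.proto == "esp" and st.auth is None and st.aead is None:
        findings.append("encryption-only ESP: no integrity algorithm on this SA")
    if st.packets_cur == 0:
        findings.append("no packets have been processed by this SA yet")
    if st.replay_errors or st.failed:
        findings.append(f"kernel counters: replay={st.replay_errors} failed={st.failed}")
    return findings


def lonely_reqids(states: List[XfrmState]) -> List[int]:
    """reqids with a single SA: a tunnel needs one inbound and one outbound SA."""
    counts = {}
    for st in states:
        counts[st.reqid] = counts.get(st.reqid, 0) + 1
    return sorted(r for r, n in counts.items() if n == 1)
```

Run it against the real dump with `parse_xfrm_state(open("xfrm.txt").read())` after saving `ip -s xfrm state` output to a file; a finding of "no packets have been processed" on the inbound SA means the kernel never matched an incoming ESP packet to it, so the SPI or addresses are the first thing to compare against what the other side installed.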