[strongSwan] Aggressive Mode. Rekeying fails

Gerald Richter - ECOS richter at ecos.de
Fri Mar 8 15:01:23 CET 2013


Hi,

 
I have to dial in via IPsec Aggressive mode with PSK and XAUTH. I have no control over the other side, so I have to accept this setting. Everything works fine, until the first IKE rekeying happen, then I get “key derivation for XAuthRespPSK failed” (see log below). Any idea what could be wrong here?

 
Using strongswan 5.0.3dr2 + your latest ikev1 rekey patch  and a Cisco ASA on the other side.

 
Regards

 
Gerald

 
 
Mar  8 13:19:41 ThinClient charon: 14[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ] 

Mar  8 13:19:41 ThinClient charon: 14[IKE] received Cisco Unity vendor ID 

Mar  8 13:19:41 ThinClient charon: 14[IKE] received XAuth vendor ID 

Mar  8 13:19:41 ThinClient charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 

Mar  8 13:19:41 ThinClient charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID 

Mar  8 13:19:41 ThinClient charon: 14[IKE] received FRAGMENTATION vendor ID 

Mar  8 13:19:41 ThinClient charon: 14[IKE] 1.2.3.4 is initiating a Aggressive Mode IKE_SA 

Mar  8 13:19:41 ThinClient charon: 14[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING 

Mar  8 13:19:41 ThinClient charon: 14[CFG] nm ike_state_change, ike_sa = (unnamed)[5] my sa = no, state = CONNECTING 

Mar  8 13:19:41 ThinClient charon: 14[CFG] looking for XAuthRespPSK peer configs matching 192.168.192.93...1.2.3.4[1.2.3.4] 

Mar  8 13:19:41 ThinClient charon: 14[CFG] selected peer config "vvph_aggr_mode" 

Mar  8 13:19:41 ThinClient charon: 14[IKE] sending strongSwan vendor ID 

Mar  8 13:19:41 ThinClient charon: 14[ENC] added payload of type VENDOR_ID_V1 to message 

Mar  8 13:19:41 ThinClient charon: 14[IKE] sending XAuth vendor ID 

Mar  8 13:19:41 ThinClient charon: 14[ENC] added payload of type VENDOR_ID_V1 to message 

Mar  8 13:19:41 ThinClient charon: 14[IKE] sending DPD vendor ID 

Mar  8 13:19:41 ThinClient charon: 14[ENC] added payload of type VENDOR_ID_V1 to message 

Mar  8 13:19:41 ThinClient charon: 14[IKE] sending draft-ietf-ipsec-nat-t-ike-03 vendor ID 

Mar  8 13:19:41 ThinClient charon: 14[ENC] added payload of type VENDOR_ID_V1 to message 

Mar  8 13:19:41 ThinClient charon: 14[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message 

Mar  8 13:19:41 ThinClient charon: 14[ENC] added payload of type KEY_EXCHANGE_V1 to message 

Mar  8 13:19:41 ThinClient charon: 14[ENC] added payload of type NONCE_V1 to message 

Mar  8 13:19:41 ThinClient charon: 14[IKE] shared Diffie Hellman secret => 128 bytes @ 0x43406e38 

Mar  8 13:19:41 ThinClient charon: 14[IKE]    0: C2 92 20 85 75 B2 D9 57 E6 20 0F 1C 36 6A 3F 99  .. .u..W. ..6j?. 

Mar  8 13:19:41 ThinClient charon: 14[IKE]   16: 46 E9 33 23 4E FD C8 36 E9 36 3A F9 D0 45 96 58  F.3#N..6.6:..E.X 

Mar  8 13:19:41 ThinClient charon: 14[IKE]   32: 07 90 74 2A E7 87 DD 6F 9B B2 2D 46 92 11 B7 DD  ..t*...o..-F.... 

Mar  8 13:19:41 ThinClient charon: 14[IKE]   48: 4A 37 E5 19 0D 4E 06 CE 7E 32 01 90 E4 1E 7F 66  J7...N..~2.....f 

Mar  8 13:19:41 ThinClient charon: 14[IKE]   64: C2 6E 6C 98 47 AC EA BD 5A 68 AA D1 CB AB C1 95  .nl.G...Zh...... 

Mar  8 13:19:41 ThinClient charon: 14[IKE]   80: C0 D8 19 77 C4 CC 28 A4 1E F5 73 77 39 74 31 D8  ...w..(...sw9t1. 

Mar  8 13:19:41 ThinClient charon: 14[IKE]   96: B9 6D 9F 46 D0 14 41 E5 AA 92 C5 40 0B 7D FD ED  .m.F..A.... at .}.. 

Mar  8 13:19:41 ThinClient charon: 14[IKE]  112: E1 C1 51 9E C4 AD F1 51 9A D1 FC 20 DA FB B5 A9  ..Q....Q... .... 

Mar  8 13:19:41 ThinClient charon: 14[IKE] key derivation for XAuthRespPSK failed

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130308/ecee2994/attachment.html>


More information about the Users mailing list