[strongSwan] Aggressive Mode. Rekeying fails
Gerald Richter - ECOS
richter at ecos.de
Fri Mar 8 15:01:23 CET 2013
Hi,
I have to dial in via IPsec Aggressive mode with PSK and XAUTH. I have no control over the other side, so I have to accept this setting. Everything works fine, until the first IKE rekeying happen, then I get “key derivation for XAuthRespPSK failed” (see log below). Any idea what could be wrong here?
Using strongswan 5.0.3dr2 + your latest ikev1 rekey patch and a Cisco ASA on the other side.
Regards
Gerald
Mar 8 13:19:41 ThinClient charon: 14[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Mar 8 13:19:41 ThinClient charon: 14[IKE] received Cisco Unity vendor ID
Mar 8 13:19:41 ThinClient charon: 14[IKE] received XAuth vendor ID
Mar 8 13:19:41 ThinClient charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 8 13:19:41 ThinClient charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 8 13:19:41 ThinClient charon: 14[IKE] received FRAGMENTATION vendor ID
Mar 8 13:19:41 ThinClient charon: 14[IKE] 1.2.3.4 is initiating a Aggressive Mode IKE_SA
Mar 8 13:19:41 ThinClient charon: 14[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Mar 8 13:19:41 ThinClient charon: 14[CFG] nm ike_state_change, ike_sa = (unnamed)[5] my sa = no, state = CONNECTING
Mar 8 13:19:41 ThinClient charon: 14[CFG] looking for XAuthRespPSK peer configs matching 192.168.192.93...1.2.3.4[1.2.3.4]
Mar 8 13:19:41 ThinClient charon: 14[CFG] selected peer config "vvph_aggr_mode"
Mar 8 13:19:41 ThinClient charon: 14[IKE] sending strongSwan vendor ID
Mar 8 13:19:41 ThinClient charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Mar 8 13:19:41 ThinClient charon: 14[IKE] sending XAuth vendor ID
Mar 8 13:19:41 ThinClient charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Mar 8 13:19:41 ThinClient charon: 14[IKE] sending DPD vendor ID
Mar 8 13:19:41 ThinClient charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Mar 8 13:19:41 ThinClient charon: 14[IKE] sending draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 8 13:19:41 ThinClient charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Mar 8 13:19:41 ThinClient charon: 14[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
Mar 8 13:19:41 ThinClient charon: 14[ENC] added payload of type KEY_EXCHANGE_V1 to message
Mar 8 13:19:41 ThinClient charon: 14[ENC] added payload of type NONCE_V1 to message
Mar 8 13:19:41 ThinClient charon: 14[IKE] shared Diffie Hellman secret => 128 bytes @ 0x43406e38
Mar 8 13:19:41 ThinClient charon: 14[IKE] 0: C2 92 20 85 75 B2 D9 57 E6 20 0F 1C 36 6A 3F 99 .. .u..W. ..6j?.
Mar 8 13:19:41 ThinClient charon: 14[IKE] 16: 46 E9 33 23 4E FD C8 36 E9 36 3A F9 D0 45 96 58 F.3#N..6.6:..E.X
Mar 8 13:19:41 ThinClient charon: 14[IKE] 32: 07 90 74 2A E7 87 DD 6F 9B B2 2D 46 92 11 B7 DD ..t*...o..-F....
Mar 8 13:19:41 ThinClient charon: 14[IKE] 48: 4A 37 E5 19 0D 4E 06 CE 7E 32 01 90 E4 1E 7F 66 J7...N..~2.....f
Mar 8 13:19:41 ThinClient charon: 14[IKE] 64: C2 6E 6C 98 47 AC EA BD 5A 68 AA D1 CB AB C1 95 .nl.G...Zh......
Mar 8 13:19:41 ThinClient charon: 14[IKE] 80: C0 D8 19 77 C4 CC 28 A4 1E F5 73 77 39 74 31 D8 ...w..(...sw9t1.
Mar 8 13:19:41 ThinClient charon: 14[IKE] 96: B9 6D 9F 46 D0 14 41 E5 AA 92 C5 40 0B 7D FD ED .m.F..A.... at .}..
Mar 8 13:19:41 ThinClient charon: 14[IKE] 112: E1 C1 51 9E C4 AD F1 51 9A D1 FC 20 DA FB B5 A9 ..Q....Q... ....
Mar 8 13:19:41 ThinClient charon: 14[IKE] key derivation for XAuthRespPSK failed
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130308/ecee2994/attachment.html>
More information about the Users
mailing list