[strongSwan] received retransmit of response with ID 0, but next request already sent

Axel Zöllich a.zoellich at kirsch.zoellich.de
Wed Oct 22 14:19:56 CEST 2014


On Wednesday, 22 October 2014 at 13:48:05, Thomas Egerer wrote:

> Any chance you can provide the log information of the peer?
No :(


> Judging from your config, you are using public key
> authentication. Do you see the certificates being transmitted?
Yes, I do:

No.     Time           Source                Destination           Protocol Length Info
      3 0.052498000    80.152.262.292        217.86.257.203        ISAKMP   416    Identity Protection (Main Mode)

Frame 3: 416 bytes on wire (3328 bits), 416 bytes captured (3328 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: 80.152.262.292 (80.152.262.292), Dst: 217.86.257.203 (217.86.257.203)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 9d06bd6bae9ad45c
    Responder cookie: 73695db401fe7cea
    Next payload: Key Exchange (4)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x00
    Message ID: 0x00000000
    Length: 372
    Type Payload: Key Exchange (4)
        Next payload: Nonce (10)
        Payload length: 260
        Key Exchange Data: d3d522b856aa1ee569d25bf02328f02d6ccb5283969ffaaa...
    Type Payload: Nonce (10)
        Next payload: NAT-D (RFC 3947) (20)
        Payload length: 36
        Nonce DATA: 3bc91716609986b745d0ce01df3932ba8e4f10c3ce10fa0b...
    Type Payload: NAT-D (RFC 3947) (20)
        Next payload: NAT-D (RFC 3947) (20)
        Payload length: 24
        HASH of the address and port: 0cbcd7180e0f5f6e3ae2e13eb5d2c86d30056834
    Type Payload: NAT-D (RFC 3947) (20)
        Next payload: NONE / No Next Payload  (0)
        Payload length: 24
        HASH of the address and port: a064a1d3fdb21b35cb188ba9deb6bde71771f635
No.     Time           Source                Destination           Protocol Length Info
      4 0.302433000    217.86.257.203        80.152.262.292        ISAKMP   400    Identity Protection (Main Mode)

Frame 4: 400 bytes on wire (3200 bits), 400 bytes captured (3200 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: 217.86.257.203 (217.86.257.203), Dst: 80.152.262.292 (80.152.262.292)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 9d06bd6bae9ad45c
    Responder cookie: 73695db401fe7cea
    Next payload: Key Exchange (4)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x00
    Message ID: 0x00000000
    Length: 356
    Type Payload: Key Exchange (4)
        Next payload: Nonce (10)
        Payload length: 260
        Key Exchange Data: d48d1078cea3354ff836d0d1d9c3cac8312102dfd0534399...
    Type Payload: Nonce (10)
        Next payload: NAT-D (RFC 3947) (20)
        Payload length: 20
        Nonce DATA: e24e05e1cfc7c34282a2b3bc4104e657
    Type Payload: NAT-D (RFC 3947) (20)
        Next payload: NAT-D (RFC 3947) (20)
        Payload length: 24
        HASH of the address and port: a064a1d3fdb21b35cb188ba9deb6bde71771f635
    Type Payload: NAT-D (RFC 3947) (20)
        Next payload: NONE / No Next Payload  (0)
        Payload length: 24
        HASH of the address and port: 0cbcd7180e0f5f6e3ae2e13eb5d2c86d30056834
No.     Time           Source                Destination           Protocol Length Info
      5 0.313490000    80.152.262.292        217.86.157.103        ISAKMP   112    Identity Protection (Main Mode)

Frame 5: 112 bytes on wire (896 bits), 112 bytes captured (896 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: 80.152.262.292 (80.152.262.292), Dst: 217.86.157.103 (217.86.157.103)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 9d06bd6bae9ad45c
    Responder cookie: 73695db401fe7cea
    Next payload: Identification (5)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x01
    Message ID: 0x00000000
    Length: 68
    Encrypted Data (40 bytes)
No.     Time           Source                Destination           Protocol Length Info
      8 3.351721000    217.86.257.203        80.152.262.292        ISAKMP   400    Identity Protection (Main Mode)

Frame 8: 400 bytes on wire (3200 bits), 400 bytes captured (3200 bits) on interface 0
Linux cooked capture
Internet Protocol Version 4, Src: 217.86.157.103 (217.86.157.103), Dst: 80.152.262.292 (80.152.262.292)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 9d06bd6bae9ad45c
    Responder cookie: 73695db401fe7cea
    Next payload: Key Exchange (4)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x00
    Message ID: 0x00000000
    Length: 356
    Type Payload: Key Exchange (4)
        Next payload: Nonce (10)
        Payload length: 260
        Key Exchange Data: d48d1078cea3354ff836d0d1d9c3cac8312102dfd0534399...
    Type Payload: Nonce (10)
        Next payload: NAT-D (RFC 3947) (20)
        Payload length: 20
        Nonce DATA: e24e05e1cfc7c34282a2b3bc4104e657
    Type Payload: NAT-D (RFC 3947) (20)
        Next payload: NAT-D (RFC 3947) (20)
        Payload length: 24
        HASH of the address and port: a064a1d3fdb21b35cb188ba9deb6bde71771f635
    Type Payload: NAT-D (RFC 3947) (20)
        Next payload: NONE / No Next Payload  (0)
        Payload length: 24
        HASH of the address and port: 0cbcd7180e0f5f6e3ae2e13eb5d2c86d30056834

> Because this looks very much like an authentication gone wrong.
> I've seen similar behavior before, the peer was an IKEv2 node
> however.

It looks like 217.86.257.203 doesn't answer No. 5 but resends No. 4 after 3 
seconds.
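The exchange above, as an added example that is not part of the original post and is not strongSwan code: a small Python parser for the plaintext ISAKMP (IKEv1) header and generic payload chain, plus a detector that flags a datagram as a retransmit when its cookies, message ID, sender and exact bytes were already seen. Run over four constructed frames shaped like the capture (same payload types and lengths as frames 3, 4, 5 and 8), it reports frame 8 as a byte-identical resend of frame 4 about 3 seconds later rather than as the reply to frame 5, which is the situation Axel describes. The cookies and NAT-D hashes are copied from the dump; the KE and nonce bytes are filler, the role labels "initiator" and "responder" stand in for the addresses, and the parser's length checks are what keep a malformed chain from being over-read.

```python
import hashlib
import struct
from collections import namedtuple

HEADER_FMT = "!8s8sBBBBII"          # RFC 2408 3.1: 28-byte header, big-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)
FLAG_ENCRYPTION = 0x01              # set on main mode messages 5 and 6
MAIN_MODE = 2
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 6: "CERT", 8: "HASH",
                 10: "NONCE", 20: "NAT-D"}
IsakmpMessage = namedtuple("IsakmpMessage", "i_cookie r_cookie exchange_type "
                           "flags message_id length payloads")


def parse_isakmp(buf):
    """Parse one UDP/500 datagram; every length is checked before it is used,
    so a bad payload chain raises ValueError instead of over-reading."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    i_ck, r_ck, next_pl, version, exch, flags, msg_id, length = \
        struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    if version >> 4 != 1:
        raise ValueError("not IKEv1, major version %d" % (version >> 4))
    if length != len(buf):
        raise ValueError("header length %d != datagram %d" % (length, len(buf)))
    msg = IsakmpMessage(i_ck, r_ck, exch, flags, msg_id, length, [])
    if flags & FLAG_ENCRYPTION:                  # chain is ciphertext: stop here
        msg.payloads.append(("ENCRYPTED", buf[HEADER_LEN:]))
        return msg
    off, ptype = HEADER_LEN, next_pl
    while ptype != 0:                            # walk the generic payload chain
        if off + 4 > len(buf):
            raise ValueError("truncated payload header at %d" % off)
        nxt, _reserved, plen = struct.unpack("!BBH", buf[off:off + 4])
        if plen < 4 or off + plen > len(buf):
            raise ValueError("bad payload length %d at %d" % (plen, off))
        msg.payloads.append((PAYLOAD_NAMES.get(ptype, str(ptype)),
                             buf[off + 4:off + plen]))
        off, ptype = off + plen, nxt
    if off != len(buf):
        raise ValueError("%d trailing bytes after last payload" % (len(buf) - off))
    return msg


def is_malformed(buf):
    """True when parse_isakmp rejects the datagram."""
    try:
        parse_isakmp(buf)
        return False
    except ValueError:
        return True


def build_isakmp(i_ck, r_ck, exch, flags, msg_id, payloads):
    """Serialise a plaintext message from [(type, data), ...] (sample-frame helper)."""
    body = b""
    for idx, (ptype, data) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return struct.pack(HEADER_FMT, i_ck, r_ck, first, 0x10, exch, flags,
                       msg_id, HEADER_LEN + len(body)) + body


class RetransmitDetector:
    """Flags a datagram whose cookies, message ID, sender and exact bytes were
    already seen: a retransmit, not the next message of the exchange."""

    def __init__(self):
        self.seen = {}                           # key -> (frame_no, timestamp)

    def observe(self, frame_no, ts, src, buf):
        msg = parse_isakmp(buf)
        key = (msg.i_cookie, msg.r_cookie, msg.message_id, src,
               hashlib.sha256(buf).digest())
        prev = self.seen.get(key)
        if prev is not None:
            return (frame_no, prev[0], round(ts - prev[1], 2))
        self.seen[key] = (frame_no, ts)
        return None


# Constructed frames mirroring the thread's capture: cookies and NAT-D hashes are
# copied from the dump, KE and nonce bytes are filler, sources are role labels.
I_CK = bytes.fromhex("9d06bd6bae9ad45c")
R_CK = bytes.fromhex("73695db401fe7cea")
NATD_A = bytes.fromhex("0cbcd7180e0f5f6e3ae2e13eb5d2c86d30056834")
NATD_B = bytes.fromhex("a064a1d3fdb21b35cb188ba9deb6bde71771f635")
FRAME3 = build_isakmp(I_CK, R_CK, MAIN_MODE, 0, 0, [(4, b"\xd3" * 256),
                      (10, b"\x3b" * 32), (20, NATD_A), (20, NATD_B)])     # 372 bytes
FRAME4 = build_isakmp(I_CK, R_CK, MAIN_MODE, 0, 0, [(4, b"\xd4" * 256),
                      (10, b"\xe2" * 16), (20, NATD_B), (20, NATD_A)])     # 356 bytes
FRAME5 = struct.pack(HEADER_FMT, I_CK, R_CK, 5, 0x10, MAIN_MODE, FLAG_ENCRYPTION,
                     0, HEADER_LEN + 40) + bytes(range(40))                # 68 bytes
FRAME8 = FRAME4                                  # same bytes resent ~3 s later
CAPTURE = [(3, 0.052498, "initiator", FRAME3), (4, 0.302433, "responder", FRAME4),
           (5, 0.313490, "initiator", FRAME5), (8, 3.351721, "responder", FRAME8)]


def analyse_capture(capture=CAPTURE):
    """Return [(duplicate_frame, original_frame, delay_seconds)] for a capture."""
    det = RetransmitDetector()
    return [f for f in (det.observe(*e) for e in capture) if f is not None]
```

Keying the detector on the full datagram digest as well as the cookies and message ID is deliberate: in main mode every message of the exchange carries message ID 0, so the ID alone cannot distinguish a retransmit from the next message, and the encrypted frame 5 from the initiator is correctly left alone because its bytes, sender and content differ from frame 4.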