[strongSwan] strange problem with migrate a ikev1 psk from openswan to strongswan
Falk Hackenberger
strongswan at spam.huckley.de
Fri Apr 3 16:52:49 CEST 2015
Hi Andreas,
thanks for you time.
so here are the settings:
Our site is XXX.XXX.XXX.XXX customer is YYY.YYY.YYY.YYY.
conn customer
keyexchange=ikev1
ike=3des-sha1-modp1024
authby=secret
left=XXX.XXX.XXX.XXX
leftsubnet=XXX.XXX.XXX.XXX/32
right=YYY.YYY.YYY.YYY
compress=no
conn customer-product
also=customer
rightsubnet=ZZZ.ZZZ.ZZZ.ZZZ/24
auto=add
I start the connection with ipsec up customer-product
Console output is:
initiating Main Mode IKE_SA customer-product[1] to YYY.YYY.YYY.YYY
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (212
bytes)
received packet: from YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (100
bytes)
parsed ID_PROT response 0 [ SA V ]
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No ]
sending packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (196
bytes)
received packet: from YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (184
bytes)
parsed ID_PROT response 0 [ KE No ]
generating ID_PROT request 0 [ ID HASH ]
sending packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (68 bytes)
received packet: from YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (68
bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA customer-product[1] established between
XXX.XXX.XXX.XXX[XXX.XXX.XXX.XXX]...YYY.YYY.YYY.YYY[YYY.YYY.YYY.YYY]
scheduling reauthentication in 10036s
maximum IKE_SA lifetime 10576s
generating QUICK_MODE request 1522800864 [ HASH SA No ID ID ]
sending packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (228
bytes)
received packet: from YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (156
bytes)
parsed QUICK_MODE response 1522800864 [ HASH SA No ID ID ]
CHILD_SA customer-product{1} established with SPIs c6f12818_i 74a0d846_o
and TS XXX.XXX.XXX.XXX/32 === ZZZ.ZZZ.ZZZ.ZZZ/24
generating QUICK_MODE request 1522800864 [ HASH ]
connection 'customer-product' established successfully
ipsec statusall
Status of IKE charon daemon (weakSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
uptime: 40 seconds, since Apr 03 16:13:26 2015
malloc: sbrk 2568192, mmap 0, used 454352, free 2113840
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve
socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap
tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
XXX.XXX.XXX.XXX
Connections:
customer-product: XXX.XXX.XXX.XXX...YYY.YYY.YYY.YYY IKEv1
customer-product: local: [XXX.XXX.XXX.XXX] uses pre-shared key
authentication
customer-product: remote: [YYY.YYY.YYY.YYY] uses pre-shared key
authentication
customer-product: child: XXX.XXX.XXX.XXX/32 === ZZZ.ZZZ.ZZZ.ZZZ/24 TUNNEL
Security Associations (1 up, 0 connecting):
customer-product[1]: ESTABLISHED 30 seconds ago,
XXX.XXX.XXX.XXX[XXX.XXX.XXX.XXX]...YYY.YYY.YYY.YYY[YYY.YYY.YYY.YYY]
customer-product[1]: IKEv1 SPIs: c6c5bfd4d780fbbb_i* a91d9e0bc03c502a_r,
pre-shared key reauthentication in 2 hours
customer-product[1]: IKE proposal:
3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
customer-product{1}: INSTALLED, TUNNEL, ESP SPIs: c6f12818_i 74a0d846_o
customer-product{1}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
rekeying in 46 minutes
customer-product{1}: XXX.XXX.XXX.XXX/32 === ZZZ.ZZZ.ZZZ.ZZZ/24
ip -s xfrm state
src XXX.XXX.XXX.XXX dst YYY.YYY.YYY.YYY
proto esp spi 0x74a0d846(1956698182) reqid 1(0x00000001) mode
tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth-trunc hmac(sha1)
0xd097e943d3f6e9d4a403ca620ecf75dc0310d258 (160 bits) 96
enc cbc(des3_ede)
0x8b6fe577bedb13c048ce4386231df275e06b0e423dd0a837 (192 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 2816(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
180(bytes), 3(packets)
add 2015-04-03 16:13:36 use 2015-04-03 16:14:52
stats:
replay-window 0 replay 0 failed 0
src YYY.YYY.YYY.YYY dst XXX.XXX.XXX.XXX
proto esp spi 0xc6f12818(3337693208) reqid 1(0x00000001) mode
tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth-trunc hmac(sha1)
0xc11fa8658ebcdef0c5baebccaaf79441897c7abf (160 bits) 96
enc cbc(des3_ede)
0x488890e5ee0b2fbcc827ceebce11e27b322c71e5b910e625 (192 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 2952(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2015-04-03 16:13:36 use -
stats:
replay-window 0 replay 0 failed 0
ip xfrm policy
src ZZZ.ZZZ.ZZZ.ZZZ/24 dst XXX.XXX.XXX.XXX/32
dir fwd priority 2851 ptype main
tmpl src YYY.YYY.YYY.YYY dst XXX.XXX.XXX.XXX
proto esp reqid 1 mode tunnel
src ZZZ.ZZZ.ZZZ.ZZZ/24 dst XXX.XXX.XXX.XXX/32
dir in priority 2851 ptype main
tmpl src YYY.YYY.YYY.YYY dst XXX.XXX.XXX.XXX
proto esp reqid 1 mode tunnel
src XXX.XXX.XXX.XXX/32 dst ZZZ.ZZZ.ZZZ.ZZZ/24
dir out priority 2851 ptype main
tmpl src XXX.XXX.XXX.XXX dst YYY.YYY.YYY.YYY
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
the charon says in the syslog:
Apr 3 16:13:26 gw01 charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
Apr 3 16:13:26 gw01 charon: 00[CFG] loaded IKE secret for
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
Apr 3 16:13:26 gw01 charon: 00[CFG] loaded 0 RADIUS server configurations
Apr 3 16:13:26 gw01 charon: 00[LIB] loaded plugins: charon aes rc2 sha1
sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7
pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac
gcm attr kernel-netlink resolve socket-default farp stroke updown
eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls
eap-ttls eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp lookip
error-notify certexpire led addrblock unity
Apr 3 16:13:26 gw01 charon: 00[LIB] unable to load 5 plugin features (5
due to unmet dependencies)
Apr 3 16:13:26 gw01 charon: 00[LIB] dropped capabilities, running as
uid 0, gid 0
Apr 3 16:13:26 gw01 charon: 00[JOB] spawning 16 worker threads
Apr 3 16:13:26 gw01 charon: 02[NET] waiting for data on sockets
Apr 3 16:13:26 gw01 charon: 05[CFG] received stroke: add connection
'customer-product'
Apr 3 16:13:26 gw01 charon: 05[CFG] conn customer-product
Apr 3 16:13:26 gw01 charon: 05[CFG] left=XXX.XXX.XXX.XXX
Apr 3 16:13:26 gw01 charon: 05[CFG] leftsubnet=XXX.XXX.XXX.XXX/32
Apr 3 16:13:26 gw01 charon: 05[CFG] leftauth=psk
Apr 3 16:13:26 gw01 charon: 05[CFG] right=YYY.YYY.YYY.YYY
Apr 3 16:13:26 gw01 charon: 05[CFG] rightsubnet=ZZZ.ZZZ.ZZZ.ZZZ/24
Apr 3 16:13:26 gw01 charon: 05[CFG] rightauth=psk
Apr 3 16:13:26 gw01 charon: 05[CFG] ike=3des-sha1-modp1024
Apr 3 16:13:26 gw01 charon: 05[CFG] esp=aes128-sha1,3des-sha1
Apr 3 16:13:26 gw01 charon: 05[CFG] dpddelay=30
Apr 3 16:13:26 gw01 charon: 05[CFG] dpdtimeout=150
Apr 3 16:13:26 gw01 charon: 05[CFG] mediation=no
Apr 3 16:13:26 gw01 charon: 05[CFG] keyexchange=ikev1
Apr 3 16:13:26 gw01 charon: 05[CFG] added configuration 'customer-product'
Apr 3 16:13:26 gw01 ipsec[6631]: charon (6662) started after 40 ms
Apr 3 16:13:36 gw01 charon: 09[CFG] received stroke: initiate
'customer-product'
Apr 3 16:13:36 gw01 charon: 11[IKE] queueing ISAKMP_VENDOR task
Apr 3 16:13:36 gw01 charon: 11[IKE] queueing ISAKMP_CERT_PRE task
Apr 3 16:13:36 gw01 charon: 11[IKE] queueing MAIN_MODE task
Apr 3 16:13:36 gw01 charon: 11[IKE] queueing ISAKMP_CERT_POST task
Apr 3 16:13:36 gw01 charon: 11[IKE] queueing ISAKMP_NATD task
Apr 3 16:13:36 gw01 charon: 11[IKE] queueing QUICK_MODE task
Apr 3 16:13:36 gw01 charon: 11[IKE] activating new tasks
Apr 3 16:13:36 gw01 charon: 11[IKE] activating ISAKMP_VENDOR task
Apr 3 16:13:36 gw01 charon: 11[IKE] activating ISAKMP_CERT_PRE task
Apr 3 16:13:36 gw01 charon: 11[IKE] activating MAIN_MODE task
Apr 3 16:13:36 gw01 charon: 11[IKE] activating ISAKMP_CERT_POST task
Apr 3 16:13:36 gw01 charon: 11[IKE] activating ISAKMP_NATD task
Apr 3 16:13:36 gw01 charon: 11[IKE] sending XAuth vendor ID
Apr 3 16:13:36 gw01 charon: 11[IKE] sending DPD vendor ID
Apr 3 16:13:36 gw01 charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID
Apr 3 16:13:36 gw01 charon: 11[IKE] sending
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 3 16:13:36 gw01 charon: 11[IKE] initiating Main Mode IKE_SA
customer-product[1] to YYY.YYY.YYY.YYY
Apr 3 16:13:36 gw01 charon: 11[IKE] IKE_SA customer-product[1] state
change: CREATED => CONNECTING
Apr 3 16:13:36 gw01 charon: 11[CFG] configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP,
IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Apr 3 16:13:36 gw01 charon: 11[ENC] generating ID_PROT request 0 [ SA V
V V V ]
Apr 3 16:13:36 gw01 charon: 11[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (212 bytes)
Apr 3 16:13:36 gw01 charon: 03[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500]
Apr 3 16:13:36 gw01 ipsec[6631]: 00[DMN] Starting IKE charon daemon
(strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
Apr 3 16:13:36 gw01 ipsec[6631]: 00[LIB] loaded plugins: charon aes rc2
sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1
pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc
hmac gcm attr kernel-netlink resolve socket-default farp stroke updown
eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls
eap-ttls eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp lookip
error-notify certexpire led addrblock unity
Apr 3 16:13:36 gw01 charon: 02[NET] received packet: from
YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500]
Apr 3 16:13:36 gw01 charon: 02[NET] waiting for data on sockets
Apr 3 16:13:36 gw01 charon: 12[NET] received packet: from
YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (100 bytes)
Apr 3 16:13:36 gw01 charon: 12[ENC] parsed ID_PROT response 0 [ SA V ]
Apr 3 16:13:36 gw01 charon: 12[IKE] received FRAGMENTATION vendor ID
Apr 3 16:13:36 gw01 charon: 12[CFG] selecting proposal:
Apr 3 16:13:36 gw01 charon: 12[CFG] proposal matches
Apr 3 16:13:36 gw01 charon: 12[CFG] received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 3 16:13:36 gw01 charon: 12[CFG] configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP,
IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Apr 3 16:13:36 gw01 charon: 12[CFG] selected proposal:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 3 16:13:36 gw01 charon: 12[IKE] reinitiating already active tasks
Apr 3 16:13:36 gw01 charon: 12[IKE] ISAKMP_VENDOR task
Apr 3 16:13:36 gw01 charon: 12[IKE] MAIN_MODE task
Apr 3 16:13:36 gw01 charon: 12[ENC] generating ID_PROT request 0 [ KE No ]
Apr 3 16:13:36 gw01 charon: 12[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (196 bytes)
Apr 3 16:13:36 gw01 charon: 03[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500]
Apr 3 16:13:36 gw01 charon: 02[NET] received packet: from
YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500]
Apr 3 16:13:36 gw01 charon: 02[NET] waiting for data on sockets
Apr 3 16:13:36 gw01 charon: 13[NET] received packet: from
YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (184 bytes)
Apr 3 16:13:36 gw01 charon: 13[ENC] parsed ID_PROT response 0 [ KE No ]
Apr 3 16:13:36 gw01 charon: 13[IKE] reinitiating already active tasks
Apr 3 16:13:36 gw01 charon: 13[IKE] ISAKMP_VENDOR task
Apr 3 16:13:36 gw01 charon: 13[IKE] MAIN_MODE task
Apr 3 16:13:36 gw01 charon: 13[ENC] generating ID_PROT request 0 [ ID
HASH ]
Apr 3 16:13:36 gw01 charon: 13[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (68 bytes)
Apr 3 16:13:36 gw01 charon: 03[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500]
Apr 3 16:13:36 gw01 charon: 02[NET] received packet: from
YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500]
Apr 3 16:13:36 gw01 charon: 02[NET] waiting for data on sockets
Apr 3 16:13:36 gw01 charon: 14[NET] received packet: from
YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (68 bytes)
Apr 3 16:13:36 gw01 charon: 14[ENC] parsed ID_PROT response 0 [ ID HASH ]
Apr 3 16:13:36 gw01 charon: 14[IKE] IKE_SA customer-product[1]
established between
XXX.XXX.XXX.XXX[XXX.XXX.XXX.XXX]...YYY.YYY.YYY.YYY[YYY.YYY.YYY.YYY]
Apr 3 16:13:36 gw01 charon: 14[IKE] IKE_SA customer-product[1] state
change: CONNECTING => ESTABLISHED
Apr 3 16:13:36 gw01 charon: 14[IKE] scheduling reauthentication in 10036s
Apr 3 16:13:36 gw01 charon: 14[IKE] maximum IKE_SA lifetime 10576s
Apr 3 16:13:36 gw01 charon: 14[IKE] activating new tasks
Apr 3 16:13:36 gw01 charon: 14[IKE] activating QUICK_MODE task
Apr 3 16:13:36 gw01 charon: 14[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Apr 3 16:13:36 gw01 charon: 14[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Apr 3 16:13:36 gw01 charon: 14[CFG] proposing traffic selectors for us:
Apr 3 16:13:36 gw01 charon: 14[CFG] XXX.XXX.XXX.XXX/32
Apr 3 16:13:36 gw01 charon: 14[CFG] proposing traffic selectors for other:
Apr 3 16:13:36 gw01 charon: 14[CFG] ZZZ.ZZZ.ZZZ.ZZZ/24
Apr 3 16:13:36 gw01 charon: 14[ENC] generating QUICK_MODE request
1522800864 [ HASH SA No ID ID ]
Apr 3 16:13:36 gw01 charon: 14[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (228 bytes)
Apr 3 16:13:36 gw01 charon: 03[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500]
Apr 3 16:13:36 gw01 charon: 02[NET] received packet: from
YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500]
Apr 3 16:13:36 gw01 charon: 02[NET] waiting for data on sockets
Apr 3 16:13:36 gw01 charon: 15[NET] received packet: from
YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (156 bytes)
Apr 3 16:13:36 gw01 charon: 15[ENC] parsed QUICK_MODE response
1522800864 [ HASH SA No ID ID ]
Apr 3 16:13:36 gw01 charon: 15[CFG] selecting proposal:
Apr 3 16:13:36 gw01 charon: 15[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Apr 3 16:13:36 gw01 charon: 15[CFG] selecting proposal:
Apr 3 16:13:36 gw01 charon: 15[CFG] proposal matches
Apr 3 16:13:36 gw01 charon: 15[CFG] received proposals:
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Apr 3 16:13:36 gw01 charon: 15[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Apr 3 16:13:36 gw01 charon: 15[CFG] selected proposal:
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Apr 3 16:13:36 gw01 charon: 15[IKE] CHILD_SA customer-product{1}
established with SPIs c6f12818_i 74a0d846_o and TS XXX.XXX.XXX.XXX/32
=== ZZZ.ZZZ.ZZZ.ZZZ/24
Apr 3 16:13:36 gw01 charon: 15[IKE] reinitiating already active tasks
Apr 3 16:13:36 gw01 charon: 15[IKE] QUICK_MODE task
Apr 3 16:13:36 gw01 charon: 15[ENC] generating QUICK_MODE request
1522800864 [ HASH ]
Apr 3 16:13:36 gw01 charon: 15[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (60 bytes)
Apr 3 16:13:36 gw01 charon: 15[IKE] activating new tasks
Apr 3 16:13:36 gw01 charon: 15[IKE] nothing to initiate
Apr 3 16:13:36 gw01 charon: 03[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500]
Apr 3 16:14:06 gw01 charon: 08[CFG] proposing traffic selectors for us:
Apr 3 16:14:06 gw01 charon: 08[CFG] XXX.XXX.XXX.XXX/32
Apr 3 16:14:06 gw01 charon: 08[CFG] proposing traffic selectors for other:
Apr 3 16:14:06 gw01 charon: 08[CFG] ZZZ.ZZZ.ZZZ.ZZZ/24
Apr 3 16:13:04 gw01 charon: 15[ENC] generating QUICK_MODE request
3303339064 [ HASH SA No ID ID ]
Apr 3 16:13:04 gw01 charon: 15[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (228 bytes)
Apr 3 16:13:04 gw01 charon: 04[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500]
Apr 3 16:13:04 gw01 charon: 03[NET] received packet: from
YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500]
Apr 3 16:13:04 gw01 charon: 03[NET] waiting for data on sockets
Apr 3 16:13:04 gw01 charon: 06[NET] received packet: from
YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (156 bytes)
Apr 3 16:13:04 gw01 charon: 06[ENC] parsed QUICK_MODE response
3303339064 [ HASH SA No ID ID ]
Apr 3 16:13:04 gw01 charon: 06[CFG] selecting proposal:
Apr 3 16:13:04 gw01 charon: 06[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Apr 3 16:13:04 gw01 charon: 06[CFG] selecting proposal:
Apr 3 16:13:04 gw01 charon: 06[CFG] proposal matches
Apr 3 16:13:04 gw01 charon: 06[CFG] received proposals:
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Apr 3 16:13:04 gw01 charon: 06[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3D
ES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Apr 3 16:13:04 gw01 charon: 06[CFG] selected proposal:
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Apr 3 16:13:04 gw01 charon: 06[IKE] CHILD_SA sparda-product{1}
established with SPIs cdc8c2ab_i c1d90dc6_o and TS XXX.XXX.XXX.XXX/32
=== ZZZ.ZZZ.ZZZ.ZZZ/24
Apr 3 16:13:04 gw01 charon: 06[IKE] reinitiating already active tasks
Apr 3 16:13:04 gw01 charon: 06[IKE] QUICK_MODE task
Apr 3 16:13:04 gw01 charon: 06[ENC] generating QUICK_MODE request
3303339064 [ HASH ]
Apr 3 16:13:04 gw01 charon: 06[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (60 bytes)
Apr 3 16:13:04 gw01 charon: 06[IKE] activating new tasks
Apr 3 16:13:04 gw01 charon: 06[IKE] nothing to initiate
Apr 3 16:13:04 gw01 charon: 04[NET] sending packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500]
tcpdump says:
16:13:36.466737 IP (tos 0x0, ttl 64, id 54300, offset 0, flags [DF],
proto UDP (17), length 240)
XXX.XXX.XXX.XXX.500 > YYY.YYY.YYY.YYY.500: [bad udp cksum 0xca29 ->
0xa815!] isakmp 1.0 msgid 00000000 cookie
bbfb80d7d4bfc5c6->0000000000000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=3
(t: #1 id=ike (type=enc value=3des)(type=hash
value=sha1)(type=group desc value=modp1024)(type=auth
value=preshared)(type=lifetype value=sec)(type=lifeduration value=2a30))
(t: #2 id=ike (type=enc value=aes)(type=keylen
value=0080)(type=hash value=md5)(type=group desc
value=modp2048)(type=auth value=preshared)(type=lifetype
value=sec)(type=lifeduration value=2a30))
(t: #3 id=ike (type=group desc value=modp2048)(type=auth
value=preshared)(type=lifetype value=sec)(type=lifeduration value=2a30))))
(vid: len=8)
(vid: len=16)
(vid: len=16)
(vid: len=16)
16:13:36.478876 IP (tos 0x0, ttl 51, id 8646, offset 0, flags [none],
proto UDP (17), length 128)
YYY.YYY.YYY.YYY.500 > XXX.XXX.XXX.XXX.500: [udp sum ok] isakmp 1.0
msgid 00000000 cookie bbfb80d7d4bfc5c6->2a503cc00b9e1da9: phase 1 R ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=enc value=3des)(type=hash
value=sha1)(type=group desc value=modp1024)(type=auth
value=preshared)(type=lifetype value=sec)(type=lifeduration value=2a30))))
(vid: len=16)
16:13:36.487532 IP (tos 0x0, ttl 64, id 54301, offset 0, flags [DF],
proto UDP (17), length 224)
XXX.XXX.XXX.XXX.500 > YYY.YYY.YYY.YYY.500: [bad udp cksum 0xca19 ->
0x97fd!] isakmp 1.0 msgid 00000000 cookie
bbfb80d7d4bfc5c6->2a503cc00b9e1da9: phase 1 I ident:
(ke: key len=128)
(nonce: n len=32
data=(cab990a383b7e07b4626...4b6e887c666f41920748af0cadbab6b3768c5da7))
16:13:36.499529 IP (tos 0x0, ttl 51, id 8647, offset 0, flags [none],
proto UDP (17), length 212)
YYY.YYY.YYY.YYY.500 > XXX.XXX.XXX.XXX.500: [udp sum ok] isakmp 1.0
msgid 00000000 cookie bbfb80d7d4bfc5c6->2a503cc00b9e1da9: phase 1 R ident:
(ke: key len=128)
(nonce: n len=20 data=(a60154719d1f8909e489...a027d5a84bcc5b1eadf5))
16:13:36.501969 IP (tos 0x0, ttl 64, id 54305, offset 0, flags [DF],
proto UDP (17), length 96)
XXX.XXX.XXX.XXX.500 > YYY.YYY.YYY.YYY.500: [bad udp cksum 0xc999 ->
0xa117!] isakmp 1.0 msgid 00000000 cookie
bbfb80d7d4bfc5c6->2a503cc00b9e1da9: phase 1 I ident[E]: [encrypted id]
16:13:36.515652 IP (tos 0x0, ttl 51, id 8648, offset 0, flags [none],
proto UDP (17), length 96)
YYY.YYY.YYY.YYY.500 > XXX.XXX.XXX.XXX.500: [udp sum ok] isakmp 1.0
msgid 00000000 cookie bbfb80d7d4bfc5c6->2a503cc00b9e1da9: phase 1 R
ident[E]: [encrypted id]
16:13:36.517724 IP (tos 0x0, ttl 64, id 54309, offset 0, flags [DF],
proto UDP (17), length 256)
XXX.XXX.XXX.XXX.500 > YYY.YYY.YYY.YYY.500: [bad udp cksum 0xca39 ->
0xd1c1!] isakmp 1.0 msgid 5ac418e0 cookie
bbfb80d7d4bfc5c6->2a503cc00b9e1da9: phase 2/others I oakley-quick[E]:
[encrypted hash]
16:13:36.529977 IP (tos 0x0, ttl 51, id 8649, offset 0, flags [none],
proto UDP (17), length 184)
YYY.YYY.YYY.YYY.500 > XXX.XXX.XXX.XXX.500: [udp sum ok] isakmp 1.0
msgid 5ac418e0 cookie bbfb80d7d4bfc5c6->2a503cc00b9e1da9: phase 2/others
R oakley-quick[E]: [encrypted hash]
16:13:36.532081 IP (tos 0x0, ttl 64, id 54312, offset 0, flags [DF],
proto UDP (17), length 88)
XXX.XXX.XXX.XXX.500 > YYY.YYY.YYY.YYY.500: [bad udp cksum 0xc991 ->
0xaca0!] isakmp 1.0 msgid 5ac418e0 cookie
bbfb80d7d4bfc5c6->2a503cc00b9e1da9: phase 2/others I oakley-quick[E]:
[encrypted hash]
16:14:52.176960 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto
ESP (50), length 112)
XXX.XXX.XXX.XXX > YYY.YYY.YYY.YYY: ESP(spi=0x74a0d846,seq=0x1),
length 92
16:14:53.173827 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto
ESP (50), length 112)
XXX.XXX.XXX.XXX > YYY.YYY.YYY.YYY: ESP(spi=0x74a0d846,seq=0x2),
length 92
16:14:55.177745 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto
ESP (50), length 112)
XXX.XXX.XXX.XXX > YYY.YYY.YYY.YYY: ESP(spi=0x74a0d846,seq=0x3),
length 9
Am 03.04.2015 um 09:47 schrieb Andreas Steffen:
> without a logfile from the strongSwan side I cannot do any
> diagnosis.
>
> On 04/03/2015 12:21 AM, Falk Hackenberger wrote:
>> I have a very strange problem with a migration a ikev1 psk vpn from
>> openswan to strongswan
>> The old system have a Debian kernel 3.2.46-1+deb7u1~bpo60+1 with openswan
>> 2.6.28+dfsg-5+squeeze2.
>> Then new system is have a debian kernel 3.16.7-ckt7-1 (2015-03-01) with
>> strongswan 5.2.1-5.
>>
>> On the old system the vpn connection have no problems.
>> On the new system the ike exchange have no problem.
>> But I get no answer to the esp packets.
>> I knew that the esp packets arrive the other side which is a checkpoint.
>>
>> As the checkpoint is controlled by customer I cant debug there.
>> Any Idea what is the reason for that problem?
More information about the Users
mailing list