[strongSwan] IPsec between Cisco CSR and Strongswan - Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
Alexey Lapkis
loshala at gmail.com
Tue Apr 14 15:32:21 CEST 2015
Hi All,
I'm trying to setup a cert based IPsec tunnel between Cisco CSR 03.13.01.S
and Strongswan U5.2.1/K3.5.0-17-generic using IKEv2.
The issue that I'm facing is that the SA on the Strongswan side is up but stuck in
"IN-NEG" status on the Cisco side (Response is outside of window received 0x1,
expect 0x2 <= mess_id < 0x2).
On the Cisco side, I'm using SCEP for cert enrollment from the LabCA server in the
lab. On the Strongswan side, I used the private key from LabCA in order to sign a
CSR and generate a certificate for Strongswan.
Cisco configuration:
======================
!
crypto pki trustpoint LabCA
 enrollment retry count 12
 enrollment retry period 5
 enrollment url http://172.24.176.42:80
 usage ike
 fqdn router.lab.local
 subject-name CN=router.lab.local
 vrf MGMT
 revocation-check none
 rsakeypair LabCA
 auto-enroll 90 regenerate
!
!
crypto pki certificate map CSR_SWAN 10
 subject-name co ne.lab.local
!
crypto pki certificate chain LabCA
 certificate 09
  3082032A <omitted output>
  quit
 certificate ca 01
  3082031A <omitted output>
  quit
!
crypto ikev2 proposal CSR_SWAN
 encryption aes-cbc-128
 integrity sha1
 group 5
!
crypto ikev2 policy CSR_SWAN
 proposal CSR_SWAN
!
!
crypto ikev2 profile CSR_SWAN
 match certificate CSR_SWAN
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint LabCA
!
!
crypto ipsec transform-set CSR_SWAN esp-aes esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile CSR_SWAN
 set transform-set CSR_SWAN
 set ikev2-profile CSR_SWAN
!
!
interface Tunnel101
 description ### OUTER TUNNEL ###
 ip address 169.254.100.1 255.255.255.0
 tunnel source GigabitEthernet2
 tunnel destination 10.10.100.2
 tunnel key 100
 tunnel protection ipsec profile CSR_SWAN
!
Strongswan configuration:
==========================
ca myCert
        cacert=LabCA.crt
        auto=add

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn csr-swan
        auto=add
        authby=pubkey
        left=10.10.100.2
        leftsourceip=10.10.100.2
        leftid="C=US, CN=ne.lab.local"
        leftrsasigkey=%cert
        leftcert=ne.crt
        leftsendcert=always
        right=172.20.100.1
        rightid="CN=router.lab.local, unstructuredName=router.lab.local"
        ike=aes128-sha1-modp1536
        esp=aes128-sha1
        keyexchange=ikev2
Cisco status:
==============
CSR-LAB-SITE-01#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         172.20.100.1/500      10.10.100.2/500       none/none            IN-NEG
      Encr: AES-CBC, keysize: 128, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/0 sec
      CE id: 1108, Session-id: 0
      Status Description: Initiator waiting for AUTH response
      Local spi: 4E88D7FCDF82752D       Remote spi: 8DBED65029709452
      Local id: hostname=router.lab.local,cn=router.lab.local
      Remote id: cn=ne.lab.local,c=US
      Local req msg id:  2              Remote req msg id:  0
      Local next msg id: 2              Remote next msg id: 0
      Local req queued:  2              Remote req queued:  0
      Local window:      5              Remote window:      1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes

 IPv6 Crypto IKEv2 SA
CSR-LAB-SITE-01#
Strongswan status:
===================
root@SWAN-01:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.5.0-17-generic, x86_64):
  uptime: 5 minutes, since Apr 14 16:03:30 2015
  malloc: sbrk 544768, mmap 0, used 408096, free 136672
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  198.18.92.225
  10.10.100.2
  192.168.13.1
  192.168.14.1
  169.254.100.2
Connections:
    csr-swan:  10.10.100.2...172.20.100.1  IKEv2
    csr-swan:   local:  [C=US, CN=ne.lab.local] uses public key authentication
    csr-swan:    cert:  "C=US, CN=ne.lab.local"
    csr-swan:   remote: [CN=router.lab.local, unstructuredName=router.lab.local] uses public key authentication
    csr-swan:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
    csr-swan[2]: ESTABLISHED 119 seconds ago, 10.10.100.2[C=US, CN=ne.lab.local]...172.20.100.1[CN=router.lab.local, unstructuredName=router.lab.local]
    csr-swan[2]: IKEv2 SPIs: 2d7582dffcd7884e_i 5294702950d6be8d_r*, public key reauthentication in 23 hours
    csr-swan[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    csr-swan{2}:  INSTALLED, TUNNEL, ESP SPIs: c439a8dc_i cd654165_o
    csr-swan{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 52 minutes
    csr-swan{2}:   10.10.100.2/32[gre] === 172.20.100.1/32[gre]
root@SWAN-01:~#
root@SWAN-01:~# ipsec listall
List of CA Information Sections:

  authname:  "CN=US_LAB.lab.local"
  authkey:   fe:81:80:3d:5c:15:96:ed:5a:4e:83:32:b8:b4:35:98:15:48:68:dc
  keyid:     ed:31:0f:9f:5b:90:cc:da:61:21:43:db:5d:19:77:72:ff:64:9d:b6

List of X.509 End Entity Certificates:

  subject:  "CN=router.lab.local, unstructuredName=router.lab.local"
  issuer:   "CN=US_LAB.lab.local"
  serial:    09
  validity:  not before Apr 13 17:20:49 2015, ok
             not after  Jul 22 17:20:49 2015, ok
  pubkey:    RSA 2048 bits
  keyid:     3d:76:88:6a:21:04:7a:ee:08:58:06:da:91:8a:59:ad:36:d5:c6:98
  subjkey:   34:28:a2:6e:e1:93:2e:7c:9e:d1:bb:80:c5:6b:ca:65:8c:50:22:f2
  authkey:   fe:81:80:3d:5c:15:96:ed:5a:4e:83:32:b8:b4:35:98:15:48:68:dc

  subject:  "C=US, CN=ne.lab.local"
  issuer:   "CN=US_LAB.lab.local"
  serial:    10:00
  validity:  not before Apr 13 15:40:55 2015, ok
             not after  Apr 12 15:40:55 2016, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     e8:ca:6d:c5:de:b0:68:a3:20:1a:28:8a:07:21:1a:63:f0:db:0c:27
  subjkey:   c9:a3:33:74:7d:3a:33:00:e8:c2:ce:00:04:21:7b:a8:10:79:1f:4b
  authkey:   fe:81:80:3d:5c:15:96:ed:5a:4e:83:32:b8:b4:35:98:15:48:68:dc

List of X.509 CA Certificates:

  subject:  "CN=US_LAB.lab.local"
  issuer:   "CN=US_LAB.lab.local"
  serial:    01
  validity:  not before Apr 12 13:45:35 2015, ok
             not after  Apr 12 13:45:35 2035, ok
  pubkey:    RSA 2048 bits
  keyid:     ed:31:0f:9f:5b:90:cc:da:61:21:43:db:5d:19:77:72:ff:64:9d:b6
  subjkey:   fe:81:80:3d:5c:15:96:ed:5a:4e:83:32:b8:b4:35:98:15:48:68:dc
  authkey:   fe:81:80:3d:5c:15:96:ed:5a:4e:83:32:b8:b4:35:98:15:48:68:dc
Cisco debug:
=============
Apr 14 13:46:20.282: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 4,
  (identity) local= 172.20.100.1:0, remote= 10.10.100.2:0,
    local_proxy= 172.20.100.1/255.255.255.255/47/0,
    remote_proxy= 10.10.100.2/255.255.255.255/47/0
Apr 14 13:46:20.282: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.20.100.1:500, remote= 10.10.100.2:500,
    local_proxy= 172.20.100.1/255.255.255.255/47/0,
    remote_proxy= 10.10.100.2/255.255.255.255/47/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Apr 14 13:46:20.282: IKEv2:Searching Policy with fvrf 0, local address 172.20.100.1
Apr 14 13:46:20.282: IKEv2:Found Policy 'CSR_SWAN'
Apr 14 13:46:20.282: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.20.100.1-172.20.100.1 Protocol: 47 Port Range: 0-65535 ; remote traffic selector = Address Range: 10.10.100.2-10.10.100.2 Protocol: 47 Port Range: 0-65535
Apr 14 13:46:20.282: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Apr 14 13:46:20.282: CRYPTO_PKI: (A003A) Session started - identity not specified
Apr 14 13:46:20.282: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
Apr 14 13:46:20.282: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
Apr 14 13:46:20.282: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA1   SHA96   DH_GROUP_1536_MODP/Group 5
Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.10.100.2:500/From 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
Apr 14 13:46:20.291: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.10.100.2:500/To 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(Unknown - 16404)
Apr 14 13:46:20.291: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
Apr 14 13:46:20.291: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
Apr 14 13:46:20.291: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
Apr 14 13:46:20.291: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Apr 14 13:46:20.291: CRYPTO_PKI: Trust-Point LabCA picked up
Apr 14 13:46:20.291: CRYPTO_PKI: 1 matching trustpoints found
Apr 14 13:46:20.291: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'LabCA'
Apr 14 13:46:20.291: CRYPTO_PKI: locked trustpoint LabCA, refcount is 1
Apr 14 13:46:20.291: CRYPTO_PKI: Identity bound (LabCA) for session A003A
Apr 14 13:46:20.291: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint LabCA
Apr 14 13:46:20.292: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
Apr 14 13:46:20.292: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
Apr 14 13:46:20.292: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
Apr 14 13:46:20.292: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
Apr 14 13:46:20.300: IKEv2:Config data to send:
Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Config-type: Config-request
Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Attrib type: app-version, length: 251, data: Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 31-Oct-14 17:32 by mcpre
Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Have config mode data to send
Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
Apr 14 13:46:20.300: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Apr 14 13:46:20.300: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'RSA'
Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Sign authentication data
Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
Apr 14 13:46:20.314: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Authentication material has been sucessfully signed
Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: 'hostname=router.lab.local,cn=router.lab.local' of type 'DER ASN1 DN'
Apr 14 13:46:20.314: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Apr 14 13:46:20.314: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'LabCA'
Apr 14 13:46:20.314: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Apr 14 13:46:20.314: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96   Don't use ESN
Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.10.100.2:500/From 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Apr 14 13:46:20.413: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.10.100.2:500/To 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 IDr CERT AUTH SA TSi TSr NOTIFY(Unknown - 16403)
Apr 14 13:46:20.413: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
Apr 14 13:46:20.415: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
Apr 14 13:46:20.415: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.10.100.2:500/From 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Apr 14 13:46:20.667: IKEv2:(SESSION ID = 1,SA ID = 1):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
: Received an IKE msg id outside supported window
Apr 14 13:46:20.669: IKEv2:Couldn't find matching SA: Received an IKE msg id outside supported window
Apr 14 13:46:20.669: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 10.10.100.2:500/To 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Apr 14 13:46:20.669: IKEv2:: A supplied parameter is incorrect
Apr 14 13:46:22.381: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
Apr 14 13:46:22.381: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.10.100.2:500/From 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Apr 14 13:46:22.384: IKEv2:(SESSION ID = 1,SA ID = 1):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
: Received an IKE msg id outside supported window
Apr 14 13:46:22.386: IKEv2:Couldn't find matching SA: Received an IKE msg id outside supported window
Apr 14 13:46:22.386: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 10.10.100.2:500/To 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Apr 14 13:46:22.386: IKEv2:: A supplied parameter is incorrect
Apr 14 13:46:26.213: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
Apr 14 13:46:26.213: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.10.100.2:500/From 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
Apr 14 13:46:26.215: IKEv2:(SESSION ID = 1,SA ID = 1):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
: Received an IKE msg id outside supported window
Apr 14 13:46:26.216: IKEv2:Couldn't find matching SA: Received an IKE msg id outside supported window
Apr 14 13:46:26.216: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 10.10.100.2:500/To 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Apr 14 13:46:26.216: IKEv2:: A supplied parameter is incorrect
Strongswan log:
================
Apr 14 16:03:30 SWAN-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.5.0-17-generic, x86_64)
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loaded ca certificate "CN=US_LAB.lab.local" from '/usr/local/etc/ipsec.d/cacerts/LabCA.crt'
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loaded IKE secret for 10.10.100.2
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loaded IKE secret for 172.20.100.1
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loaded IKE secret for %any
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/ne.key'
Apr 14 16:03:30 SWAN-01 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Apr 14 16:03:30 SWAN-01 charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Apr 14 16:03:30 SWAN-01 charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)
Apr 14 16:03:30 SWAN-01 charon: 00[JOB] spawning 16 worker threads
Apr 14 16:03:30 SWAN-01 charon: 11[CFG] received stroke: add ca 'myCert'
Apr 14 16:03:30 SWAN-01 charon: 11[CFG] loaded ca certificate "CN=US_LAB.lab.local" from 'LabCA.crt'
Apr 14 16:03:30 SWAN-01 charon: 11[CFG] added ca 'myCert'
Apr 14 16:03:30 SWAN-01 charon: 13[CFG] received stroke: add connection 'csr-swan'
Apr 14 16:03:30 SWAN-01 charon: 13[CFG] loaded certificate "C=US, CN=ne.lab.local" from 'ne.crt'
Apr 14 16:03:30 SWAN-01 charon: 13[CFG] added configuration 'csr-swan'
Apr 14 16:04:03 SWAN-01 charon: 15[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (400 bytes)
Apr 14 16:04:03 SWAN-01 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
Apr 14 16:04:03 SWAN-01 charon: 15[IKE] received Cisco Delete Reason vendor ID
Apr 14 16:04:03 SWAN-01 charon: 15[ENC] received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
Apr 14 16:04:03 SWAN-01 charon: 15[IKE] 172.20.100.1 is initiating an IKE_SA
Apr 14 16:04:03 SWAN-01 charon: 15[IKE] sending cert request for "CN=US_LAB.lab.local"
Apr 14 16:04:03 SWAN-01 charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 14 16:04:03 SWAN-01 charon: 15[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (401 bytes)
Apr 14 16:04:03 SWAN-01 charon: 16[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)
Apr 14 16:04:03 SWAN-01 charon: 16[ENC] unknown attribute type (28692)
Apr 14 16:04:03 SWAN-01 charon: 16[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr 14 16:04:03 SWAN-01 charon: 16[IKE] cert payload ANY not supported - ignored
Apr 14 16:04:03 SWAN-01 charon: 16[IKE] received end entity cert "CN=router.lab.local, unstructuredName=router.lab.local"
Apr 14 16:04:03 SWAN-01 charon: 16[CFG] looking for peer configs matching 10.10.100.2[%any]...172.20.100.1[CN=router.lab.local, unstructuredName=router.lab.local]
Apr 14 16:04:03 SWAN-01 charon: 16[CFG] selected peer config 'csr-swan'
Apr 14 16:04:03 SWAN-01 charon: 16[CFG] using certificate "CN=router.lab.local, unstructuredName=router.lab.local"
Apr 14 16:04:03 SWAN-01 charon: 16[CFG] using trusted ca certificate "CN=US_LAB.lab.local"
Apr 14 16:04:03 SWAN-01 charon: 16[CFG] checking certificate status of "CN=router.lab.local, unstructuredName=router.lab.local"
Apr 14 16:04:03 SWAN-01 charon: 16[CFG] certificate status is not available
Apr 14 16:04:03 SWAN-01 charon: 16[CFG] reached self-signed root ca with a path length of 0
Apr 14 16:04:03 SWAN-01 charon: 16[IKE] authentication of 'CN=router.lab.local, unstructuredName=router.lab.local' with RSA signature successful
Apr 14 16:04:03 SWAN-01 charon: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 14 16:04:03 SWAN-01 charon: 16[IKE] authentication of 'C=US, CN=ne.lab.local' (myself) with RSA signature successful
Apr 14 16:04:03 SWAN-01 charon: 16[IKE] IKE_SA csr-swan[1] established between 10.10.100.2[C=US, CN=ne.lab.local]...172.20.100.1[CN=router.lab.local, unstructuredName=router.lab.local]
Apr 14 16:04:03 SWAN-01 charon: 16[IKE] scheduling reauthentication in 86151s
Apr 14 16:04:03 SWAN-01 charon: 16[IKE] maximum IKE_SA lifetime 86331s
Apr 14 16:04:03 SWAN-01 charon: 16[IKE] sending end entity cert "C=US, CN=ne.lab.local"
Apr 14 16:04:03 SWAN-01 charon: 16[IKE] CHILD_SA csr-swan{1} established with SPIs cb262567_i 4d68c4bb_o and TS 10.10.100.2/32[gre] === 172.20.100.1/32[gre]
Apr 14 16:04:03 SWAN-01 charon: 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
Apr 14 16:04:03 SWAN-01 charon: 16[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)
Apr 14 16:04:03 SWAN-01 charon: 05[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)
Apr 14 16:04:03 SWAN-01 charon: 05[ENC] unknown attribute type (28692)
Apr 14 16:04:03 SWAN-01 charon: 05[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr 14 16:04:03 SWAN-01 charon: 05[IKE] received retransmit of request with ID 1, retransmitting response
Apr 14 16:04:03 SWAN-01 charon: 05[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)
Apr 14 16:04:05 SWAN-01 charon: 04[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)
Apr 14 16:04:05 SWAN-01 charon: 04[ENC] unknown attribute type (28692)
Apr 14 16:04:05 SWAN-01 charon: 04[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr 14 16:04:05 SWAN-01 charon: 04[IKE] received retransmit of request with ID 1, retransmitting response
Apr 14 16:04:05 SWAN-01 charon: 04[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)
Apr 14 16:04:09 SWAN-01 charon: 03[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)
Apr 14 16:04:09 SWAN-01 charon: 03[ENC] unknown attribute type (28692)
Apr 14 16:04:09 SWAN-01 charon: 03[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr 14 16:04:09 SWAN-01 charon: 03[IKE] received retransmit of request with ID 1, retransmitting response
Apr 14 16:04:09 SWAN-01 charon: 03[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)
Apr 14 16:04:16 SWAN-01 charon: 02[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)
Apr 14 16:04:16 SWAN-01 charon: 02[ENC] unknown attribute type (28692)
Apr 14 16:04:16 SWAN-01 charon: 02[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr 14 16:04:16 SWAN-01 charon: 02[IKE] received retransmit of request with ID 1, retransmitting response
Apr 14 16:04:16 SWAN-01 charon: 02[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)
Apr 14 16:04:31 SWAN-01 charon: 01[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)
Apr 14 16:04:31 SWAN-01 charon: 01[ENC] unknown attribute type (28692)
Apr 14 16:04:31 SWAN-01 charon: 01[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr 14 16:04:31 SWAN-01 charon: 01[IKE] received retransmit of request with ID 1, retransmitting response
Apr 14 16:04:31 SWAN-01 charon: 01[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)
Any help is greatly appreciated.
Thanks!
Alexey
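Added example (not part of the original post, and not Cisco or strongSwan code): the script below replays the packet sequence from the Cisco debug above through a model of the initiator-side Message ID bookkeeping that RFC 7296 section 2.3 prescribes, so the "Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2" message can be read off the state the initiator is in at each step. It also resolves the two notify numbers this IOS release prints as "Unknown" to their IANA registry names, which is how they line up with N(MULT_AUTH) and N(AUTH_LFT) in the strongSwan log. The sample text is constructed from the Sending/Received entries quoted in the post; the InitiatorWindow class, the verdict strings and the helper names are this example's own and are not something either implementation exposes.

```python
import re
from dataclasses import dataclass, field

# IANA "IKEv2 Notify Message Types - Status Types" names for the numbers IOS prints as Unknown.
IKEV2_NOTIFY_STATUS = {16403: "AUTH_LIFETIME", 16404: "MULTIPLE_AUTH_SUPPORTED"}

# Constructed sample: the Sending/Received entries from the Cisco debug in the post.
CISCO_DEBUG = """\
Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.10.100.2:500/From 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 0000000000000000 Message
id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Apr 14 13:46:20.291: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.10.100.2:500/To 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message
id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.10.100.2:500/From 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message
id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Apr 14 13:46:20.413: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.10.100.2:500/To 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message
id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Apr 14 13:46:20.415: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.10.100.2:500/From 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message
id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Apr 14 13:46:20.669: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 10.10.100.2:500/To 172.20.100.1:500/VRF i0:f0]
Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message
id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
"""

# Tolerates the mail wrapping between "Message" and "id:" seen in the post.
PACKET_RE = re.compile(r"(Sending|Received) Packet.*?Message\s+id:\s*(\d+)\s+"
                       r"IKEv2 (\w+) Exchange (REQUEST|RESPONSE)", re.DOTALL)


def parse_packets(debug_text):
    """Extract (direction, msgid, exchange, kind) tuples from 'debug crypto ikev2' text."""
    return [("tx" if d == "Sending" else "rx", int(m), x, k)
            for d, m, x, k in PACKET_RE.findall(debug_text)]


def decode_unknown_notifies(text):
    """Map each NOTIFY(Unknown - N) in the text to its registered name, or '?' if unlisted."""
    return {int(n): IKEV2_NOTIFY_STATUS.get(int(n), "?")
            for n in re.findall(r"NOTIFY\(Unknown - (\d+)\)", text)}


@dataclass
class InitiatorWindow:
    """Initiator-side Message ID bookkeeping per RFC 7296 section 2.3: a new request
    takes the next sequential ID, and a response is acceptable only while the request
    with that ID is unanswered; once a response is accepted, that ID is used up."""
    next_req: int = 0                                  # ID for the next new request
    outstanding: dict = field(default_factory=dict)   # msgid -> exchange awaiting a response
    events: list = field(default_factory=list)        # (direction, msgid, exchange, verdict)

    def send_request(self, msgid, exchange):
        if msgid in self.outstanding:
            verdict = "retransmit of unanswered request"
        elif msgid == self.next_req:
            self.outstanding[msgid] = exchange
            self.next_req += 1
            verdict = "new request"
        else:
            verdict = "ANOMALY: request %#x is neither new (next is %#x) nor outstanding" % (msgid, self.next_req)
        self.events.append(("tx", msgid, exchange, verdict))
        return verdict

    def receive_response(self, msgid, exchange):
        if msgid in self.outstanding:
            del self.outstanding[msgid]
            verdict = "accepted"
        else:
            # Same shape as the IOS message: acceptable IDs run from the oldest unanswered request
            # up to, but excluding, the next unused ID; with nothing outstanding the range is empty.
            low = min(self.outstanding) if self.outstanding else self.next_req
            verdict = "outside of window received %#x, expect %#x <= mess_id < %#x" % (
                msgid, low, self.next_req)
        self.events.append(("rx", msgid, exchange, verdict))
        return verdict


def replay(debug_text):
    """Run the initiator's own send/receive sequence through the window model."""
    win = InitiatorWindow()
    for direction, msgid, exchange, kind in parse_packets(debug_text):
        if direction == "tx" and kind == "REQUEST":
            win.send_request(msgid, exchange)
        elif direction == "rx" and kind == "RESPONSE":
            win.receive_response(msgid, exchange)
    return win.events


if __name__ == "__main__":
    for direction, msgid, exchange, verdict in replay(CISCO_DEBUG):
        print("%s msgid=%d %-12s %s" % (direction, msgid, exchange, verdict))
```

Run against the constructed sample, the replay accepts response 0 and response 1, then flags the second transmission of request 1 as an anomaly (its response had already been consumed, so nothing is outstanding and next_req is 2), and the response that follows lands in the empty range 0x2 <= mess_id < 0x2, which is exactly the wording in the debug. The model only describes what a conforming initiator's window looks like at each point; it does not say why this IOS build retransmits after processing the response.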