[strongSwan] IPsec between Cisco CSR and Strongswan - Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2

Martin Willi martin at strongswan.org
Tue Apr 14 16:05:32 CEST 2015


Hi,

> The issue that I'm facing is that SA on Strongswan side is up but stuck in
> "IN-NEG" status on Cisco side (Response is outside of window received 0x1,
> expect 0x2 <= mess_id < 0x2).

> 16[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ ... ]
[...]
> 16[IKE] IKE_SA csr-swan[1] established between 10.10.100.2[C=US, CN=ne.lab.local]...172.20.100.1[CN=router.lab.local, unstructuredName=router.lab.local]
> 16[IKE] scheduling reauthentication in 86151s
> 16[IKE] maximum IKE_SA lifetime 86331s
> 16[IKE] sending end entity cert "C=US, CN=ne.lab.local"
> 16[IKE] CHILD_SA csr-swan{1} established with SPIs cb262567_i 4d68c4bb_o and TS 10.10.100.2/32[gre] === 172.20.100.1/32[gre] 
> 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
> 16[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)

From the strongSwan perspective this IKE_SA establishes just fine.

> 05[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)
> 05[ENC] unknown attribute type (28692)
> 05[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ ... ]
> 05[IKE] received retransmit of request with ID 1, retransmitting response

But Cisco keeps retransmitting the IKE_AUTH request, for which
strongSwan keeps resending the response.

> Apr 14 13:46:20.413: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.10.100.2:500/To 172.20.100.1:500/VRF i0:f0] 
> Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1
> IKEv2 IKE_AUTH Exchange RESPONSE 
> Payload contents: 
>  IDr CERT AUTH SA TSi TSr NOTIFY(Unknown - 16403)
> 
> Apr 14 13:46:20.413: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
> Apr 14 13:46:20.415: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

The Cisco side receives the IKE_AUTH response but nonetheless sends a
retransmit of its IKE_AUTH request, and then complains that the message
ID has not advanced.

> Apr 14 13:46:20.415: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.10.100.2:500/From 172.20.100.1:500/VRF i0:f0] 
> Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1
> IKEv2 IKE_AUTH Exchange REQUEST 
> Payload contents: 
>  ENCR
> 
> Apr 14 13:46:20.667: IKEv2:(SESSION ID = 1,SA ID = 1):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2

I don't see anything wrong on the strongSwan side; the sequence numbers
look correct. I'm not sure why the CSR does not accept that response but
retransmits the request.

The "Process auth response notify" for our AUTH_LIFETIME notification
could be some indication; it seems that Cisco doesn't know that notify:
"NOTIFY(Unknown - 16403)". But it should just ignore it if it doesn't
understand that notify.

Regards
Martin
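A small model of the two behaviours the logs above show, written as an added example for this thread (it is not strongSwan or Cisco code): a responder that answers a repeated request ID from its cached response, an initiator that accepts a response only for a request still inside its window, and the Notify payload decode that maps type 16403 to AUTH_LIFETIME. Header and Notify layouts follow RFC 7296 (sections 3.1 and 3.10); the AUTH_LIFETIME type number is from RFC 4478. The SPIs are the ones in the quoted CSR log; the 86400 s lifetime value, the names Initiator, Responder and run_scenario, and the exact form of the window check are assumptions of the model, not anything the thread states. With the check written as "lowest outstanding ID <= id < next ID", an initiator that has already accepted response 1 and has nothing outstanding reports the empty window 2 <= mess_id < 2 when a second copy of response 1 arrives, which is the bound the CSR logs; the model does not say why the CSR repeats request 1 in the first place.

```python
# Added model of the IKEv2 message-ID window; not strongSwan or Cisco code.
# Layouts: RFC 7296 sections 3.1/3.10; AUTH_LIFETIME type 16403: RFC 4478.
# Assumptions: the form of the window check and the 86400 s lifetime value.
import struct

EXCH_IKE_SA_INIT, EXCH_IKE_AUTH = 34, 35
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
PAYLOAD_NONE, PAYLOAD_NOTIFY = 0, 41
NOTIFY_AUTH_LIFETIME = 16403                      # CSR logs it as "Unknown - 16403"
WINDOW_SIZE = 1                                   # default: one request in flight

def build_message(spi_i, spi_r, exch, flags, msg_id, payloads):
    """28-byte IKEv2 header followed by already-encoded payloads (Notify only here)."""
    body = b"".join(payloads)
    return struct.pack("!QQBBBBII", spi_i, spi_r, PAYLOAD_NOTIFY if payloads else PAYLOAD_NONE,
                       0x20, exch, flags, msg_id, 28 + len(body)) + body   # 0x20 = version 2.0

def parse_header(data):
    spi_i, spi_r, first, _ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", data[:28])
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": first, "exchange": exch,
            "response": bool(flags & FLAG_RESPONSE), "msg_id": msg_id, "length": length}

def build_notify(notify_type, data=b"", next_payload=PAYLOAD_NONE):
    """Notify payload: generic header, protocol ID 0, SPI size 0, type, data."""
    body = struct.pack("!BBH", 0, 0, notify_type) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def describe_notify(message):
    """Decode the first (Notify) payload of a message into (name, type, lifetime)."""
    data = message[28:]
    _next, _crit, length = struct.unpack("!BBH", data[:4])
    _proto, spi_size, ntype = struct.unpack("!BBH", data[4:8])
    payload = data[8 + spi_size:length]
    lifetime = struct.unpack("!I", payload)[0] if len(payload) == 4 else None
    return ("AUTH_LIFETIME" if ntype == NOTIFY_AUTH_LIFETIME else "Unknown"), ntype, lifetime

class Responder:   # processes each request ID once; a repeated ID is answered from the cache
    def __init__(self):
        self.expected_id, self.cache = 0, {}

    def handle_request(self, request, make_response):
        mid = parse_header(request)["msg_id"]
        if mid == self.expected_id:
            self.cache = {mid: make_response(mid)}        # keep only the latest response
            self.expected_id += 1
            return "processed", self.cache[mid]
        if mid in self.cache:                             # "received retransmit ... retransmitting response"
            return "retransmit", self.cache[mid]
        return "dropped", None

class Initiator:   # accepts a response only for a request that is still outstanding
    def __init__(self, window=WINDOW_SIZE):
        self.window, self.next_id, self.outstanding = window, 0, {}

    def window_bounds(self):
        # Assumed check: valid IDs are lo <= id < next_id; with nothing outstanding it is empty.
        lo = min(self.outstanding) if self.outstanding else self.next_id
        return lo, self.next_id

    def send_request(self, make_request):
        if len(self.outstanding) >= self.window:
            return None                                   # window full
        req = self.outstanding[self.next_id] = make_request(self.next_id)
        self.next_id += 1
        return req

    def handle_response(self, response):
        mid = parse_header(response)["msg_id"]
        lo, hi = self.window_bounds()
        if lo <= mid < hi and mid in self.outstanding:
            del self.outstanding[mid]
            return "accepted", (lo, hi)
        return "outside window", (lo, hi)

def run_scenario():
    """Messages 0 and 1 (response 1 carries AUTH_LIFETIME), then request 1 sent again."""
    spi_i, spi_r = 0x70F862F7FD8191ED, 0x3EC73AFAD382B3C3  # from the quoted CSR log
    csr, swan, log = Initiator(), Responder(), []
    def make_request(mid):
        return build_message(spi_i, spi_r if mid else 0, EXCH_IKE_AUTH if mid else EXCH_IKE_SA_INIT,
                             FLAG_INITIATOR, mid, [])
    def make_response(mid):   # 86400 s is a constructed lifetime; the real value is not in the thread
        payloads = [build_notify(NOTIFY_AUTH_LIFETIME, struct.pack("!I", 86400))] if mid == 1 else []
        return build_message(spi_i, spi_r, EXCH_IKE_AUTH if mid else EXCH_IKE_SA_INIT,
                             FLAG_RESPONSE, mid, payloads)
    for _ in range(2):
        req = csr.send_request(make_request)
        status, resp = swan.handle_request(req, make_response)
        log.append(("request", parse_header(req)["msg_id"], status))
        verdict, bounds = csr.handle_response(resp)
        log.append(("response", parse_header(resp)["msg_id"], verdict, bounds))
    again = make_request(1)           # the CSR repeats request 1 after accepting response 1
    status, resp = swan.handle_request(again, make_response)
    verdict, bounds = csr.handle_response(resp)
    return {"log": log, "retransmit": status, "final": verdict, "bounds": bounds, "response_1": resp}

if __name__ == "__main__":
    r = run_scenario()
    print(r["log"], r["retransmit"], r["final"], "expect 0x%x <= mess_id < 0x%x" % r["bounds"])
    print("notify in response 1:", describe_notify(r["response_1"]))
```

Running it prints the responder answering the repeated request 1 with "retransmit" and the initiator rejecting that second copy with the empty window 0x2 <= mess_id < 0x2, while the decoded Notify in response 1 comes out as AUTH_LIFETIME (16403).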
