[strongSwan] IPsec between Cisco CSR and Strongswan - Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2

Alexey Lapkis loshala at gmail.com
Tue Apr 14 16:24:51 CEST 2015


Hi Martin,

Thank you for the quick response. That's good news that from strongSwan
perspective this IKE_SA looks fine.
Will focus on Cisco side then.

Alexey

On 14 April 2015 at 17:05, Martin Willi <martin at strongswan.org> wrote:

> Hi,
>
> > The issue that I'm facing is that SA on Strongswan side is up but stuck
> in
> > "IN-NEG" status on Cisco side (Response is outside of window received
> 0x1,
> > expect 0x2 <= mess_id < 0x2).
>
> > 16[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ ... ]
> [...]
> > 16[IKE] IKE_SA csr-swan[1] established between 10.10.100.2[C=US,
> CN=ne.lab.local]...172.20.100.1[CN=router.lab.local,
> unstructuredName=router.lab.local]
> > 16[IKE] scheduling reauthentication in 86151s
> > 16[IKE] maximum IKE_SA lifetime 86331s
> > 16[IKE] sending end entity cert "C=US, CN=ne.lab.local"
> > 16[IKE] CHILD_SA csr-swan{1} established with SPIs cb262567_i 4d68c4bb_o
> and TS 10.10.100.2/32[gre] === 172.20.100.1/32[gre]
> > 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr
> N(AUTH_LFT) ]
> > 16[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324
> bytes)
>
> From the strongSwan perspective this IKE_SA establishes just fine.
>
> > 05[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500]
> (1724 bytes)
> > 05[ENC] unknown attribute type (28692)
> > 05[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ ... ]
> > 05[IKE] received retransmit of request with ID 1, retransmitting response
>
> But Cisco keeps retransmitting the IKE_AUTH request, for which
> strongSwan keeps resending the response.
>
> > Apr 14 13:46:20.413: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet
> [From 10.10.100.2:500/To 172.20.100.1:500/VRF i0:f0]
> > Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3
> Message id: 1
> > IKEv2 IKE_AUTH Exchange RESPONSE
> > Payload contents:
> >  IDr CERT AUTH SA TSi TSr NOTIFY(Unknown - 16403)
> >
> > Apr 14 13:46:20.413: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth
> response notify
> > Apr 14 13:46:20.415: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting
> packet
>
> The Cisco side receives the IKE_AUTH response, but nonetheless sends a
> retransmit for its IKE_AUTH request, but then complains that the message
> ID has not advanced.
>
> > Apr 14 13:46:20.415: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To
> 10.10.100.2:500/From 172.20.100.1:500/VRF i0:f0]
> > Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3
> Message id: 1
> > IKEv2 IKE_AUTH Exchange REQUEST
> > Payload contents:
> >  ENCR
> >
> > Apr 14 13:46:20.667: IKEv2:(SESSION ID = 1,SA ID = 1):Response is
> outside of window received 0x1, expect 0x2 <= mess_id < 0x2
>
> I don't see anything wrong on the strongSwan side, the sequence numbers
> look correct. Not sure why the CSR does not accept that response but
> retransmits the request.
>
> The "Process auth response notify" for our AUTH_LIFETIME notification
> could be some indication, seems that Cisco doesn't know that:
> "NOTIFY(Unknown - 16403)". But it should just ignore it if it doesn't
> understand that notify.
>
> Regards
> Martin
>
>
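The two mechanisms Martin points at, the initiator's Message ID window (RFC 7296 section 2.3) and the rule for Notify payloads a peer does not recognise (RFC 7296 section 3.10.1), modelled as a small added example. This is not strongSwan or Cisco code and is not part of the thread; it assumes the RFC default window size of 1, a deliberately incomplete notify table standing in for a peer without RFC 4478 support, and it reproduces the CSR's "outside of window" line for one possible sequence (a second copy of response 1 arriving after the first was already accepted), which the thread does not establish as the actual cause.

```python
"""Toy IKEv2 initiator bookkeeping (constructed example, not strongSwan/Cisco code).

  1. Message-ID window: a response is accepted only if its Message ID belongs
     to a request that is still in flight.  The rejection string copies the
     format of the CSR log line quoted in the thread.
  2. Notify handling in a response: status types (>= 16384) that the receiver
     does not know MUST be ignored; unknown error types (< 16384) mean the
     exchange failed.  16403 is AUTH_LIFETIME (RFC 4478), strongSwan's N(AUTH_LFT).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STATUS_NOTIFY_MIN = 16384   # RFC 7296 3.10.1: 0..16383 error types, 16384..65535 status types
AUTH_LIFETIME = 16403       # RFC 4478 status notify
INVALID_SYNTAX = 7          # RFC 7296 error notify, used as a contrast below

# Assumption for the demo: a peer whose notify table lacks AUTH_LIFETIME.
NOTIFIES_WITHOUT_AUTH_LIFETIME: Dict[int, str] = {
    16388: "INITIAL_CONTACT",
    16389: "SET_WINDOW_SIZE",
}


def handle_notify_in_response(notify_type: int, known: Dict[int, str]) -> str:
    """What a peer must do with a Notify payload found in a response."""
    if notify_type in known:
        return f"process {known[notify_type]}"
    if notify_type >= STATUS_NOTIFY_MIN:
        # Unrecognised status type: MUST be ignored (SHOULD be logged).
        return f"ignore unknown status notify {notify_type}"
    # Unrecognised error type in a response: the SA set-up is treated as failed.
    return f"fail: unknown error notify {notify_type}"


@dataclass
class InitiatorWindow:
    """Message-ID state for the initiator side of one IKE_SA."""
    window_size: int = 1                      # RFC 7296 default
    next_request_id: int = 0
    in_flight: Dict[int, str] = field(default_factory=dict)   # mess_id -> exchange

    def send_request(self, exchange: str) -> int:
        mess_id = self.next_request_id
        self.in_flight[mess_id] = exchange
        self.next_request_id += 1
        return mess_id

    def retransmit_request(self, mess_id: int) -> Optional[str]:
        """Only a request that has not been answered yet should be retransmitted."""
        return self.in_flight.get(mess_id)

    def expected_range(self) -> Tuple[int, int]:
        """Half-open [lo, hi) of Message IDs a response may carry right now."""
        if not self.in_flight:
            return self.next_request_id, self.next_request_id   # nothing expected
        lo = min(self.in_flight)
        return lo, lo + self.window_size

    def receive_response(self, mess_id: int) -> str:
        lo, hi = self.expected_range()
        if not (lo <= mess_id < hi and mess_id in self.in_flight):
            return (f"Response is outside of window received {mess_id:#x}, "
                    f"expect {lo:#x} <= mess_id < {hi:#x}")
        exchange = self.in_flight.pop(mess_id)
        return f"accepted response {mess_id:#x} to {exchange}"


def demo() -> List[str]:
    """Replays one sequence that yields the log line from the CSR."""
    w = InitiatorWindow()
    log: List[str] = []
    w.send_request("IKE_SA_INIT")                 # Message ID 0
    log.append(w.receive_response(0))
    w.send_request("IKE_AUTH")                    # Message ID 1
    log.append(w.receive_response(1))             # first copy of the response
    log.append(f"retransmit request 1: {w.retransmit_request(1)}")   # already answered
    log.append(w.receive_response(1))             # second copy: window has moved on
    log.append(handle_notify_in_response(AUTH_LIFETIME, NOTIFIES_WITHOUT_AUTH_LIFETIME))
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` shows that once response 1 has been accepted the window is empty (`0x2 <= mess_id < 0x2`), so a repeated copy of that response is rejected with exactly the CSR's wording, while a peer without an AUTH_LIFETIME entry simply ignores notify 16403 as an unknown status type rather than failing the exchange.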