[strongSwan] got the error "Unable to validate the responder ID, ID=10.3.1.0/255.255.255.0 Protocol=0 port=0, the peer sent"
Tom Hu
pleasetalktome at gmail.com
Thu Jul 16 05:23:33 CEST 2015
Hi all,
I used strongSwan as the GW and the Cisco VPN client (not AnyConnect) on Windows
7 to test interoperability using RSA authentication.
After entering the username/password in the client's XAuth prompt, I get the error "Unable
to validate the responder ID, ID=10.3.1.0/255.255.255.0 Protocol=0 port=0,
the peer sent" from the Cisco client.
The config of the GW:
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=5
mobike=no
keyexchange=ike
#dpdaction=clear
#dpddelay=2s
include /etc/ipsec.cert.conf
# cat ipsec.cert.conf
conn cert
type=tunnel
auto=add
esp=aes128-sha1!
ike=aes128-sha1-modp1024!
left=192.168.11.55
right=%any
leftauth=pubkey
rightauth=pubkey
rightauth2=xauth
leftsubnet=10.3.1.0/24
rightid=%any
rightsourceip=10.3.0.0/28
leftcert=cert.pem
#
Cisco VPN client log:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
374 18:08:23.093 07/15/15 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
375 18:08:23.123 07/15/15 Sev=Info/4 CM/0x63100002
Begin connection process
376 18:08:23.093 07/15/15 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
377 18:08:23.139 07/15/15 Sev=Info/4 CM/0x63100004
Establish secure connection
378 18:08:23.096 07/15/15 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
379 18:08:23.139 07/15/15 Sev=Info/4 CM/0x63100024
Attempt connection with server "192.168.11.55"
380 18:08:23.097 07/15/15 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
381 18:08:23.143 07/15/15 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 192.168.11.55.
382 18:08:23.101 07/15/15 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
383 18:08:23.154 07/15/15 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
384 18:08:23.101 07/15/15 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
385 18:08:23.155 07/15/15 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
386 18:08:23.120 07/15/15 Sev=Info/4 CERT/0x63600015
Cert (cn=vpn3,ou=Dev,o=IBM,st=CA,c=US) verification succeeded.
387 18:08:23.167 07/15/15 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
388 18:08:23.167 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T),
VID(Unity)) to 192.168.11.55
389 18:08:23.169 07/15/15 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
390 18:08:23.170 07/15/15 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
391 18:08:23.170 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
392 18:08:23.170 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Unity),
VID(Nat-T)) from 192.168.11.55
393 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
394 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001
Peer supports DPD
395 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
396 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
397 18:08:23.178 07/15/15 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
398 18:08:23.178 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to
192.168.11.55
399 18:08:23.183 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
400 18:08:23.183 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, NAT-D, NAT-D) from
192.168.11.55
401 18:08:23.239 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG,
NOTIFY:STATUS_INITIAL_CONTACT) to 192.168.11.55
402 18:08:23.243 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
403 18:08:23.243 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 192.168.11.55
404 18:08:23.249 07/15/15 Sev=Info/4 CERT/0x63600015
Cert (cn=vpn4,ou=Dev,o=IBM,st=CA,c=US) verification succeeded.
405 18:08:23.250 07/15/15 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xE900, Remote Port = 0x01F4
406 18:08:23.250 07/15/15 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
407 18:08:23.250 07/15/15 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE
SA in the system
408 18:08:23.250 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
409 18:08:23.250 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.11.55
410 18:08:23.250 07/15/15 Sev=Info/4 CM/0x63100015
Launch xAuth application
411 18:08:25.250 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
412 18:08:25.251 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 192.168.11.55
413 18:08:27.257 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
414 18:08:27.257 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 192.168.11.55
415 18:08:29.258 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
416 18:08:29.258 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 192.168.11.55
417 18:08:30.056 07/15/15 Sev=Info/4 CM/0x63100017
xAuth application returned
418 18:08:30.056 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.11.55
419 18:08:30.094 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
420 18:08:30.094 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.11.55
421 18:08:30.094 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.11.55
422 18:08:30.094 07/15/15 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE
SA in the system
423 18:08:30.097 07/15/15 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
424 18:08:30.097 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.11.55
425 18:08:30.098 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
426 18:08:30.098 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.11.55
427 18:08:30.098 07/15/15 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.3.0.1
428 18:08:30.099 07/15/15 Sev=Info/4 CM/0x63100019
Mode Config data received
429 18:08:30.125 07/15/15 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.3.0.1, GW IP =
192.168.11.55, Remote IP = 0.0.0.0
430 18:08:30.126 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.168.11.55
431 18:08:30.128 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
432 18:08:30.128 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID) from 192.168.11.55
433 18:08:30.128 07/15/15 Sev=Warning/3 IKE/0xE3000060
Unable to validate the responder ID, ID=10.3.1.0/255.255.255.0 Protocol=0
port=0, the peer sent
434 18:08:30.128 07/15/15 Sev=Warning/2 IKE/0xE300009B
Failed to process ID payload (MsgHandler:681)
435 18:08:30.128 07/15/15 Sev=Warning/2 IKE/0xE300009B
Failed to process QM Msg 2 (NavigatorQM:455)
436 18:08:30.128 07/15/15 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Quick Mode
negotiator:(Navigator:2263)
437 18:08:30.128 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.168.11.55
438 18:08:30.128 07/15/15 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=A8BAAF56
439 18:08:30.233 07/15/15 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
440 18:08:40.373 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 192.168.11.55
441 18:08:40.374 07/15/15 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 192.168.11.55, our seq# = 234858457
442 18:08:40.375 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
443 18:08:40.375 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 192.168.11.55
444 18:08:40.375 07/15/15 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 192.168.11.55, seq# received = 234858457, seq#
expected = 234858457
445 18:08:50.513 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 192.168.11.55
446 18:08:50.514 07/15/15 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 192.168.11.55, our seq# = 234858458
447 18:08:50.515 07/15/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.11.55
448 18:08:50.515 07/15/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 192.168.11.55
449 18:08:50.515 07/15/15 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 192.168.11.55, seq# received = 234858458, seq#
expected = 234858458
450 18:09:00.160 07/15/15 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=9E9978E0D95B4917
R_Cookie=613A22AF838F7C54) reason = DEL_REASON_PEER_NOT_RESPONDING
451 18:09:00.160 07/15/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.168.11.55
452 18:09:01.168 07/15/15 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=9E9978E0D95B4917
R_Cookie=613A22AF838F7C54) reason = DEL_REASON_PEER_NOT_RESPONDING
453 18:09:01.168 07/15/15 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by
"DEL_REASON_PEER_NOT_RESPONDING". 0 Crypto Active IKE SA, 0 User
Authenticated IKE SA in the system
454 18:09:01.168 07/15/15 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
455 18:09:01.172 07/15/15 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
456 18:09:01.172 07/15/15 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
457 18:09:01.177 07/15/15 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
458 18:09:01.177 07/15/15 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
459 18:09:01.178 07/15/15 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
460 18:09:01.178 07/15/15 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
The strongSwan log:
# cat /var/log/charon.log
18:24:19 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-
220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
18:24:19 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
18:24:19 00[CFG] loaded ca certificate "C=US, ST=CA, L=San, O=IBM,
OU=Dev, CN=CA1" from
'/etc/ipsec.d/cacerts/ca.pem'
18:24:19 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
18:24:19 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such
file or directory
18:24:19 00[CFG] reading directory failed
18:24:19 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
18:24:19 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No such
file or directory
18:24:19 00[CFG] reading directory failed
18:24:19 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
18:24:19 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such
file or directory
18:24:19 00[CFG] reading directory failed
18:24:19 00[CFG] loading crls from '/etc/ipsec.d/crls'
18:24:19 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such file
or directory
18:24:19 00[CFG] reading directory failed
18:24:19 00[CFG] loading secrets from '/etc/ipsec.secrets'
18:24:19 00[CFG] loaded RSA private key from
'/etc/ipsec.d/private/key.pem'
18:24:19 00[CFG] loaded 1 RADIUS server configuration
18:24:19 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem pkcs1
gmp random nonce
xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default
fips-prf eap-mschapv2
eap-md5 eap-tls eap-identity eap-radius updown
18:24:19 00[LIB] unable to load 12 plugin features (12 due to unmet
dependencies)
18:24:19 00[JOB] spawning 16 worker threads
18:24:19 06[CFG] received stroke: add connection 'cert'
18:24:19 06[CFG] adding virtual IP address pool 10.3.0.0/28
18:24:19 06[CFG] loaded certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn4"
from 'cert.pem'
18:24:19 06[CFG] added configuration 'cert'
18:24:34 08[NET] received packet: from 192.168.11.4[59640] to
192.168.11.55[500] (1160 bytes)
18:24:34 08[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
18:24:34 08[IKE] received XAuth vendor ID
18:24:34 08[IKE] received DPD vendor ID
18:24:34 08[IKE] received FRAGMENTATION vendor ID
18:24:34 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
18:24:34 08[IKE] received Cisco Unity vendor ID
18:24:34 08[IKE] 192.168.11.4 is initiating a Main Mode IKE_SA
18:24:34 08[ENC] generating ID_PROT response 0 [ SA V V V V ]
18:24:34 08[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59640] (160 bytes)
18:24:34 09[NET] received packet: from 192.168.11.4[59640] to
192.168.11.55[500] (288 bytes)
18:24:34 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D V V ]
18:24:34 09[ENC] received unknown vendor ID:
20:7f:78:d5:92:7b:32:88:21:6d:a6:10:54:6b:75:e5
18:24:34 09[IKE] received Cisco Unity vendor ID
18:24:34 09[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM,
OU=Dev, CN=CA1"
18:24:34 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
18:24:34 09[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59640] (333 bytes)
18:24:35 10[NET] received packet: from 192.168.11.4[59640] to
192.168.11.55[500] (1692 bytes)
18:24:35 10[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG
N(INITIAL_CONTACT) ]
18:24:35 10[IKE] received cert request for 'C=US, ST=CA, L=San, O=IBM,
OU=Dev, CN=CA1'
18:24:35 10[IKE] received end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
CN=vpn3"
18:24:35 10[CFG] looking for XAuthInitRSA peer configs matching
192.168.11.55...192.168.11.4
[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
18:24:35 10[CFG] selected peer config "cert"
18:24:35 10[CFG] using certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
18:24:35 10[CFG] using trusted ca certificate "C=US, ST=CA, L=San, O=IBM,
OU=Dev, CN=CA1"
18:24:35 10[CFG] checking certificate status of "C=US, ST=CA, O=IBM,
OU=Dev, CN=vpn3"
18:24:35 10[CFG] certificate status is not available
18:24:35 10[CFG] reached self-signed root ca with a path length of 0
18:24:35 10[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3'
with RSA successful
18:24:35 10[IKE] authentication of '192.168.11.55' (myself) successful
18:24:35 10[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
CN=vpn4"
18:24:35 10[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
18:24:35 10[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59640] (1516 bytes)
18:24:35 10[ENC] generating TRANSACTION request 1437880664 [ HASH
CPRQ(X_USER X_PWD) ]
18:24:35 10[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59640] (76 bytes)
18:24:37 11[IKE] sending retransmit 1 of request message ID 1437880664, seq
1
18:24:37 11[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59640] (76 bytes)
18:24:39 12[IKE] sending retransmit 2 of request message ID 1437880664, seq
1
18:24:39 12[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59640] (76 bytes)
18:24:41 13[IKE] sending retransmit 3 of request message ID 1437880664, seq
1
18:24:41 13[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59640] (76 bytes)
18:24:43 14[IKE] sending retransmit 4 of request message ID 1437880664, seq
1
18:24:43 14[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59640] (76 bytes)
18:24:45 15[IKE] sending retransmit 5 of request message ID 1437880664, seq
1
18:24:45 15[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59640] (76 bytes)
18:24:47 16[IKE] giving up after 5 retransmits
----- failed retry-----
18:24:47 16[IKE] peer not responding, trying again (2/5)
18:24:47 16[IKE] initiating Main Mode IKE_SA cert[1] to %any
18:24:47 16[ENC] generating ID_PROT request 0 [ SA V V V V V ]
18:24:47 16[NET] sending packet: from 192.168.11.55[500] to 0.0.0.0[500]
(176 bytes)
18:24:47 05[NET] received packet: from 192.168.11.55[500] to
192.168.11.55[500] (176 bytes)
18:24:47 05[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
18:24:47 05[IKE] received XAuth vendor ID
18:24:47 05[IKE] received DPD vendor ID
18:24:47 05[IKE] received Cisco Unity vendor ID
18:24:47 05[IKE] received NAT-T (RFC 3947) vendor ID
18:24:47 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
18:24:47 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
18:24:47 05[NET] sending packet: from 192.168.11.55[500] to
192.168.11.55[500] (244 bytes)
18:24:47 07[NET] received packet: from 192.168.11.55[500] to
192.168.11.55[500] (244 bytes)
18:24:47 07[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
18:24:47 07[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM,
OU=Dev, CN=CA1"
18:24:47 07[IKE] authentication of '192.168.11.55' (myself) successful
18:24:47 07[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
CN=vpn4"
18:24:47 07[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ ]
18:24:47 07[NET] sending packet: from 192.168.11.55[500] to
192.168.11.55[500] (1612 bytes)
18:24:47 06[NET] received packet: from 192.168.11.55[500] to
192.168.11.55[500] (1612 bytes)
18:24:47 06[ENC] invalid ID_V1 payload length, decryption failed?
18:24:47 06[ENC] could not decrypt payloads
18:24:47 06[IKE] message parsing failed
18:24:47 06[ENC] generating INFORMATIONAL_V1 request 1677057335 [ HASH
N(PLD_MAL) ]
18:24:47 06[NET] sending packet: from 192.168.11.55[500] to
192.168.11.55[500] (76 bytes)
18:24:47 06[IKE] ID_PROT response with message ID 0 processing failed
18:24:47 08[NET] received packet: from 192.168.11.55[500] to
192.168.11.55[500] (76 bytes)
18:24:47 08[ENC] parsed INFORMATIONAL_V1 request 1677057335 [ HASH
N(PLD_MAL) ]
18:24:47 08[IKE] received PAYLOAD_MALFORMED error notify
18:27:42 15[NET] received packet: from 192.168.11.4[59648] to
192.168.11.55[500] (1160 bytes)
18:27:42 15[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
18:27:42 15[IKE] received XAuth vendor ID
18:27:42 15[IKE] received DPD vendor ID
18:27:42 15[IKE] received FRAGMENTATION vendor ID
18:27:42 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
18:27:42 15[IKE] received Cisco Unity vendor ID
18:27:42 15[IKE] 192.168.11.4 is initiating a Main Mode IKE_SA
18:27:42 15[ENC] generating ID_PROT response 0 [ SA V V V V ]
18:27:42 15[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (160 bytes)
18:27:42 16[NET] received packet: from 192.168.11.4[59648] to
192.168.11.55[500] (288 bytes)
18:27:42 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D V V ]
18:27:42 16[ENC] received unknown vendor ID:
6b:5e:df:fd:d9:5a:49:17:3b:24:e1:32:64:cc:c0:e7
18:27:42 16[IKE] received Cisco Unity vendor ID
18:27:42 16[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM,
OU=Dev, CN=CA1"
18:27:42 16[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
18:27:42 16[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (333 bytes)
18:27:42 05[NET] received packet: from 192.168.11.4[59648] to
192.168.11.55[500] (1692 bytes)
18:27:42 05[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG
N(INITIAL_CONTACT) ]
18:27:42 05[IKE] received cert request for 'C=US, ST=CA, L=San, O=IBM,
OU=Dev, CN=CA1'
18:27:42 05[IKE] received end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
CN=vpn3"
18:27:42 05[CFG] looking for XAuthInitRSA peer configs matching
192.168.11.55...192.168.11.4
[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
18:27:42 05[CFG] selected peer config "cert"
18:27:42 05[CFG] using certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
18:27:42 05[CFG] using trusted ca certificate "C=US, ST=CA, L=San, O=IBM,
OU=Dev, CN=CA1"
18:27:42 05[CFG] checking certificate status of "C=US, ST=CA, O=IBM,
OU=Dev, CN=vpn3"
18:27:42 05[CFG] certificate status is not available
18:27:42 05[CFG] reached self-signed root ca with a path length of 0
18:27:42 05[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3'
with RSA successful
18:27:42 05[IKE] authentication of '192.168.11.55' (myself) successful
18:27:42 05[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
CN=vpn4"
18:27:42 05[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
18:27:42 05[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (1516 bytes)
18:27:42 05[ENC] generating TRANSACTION request 1729591383 [ HASH
CPRQ(X_USER X_PWD) ]
18:27:42 05[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (76 bytes)
18:27:44 07[IKE] sending retransmit 1 of request message ID 1729591383, seq
1
18:27:44 07[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (76 bytes)
18:27:46 06[IKE] sending retransmit 2 of request message ID 1729591383, seq
1
18:27:46 06[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (76 bytes)
18:27:48 08[IKE] sending retransmit 3 of request message ID 1729591383, seq
1
18:27:48 08[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (76 bytes)
------- get username/password -----
18:27:49 09[NET] received packet: from 192.168.11.4[59648] to
192.168.11.55[500] (92 bytes)
18:27:49 09[ENC] parsed TRANSACTION response 1729591383 [ HASH CPRP(X_USER
X_PWD) ]
18:27:49 09[IKE] PAM authentication of 'admin' successful
18:27:49 09[IKE] XAuth authentication of 'admin' successful
18:27:49 09[ENC] generating TRANSACTION request 2041229808 [ HASH
CPS(X_STATUS) ]
18:27:49 09[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (76 bytes)
18:27:49 10[NET] received packet: from 192.168.11.4[59648] to
192.168.11.55[500] (60 bytes)
18:27:49 10[ENC] parsed TRANSACTION response 2041229808 [ HASH CP ]
18:27:49 10[IKE] IKE_SA cert[2] established between 192.168.11.55
[192.168.11.55]...192.168.11.4[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
18:27:49 10[IKE] scheduling reauthentication in 3407s
18:27:49 10[IKE] maximum IKE_SA lifetime 3587s
18:27:49 12[NET] received packet: from 192.168.11.4[59648] to
192.168.11.55[500] (204 bytes)
18:27:49 12[ENC] unknown attribute type (28683)
18:27:49 12[ENC] unknown attribute type (28684)
18:27:49 12[ENC] parsed TRANSACTION request 3997764575 [ HASH CPRQ(ADDR
MASK DNS NBNS EXP
U_BANNER U_SAVEPWD U_DEFDOM U_SPLITINC U_SPLITDNS U_PFS (28683) U_BKPSRV
(28684) VER U_FWTYPE
U_DDNSHOST U_NATTPORT U_LOCALLAN) ]
18:27:49 12[IKE] peer requested virtual IP %any
18:27:49 12[CFG] assigning new lease to 'admin'
18:27:49 12[IKE] assigning virtual IP 10.3.0.1 to peer 'admin'
18:27:49 12[ENC] generating TRANSACTION response 3997764575 [ HASH
CPRP(ADDR) ]
18:27:49 12[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (76 bytes)
18:27:49 13[NET] received packet: from 192.168.11.4[59648] to
192.168.11.55[500] (1036 bytes)
18:27:49 13[ENC] parsed QUICK_MODE request 2830806870 [ HASH SA No ID ID ]
18:27:49 13[IKE] received 2147483s lifetime, configured 1200s
18:27:49 13[ENC] generating QUICK_MODE response 2830806870 [ HASH SA No ID
ID ]
---- entered QM, then the client got the invalid ID payload ------
18:27:49 13[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (188 bytes)
18:27:49 14[NET] received packet: from 192.168.11.4[59648] to
192.168.11.55[500] (76 bytes)
18:27:49 14[ENC] parsed INFORMATIONAL_V1 request 1748929456 [ HASH D ]
18:27:49 14[IKE] received DELETE for ESP CHILD_SA with SPI 99de1a47
18:27:49 14[IKE] CHILD_SA not found, ignored
18:27:59 07[NET] received packet: from 192.168.11.4[59648] to
192.168.11.55[500] (92 bytes)
18:27:59 07[ENC] parsed INFORMATIONAL_V1 request 2690483197 [ HASH N(DPD) ]
18:27:59 07[ENC] generating INFORMATIONAL_V1 request 846596827 [ HASH
N(DPD_ACK) ]
18:27:59 07[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (92 bytes)
18:28:09 06[NET] received packet: from 192.168.11.4[59648] to
192.168.11.55[500] (92 bytes)
18:28:09 06[ENC] parsed INFORMATIONAL_V1 request 741866151 [ HASH N(DPD) ]
18:28:09 06[ENC] generating INFORMATIONAL_V1 request 2693244661 [ HASH
N(DPD_ACK) ]
18:28:09 06[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[59648] (92 bytes)
18:28:19 09[NET] received packet: from 192.168.11.4[59648] to
192.168.11.55[500] (92 bytes)
18:28:19 09[ENC] parsed INFORMATIONAL_V1 request 2657653456 [ HASH D ]
18:28:19 09[IKE] received DELETE for IKE_SA cert[2]
18:28:19 09[IKE] deleting IKE_SA cert[2] between
192.168.11.55[192.168.11.55]...192.168.11.4
[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
18:28:19 09[CFG] lease 10.3.0.1 by 'admin' went offline
20:16:21 07[NET] received packet: from 192.168.11.4[62110] to
192.168.11.55[500] (1160 bytes)
20:16:21 07[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
20:16:21 07[IKE] received XAuth vendor ID
20:16:21 07[IKE] received DPD vendor ID
20:16:21 07[IKE] received FRAGMENTATION vendor ID
20:16:21 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
20:16:21 07[IKE] received Cisco Unity vendor ID
20:16:21 07[IKE] 192.168.11.4 is initiating a Main Mode IKE_SA
20:16:21 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
20:16:21 07[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[62110] (160 bytes)
20:16:21 06[NET] received packet: from 192.168.11.4[62110] to
192.168.11.55[500] (288 bytes)
20:16:21 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D V V ]
20:16:21 06[ENC] received unknown vendor ID:
1b:46:5c:a1:26:50:a7:e7:d8:ff:60:b4:de:86:0f:f7
20:16:21 06[IKE] received Cisco Unity vendor ID
20:16:21 06[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM,
OU=Dev, CN=CA1"
20:16:21 06[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
20:16:21 06[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[62110] (333 bytes)
20:16:21 08[NET] received packet: from 192.168.11.4[62110] to
192.168.11.55[500] (1692 bytes)
20:16:21 08[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG
N(INITIAL_CONTACT) ]
20:16:21 08[IKE] received cert request for 'C=US, ST=CA, L=San, O=IBM,
OU=Dev, CN=CA1'
20:16:21 08[IKE] received end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
CN=vpn3"
20:16:21 08[CFG] looking for XAuthInitRSA peer configs matching
192.168.11.55...192.168.11.4
[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
20:16:21 08[CFG] selected peer config "cert"
20:16:21 08[CFG] using certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
20:16:21 08[CFG] using trusted ca certificate "C=US, ST=CA, L=San, O=IBM,
OU=Dev, CN=CA1"
20:16:21 08[CFG] checking certificate status of "C=US, ST=CA, O=IBM,
OU=Dev, CN=vpn3"
20:16:21 08[CFG] certificate status is not available
20:16:21 08[CFG] reached self-signed root ca with a path length of 0
20:16:21 08[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3'
with RSA successful
20:16:21 08[IKE] authentication of '192.168.11.55' (myself) successful
20:16:21 08[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
CN=vpn4"
20:16:21 08[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
20:16:21 08[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[62110] (1516 bytes)
20:16:21 08[ENC] generating TRANSACTION request 2850616008 [ HASH
CPRQ(X_USER X_PWD) ]
20:16:21 08[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[62110] (76 bytes)
20:16:23 09[IKE] sending retransmit 1 of request message ID 2850616008, seq
1
20:16:23 09[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[62110] (76 bytes)
20:16:25 10[IKE] sending retransmit 2 of request message ID 2850616008, seq
1
20:16:25 10[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[62110] (76 bytes)
20:16:26 11[NET] received packet: from 192.168.11.4[62110] to
192.168.11.55[500] (92 bytes)
20:16:26 11[ENC] parsed TRANSACTION response 2850616008 [ HASH CPRP(X_USER
X_PWD) ]
20:16:26 11[IKE] PAM authentication of 'admin' successful
20:16:26 11[IKE] XAuth authentication of 'admin' successful
20:16:26 11[ENC] generating TRANSACTION request 588066412 [ HASH
CPS(X_STATUS) ]
20:16:26 11[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[62110] (76 bytes)
20:16:26 12[NET] received packet: from 192.168.11.4[62110] to
192.168.11.55[500] (60 bytes)
20:16:26 12[ENC] parsed TRANSACTION response 588066412 [ HASH CP ]
20:16:26 12[IKE] IKE_SA cert[3] established between 192.168.11.55
[192.168.11.55]...192.168.11.4[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
20:16:26 12[IKE] scheduling reauthentication in 3273s
20:16:26 12[IKE] maximum IKE_SA lifetime 3453s
20:16:26 14[NET] received packet: from 192.168.11.4[62110] to
192.168.11.55[500] (204 bytes)
20:16:26 14[ENC] unknown attribute type (28683)
20:16:26 14[ENC] unknown attribute type (28684)
20:16:26 14[ENC] parsed TRANSACTION request 2406481829 [ HASH CPRQ(ADDR
MASK DNS NBNS EXP
U_BANNER U_SAVEPWD U_DEFDOM U_SPLITINC U_SPLITDNS U_PFS (28683) U_BKPSRV
(28684) VER U_FWTYPE
U_DDNSHOST U_NATTPORT U_LOCALLAN) ]
20:16:26 14[IKE] peer requested virtual IP %any
20:16:26 14[CFG] reassigning offline lease to 'admin'
20:16:26 14[IKE] assigning virtual IP 10.3.0.1 to peer 'admin'
20:16:26 14[ENC] generating TRANSACTION response 2406481829 [ HASH
CPRP(ADDR) ]
20:16:26 14[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[62110] (76 bytes)
20:16:26 15[NET] received packet: from 192.168.11.4[62110] to
192.168.11.55[500] (1036 bytes)
20:16:26 15[ENC] parsed QUICK_MODE request 4244192973 [ HASH SA No ID ID ]
20:16:26 15[IKE] received 2147483s lifetime, configured 1200s
20:16:26 15[ENC] generating QUICK_MODE response 4244192973 [ HASH SA No ID
ID ]
20:16:26 15[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[62110] (188 bytes)
20:16:26 16[NET] received packet: from 192.168.11.4[62110] to
192.168.11.55[500] (76 bytes)
20:16:26 16[ENC] parsed INFORMATIONAL_V1 request 2557155737 [ HASH D ]
20:16:26 16[IKE] received DELETE for ESP CHILD_SA with SPI f3a12707
20:16:26 16[IKE] CHILD_SA not found, ignored
20:16:36 09[NET] received packet: from 192.168.11.4[62110] to
192.168.11.55[500] (92 bytes)
20:16:36 09[ENC] parsed INFORMATIONAL_V1 request 2004113721 [ HASH N(DPD) ]
20:16:36 09[ENC] generating INFORMATIONAL_V1 request 3836705764 [ HASH
N(DPD_ACK) ]
20:16:36 09[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[62110] (92 bytes)
20:16:46 10[NET] received packet: from 192.168.11.4[62110] to
192.168.11.55[500] (92 bytes)
20:16:46 10[ENC] parsed INFORMATIONAL_V1 request 3010810231 [ HASH N(DPD) ]
20:16:46 10[ENC] generating INFORMATIONAL_V1 request 2810321439 [ HASH
N(DPD_ACK) ]
20:16:46 10[NET] sending packet: from 192.168.11.55[500] to
192.168.11.4[62110] (92 bytes)
#
The question is: what does the client expect?
What is wrong with the GW config? I did set the subjectAltName to 10.3.1.1 and
192.168.11.55.
Any input is very much appreciated.
Tom
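An added example, not part of Tom's post and not strongSwan or Cisco code, to make the failing Quick Mode exchange concrete. The "ID=10.3.1.0/255.255.255.0 Protocol=0 port=0" in the Cisco log is the responder's IDcr: an ISAKMP Identification payload of type ID_IPV4_ADDR_SUBNET (RFC 2407 section 4.6.2) carrying the address and netmask that charon derives from leftsubnet=10.3.1.0/24. The IDs the client itself proposed in QM message 1 appear in neither log; the example assumes the usual Unity-client behaviour of proposing 0.0.0.0/0 for the remote side, and marks that assumption in the code. The script encodes and decodes ID payloads, prints one the way the Cisco client logs it, and applies the check a strict IKEv1 initiator performs: the responder must echo the proposed IDs, because RFC 2409 defines no traffic-selector narrowing. Narrowing is an IKEv2 mechanism (RFC 7296 section 2.9) that strongSwan also applies to IKEv1 peers that tolerate it, and this client evidently does not.

```python
"""ISAKMP/IKEv1 Identification payload encode/decode plus the Quick Mode
responder-ID check a strict initiator performs. Added example, not
strongSwan or Cisco code; sample payloads below are constructed."""
import ipaddress
import struct

# ID types from RFC 2407 section 4.6.2.1 (only the two needed here)
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4


def encode_id(id_type, data, protocol=0, port=0, next_payload=0):
    """Generic payload header (RFC 2408 s3.2: next payload, reserved, length)
    followed by ID type, protocol ID, port and the identification data."""
    body = struct.pack("!BBH", id_type, protocol, port) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def encode_ipv4_id(cidr, protocol=0, port=0):
    """A /32 becomes ID_IPV4_ADDR; any other prefix becomes ID_IPV4_ADDR_SUBNET
    (4-byte address followed by 4-byte netmask), which is how a leftsubnet
    such as 10.3.1.0/24 appears on the wire."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return encode_id(ID_IPV4_ADDR, net.network_address.packed, protocol, port)
    data = net.network_address.packed + net.netmask.packed
    return encode_id(ID_IPV4_ADDR_SUBNET, data, protocol, port)


def decode_id(buf):
    """Parse one ID payload. Rejects a declared length that overruns the buffer
    and identification data that does not fit the declared ID type."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed part")
    next_payload, _reserved, length = struct.unpack_from("!BBH", buf, 0)
    if length < 8 or length > len(buf):
        raise ValueError(f"bad ID payload length {length}")
    id_type, protocol, port = struct.unpack_from("!BBH", buf, 4)
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of data")
        addr = ipaddress.IPv4Address(data)
        network = ipaddress.ip_network(f"{addr}/32")
        text = str(addr)
    elif id_type == ID_IPV4_ADDR_SUBNET:
        if len(data) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET needs address + netmask")
        addr = ipaddress.IPv4Address(data[:4])
        mask = ipaddress.IPv4Address(data[4:])
        network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        text = f"{addr}/{mask}"
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return {"type": id_type, "protocol": protocol, "port": port,
            "network": network, "id": text, "next_payload": next_payload}


def cisco_style(decoded):
    """Render a decoded ID the way the Cisco client prints it in its log."""
    return f"ID={decoded['id']} Protocol={decoded['protocol']} port={decoded['port']}"


def responder_id_acceptable(proposed_cidr, received_payload, allow_narrowing=False):
    """Compare the responder's IDcr with what the initiator proposed.
    Default (strict) behaviour models a client without selector narrowing:
    the responder must echo the proposal. allow_narrowing=True additionally
    accepts a responder ID that is a subset of the proposal, which is what
    strongSwan does for IKEv1 peers and what RFC 2409 never defines."""
    proposed = ipaddress.ip_network(proposed_cidr, strict=False)
    got = decode_id(received_payload)
    if got["protocol"] != 0 or got["port"] != 0:
        return False  # the proposal here is always "any protocol, any port"
    if got["network"] == proposed:
        return True
    return allow_narrowing and got["network"].subnet_of(proposed)


if __name__ == "__main__":
    # Constructed sample: the IDcr charon builds from leftsubnet=10.3.1.0/24
    idcr = encode_ipv4_id("10.3.1.0/24")
    print("IDcr on the wire:", idcr.hex())
    print("as the Cisco client logs it:", cisco_style(decode_id(idcr)))
    # ASSUMPTION: the client proposed 0.0.0.0/0 (not shown in either log)
    proposed = "0.0.0.0/0"
    print("strict client accepts:", responder_id_acceptable(proposed, idcr))
    print("narrowing-tolerant client accepts:",
          responder_id_acceptable(proposed, idcr, allow_narrowing=True))
    print("strict client accepts echoed 0.0.0.0/0:",
          responder_id_acceptable(proposed, encode_ipv4_id("0.0.0.0/0")))
```

Two things the page's own logs show are worth checking against this: the charon "loaded plugins" line contains no `unity` plugin, and the client's Mode Config request asks for U_SPLITINC. To my understanding (an assumption to verify against the strongSwan documentation, not something the post confirms), Unity clients learn split-tunnel subnets through that Mode Config attribute rather than through a narrowed Quick Mode selector, so the responder ID has to match the client's proposal and any restriction to 10.3.1.0/24 would travel as a split-include instead.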