[strongSwan] got the error "Unable to validate the responder ID, ID=10.3.1.0/255.255.255.0 Protocol=0 port=0, the peer sent"
Tom Hu
pleasetalktome at gmail.com
Fri Jul 17 20:22:14 CEST 2015
Thanks, Alex.
It works.
st41ker
1:17 AM (9 hours ago)
to me
Hello, Tom.
Seems like there is a misconfiguration on the server. Both sides in IKEv1 MUST
have the same IDs (in this case Traffic Selectors, or networks) configured.
If you have 10.3.1.0/255.255.255.0 on one side, then you must have exactly
the same network configured on the other side.
You cannot use 10.3.1.0/255.255.255.0 on the client and leftsubnet=
0.0.0.0/0 on the server side (as you can with IKEv2), for example.
On Wed, Jul 15, 2015 at 8:23 PM, Tom Hu <pleasetalktome at gmail.com> wrote:
> Hi all,
>
> I used strongSwan as the GW and the Cisco VPN client (not AnyConnect) on
> Windows 7 to test interoperability using RSA authentication.
> After entering the username/password in the client's XAuth prompt, I get the error "Unable
> to validate the responder ID, ID=10.3.1.0/255.255.255.0 Protocol=0
> port=0, the peer sent" from the Cisco client.
>
> The config of GW
> config setup
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=5
>     mobike=no
>     keyexchange=ike
>     #dpdaction=clear
>     #dpddelay=2s
>
> include /etc/ipsec.cert.conf
>
> # cat ipsec.cert.conf
>
> conn cert
>     type=tunnel
>     auto=add
>     esp=aes128-sha1!
>     ike=aes128-sha1-modp1024!
>     left=192.168.11.55
>     right=%any
>     leftauth=pubkey
>     rightauth=pubkey
>     rightauth2=xauth
>     leftsubnet=10.3.1.0/24
>     rightid=%any
>     rightsourceip=10.3.0.0/28
>     leftcert=cert.pem
> #
>
> cisco vpn client log:
>
> Cisco Systems VPN Client Version 5.0.07.0440
> Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Windows, WinNT
> Running on: 6.1.7600
>
> 374 18:08:23.093 07/15/15 Sev=Info/6 CERT/0x63600026
> Attempting to find a Certificate using Serial Hash.
>
> 375 18:08:23.123 07/15/15 Sev=Info/4 CM/0x63100002
> Begin connection process
>
> 376 18:08:23.093 07/15/15 Sev=Info/6 CERT/0x63600027
> Found a Certificate using Serial Hash.
>
> 377 18:08:23.139 07/15/15 Sev=Info/4 CM/0x63100004
> Establish secure connection
>
> 378 18:08:23.096 07/15/15 Sev=Info/6 CERT/0x63600026
> Attempting to find a Certificate using Serial Hash.
>
> 379 18:08:23.139 07/15/15 Sev=Info/4 CM/0x63100024
> Attempt connection with server "192.168.11.55"
>
> 380 18:08:23.097 07/15/15 Sev=Info/6 CERT/0x63600027
> Found a Certificate using Serial Hash.
>
> 381 18:08:23.143 07/15/15 Sev=Info/6 IKE/0x6300003B
> Attempting to establish a connection with 192.168.11.55.
>
> 382 18:08:23.101 07/15/15 Sev=Info/6 CERT/0x63600026
> Attempting to find a Certificate using Serial Hash.
>
> 383 18:08:23.154 07/15/15 Sev=Info/6 CERT/0x63600026
> Attempting to find a Certificate using Serial Hash.
>
> 384 18:08:23.101 07/15/15 Sev=Info/6 CERT/0x63600027
> Found a Certificate using Serial Hash.
>
> 385 18:08:23.155 07/15/15 Sev=Info/6 CERT/0x63600027
> Found a Certificate using Serial Hash.
>
> 386 18:08:23.120 07/15/15 Sev=Info/4 CERT/0x63600015
> Cert (cn=vpn3,ou=Dev,o=IBM,st=CA,c=US) verification succeeded.
>
> 387 18:08:23.167 07/15/15 Sev=Info/4 IKE/0x63000001
> Starting IKE Phase 1 Negotiation
>
> 388 18:08:23.167 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag),
> VID(Nat-T), VID(Unity)) to 192.168.11.55
>
> 389 18:08:23.169 07/15/15 Sev=Info/4 IPSEC/0x63700008
> IPSec driver successfully started
>
> 390 18:08:23.170 07/15/15 Sev=Info/4 IPSEC/0x63700014
> Deleted all keys
>
> 391 18:08:23.170 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 392 18:08:23.170 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Unity),
> VID(Nat-T)) from 192.168.11.55
>
> 393 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001
> Peer supports XAUTH
>
> 394 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001
> Peer supports DPD
>
> 395 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001
> Peer is a Cisco-Unity compliant peer
>
> 396 18:08:23.178 07/15/15 Sev=Info/5 IKE/0x63000001
> Peer supports NAT-T
>
> 397 18:08:23.178 07/15/15 Sev=Info/6 IKE/0x63000001
> IOS Vendor ID Contruction successful
>
> 398 18:08:23.178 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to
> 192.168.11.55
>
> 399 18:08:23.183 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 400 18:08:23.183 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, NAT-D, NAT-D) from
> 192.168.11.55
>
> 401 18:08:23.239 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG,
> NOTIFY:STATUS_INITIAL_CONTACT) to 192.168.11.55
>
> 402 18:08:23.243 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 403 18:08:23.243 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 192.168.11.55
>
> 404 18:08:23.249 07/15/15 Sev=Info/4 CERT/0x63600015
> Cert (cn=vpn4,ou=Dev,o=IBM,st=CA,c=US) verification succeeded.
>
> 405 18:08:23.250 07/15/15 Sev=Info/4 IKE/0x63000083
> IKE Port in use - Local Port = 0xE900, Remote Port = 0x01F4
>
> 406 18:08:23.250 07/15/15 Sev=Info/5 IKE/0x63000072
> Automatic NAT Detection Status:
> Remote end is NOT behind a NAT device
> This end is NOT behind a NAT device
>
> 407 18:08:23.250 07/15/15 Sev=Info/4 CM/0x6310000E
> Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE
> SA in the system
>
> 408 18:08:23.250 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 409 18:08:23.250 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.11.55
>
> 410 18:08:23.250 07/15/15 Sev=Info/4 CM/0x63100015
> Launch xAuth application
>
> 411 18:08:25.250 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 412 18:08:25.251 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 192.168.11.55
>
> 413 18:08:27.257 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 414 18:08:27.257 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 192.168.11.55
>
> 415 18:08:29.258 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 416 18:08:29.258 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 192.168.11.55
>
> 417 18:08:30.056 07/15/15 Sev=Info/4 CM/0x63100017
> xAuth application returned
>
> 418 18:08:30.056 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.11.55
>
> 419 18:08:30.094 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 420 18:08:30.094 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.11.55
>
> 421 18:08:30.094 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.11.55
>
> 422 18:08:30.094 07/15/15 Sev=Info/4 CM/0x6310000E
> Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE
> SA in the system
>
> 423 18:08:30.097 07/15/15 Sev=Info/5 IKE/0x6300005E
> Client sending a firewall request to concentrator
>
> 424 18:08:30.097 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.11.55
>
> 425 18:08:30.098 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 426 18:08:30.098 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.11.55
>
> 427 18:08:30.098 07/15/15 Sev=Info/5 IKE/0x63000010
> MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.3.0.1
>
> 428 18:08:30.099 07/15/15 Sev=Info/4 CM/0x63100019
> Mode Config data received
>
> 429 18:08:30.125 07/15/15 Sev=Info/4 IKE/0x63000056
> Received a key request from Driver: Local IP = 10.3.0.1, GW IP =
> 192.168.11.55, Remote IP = 0.0.0.0
>
> 430 18:08:30.126 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.168.11.55
>
> 431 18:08:30.128 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 432 18:08:30.128 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID) from 192.168.11.55
>
> 433 18:08:30.128 07/15/15 Sev=Warning/3 IKE/0xE3000060
> Unable to validate the responder ID, ID=10.3.1.0/255.255.255.0 Protocol=0
> port=0, the peer sent
>
> 434 18:08:30.128 07/15/15 Sev=Warning/2 IKE/0xE300009B
> Failed to process ID payload (MsgHandler:681)
>
> 435 18:08:30.128 07/15/15 Sev=Warning/2 IKE/0xE300009B
> Failed to process QM Msg 2 (NavigatorQM:455)
>
> 436 18:08:30.128 07/15/15 Sev=Warning/2 IKE/0xE30000A7
> Unexpected SW error occurred while processing Quick Mode
> negotiator:(Navigator:2263)
>
> 437 18:08:30.128 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.168.11.55
>
> 438 18:08:30.128 07/15/15 Sev=Info/4 IKE/0x63000049
> Discarding IPsec SA negotiation, MsgID=A8BAAF56
>
> 439 18:08:30.233 07/15/15 Sev=Info/4 IPSEC/0x63700014
> Deleted all keys
>
> 440 18:08:40.373 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 192.168.11.55
>
> 441 18:08:40.374 07/15/15 Sev=Info/6 IKE/0x6300003D
> Sending DPD request to 192.168.11.55, our seq# = 234858457
>
> 442 18:08:40.375 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 443 18:08:40.375 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 192.168.11.55
>
> 444 18:08:40.375 07/15/15 Sev=Info/5 IKE/0x63000040
> Received DPD ACK from 192.168.11.55, seq# received = 234858457, seq#
> expected = 234858457
>
> 445 18:08:50.513 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 192.168.11.55
>
> 446 18:08:50.514 07/15/15 Sev=Info/6 IKE/0x6300003D
> Sending DPD request to 192.168.11.55, our seq# = 234858458
>
> 447 18:08:50.515 07/15/15 Sev=Info/5 IKE/0x6300002F
> Received ISAKMP packet: peer = 192.168.11.55
>
> 448 18:08:50.515 07/15/15 Sev=Info/4 IKE/0x63000014
> RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 192.168.11.55
>
> 449 18:08:50.515 07/15/15 Sev=Info/5 IKE/0x63000040
> Received DPD ACK from 192.168.11.55, seq# received = 234858458, seq#
> expected = 234858458
>
> 450 18:09:00.160 07/15/15 Sev=Info/4 IKE/0x63000017
> Marking IKE SA for deletion (I_Cookie=9E9978E0D95B4917
> R_Cookie=613A22AF838F7C54) reason = DEL_REASON_PEER_NOT_RESPONDING
>
> 451 18:09:00.160 07/15/15 Sev=Info/4 IKE/0x63000013
> SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.168.11.55
>
> 452 18:09:01.168 07/15/15 Sev=Info/4 IKE/0x6300004B
> Discarding IKE SA negotiation (I_Cookie=9E9978E0D95B4917
> R_Cookie=613A22AF838F7C54) reason = DEL_REASON_PEER_NOT_RESPONDING
>
> 453 18:09:01.168 07/15/15 Sev=Info/4 CM/0x63100012
> Phase 1 SA deleted before first Phase 2 SA is up cause by
> "DEL_REASON_PEER_NOT_RESPONDING". 0 Crypto Active IKE SA, 0 User
> Authenticated IKE SA in the system
>
> 454 18:09:01.168 07/15/15 Sev=Info/5 CM/0x63100025
> Initializing CVPNDrv
>
> 455 18:09:01.172 07/15/15 Sev=Info/6 CM/0x63100046
> Set tunnel established flag in registry to 0.
>
> 456 18:09:01.172 07/15/15 Sev=Info/4 IKE/0x63000001
> IKE received signal to terminate VPN connection
>
> 457 18:09:01.177 07/15/15 Sev=Info/4 IPSEC/0x63700014
> Deleted all keys
>
> 458 18:09:01.177 07/15/15 Sev=Info/4 IPSEC/0x63700014
> Deleted all keys
>
> 459 18:09:01.178 07/15/15 Sev=Info/4 IPSEC/0x63700014
> Deleted all keys
>
> 460 18:09:01.178 07/15/15 Sev=Info/4 IPSEC/0x6370000A
> IPSec driver successfully stopped
>
> the strongswan log
>
> # cat /var/log/charon.log
> 18:24:19 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux
> 2.6.32-
>
> 220.17.1.142.bos_dove_72.x86_64.VPN-APP-S5_SN_DOVE, x86_64)
> 18:24:19 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 18:24:19 00[CFG] loaded ca certificate "C=US, ST=CA, L=San, O=IBM,
> OU=Dev, CN=CA1" from
>
> '/etc/ipsec.d/cacerts/ca.pem'
> 18:24:19 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 18:24:19 00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: No such
> file or directory
> 18:24:19 00[CFG] reading directory failed
> 18:24:19 00[CFG] loading ocsp signer certificates from
> '/etc/ipsec.d/ocspcerts'
> 18:24:19 00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: No
> such file or directory
> 18:24:19 00[CFG] reading directory failed
> 18:24:19 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 18:24:19 00[LIB] opening directory '/etc/ipsec.d/acerts' failed: No such
> file or directory
> 18:24:19 00[CFG] reading directory failed
> 18:24:19 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 18:24:19 00[LIB] opening directory '/etc/ipsec.d/crls' failed: No such
> file or directory
> 18:24:19 00[CFG] reading directory failed
> 18:24:19 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 18:24:19 00[CFG] loaded RSA private key from
> '/etc/ipsec.d/private/key.pem'
> 18:24:19 00[CFG] loaded 1 RADIUS server configuration
> 18:24:19 00[LIB] loaded plugins: charon aes des sha1 sha2 md4 md5 pem
> pkcs1 gmp random nonce
>
> xauth-pam x509 revocation hmac xcbc stroke kernel-netlink socket-default
> fips-prf eap-mschapv2
>
> eap-md5 eap-tls eap-identity eap-radius updown
> 18:24:19 00[LIB] unable to load 12 plugin features (12 due to unmet
> dependencies)
> 18:24:19 00[JOB] spawning 16 worker threads
> 18:24:19 06[CFG] received stroke: add connection 'cert'
> 18:24:19 06[CFG] adding virtual IP address pool 10.3.0.0/28
> 18:24:19 06[CFG] loaded certificate "C=US, ST=CA, O=IBM, OU=Dev,
> CN=vpn4" from 'cert.pem'
> 18:24:19 06[CFG] added configuration 'cert'
> 18:24:34 08[NET] received packet: from 192.168.11.4[59640] to
> 192.168.11.55[500] (1160 bytes)
> 18:24:34 08[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
> 18:24:34 08[IKE] received XAuth vendor ID
> 18:24:34 08[IKE] received DPD vendor ID
> 18:24:34 08[IKE] received FRAGMENTATION vendor ID
> 18:24:34 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 18:24:34 08[IKE] received Cisco Unity vendor ID
> 18:24:34 08[IKE] 192.168.11.4 is initiating a Main Mode IKE_SA
> 18:24:34 08[ENC] generating ID_PROT response 0 [ SA V V V V ]
> 18:24:34 08[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59640] (160 bytes)
> 18:24:34 09[NET] received packet: from 192.168.11.4[59640] to
> 192.168.11.55[500] (288 bytes)
> 18:24:34 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D V V ]
> 18:24:34 09[ENC] received unknown vendor ID:
> 20:7f:78:d5:92:7b:32:88:21:6d:a6:10:54:6b:75:e5
> 18:24:34 09[IKE] received Cisco Unity vendor ID
> 18:24:34 09[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM,
> OU=Dev, CN=CA1"
> 18:24:34 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D
> ]
> 18:24:34 09[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59640] (333 bytes)
> 18:24:35 10[NET] received packet: from 192.168.11.4[59640] to
> 192.168.11.55[500] (1692 bytes)
> 18:24:35 10[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG
> N(INITIAL_CONTACT) ]
> 18:24:35 10[IKE] received cert request for 'C=US, ST=CA, L=San, O=IBM,
> OU=Dev, CN=CA1'
> 18:24:35 10[IKE] received end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
> CN=vpn3"
> 18:24:35 10[CFG] looking for XAuthInitRSA peer configs matching
> 192.168.11.55...192.168.11.4
>
> [C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
> 18:24:35 10[CFG] selected peer config "cert"
> 18:24:35 10[CFG] using certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
> 18:24:35 10[CFG] using trusted ca certificate "C=US, ST=CA, L=San,
> O=IBM, OU=Dev, CN=CA1"
> 18:24:35 10[CFG] checking certificate status of "C=US, ST=CA, O=IBM,
> OU=Dev, CN=vpn3"
> 18:24:35 10[CFG] certificate status is not available
> 18:24:35 10[CFG] reached self-signed root ca with a path length of 0
> 18:24:35 10[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3'
> with RSA successful
> 18:24:35 10[IKE] authentication of '192.168.11.55' (myself) successful
> 18:24:35 10[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
> CN=vpn4"
> 18:24:35 10[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> 18:24:35 10[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59640] (1516 bytes)
> 18:24:35 10[ENC] generating TRANSACTION request 1437880664 [ HASH
> CPRQ(X_USER X_PWD) ]
> 18:24:35 10[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59640] (76 bytes)
> 18:24:37 11[IKE] sending retransmit 1 of request message ID 1437880664,
> seq 1
> 18:24:37 11[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59640] (76 bytes)
> 18:24:39 12[IKE] sending retransmit 2 of request message ID 1437880664,
> seq 1
> 18:24:39 12[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59640] (76 bytes)
> 18:24:41 13[IKE] sending retransmit 3 of request message ID 1437880664,
> seq 1
> 18:24:41 13[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59640] (76 bytes)
> 18:24:43 14[IKE] sending retransmit 4 of request message ID 1437880664,
> seq 1
> 18:24:43 14[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59640] (76 bytes)
> 18:24:45 15[IKE] sending retransmit 5 of request message ID 1437880664,
> seq 1
> 18:24:45 15[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59640] (76 bytes)
> 18:24:47 16[IKE] giving up after 5 retransmits
> ----- failed retry-----
> 18:24:47 16[IKE] peer not responding, trying again (2/5)
> 18:24:47 16[IKE] initiating Main Mode IKE_SA cert[1] to %any
> 18:24:47 16[ENC] generating ID_PROT request 0 [ SA V V V V V ]
> 18:24:47 16[NET] sending packet: from 192.168.11.55[500] to 0.0.0.0[500]
> (176 bytes)
> 18:24:47 05[NET] received packet: from 192.168.11.55[500] to
> 192.168.11.55[500] (176 bytes)
> 18:24:47 05[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
> 18:24:47 05[IKE] received XAuth vendor ID
> 18:24:47 05[IKE] received DPD vendor ID
> 18:24:47 05[IKE] received Cisco Unity vendor ID
> 18:24:47 05[IKE] received NAT-T (RFC 3947) vendor ID
> 18:24:47 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 18:24:47 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> 18:24:47 05[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.55[500] (244 bytes)
> 18:24:47 07[NET] received packet: from 192.168.11.55[500] to
> 192.168.11.55[500] (244 bytes)
> 18:24:47 07[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
> 18:24:47 07[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM,
> OU=Dev, CN=CA1"
> 18:24:47 07[IKE] authentication of '192.168.11.55' (myself) successful
> 18:24:47 07[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
> CN=vpn4"
> 18:24:47 07[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ ]
> 18:24:47 07[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.55[500] (1612 bytes)
> 18:24:47 06[NET] received packet: from 192.168.11.55[500] to
> 192.168.11.55[500] (1612 bytes)
> 18:24:47 06[ENC] invalid ID_V1 payload length, decryption failed?
> 18:24:47 06[ENC] could not decrypt payloads
> 18:24:47 06[IKE] message parsing failed
> 18:24:47 06[ENC] generating INFORMATIONAL_V1 request 1677057335 [ HASH
> N(PLD_MAL) ]
> 18:24:47 06[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.55[500] (76 bytes)
> 18:24:47 06[IKE] ID_PROT response with message ID 0 processing failed
> 18:24:47 08[NET] received packet: from 192.168.11.55[500] to
> 192.168.11.55[500] (76 bytes)
> 18:24:47 08[ENC] parsed INFORMATIONAL_V1 request 1677057335 [ HASH
> N(PLD_MAL) ]
> 18:24:47 08[IKE] received PAYLOAD_MALFORMED error notify
> 18:27:42 15[NET] received packet: from 192.168.11.4[59648] to
> 192.168.11.55[500] (1160 bytes)
> 18:27:42 15[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
> 18:27:42 15[IKE] received XAuth vendor ID
> 18:27:42 15[IKE] received DPD vendor ID
> 18:27:42 15[IKE] received FRAGMENTATION vendor ID
> 18:27:42 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 18:27:42 15[IKE] received Cisco Unity vendor ID
> 18:27:42 15[IKE] 192.168.11.4 is initiating a Main Mode IKE_SA
> 18:27:42 15[ENC] generating ID_PROT response 0 [ SA V V V V ]
> 18:27:42 15[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (160 bytes)
> 18:27:42 16[NET] received packet: from 192.168.11.4[59648] to
> 192.168.11.55[500] (288 bytes)
> 18:27:42 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D V V ]
> 18:27:42 16[ENC] received unknown vendor ID:
> 6b:5e:df:fd:d9:5a:49:17:3b:24:e1:32:64:cc:c0:e7
> 18:27:42 16[IKE] received Cisco Unity vendor ID
> 18:27:42 16[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM,
> OU=Dev, CN=CA1"
> 18:27:42 16[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D
> ]
> 18:27:42 16[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (333 bytes)
> 18:27:42 05[NET] received packet: from 192.168.11.4[59648] to
> 192.168.11.55[500] (1692 bytes)
> 18:27:42 05[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG
> N(INITIAL_CONTACT) ]
> 18:27:42 05[IKE] received cert request for 'C=US, ST=CA, L=San, O=IBM,
> OU=Dev, CN=CA1'
> 18:27:42 05[IKE] received end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
> CN=vpn3"
> 18:27:42 05[CFG] looking for XAuthInitRSA peer configs matching
> 192.168.11.55...192.168.11.4
>
> [C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
> 18:27:42 05[CFG] selected peer config "cert"
> 18:27:42 05[CFG] using certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
> 18:27:42 05[CFG] using trusted ca certificate "C=US, ST=CA, L=San,
> O=IBM, OU=Dev, CN=CA1"
> 18:27:42 05[CFG] checking certificate status of "C=US, ST=CA, O=IBM,
> OU=Dev, CN=vpn3"
> 18:27:42 05[CFG] certificate status is not available
> 18:27:42 05[CFG] reached self-signed root ca with a path length of 0
> 18:27:42 05[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3'
> with RSA successful
> 18:27:42 05[IKE] authentication of '192.168.11.55' (myself) successful
> 18:27:42 05[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
> CN=vpn4"
> 18:27:42 05[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> 18:27:42 05[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (1516 bytes)
> 18:27:42 05[ENC] generating TRANSACTION request 1729591383 [ HASH
> CPRQ(X_USER X_PWD) ]
> 18:27:42 05[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (76 bytes)
> 18:27:44 07[IKE] sending retransmit 1 of request message ID 1729591383,
> seq 1
> 18:27:44 07[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (76 bytes)
> 18:27:46 06[IKE] sending retransmit 2 of request message ID 1729591383,
> seq 1
> 18:27:46 06[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (76 bytes)
> 18:27:48 08[IKE] sending retransmit 3 of request message ID 1729591383,
> seq 1
> 18:27:48 08[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (76 bytes)
> ------- get username/password -----
> 18:27:49 09[NET] received packet: from 192.168.11.4[59648] to
> 192.168.11.55[500] (92 bytes)
> 18:27:49 09[ENC] parsed TRANSACTION response 1729591383 [ HASH CPRP(X_USER
> X_PWD) ]
> 18:27:49 09[IKE] PAM authentication of 'admin' successful
> 18:27:49 09[IKE] XAuth authentication of 'admin' successful
> 18:27:49 09[ENC] generating TRANSACTION request 2041229808 [ HASH
> CPS(X_STATUS) ]
> 18:27:49 09[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (76 bytes)
> 18:27:49 10[NET] received packet: from 192.168.11.4[59648] to
> 192.168.11.55[500] (60 bytes)
> 18:27:49 10[ENC] parsed TRANSACTION response 2041229808 [ HASH CP ]
> 18:27:49 10[IKE] IKE_SA cert[2] established between 192.168.11.55
>
> [192.168.11.55]...192.168.11.4[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
> 18:27:49 10[IKE] scheduling reauthentication in 3407s
> 18:27:49 10[IKE] maximum IKE_SA lifetime 3587s
> 18:27:49 12[NET] received packet: from 192.168.11.4[59648] to
> 192.168.11.55[500] (204 bytes)
> 18:27:49 12[ENC] unknown attribute type (28683)
> 18:27:49 12[ENC] unknown attribute type (28684)
> 18:27:49 12[ENC] parsed TRANSACTION request 3997764575 [ HASH CPRQ(ADDR
> MASK DNS NBNS EXP
>
> U_BANNER U_SAVEPWD U_DEFDOM U_SPLITINC U_SPLITDNS U_PFS (28683) U_BKPSRV
> (28684) VER U_FWTYPE
>
> U_DDNSHOST U_NATTPORT U_LOCALLAN) ]
> 18:27:49 12[IKE] peer requested virtual IP %any
> 18:27:49 12[CFG] assigning new lease to 'admin'
> 18:27:49 12[IKE] assigning virtual IP 10.3.0.1 to peer 'admin'
> 18:27:49 12[ENC] generating TRANSACTION response 3997764575 [ HASH
> CPRP(ADDR) ]
> 18:27:49 12[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (76 bytes)
> 18:27:49 13[NET] received packet: from 192.168.11.4[59648] to
> 192.168.11.55[500] (1036 bytes)
> 18:27:49 13[ENC] parsed QUICK_MODE request 2830806870 [ HASH SA No ID ID ]
> 18:27:49 13[IKE] received 2147483s lifetime, configured 1200s
> 18:27:49 13[ENC] generating QUICK_MODE response 2830806870 [ HASH SA No ID
> ID ]
> ---- enter QM then the client got invalid ID payload ------
>
> 18:27:49 13[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (188 bytes)
> 18:27:49 14[NET] received packet: from 192.168.11.4[59648] to
> 192.168.11.55[500] (76 bytes)
> 18:27:49 14[ENC] parsed INFORMATIONAL_V1 request 1748929456 [ HASH D ]
> 18:27:49 14[IKE] received DELETE for ESP CHILD_SA with SPI 99de1a47
> 18:27:49 14[IKE] CHILD_SA not found, ignored
> 18:27:59 07[NET] received packet: from 192.168.11.4[59648] to
> 192.168.11.55[500] (92 bytes)
> 18:27:59 07[ENC] parsed INFORMATIONAL_V1 request 2690483197 [ HASH N(DPD) ]
> 18:27:59 07[ENC] generating INFORMATIONAL_V1 request 846596827 [ HASH
> N(DPD_ACK) ]
> 18:27:59 07[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (92 bytes)
> 18:28:09 06[NET] received packet: from 192.168.11.4[59648] to
> 192.168.11.55[500] (92 bytes)
> 18:28:09 06[ENC] parsed INFORMATIONAL_V1 request 741866151 [ HASH N(DPD) ]
> 18:28:09 06[ENC] generating INFORMATIONAL_V1 request 2693244661 [ HASH
> N(DPD_ACK) ]
> 18:28:09 06[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[59648] (92 bytes)
> 18:28:19 09[NET] received packet: from 192.168.11.4[59648] to
> 192.168.11.55[500] (92 bytes)
> 18:28:19 09[ENC] parsed INFORMATIONAL_V1 request 2657653456 [ HASH D ]
> 18:28:19 09[IKE] received DELETE for IKE_SA cert[2]
> 18:28:19 09[IKE] deleting IKE_SA cert[2] between
> 192.168.11.55[192.168.11.55]...192.168.11.4
>
> [C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
> 18:28:19 09[CFG] lease 10.3.0.1 by 'admin' went offline
> 20:16:21 07[NET] received packet: from 192.168.11.4[62110] to
> 192.168.11.55[500] (1160 bytes)
> 20:16:21 07[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
> 20:16:21 07[IKE] received XAuth vendor ID
> 20:16:21 07[IKE] received DPD vendor ID
> 20:16:21 07[IKE] received FRAGMENTATION vendor ID
> 20:16:21 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 20:16:21 07[IKE] received Cisco Unity vendor ID
> 20:16:21 07[IKE] 192.168.11.4 is initiating a Main Mode IKE_SA
> 20:16:21 07[ENC] generating ID_PROT response 0 [ SA V V V V ]
> 20:16:21 07[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[62110] (160 bytes)
> 20:16:21 06[NET] received packet: from 192.168.11.4[62110] to
> 192.168.11.55[500] (288 bytes)
> 20:16:21 06[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D V V ]
> 20:16:21 06[ENC] received unknown vendor ID:
> 1b:46:5c:a1:26:50:a7:e7:d8:ff:60:b4:de:86:0f:f7
> 20:16:21 06[IKE] received Cisco Unity vendor ID
> 20:16:21 06[IKE] sending cert request for "C=US, ST=CA, L=San, O=IBM,
> OU=Dev, CN=CA1"
> 20:16:21 06[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D
> ]
> 20:16:21 06[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[62110] (333 bytes)
> 20:16:21 08[NET] received packet: from 192.168.11.4[62110] to
> 192.168.11.55[500] (1692 bytes)
> 20:16:21 08[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG
> N(INITIAL_CONTACT) ]
> 20:16:21 08[IKE] received cert request for 'C=US, ST=CA, L=San, O=IBM,
> OU=Dev, CN=CA1'
> 20:16:21 08[IKE] received end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
> CN=vpn3"
> 20:16:21 08[CFG] looking for XAuthInitRSA peer configs matching
> 192.168.11.55...192.168.11.4
>
> [C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
> 20:16:21 08[CFG] selected peer config "cert"
> 20:16:21 08[CFG] using certificate "C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3"
> 20:16:21 08[CFG] using trusted ca certificate "C=US, ST=CA, L=San,
> O=IBM, OU=Dev, CN=CA1"
> 20:16:21 08[CFG] checking certificate status of "C=US, ST=CA, O=IBM,
> OU=Dev, CN=vpn3"
> 20:16:21 08[CFG] certificate status is not available
> 20:16:21 08[CFG] reached self-signed root ca with a path length of 0
> 20:16:21 08[IKE] authentication of 'C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3'
> with RSA successful
> 20:16:21 08[IKE] authentication of '192.168.11.55' (myself) successful
> 20:16:21 08[IKE] sending end entity cert "C=US, ST=CA, O=IBM, OU=Dev,
> CN=vpn4"
> 20:16:21 08[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> 20:16:21 08[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[62110] (1516 bytes)
> 20:16:21 08[ENC] generating TRANSACTION request 2850616008 [ HASH
> CPRQ(X_USER X_PWD) ]
> 20:16:21 08[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[62110] (76 bytes)
> 20:16:23 09[IKE] sending retransmit 1 of request message ID 2850616008,
> seq 1
> 20:16:23 09[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[62110] (76 bytes)
> 20:16:25 10[IKE] sending retransmit 2 of request message ID 2850616008,
> seq 1
> 20:16:25 10[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[62110] (76 bytes)
> 20:16:26 11[NET] received packet: from 192.168.11.4[62110] to
> 192.168.11.55[500] (92 bytes)
> 20:16:26 11[ENC] parsed TRANSACTION response 2850616008 [ HASH CPRP(X_USER
> X_PWD) ]
> 20:16:26 11[IKE] PAM authentication of 'admin' successful
> 20:16:26 11[IKE] XAuth authentication of 'admin' successful
> 20:16:26 11[ENC] generating TRANSACTION request 588066412 [ HASH
> CPS(X_STATUS) ]
> 20:16:26 11[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[62110] (76 bytes)
> 20:16:26 12[NET] received packet: from 192.168.11.4[62110] to
> 192.168.11.55[500] (60 bytes)
> 20:16:26 12[ENC] parsed TRANSACTION response 588066412 [ HASH CP ]
> 20:16:26 12[IKE] IKE_SA cert[3] established between 192.168.11.55
>
> [192.168.11.55]...192.168.11.4[C=US, ST=CA, O=IBM, OU=Dev, CN=vpn3]
> 20:16:26 12[IKE] scheduling reauthentication in 3273s
> 20:16:26 12[IKE] maximum IKE_SA lifetime 3453s
> 20:16:26 14[NET] received packet: from 192.168.11.4[62110] to
> 192.168.11.55[500] (204 bytes)
> 20:16:26 14[ENC] unknown attribute type (28683)
> 20:16:26 14[ENC] unknown attribute type (28684)
> 20:16:26 14[ENC] parsed TRANSACTION request 2406481829 [ HASH CPRQ(ADDR
> MASK DNS NBNS EXP
>
> U_BANNER U_SAVEPWD U_DEFDOM U_SPLITINC U_SPLITDNS U_PFS (28683) U_BKPSRV
> (28684) VER U_FWTYPE
>
> U_DDNSHOST U_NATTPORT U_LOCALLAN) ]
> 20:16:26 14[IKE] peer requested virtual IP %any
> 20:16:26 14[CFG] reassigning offline lease to 'admin'
> 20:16:26 14[IKE] assigning virtual IP 10.3.0.1 to peer 'admin'
> 20:16:26 14[ENC] generating TRANSACTION response 2406481829 [ HASH
> CPRP(ADDR) ]
> 20:16:26 14[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[62110] (76 bytes)
> 20:16:26 15[NET] received packet: from 192.168.11.4[62110] to
> 192.168.11.55[500] (1036 bytes)
> 20:16:26 15[ENC] parsed QUICK_MODE request 4244192973 [ HASH SA No ID ID ]
> 20:16:26 15[IKE] received 2147483s lifetime, configured 1200s
> 20:16:26 15[ENC] generating QUICK_MODE response 4244192973 [ HASH SA No
> ID ID ]
> 20:16:26 15[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[62110] (188 bytes)
> 20:16:26 16[NET] received packet: from 192.168.11.4[62110] to
> 192.168.11.55[500] (76 bytes)
> 20:16:26 16[ENC] parsed INFORMATIONAL_V1 request 2557155737 [ HASH D ]
> 20:16:26 16[IKE] received DELETE for ESP CHILD_SA with SPI f3a12707
> 20:16:26 16[IKE] CHILD_SA not found, ignored
> 20:16:36 09[NET] received packet: from 192.168.11.4[62110] to
> 192.168.11.55[500] (92 bytes)
> 20:16:36 09[ENC] parsed INFORMATIONAL_V1 request 2004113721 [ HASH N(DPD) ]
> 20:16:36 09[ENC] generating INFORMATIONAL_V1 request 3836705764 [ HASH
> N(DPD_ACK) ]
> 20:16:36 09[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[62110] (92 bytes)
> 20:16:46 10[NET] received packet: from 192.168.11.4[62110] to
> 192.168.11.55[500] (92 bytes)
> 20:16:46 10[ENC] parsed INFORMATIONAL_V1 request 3010810231 [ HASH N(DPD) ]
> 20:16:46 10[ENC] generating INFORMATIONAL_V1 request 2810321439 [ HASH
> N(DPD_ACK) ]
> 20:16:46 10[NET] sending packet: from 192.168.11.55[500] to
> 192.168.11.4[62110] (92 bytes)
> #
>
>
> The question is: what does the client expect?
> What is wrong with the GW config? I did set the subjectAltName to 10.3.1.1 and
> 192.168.11.55.
>
>
> Any input is very much appreciated.
>
> Tom
>
>
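The rule from st41ker's answer, as an added example that is not part of the original thread and not strongSwan or Cisco code: a small Python checker that parses the Cisco client's "Unable to validate the responder ID" line and the gateway's leftsubnet, then tests whether the two IKEv1 Quick Mode IDs are identical (what IKEv1 requires) and what an IKEv2 responder would have narrowed the selector to instead. The warning text and the leftsubnet value come from the thread; the client-side "expected network" values passed to diagnose() are constructed assumptions, since the client's own configuration is not shown.

```python
"""Check IKEv1 Quick Mode traffic-selector (ID payload) equality.

Added example, not from the mailing-list thread or from strongSwan.
It models the rule in the answer: in IKEv1 both peers must carry
identical Phase 2 IDs, while an IKEv2 responder may narrow the
initiator's selectors to the overlapping range.
"""
import ipaddress
import re

# Constructed sample: the Cisco client warning quoted in the thread.
CISCO_WARNING = (
    "Unable to validate the responder ID, ID=10.3.1.0/255.255.255.0 "
    "Protocol=0 port=0, the peer sent"
)

# Constructed sample: the relevant lines of the gateway's ipsec.conf.
GW_CONF = """\
conn cert
    leftsubnet=10.3.1.0/24
    rightsourceip=10.3.0.0/28
"""

ID_RE = re.compile(
    r"ID=(?P<addr>[\d.]+)/(?P<mask>[\d.]+)\s+"
    r"Protocol=(?P<proto>\d+)\s+port=(?P<port>\d+)"
)


def parse_cisco_id(line):
    """Return (network, protocol, port) from the client's 'ID=a/m Protocol=p port=q' text."""
    m = ID_RE.search(line)
    if not m:
        raise ValueError("no ID payload description found in line")
    # ip_network accepts a dotted netmask after the slash.
    net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
    return net, int(m["proto"]), int(m["port"])


def parse_leftsubnet(conf):
    """Extract the leftsubnet= value from ipsec.conf text (first occurrence)."""
    for line in conf.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "leftsubnet":
            return ipaddress.ip_network(value.strip(), strict=False)
    raise ValueError("leftsubnet not configured")


def ikev1_ids_match(responder_ts, client_ts):
    """IKEv1 Quick Mode: the responder's ID must equal what the client expects."""
    return responder_ts == client_ts


def ikev2_narrow(responder_ts, client_ts):
    """IKEv2 behaviour: the responder may narrow to the overlapping range, or fail."""
    if responder_ts.subnet_of(client_ts):
        return responder_ts
    if client_ts.subnet_of(responder_ts):
        return client_ts
    return None


def diagnose(cisco_line, gw_conf, client_expected):
    """Compare the ID the gateway sent with the network the client is configured for.

    client_expected is a hypothetical value: the remote network the Cisco
    client has been told to expect for this tunnel.
    """
    responder_ts, proto, port = parse_cisco_id(cisco_line)
    configured = parse_leftsubnet(gw_conf)
    expected = ipaddress.ip_network(client_expected, strict=False)
    narrowed = ikev2_narrow(configured, expected)
    return {
        "responder_id": str(responder_ts),
        "gw_leftsubnet": str(configured),
        # The warning must reflect the gateway's leftsubnet with proto/port 0 (any).
        "consistent_with_conf": responder_ts == configured and proto == 0 and port == 0,
        "ikev1_ok": ikev1_ids_match(responder_ts, expected),
        "ikev2_narrowed_to": str(narrowed) if narrowed is not None else None,
    }


if __name__ == "__main__":
    # Assumed client configs: a full-tunnel client (0.0.0.0/0) fails under IKEv1
    # even though IKEv2 would narrow; a client configured for 10.3.1.0/24 passes.
    for expected in ("0.0.0.0/0", "10.3.1.0/24"):
        print(expected, diagnose(CISCO_WARNING, GW_CONF, expected))
```

Running it shows the asymmetry the answer describes: with the client expecting 0.0.0.0/0, ikev1_ok is False while ikev2_narrowed_to is 10.3.1.0/24, which is why the same leftsubnet works for IKEv2 road warriors but not for this IKEv1 client unless its configured network is changed to match.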