[strongSwan] DH group for key exchange is undefined

Michael Chan mchan49 at gmail.com
Fri Feb 5 01:00:53 CET 2016


Hi Thomas,
I have tried it on a Palo Alto Networks FW and got the same result.
Here is the IKE_SA_INIT packet I got from the firewall. From the packet, I
can see that it is sending DH group as undefined in the Key Exchange
section.

These are the logs that I see generated from strongSwan charon. I have set
the default log level to 3 in the filelog section of the strongswan.conf file.
charon: 07[IKE] initiating IKE_SA load-test[1] to 2.2.2.1
charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
charon: 07[NET] sending packet: from 2.2.2.20[500] to 2.2.2.1[500] (288 bytes)
charon: 11[CFG] assigning new lease to 'ext-3'
charon: 11[CFG] installed load-tester IP 2.2.2.21 on eth1
charon: 11[IKE] initiating IKE_SA load-test[2] to 2.2.2.1
charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
charon: 11[NET] sending packet: from 2.2.2.21[500] to 2.2.2.1[500] (288 bytes)
charon: 08[NET] received packet: from 2.2.2.1[500] to 2.2.2.20[500] (38 bytes)
charon: 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
charon: 08[IKE] peer didn't accept DH group MODP_768, it requested MODP_768
charon: 08[DMN] thread 8 received 11
charon: 08[LIB]  dumping 12 stack frame addresses:
charon: 08[LIB]   /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f79582c9000 [0x7f79582d88d0]
charon: 08[LIB]     -> ??:?
charon: 08[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7958c6d000 [0x7f7958c961f0]
charon: 08[LIB]     -> /root/strongswan/strongswan-5.3.5/src/libstrongswan/networking/packet.c:117 (discriminator 1)
charon: 08[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f795882bf1f]
charon: 08[LIB]     -> /root/strongswan/strongswan-5.3.5/src/libcharon/sa/ikev2/tasks/ike_init.c:748 (discriminator 1)
charon: 08[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f795881d8e2]
charon: 08[LIB]     -> /root/strongswan/strongswan-5.3.5/src/libcharon/sa/ikev2/task_manager_v2.c:1774
charon: 08[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f795882c714]
charon: 08[LIB]     -> /root/strongswan/strongswan-5.3.5/src/libcharon/sa/ikev2/tasks/ike_init.c:657
charon: 08[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f795881fdb9]
charon: 08[LIB]     -> /root/strongswan/strongswan-5.3.5/src/libcharon/sa/ikev2/task_manager_v2.c:664
charon: 08[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f7958814d57]
charon: 08[LIB]     -> /root/strongswan/strongswan-5.3.5/src/libcharon/sa/ike_sa.c:1402
charon: 08[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f795880dab1]
charon: 08[LIB]     -> /root/strongswan/strongswan-5.3.5/src/libcharon/processing/jobs/process_message_job.c:74
charon: 08[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7958c6d000 [0x7f7958c9ad93]
charon: 08[LIB]     -> /root/strongswan/strongswan-5.3.5/src/libstrongswan/processing/processor.c:235
charon: 08[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7958c6d000 [0x7f7958caa6d8]
charon: 08[LIB]     -> /root/strongswan/strongswan-5.3.5/src/libstrongswan/threading/thread.c:304 (discriminator 3)
charon: 08[LIB]   /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f79582c9000 [0x7f79582d10a4]
charon: 08[LIB]     -> /build/glibc-Ir_s5K/glibc-2.19/nptl/pthread_create.c:309 (discriminator 2)
charon: 08[LIB]   /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f7957d1c000 (clone+0x6d) [0x7f7957e0204d]
charon: 08[LIB]     -> /build/glibc-Ir_s5K/glibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
charon: 08[DMN] killing ourself, received critical signal
charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.0.0-kali1-amd64, x86_64)
charon: 00[CFG] loaded load-tester address pool 2.2.2.20/24 on eth1
charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.0.0-kali1-amd64, x86_64)
charon: 00[CFG] loaded load-tester address pool 2.2.2.20/24 on eth1
charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
charon: 00[LIB] loaded plugins: charon aes agent gcm openssl des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr load-tester kernel-netlink resolve socket-default stroke updown xauth-generic

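As an added example (not code from this thread or from the strongSwan project), the following Python script parses an IKEv2 IKE_SA_INIT message far enough to show the two fields this thread is about: the D-H transform proposed in the SA payload and the D-H Group Num actually carried in the KE payload, plus the group a responder asks for in an N(INVALID_KE_PAYLOAD) notify. Run over a capture, it makes the "undefined" group visible as a mismatch between SA and KE. The sample messages are constructed inline (dummy SPIs, nonce and KE data) to resemble the situation described: the SA proposes MODP_1024 (group 2) while the KE payload carries group 0. Layouts follow RFC 7296; the builder helpers are mine, not a strongSwan API.

```python
import struct

# IKEv2 constants from RFC 7296 / the IANA IKEv2 registry.
IKE_SA_INIT = 34
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 33, 34, 40, 41
NOTIFY_INVALID_KE_PAYLOAD = 17
TRANSFORM_ENCR, TRANSFORM_PRF, TRANSFORM_INTEG, TRANSFORM_DH = 1, 2, 3, 4
DH_GROUP_NAMES = {0: "UNDEFINED", 1: "MODP_768", 2: "MODP_1024", 14: "MODP_2048"}


def iter_payloads(msg):
    """Yield (payload_type, body) for every payload chained after the 28-byte IKE header."""
    if len(msg) < 28:
        raise ValueError("truncated IKEv2 header")
    next_type, version, _exch, _flags, _msg_id, length = struct.unpack("!BBBBII", msg[16:28])
    if version >> 4 != 2 or length != len(msg):
        raise ValueError("not a complete IKEv2 message")
    off = 28
    while next_type != 0:                      # next payload 0 terminates the chain
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _crit, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        yield next_type, msg[off + 4:off + plen]
        next_type, off = nxt, off + plen


def sa_dh_groups(body):
    """Return the D-H transform IDs found across all proposals of an SA payload."""
    groups, off = [], 0
    while True:
        if off + 8 > len(body):
            raise ValueError("truncated proposal")
        more, _r, plen, _num, _proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            if toff + 8 > len(body):
                raise ValueError("truncated transform")
            _m, _r, tlen, ttype, _r2, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            if ttype == TRANSFORM_DH:
                groups.append(tid)
            toff += tlen
        off += plen
        if more == 0:                          # 0 = last proposal, 2 = more follow
            return groups


def check_init_request(msg):
    """Compare the group(s) proposed in SA with the D-H Group Num the KE payload carries."""
    proposed, sent = [], None
    for ptype, body in iter_payloads(msg):
        if ptype == PAYLOAD_SA:
            proposed = sa_dh_groups(body)
        elif ptype == PAYLOAD_KE:
            sent = struct.unpack("!HH", body[:4])[0]   # D-H Group Num, then Reserved
    return {"proposed": proposed, "ke_group": sent,
            "consistent": sent is not None and sent != 0 and sent in proposed}


def invalid_ke_requested_group(msg):
    """Return the group a responder asks for in N(INVALID_KE_PAYLOAD), or None."""
    for ptype, body in iter_payloads(msg):
        if ptype == PAYLOAD_NOTIFY:
            _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            if ntype == NOTIFY_INVALID_KE_PAYLOAD:
                return struct.unpack("!H", body[4 + spi_size:6 + spi_size])[0]
    return None


# --- builders for the constructed samples (dummy SPIs, nonce and KE data) ---

def _transform(ttype, tid, last, attrs=b""):
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def build_sa_payload(dh_group):
    """One IKE proposal: AES-CBC-128 / PRF_HMAC_SHA1 / HMAC_SHA1_96 / the given D-H group."""
    keylen_128 = struct.pack("!HH", 0x800E, 128)          # TV attribute 14 (Key Length)
    transforms = (_transform(TRANSFORM_ENCR, 12, False, keylen_128)
                  + _transform(TRANSFORM_PRF, 2, False)
                  + _transform(TRANSFORM_INTEG, 2, False)
                  + _transform(TRANSFORM_DH, dh_group, True))
    # last proposal, reserved, length, proposal #1, protocol IKE (1), SPI size 0, 4 transforms
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, 4) + transforms


def build_message(exchange, payloads, flags):
    """Chain (type, body) payloads with generic headers behind an IKE header."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    hdr = b"\x11" * 8 + b"\x00" * 8 + struct.pack(
        "!BBBBII", payloads[0][0], 0x20, exchange, flags, 0, 28 + len(body))
    return hdr + body


def sample_init_request(sa_group, ke_group):
    """Constructed IKE_SA_INIT request; ke_group=0 mimics the 'undefined' group in the thread."""
    ke = struct.pack("!HH", ke_group, 0) + b"\x42" * 128    # dummy public value
    return build_message(IKE_SA_INIT, [(PAYLOAD_SA, build_sa_payload(sa_group)),
                                       (PAYLOAD_KE, ke), (PAYLOAD_NONCE, b"\x00" * 16)], 0x08)


def sample_invalid_ke_response(group):
    """Constructed IKE_SA_INIT response carrying only N(INVALID_KE_PAYLOAD)."""
    notify = struct.pack("!BBH", 0, 0, NOTIFY_INVALID_KE_PAYLOAD) + struct.pack("!H", group)
    return build_message(IKE_SA_INIT, [(PAYLOAD_NOTIFY, notify)], 0x20)


if __name__ == "__main__":
    r = check_init_request(sample_init_request(2, 0))
    print("SA proposes", [DH_GROUP_NAMES.get(g, g) for g in r["proposed"]],
          "/ KE carries", DH_GROUP_NAMES.get(r["ke_group"]), "/ consistent:", r["consistent"])
    print("responder requested", DH_GROUP_NAMES.get(invalid_ke_requested_group(sample_invalid_ke_response(2))))
```

To apply this to a real capture, feed `check_init_request()` the UDP payload of the initiator's first packet (after the 4-byte non-ESP marker if it was sent on port 4500); a `consistent: False` result with `ke_group` 0 is exactly the "DH group undefined" symptom, and the responder's N(INVALID_KE_PAYLOAD) will name the group it was given, which is why charon logs the same group on both sides of "didn't accept ... it requested".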

On Sun, Jan 31, 2016 at 1:57 AM, Thomas Egerer <hakke_007 at gmx.de> wrote:

> Michael,
>
> can you provide the charon load-tester log with facility enc set to log
> level 3, see [1], and the pcap file from your Cisco device (one IKE_INIT
> exchange should do).
>
> Thomas
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
> On 01/31/2016 09:12 AM, Michael Chan wrote:
> > I ran this against a Cisco device. I looked at the packet capture and it
> > shows that the key exchange DH group is undefined. Has anyone tried with
> > load-tester on 5.3.5?
> >
> > On Sat, Jan 30, 2016 at 2:22 AM, Thomas Egerer <hakke_007 at gmx.de> wrote:
> >
> > Michael,
> >
> > while unloading the dishwasher I gave your issue another thought ;)
> > It seems I have somehow misread your problem. The peer you are trying
> > to connect the load tester to, runs which VPN service? If it is a
> > strongSwan instance, you should provide the version, log information
> > of the IKE negotiation and an output of your config (stroke statusall).
> > It seems odd that the peer does not accept modp 1024 while it requests
> > this same modp group in the response.
> > Does the peer have a plugin loaded that provides modp 1024 (gcrypt, gmp,
> > openssl)? You should see this in 'stroke listall'.
> >
> > Cheers,
> > Thomas
> >
> > On 01/30/2016 12:20 AM, Michael Chan wrote:
> >>>> I looked at the IKE logs and I see the following message
> >>>>
> >>>> [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> >>>> [IKE] peer didn't accept DH group MODP_1024, it requested MODP_1024
> >>>>
> >>>> The packet capture shows the DH group is undefined. Is there a parameter
> >>>> to set the DH group for the IKE key exchange? I have the following parameter
> >>>> in my load-tester.conf file.
> >>>> proposal = aes-sha1-modp1024
> >>>>
> >>>> On Fri, Jan 29, 2016 at 12:40 PM, Michael Chan <mchan49 at gmail.com> wrote:
> >>>>
> >>>>> Hi,
> >>>>> I'm wanting to use the load-tester plugin to perform load testing on a
> >>>>> remote host, but the remote host keeps sending back an INVALID_KE_PAYLOAD
> >>>>> message. When I do a packet capture I see that the DH group for the key
> >>>>> exchange payload is undefined. I tried setting in the load-tester.conf file
> >>>>> esp and proposal to use modp1024, but it doesn't change the key exchange
> >>>>> payload DH group at all. Is there a way to set the group in load-tester?
> >>>>>
> >>>>> Thanks,
> >>>>> Michael
> >>>>>
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> Users at lists.strongswan.org
> >>>> https://lists.strongswan.org/mailman/listinfo/users
> >>>>
> >
> >
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: load-tester.pcap
Type: application/octet-stream
Size: 370 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160204/34b5b936/attachment-0001.obj>