[strongSwan] IKE2 4500 Reply Not Making it Out

Info infosec at quantum-equities.com
Sat Mar 24 22:35:00 CET 2018


On 03/23/2018 01:25 PM, Info wrote:
> On 03/23/2018 12:57 PM, Info wrote:
>>
>>>> Is there anything logged by the kernel in its ring buffer?
>>>> And please add the route I previously mentioned. And stop using ifconfig, or generally the net-tools.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>
>> Looks like journalctl is more useful.  Apparently something was wrong
>> with my prior charon.conf setup, so I've merged the two sections into
>> one.
>>
>> Attached.
>>
> "[ENC] fragmented IKE message is too large"
>
> My CA key and machine keys are generated with:
> # strongswan pki --gen --type rsa --outform pem --size 16384 > /etc/pki/CA/private/{CAmachinename}-CAkey.pem
> # strongswan pki --gen --type rsa --outform pem --size 16384 > /etc/pki/ipsec/private/{machineA}-Key.pem
>
> ... and Noel says that's ridiculous. But we all have our peculiar
> ways. G**gle is baffled, but this may have something to do with MTU,
> which is 1500 on the eth0 interface. Cert sizes are ~6043 Bytes and
> for the CA cert 6067. I once tried to set MTU to 9000, but the outside
> interface in the LAN gateway refused anything higher than 1500 (DHCP),
> so that's a problem. Idk whether this is the problem, and if so what
> to do about it?

So my large key/cert size is not the problem.  Same thing happens with
CA key & cert, and machine key & cert for both ends generated to a size
of 4096.

Same 4 attempts, same "fragmented IKE message is too large", same
unresponsiveness.  Must be something else.  Maybe it's haunted.

Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[48368] to 192.168.1.16[500] (704 bytes)
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
N(HASH_ALG) N(REDIR_SUP) ]
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]:
172.58.47.30 is initiating an IKE_SA
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: local host
is behind NAT, sending keep alives
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: remote host
is behind NAT
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: sending
cert request for "C=US, O=Quantum CN=aries.darkmatter.org CA"
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: generating
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 24 14:22:04 cygnus.darkmatter.org charon-systemd[49550]: sending
packet: from 192.168.1.16[500] to 172.58.47.30[48368] (299 bytes)
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(1/8) ]
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #1 of 8, waiting for complete IKE message
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(2/8) ]
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #2 of 8, waiting for complete IKE message
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(3/8) ]
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #3 of 8, waiting for complete IKE message
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(4/8) ]
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #4 of 8, waiting for complete IKE message
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(5/8) ]
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #5 of 8, waiting for complete IKE message
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(6/8) ]
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #6 of 8, waiting for complete IKE message
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(7/8) ]
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #7 of 8, waiting for complete IKE message
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1188 bytes)
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(8/8) ]
Mar 24 14:22:06 cygnus.darkmatter.org charon-systemd[49550]: fragmented
IKE message is too large
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(1/8) ]
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #1 of 8, waiting for complete IKE message
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(2/8) ]
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #2 of 8, waiting for complete IKE message
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(3/8) ]
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #3 of 8, waiting for complete IKE message
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(4/8) ]
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #4 of 8, waiting for complete IKE message
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(5/8) ]
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #5 of 8, waiting for complete IKE message
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(6/8) ]
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #6 of 8, waiting for complete IKE message
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(7/8) ]
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #7 of 8, waiting for complete IKE message
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1188 bytes)
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(8/8) ]
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(6/8) ]
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #6 of 8, waiting for complete IKE message
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(7/8) ]
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #7 of 8, waiting for complete IKE message
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1188 bytes)
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(8/8) ]
Mar 24 14:22:08 cygnus.darkmatter.org charon-systemd[49550]: fragmented
IKE message is too large
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(1/8) ]
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #1 of 8, waiting for complete IKE message
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(2/8) ]
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #2 of 8, waiting for complete IKE message
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(3/8) ]
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #3 of 8, waiting for complete IKE message
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(4/8) ]
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #4 of 8, waiting for complete IKE message
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(5/8) ]
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #5 of 8, waiting for complete IKE message
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(6/8) ]
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #6 of 8, waiting for complete IKE message
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(7/8) ]
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #7 of 8, waiting for complete IKE message
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1188 bytes)
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(8/8) ]
Mar 24 14:22:11 cygnus.darkmatter.org charon-systemd[49550]: fragmented
IKE message is too large
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(1/8) ]
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #1 of 8, waiting for complete IKE message
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(2/8) ]
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #2 of 8, waiting for complete IKE message
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(3/8) ]
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #3 of 8, waiting for complete IKE message
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(4/8) ]
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #4 of 8, waiting for complete IKE message
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(5/8) ]
Mar 24 14:22:14 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #5 of 8, waiting for complete IKE message
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(6/8) ]
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #6 of 8, waiting for complete IKE message
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1364 bytes)
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(7/8) ]
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: received
fragment #7 of 8, waiting for complete IKE message
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[41633] to 192.168.1.16[4500] (1188 bytes)
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_AUTH request 1 [ EF(8/8) ]
Mar 24 14:22:15 cygnus.darkmatter.org charon-systemd[49550]: fragmented
IKE message is too large
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: received
packet: from 172.58.47.30[48368] to 192.168.1.16[500] (704 bytes)
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: parsed
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
N(HASH_ALG) N(REDIR_SUP) ]
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]:
172.58.47.30 is initiating an IKE_SA
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: local host
is behind NAT, sending keep alives
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: remote host
is behind NAT
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: sending
cert request for "C=US, O=Quantum CN=aries.darkmatter.org CA"
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: generating
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 24 14:22:20 cygnus.darkmatter.org charon-systemd[49550]: sending
packet: from 192.168.1.16[500] to 172.58.47.30[48368] (299 bytes)
Mar 24 14:22:24 cygnus.darkmatter.org charon-systemd[49550]: sending
keep alive to 172.58.47.30[41633]
Mar 24 14:22:34 cygnus.darkmatter.org charon-systemd[49550]: deleting
half open IKE_SA with 172.58.47.30 after timeout
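Added example, not part of this post or of strongSwan: a small Python parser that walks charon-systemd lines like those above, groups the EF(i/n) fragments of each IKE_AUTH request, sums the datagram sizes of the distinct fragments and flags attempts that ended in "fragmented IKE message is too large". It assumes one log record per line (as journalctl emits them) and uses 10000 bytes, which I take to be the charon.max_packet default, as the reassembly limit; that limit and the sample lines are assumptions of the example.

```python
import re

# Assumption: strongSwan's charon.max_packet defaults to 10000 bytes. The sum of the
# fragments' UDP payload sizes is an upper bound on the reassembled message, so a sum
# above the limit explains a "fragmented IKE message is too large" rejection.
MAX_PACKET = 10000
RECV_RE = re.compile(r"received packet: from (\S+)\[\d+\] to \S+\[\d+\] \((\d+) bytes\)")
FRAG_RE = re.compile(r"parsed (\w+) request (\d+) \[ EF\((\d+)/(\d+)\) \]")
TOO_LARGE = "fragmented IKE message is too large"

def track_fragments(lines):
    """One dict per reassembly attempt, in log order. An attempt starts at fragment 1 of a
    (host, exchange, msg id) triple, ignores duplicates and is closed by the error line."""
    attempts, open_by_key, last_pkt = [], {}, None
    for line in lines:
        m = RECV_RE.search(line)
        if m:  # remember source host and size of the datagram about to be parsed
            last_pkt = (m.group(1), int(m.group(2)))
            continue
        m = FRAG_RE.search(line)
        if m and last_pkt:
            host, size = last_pkt
            key = (host, m.group(1), int(m.group(2)))
            idx, count = int(m.group(3)), int(m.group(4))
            rec = open_by_key.get(key)
            if rec is None or idx == 1:  # fragments after an error open a new attempt
                rec = {"host": host, "exchange": key[1], "msg_id": key[2],
                       "fragments": count, "seen": set(), "bytes": 0, "status": "pending"}
                attempts.append(rec)
                open_by_key[key] = rec
            if idx not in rec["seen"]:
                rec["seen"].add(idx)
                rec["bytes"] += size
        elif TOO_LARGE in line and attempts and attempts[-1]["status"] == "pending":
            rec = attempts[-1]
            rec["status"] = "too_large"
            open_by_key.pop((rec["host"], rec["exchange"], rec["msg_id"]), None)
    return attempts

def diagnose(rec, max_packet=MAX_PACKET):
    # Did every fragment arrive, and does their total exceed the reassembly limit?
    return {"complete": len(rec["seen"]) == rec["fragments"],
            "over_limit": rec["bytes"] > max_packet}

def sample_lines():
    """Constructed lines modelled on the post's log: 8 fragments of IKE_AUTH request 1."""
    pre = "Mar 24 14:22:06 cygnus charon-systemd[49550]: "
    lines = []
    for i, n in enumerate([1364] * 7 + [1188], 1):
        lines.append(pre + f"received packet: from 172.58.47.30[41633] to 192.168.1.16[4500] ({n} bytes)")
        lines.append(pre + f"parsed IKE_AUTH request 1 [ EF({i}/8) ]")
    return lines + [pre + TOO_LARGE]
```

For the eight fragments in the log above the distinct-fragment sum is 10736 bytes, above the assumed limit; because each datagram carries its own IKE header, that sum is an upper bound on the reassembled message rather than its exact size.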
