[Swan] My test in aggressive mode running Shrew VPN client

Philippe Vouters philippe.vouters at laposte.net
Wed Jan 23 01:53:26 EET 2013 

Dear Elison,

I am running the configuration I fully describe at 
http://vouters.dyndns.org/tima/Linux-Libreswan-Shrew-VPN-Testing_PAM_XAUTH_DHCP_with_Shrew.html. 
Precisely "dhcp over ipsec" + Mutual RSA + XAUTH.

The only two differences with what I actually run and what I describe 
are plutodebug=control to best match your Libreswan traces and 
xauthby=file to take into account a change I recently brought to XAUTH. 
I detail the relevant steps of Libreswan which show how and when we 
match and how and when we no longer match.

Your Libreswan trace show:
Jan 22 18:00:03 elisonniven pluto[24093]: "jun" #3: STATE_AGGR_R1: sent 
AR1, expecting AI2
Jan 22 18:00:03 elisonniven pluto[24093]: | modecfg pull: noquirk 
policy:push not-client
Jan 22 18:00:03 elisonniven pluto[24093]: | phase 1 is done, looking for 
phase 2 to unpend
Jan 22 18:00:03 elisonniven pluto[24093]: | complete state transition 
with STF_INLINE
Jan 22 18:00:03 elisonniven pluto[24093]: | complete state transition 
with STF_INLINE
Jan 22 18:00:03 elisonniven pluto[24093]: | * processed 0 messages from 
cryptographic helpers


My Libreswan trace show:
Jan 23 00:20:05 victor pluto[11580]: "Vladimir_RSA_XAuth_DHCP"[1] 
192.168.1.5 #1: STATE_AGGR_R1: sent AR1, expecting AI2
Jan 23 00:20:05 victor pluto[11580]: | modecfg pull: quirk-poll 
policy:push not-client
Jan 23 00:20:05 victor pluto[11580]: | phase 1 is done, looking for 
phase 2 to unpend
Jan 23 00:20:05 victor pluto[11580]: | complete state transition with 
STF_INLINE
Jan 23 00:20:05 victor pluto[11580]: | complete state transition with 
STF_INLINE
Jan 23 00:20:05 victor pluto[11580]: | * processed 0 messages from 
cryptographic helpers

So far match.

Your Libreswan trace:

Jan 22 18:00:03 elisonniven pluto[24093]: | *received 100 bytes from 
10.103.2.75:500 on p18p1 (port=500)
Jan 22 18:00:03 elisonniven pluto[24093]: |  processing version=1.0 
packet with exchange type=ISAKMP_XCHG_AGGR (4)
Jan 22 18:00:03 elisonniven pluto[24093]: | ICOOKIE:  77 69 66 f7 66 35 
b1 a7
Jan 22 18:00:03 elisonniven pluto[24093]: | RCOOKIE:  b3 ec 0a ee 8c 8d 
52 1d
Jan 22 18:00:03 elisonniven pluto[24093]: | state hash entry 9
Jan 22 18:00:03 elisonniven pluto[24093]: | v1 peer and cookies match on 
#3, provided msgid 00000000 vs 00000000
Jan 22 18:00:03 elisonniven pluto[24093]: | v1 state object #3 found, in 
STATE_AGGR_R1
Jan 22 18:00:03 elisonniven pluto[24093]: | processing connection jun
Jan 22 18:00:03 elisonniven pluto[24093]: "jun" #3: packet rejected: 
should have been encrypted
Jan 22 18:00:03 elisonniven pluto[24093]: "jun" #3: sending notification 
INVALID_FLAGS to 10.103.2.75:500
Jan 22 18:00:03 elisonniven pluto[24093]: | sending 40 bytes for 
notification packet through p18p1:500 to 10.103.2.75:500 (using #3)
Jan 22 18:00:03 elisonniven pluto[24093]: | * processed 0 messages from 
cryptographic helpers


My Libreswan trace:
Jan 23 00:20:05 victor pluto[11580]: | *received 1404 bytes from 
192.168.1.5:500 on eth0 (port=500)
Jan 23 00:20:05 victor pluto[11580]: |  processing version=1.0 packet 
with exchange type=ISAKMP_XCHG_AGGR (4)
Jan 23 00:20:05 victor pluto[11580]: | ICOOKIE:  72 51 cf 9d  58 29 41 16
Jan 23 00:20:05 victor pluto[11580]: | RCOOKIE:  e8 53 b4 1a  01 66 8c df
Jan 23 00:20:05 victor pluto[11580]: | state hash entry 4
Jan 23 00:20:05 victor pluto[11580]: | v1 peer and cookies match on #1, 
provided msgid 00000000 vs 00000000
Jan 23 00:20:05 victor pluto[11580]: | v1 state object #1 found, in 
STATE_AGGR_R1
Jan 23 00:20:05 victor pluto[11580]: | processing connection 
Vladimir_RSA_XAuth_DHCP[1] 192.168.1.5

In summary I cannot get your error sequence with Sghrew VPN Client.
Your error sequence is:
Jan 22 18:00:03 elisonniven pluto[24093]: "jun" #3: packet rejected: 
should have been encrypted
Jan 22 18:00:03 elisonniven pluto[24093]: "jun" #3: sending notification 
INVALID_FLAGS to 10.103.2.75:500
Jan 22 18:00:03 elisonniven pluto[24093]: | sending 40 bytes for 
notification packet through p18p1:500 to 10.103.2.75:500 (using #3)

As a possible conclusion there is either a Netscreen configuration 
mismatch with Libreswan or more likely another bug inside Netscreen.

-- 
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

More information about the Swan mailing list