[Swan] "responder" response "INVALID_ID_INFORMATION" in "msg 2 of quick mode" in libreswan v3.20

Hao Chen earthlovepython at outlook.com
Fri Dec 29 05:50:28 UTC 2017


Hi All:

I figured out the question in RFC2409 section 5.5. Sorry for bothering you.

"Identification Payload" is optional in "msg 1 in quick mode" (https://tools.ietf.org/html/rfc2409#page-18).

Thanks

________________________________
From: Swan <swan-bounces at lists.libreswan.org> on behalf of Hao Chen <earthlovepython at outlook.com>
Sent: Thursday, December 28, 2017 16:37
To: swan at lists.libreswan.org
Subject: Re: [Swan] "responder" response "INVALID_ID_INFORMATION" in "msg 2 of quick mode" in libreswan v3.20

Hi All:

Can you please answer my questions:
========================================
1). Must the "ISAKMP Identification Payload" be present in "msg 1 in quick mode"? See https://tools.ietf.org/html/rfc2409#page-25
2). What is the meaning of "SIT_IDENTITY_ONLY" (https://tools.ietf.org/html/rfc2407#section-4.2.1)?
    If the bit is set, does it mean the "ISAKMP Identification Payload" can re-use the "ID payload" in "msg 5 in main mode"?

Thanks


________________________________
From: Swan <swan-bounces at lists.libreswan.org> on behalf of Hao Chen <earthlovepython at outlook.com>
Sent: Wednesday, December 27, 2017 19:54
To: swan at lists.libreswan.org
Subject: [Swan] "responder" response "INVALID_ID_INFORMATION" in "msg 2 of quick mode" in libreswan v3.20

Hi All:

Same configuration file. Works in v3.12, but the peer (responder) responds to us with "INVALID_ID_INFORMATION" while we are the "initiator" in v3.20.

Can you please give me some clue?

Thanks


Message 5 in main mode:
=====================================
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  08 00 00 0c  01 00 00 00  ac 10 a2 39  00 00 00 14
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  80 6a 09 e9  15 72 b4 e6  88 fd ec e0  7e 2b 36 5e
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | IV:  96 65 25 37  52 3a 51 7a  5e 94 a0 69  b4 5e ee 96
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | unpadded size is: 32
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting 32 using OAKLEY_3DES_CBC
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | NSS: do_3des init start
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | NSS: do_3des init end
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | next IV:  3a 9e cd 4f  cb 55 fa 51
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | no IKEv1 message padding required
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting length of ISAKMP Message: 60
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | complete v1 state transition with STF_OK
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: "PGW_ARES_ipsec" #508: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | parent state #508: STATE_MAIN_I2(open-ike) => STATE_MAIN_I3(open-ike)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | sending 60 bytes for STATE_MAIN_I2 through bond.2250:500 to 172.24.252.40:500 (using #508)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   9b 29 c9 1e  65 eb 51 36  7f 42 0c f0  b5 7c fa fb
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   05 10 02 01  00 00 00 00  00 00 00 3c  3d 53 eb 5d
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   91 be 4d cb  a6 5c 9b 4c  97 a1 59 40  88 84 1a 35
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   49 28 d7 cf  3a 9e cd 4f  cb 55 fa 51
====> I can see the "ID" is "ac 10 a2 39", which is the IP "172.16.162.57"

Message 1 in quick mode:
=====================================
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | quick_outI1_continue for #509: calculated ke+nonce, sending I1
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting 16 zero bytes of HASH into ISAKMP Hash Payload
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting length of ISAKMP Hash Payload: 20
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting length of ISAKMP Transform Payload (ESP): 28
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting length of ISAKMP Transform Payload (ESP): 28
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting length of ISAKMP Proposal Payload: 68
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting length of ISAKMP Security Association Payload: 80
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | ***emit ISAKMP Nonce Payload:
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |    next payload type: ISAKMP_NEXT_KE (0x4)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | Ni  4b 7e d9 6b  66 5f 1e 9e  df fb 2d 28  6f 76 f1 db
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | Ni  4f 4a 4d f7  69 37 9c 65  19 e5 84 20  b7 da 71 a2
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting length of ISAKMP Nonce Payload: 36
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | wire (crypto helper) group MODP1024 and state group MODP1024 match
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | saving DH priv (local secret) and pub key into state struct
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | ***emit ISAKMP Key Exchange Payload:
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |    next payload type: ISAKMP_NEXT_NONE (0x0)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting length of ISAKMP Key Exchange Payload: 132
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  01 00 00 14  a8 f8 0f 87  3c 35 40 61  e1 21 2e db
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  4f 7c 02 db  0a 00 00 50  00 00 00 01  00 00 00 01
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  00 00 00 44  00 03 04 02  46 4c 48 e5  03 00 00 1c
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  00 03 00 00  80 03 00 02  80 04 00 02  80 01 00 01
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  80 02 70 80  80 05 00 01  00 00 00 1c  01 03 00 00
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  80 03 00 02  80 04 00 02  80 01 00 01  80 02 70 80
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  80 05 00 02  04 00 00 24  4b 7e d9 6b  66 5f 1e 9e
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  df fb 2d 28  6f 76 f1 db  4f 4a 4d f7  69 37 9c 65
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  19 e5 84 20  b7 da 71 a2  00 00 00 84  d5 92 d7 29
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  6f 86 58 0b  88 f3 33 56  63 dd 3e b3  eb 70 00 d0
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  05 39 cf f7  4b ae 4c 79  ef 35 8c b6  6a 51 7b dd
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  13 5e 3c 2a  83 1e dc 74  ed 9c 47 ab  55 9c 66 f1
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  ee d7 35 08  a4 e6 35 9d  43 5e 11 f5  a8 ef ab 0c
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  fd 22 63 81  02 d0 28 48  7d bd 59 5b  ca 28 f7 7a
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  70 5b ce 4e  54 e7 8e 51  b7 d8 47 cb  5d b5 21 af
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  34 a2 0f c5  d6 10 3c 75  66 ed f1 e7  b1 11 4e 62
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting:  87 37 e5 fa  99 67 42 8d  53 f6 a4 60
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | IV:  05 0a 7b 98  de 48 59 c1  47 c5 f9 3e  9b 4c 87 ef
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | unpadded size is: 268
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | emitting 4 zero bytes of encryption padding into ISAKMP Message
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | encrypting 272 using OAKLEY_3DES_CBC

Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | sending 300 bytes for reply packet from quick_outI1 through bond.2250:500 to 172.24.252.40:500 (using #509)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | state #509 requesting EVENT_CRYPTO_FAILED to be deleted
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | delete_pluto_event: release EVENT_CRYPTO_FAILED-pe at 0x55ac546aedb8
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | event_schedule_ms called for about 500 ms
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | event_schedule_tv: new EVENT_v1_RETRANSMIT-pe at 0x55ac54635898
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | event_schedule_tv called for about 0 seconds and change
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | inserting event EVENT_v1_RETRANSMIT, timeout in 0.500000 seconds for #509

Response 1 in quick mode:
=====================================
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | *received 76 bytes from 172.24.252.40:500 on bond.2250 (port=500)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   9b 29 c9 1e  65 eb 51 36  7f 42 0c f0  b5 7c fa fb
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   08 10 05 01  08 31 97 4d  00 00 00 4c  25 c3 81 fc
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   04 5d 25 61  34 f7 12 5a  2b 4d 29 99  95 6e b1 0f
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   0c 05 de f8  a6 c6 ec 41  f8 0d 76 3a  7c 7c c7 e5
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   08 91 21 d9  36 c9 81 5f  02 45 6d 41
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | decrypted:
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   0b 00 00 14  91 4e d8 1e  1f df f3 d9  bc 8d 77 ff
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   b5 ed d9 dd  00 00 00 1c  00 00 00 01  03 04 00 12
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |   46 4c 48 e5  80 0c 00 01  00 08 00 04  db 65 69 13
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | next IV:  36 c9 81 5f  02 45 6d 41
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | got payload 0x100  (ISAKMP_NEXT_HASH) needed: 0x100opt: 0x0
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | ***parse ISAKMP Hash Payload:
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |    next payload type: ISAKMP_NEXT_N (0xb)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |    length: 20 (0x14)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | got payload 0x800  (ISAKMP_NEXT_N) needed: 0x0opt: 0x0
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: | ***parse ISAKMP Notification Payload:
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |    next payload type: ISAKMP_NEXT_NONE (0x0)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |    length: 28 (0x1c)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |    DOI: ISAKMP_DOI_IPSEC (0x1)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |    protocol ID: 3 (0x3)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |    SPI size: 4 (0x4)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: |    Notify Message Type: INVALID_ID_INFORMATION (0x12)
Dec 14 14:02:08 txwlxtpmf2a pluto[27271]: "PGW_ARES_ipsec" #508: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=28
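
Added example (not part of the original thread and not libreswan code): a small ISAKMP payload-chain walker that shows quick mode msg 1 carried no ID payloads and decodes the responder's Notification. The names walk_payloads, parse_notify, skeleton, QM1 and REPLY are hypothetical; QM1 is constructed from the payload lengths and next-payload values pluto logged, with zero-filled bodies, and REPLY is the three "decrypted:" lines from the log.

```python
import struct

# ISAKMP payload type numbers (RFC 2408, section 3.1)
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N"}

def walk_payloads(first_type, body):
    """Follow the generic payload headers; return [(name, payload_data)]."""
    chain, ptype, off = [], first_type, 0
    while ptype != 0:  # next-payload 0 ends the chain; trailing padding is ignored
        if off + 4 > len(body):
            raise ValueError("truncated payload header")
        nxt, _reserved, length = struct.unpack_from("!BBH", body, off)
        if length < 4 or off + length > len(body):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        chain.append((PAYLOAD.get(ptype, str(ptype)), body[off + 4:off + length]))
        ptype, off = nxt, off + length
    return chain

def parse_notify(data):
    """Decode a Notification payload body (RFC 2408, section 3.14)."""
    doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", data, 0)
    spi = data[8:8 + spi_size]
    return {"doi": doi, "protocol": proto, "type": ntype,
            "spi": spi.hex(), "data": data[8 + spi_size:].hex()}

def skeleton(*parts):
    """Constructed input: (next_type, total_length) headers, zero-filled bodies."""
    return b"".join(struct.pack("!BBH", n, 0, l) + bytes(l - 4) for n, l in parts)

# Quick mode msg 1 as pluto logged it: HASH(20) SA(80) Nonce(36) KE(132).
QM1 = skeleton((1, 20), (10, 80), (4, 36), (0, 132))

# The three "decrypted:" lines of the responder's reply, copied from the log.
REPLY = bytes.fromhex(
    "0b000014914ed81e1fdff3d9bc8d77ff"
    "b5edd9dd0000001c0000000103040012"
    "464c48e5800c000100080004db656913")

def qm1_payload_names():
    return [name for name, _ in walk_payloads(8, QM1)]  # 8 = HASH comes first

def reply_notify():
    return parse_notify(dict(walk_payloads(8, REPLY))["N"])

if __name__ == "__main__":
    print(len(QM1), qm1_payload_names())  # no "ID" entry: IDci/IDcr were omitted
    print(reply_notify())                 # type 0x12 is INVALID_ID_INFORMATION
```

With no IDci/IDcr in msg 1, RFC 2409 section 5.5 has both sides assume the IP addresses of the ISAKMP peers as the identities. The SPI in the decoded notify, 464c48e5, is the same ESP SPI that appears in the proposal in the initiator's quick mode plaintext above.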



