[Swan] Looking for assistance: libreswan pluto 3.15 interop with vxWorks (Interpeak) 6.5 ipsec

Sadler, Jonathan B. jonathan.sadler at coriant.com
Tue Feb 27 16:50:33 UTC 2018


Hello all,

Please point me to a troubleshooting guide if you feel it would help my debugging.

I'm attempting to get a tunnel using IKEv2 and x509 certs established between a linux system with pluto 3.15 and an embedded system using vxWorks 6.5.  I have the certificates incorporated in the NSS database and am having issues getting to phase2.

It looks like Phase 1 successfully negotiates crypto routines but doesn't seem to get through authentication.  Here are relevant lines from /var/log/secure:
Feb 27 11:32:57 Linux69 pluto[26056]: "target" #1: initiating v2 parent SA
Feb 27 11:32:57 Linux69 pluto[26056]: "target" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Feb 27 11:32:57 Linux69 pluto[26056]: | Sending [CERT] of certificate: <Cert FQN Redacted>
Feb 27 11:32:57 Linux69 pluto[26056]: "target" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha group=MODP2048}
Feb 27 11:32:58 Linux69 pluto[26056]: "target" #2: missing payload(s) (ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2IDr+ISAKMP_NEXT_v2AUTH+ISAKMP_NEXT_v2TSi+ISAKMP_NEXT_v2TSr). Message dropped.
Feb 27 11:32:58 Linux69 pluto[26056]: packet from 172.23.129.50:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 172.23.129.50:500
Feb 27 11:32:58 Linux69 pluto[26056]: packet from 172.23.129.50:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 172.23.129.50:500
...

The vxWorks system is reporting the following in SYSLOG:
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: New exchange started (IKE_SA_INIT with message ID: 0)
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_SA_INIT, #1(4), ID 0
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Info: selected 'aes' as encryption algorithm
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Info: selected '128' as key length
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Info: selected 'sha1' as hash algorithm
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Info: selected 'sha1' as integrity algorithm
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Info: selected 'modp2048' as DH group description
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Sending message 172.22.103.146[500], (IKE_SA_INIT), #2(4), ID 0
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_SA_INIT, #3(4), ID 0
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Message 172.22.103.146[500] already processed, (IKE_SA_INIT), #2(4), ID 0
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Resending message 172.22.103.146[500], (IKE_AUTH), #2(4), ID 0, 1(5)
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_AUTH, #3(4), ID 1
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: the payloads extends beyond the end of the ISAKMP package
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Warning: ISAKMP message dropped, error code 20
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_AUTH, #3(4), ID 1
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: payload check failed since 53 is an unsupported payload type
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Warning: ipike_policy_select_sa_param: no proposal was accepted
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: ipike_exchange_sa_init_update: Failed to create first child
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Sending message 172.22.103.146[500], (IKE_AUTH), #4(4), ID 1
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: New exchange started (IKE_AUTH with message ID: 1)
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_AUTH, #1(4), ID 1
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Bad exchange identifier, peer probably processed resend message

Here is the config I'm using:
conn target
        type=tunnel
        fragmentation=force
        left=172.22.103.146
        leftcert=TNMS
        leftid=%cert
        leftsendcert=always
        leftsubnet=172.22.103.146/32
        leftrsasigkey=%cert
        right=172.23.129.50
        rightca=%same
        rightrsasigkey=%cert
        authby=rsasig
        auto=start
        ikev2=insist
        ike=aes128-sha1;modp2048
        phase2alg=aes128-sha1
        keyingtries=%forever
        pfs=yes

Any thoughts/pointers provided are appreciated.

Jonathan Sadler
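Editor's note, an added diagnostic example that is not part of the original post: the vxWorks log rejects "payload type 53", which is the IKEv2 Encrypted Fragment (SKF) payload from RFC 7383, so the IKE_AUTH from pluto is arriving fragmented, and the "payloads extends beyond the end" error is a length-chain failure. The decoder below walks an IKEv2 header and payload chain the way a peer without RFC 7383 support would, reporting both conditions; the sample messages and the build() helper are constructed here, not captured from either system.

```python
import struct

# IKEv2 payload type registry (RFC 7296 section 3.2, plus SKF from RFC 7383)
PAYLOAD_TYPES = {
    0: "NONE", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
    39: "AUTH", 40: "Ni/Nr", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr",
    46: "SK", 47: "CP", 48: "EAP", 53: "SKF",
}
# A stack predating RFC 7383 knows nothing above EAP (48); this models the vxWorks side
LEGACY_KNOWN = {t for t in PAYLOAD_TYPES if t <= 48}
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
HDR = struct.Struct("!8s8sBBBBII")  # SPIi, SPIr, next, version, exchange, flags, msgid, length

def walk_payloads(msg, known=LEGACY_KNOWN):
    """Decode the IKEv2 header and generic payload chain; return (summary, findings)."""
    findings = []
    spi_i, spi_r, nxt, ver, xchg, flags, msgid, length = HDR.unpack_from(msg)
    if length != len(msg):
        findings.append(f"header length {length} != datagram length {len(msg)}")
    off, chain = HDR.size, []
    while nxt != 0:
        if off + 4 > len(msg):
            findings.append("payload header extends beyond end of message")
            break
        inner_nxt, crit, plen = struct.unpack_from("!BBH", msg, off)
        name = PAYLOAD_TYPES.get(nxt, f"type {nxt}")
        chain.append(name)
        if nxt not in known:
            findings.append(f"unsupported payload type {nxt} ({name})"
                            + (" - peer must support RFC 7383 fragmentation" if nxt == 53 else ""))
        if plen < 4 or off + plen > len(msg):
            findings.append(f"payload {name} length {plen} extends beyond end of message")
            break
        if nxt in (46, 53):  # SK/SKF is always last; its next-payload refers to encrypted content
            break
        nxt, off = inner_nxt, off + plen
    return {"exchange": EXCHANGES.get(xchg, xchg), "msgid": msgid, "chain": chain}, findings

def build(xchg, msgid, payloads):
    """Constructed test message: payloads is [(type, body_bytes), ...]; links next-payload fields."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x20, xchg, 0x08, msgid, HDR.size + len(body)) + body

if __name__ == "__main__":
    # Constructed IKE_AUTH fragment 1 of 3 (SKF body: fragment number, total, dummy ciphertext)
    frag = build(35, 1, [(53, struct.pack("!HH", 1, 3) + b"\x00" * 16)])
    print(walk_payloads(frag))            # legacy peer: unsupported type 53
    print(walk_payloads(frag[:-8]))       # truncated datagram: length chain overruns
```

Running it against a pcap of the real IKE_AUTH (after stripping the UDP header) shows whether the first payload is SKF (53) rather than SK (46); if it is, the fragmentation= setting on the pluto side is the first thing to revisit.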
