[Swan] Cisco IOS XE Interoperability with Libreswan
Paul Wouters
paul at nohats.ca
Thu Aug 16 21:06:36 UTC 2018
On Thu, 16 Aug 2018, Reuben Farrelly wrote:
> We're getting a little further now, but still not succeeding.
I think the libreswan part is happy, but the Cisco does not seem to like
your IKE_AUTH message. It then restarts with IKE_INIT and, instead of
answering it, seems stuck in resending it, saying "already in negotiation,
hence not negotiating again".
> Aug 16 18:05:16.759198: | sending 248 bytes for STATE_IKEv2_BASE through
> eth0:500 to 1.144.95.124:585 (using #138)
That's libreswan sending the IKE_INIT request.
> Aug 16 18:05:18.485488: | *received 366 bytes from 1.144.95.124:585 on eth0
> (port=500)
> Aug 16 18:05:18.485645: | processing: start from 1.144.95.124:585 (in
> process_md() at demux.c:392)
> Aug 16 18:05:18.485654: | **parse ISAKMP Message:
> Aug 16 18:05:18.485659: | initiator cookie:
> Aug 16 18:05:18.485664: | fe e6 d7 65 ca 54 75 3b
> Aug 16 18:05:18.485669: | responder cookie:
> Aug 16 18:05:18.485674: | 00 00 00 00 00 00 00 00
Note the responder cookies are 0, so this is a retransmit of the IKE_INIT.
> Aug 16 18:05:18.485767: | #138 STATE_PARENT_R1: retransmits: duplicate
> IKE_INIT_I message received, retransmiting previous packet
> Aug 16 18:05:18.485775: | sending 248 bytes for ikev2-responder-retransmit
> IKE_SA_INIT through eth0:500 to 1.144.95.124:585 (using #138)
We detect that and just retransmit the packet.
> IKE_INIT_I message received, retransmiting previous packet
> Aug 16 18:05:22.066917: | sending 248 bytes for ikev2-responder-retransmit
> IKE_SA_INIT through eth0:500 to 1.144.95.124:585 (using #138)
And again...
> Aug 16 18:05:30.075470: | sending 248 bytes for ikev2-responder-retransmit
> IKE_SA_INIT through eth0:500 to 1.144.95.124:585 (using #138)
And again...
> Cisco debugs:
>
> Aug 16 18:05:03 lo0.router-2.reub.net router-2: Aug 16 18:05:02:
> IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 110.232.112.209:500/From
> 10.102.66.94:500/VRF i0:f0]
> Aug 16 18:05:03 lo0.router-2.reub.net router-2: Initiator SPI :
> FEE6D765CA54753B - Responder SPI : 0000000000000000 Message id: 0
> Aug 16 18:05:03 lo0.router-2.reub.net router-2: IKEv2 IKE_SA_INIT Exchange
> REQUEST
Got your IKE_INIT.
> Aug 16 18:05:04 lo0.router-2.reub.net router-2: Aug 16 18:05:03: IKEv2:SA is
> already in negotiation, hence not negotiating again
> Aug 16 18:05:32 lo0.router-2.reub.net router-2: Aug 16 18:05:31:
> IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
I'm really confused about "retransmitting packet" there, because in IKEv2
only the initiator retransmits. Is the Cisco somehow confused about who
initiated this?
Later on I see it do something, though.
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: IKEv2:Using
> the Default Policy for Proposal
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: IKEv2:
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Found Policy 'default'
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34:
> IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public
> key, DH Group 19
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: IKEv2:(SA ID
> = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34:
> IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: IKEv2:IKEv2
> initiator - no config data to send in IKE_SA_INIT exch
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34:
> IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34:
> IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial
> negotiation),
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Num. transforms: 9
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: AES-CBC SHA512 SHA384
> SHA512 SHA384 DH_GROUP_256_ECP/Group 19
> Aug 16 18:07:35 lo0.router-2.reub.net router-2: DH_GROUP_2048_MODP/Group 14
> DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5
> Aug 16 18:07:35 lo0.router-2.reub.net router-2: Aug 16 18:07:34:
> IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 110.232.112.209:500/From
> 10.102.66.94:500/VRF i0:f0]
> Aug 16 18:07:35 lo0.router-2.reub.net router-2: Initiator SPI :
> B8335E814D8F6500 - Responder SPI : 0000000000000000 Message id: 0
This is a new one the Cisco started, but you didn't show the libreswan
log entry matching these SPIs.
> IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
But it goes bad again with retransmitting...
Paul
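The responder-side behaviour Paul describes above (a responder SPI of all zeros on an IKE_SA_INIT request, the same initiator SPI already being in negotiation, and libreswan answering the duplicate by resending its cached reply) can be made concrete with a small parser and state table. The following is an added example for this thread, not libreswan or Cisco code: it parses the fixed IKEv2 header from RFC 7296 section 3.1, keys half-open negotiations on the initiator SPI, and distinguishes a retransmitted IKE_SA_INIT from a genuinely new negotiation. The initiator SPIs are the two that appear in the quoted logs; the message bodies, the `IkeSaInitResponder` class and its result labels are constructed for illustration.

```python
import os
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# IKEv2 fixed header (RFC 7296 section 3.1): initiator SPI, responder SPI,
# next payload, version, exchange type, flags, message ID, total length.
IKE_HEADER_FMT = ">8s8sBBBBII"
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)  # 28 octets
IKEV2_VERSION = 0x20      # major 2, minor 0
IKE_SA_INIT = 34
IKE_AUTH = 35
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
ZERO_SPI = bytes(8)       # responder SPI is zero in an IKE_SA_INIT request

# Initiator SPIs taken from the logs quoted in the thread (sample values only).
SPI_FIRST = bytes.fromhex("FEE6D765CA54753B")
SPI_SECOND = bytes.fromhex("B8335E814D8F6500")


@dataclass(frozen=True)
class IkeHeader:
    ispi: bytes
    rspi: bytes
    next_payload: int
    version: int
    exchange: int
    flags: int
    msgid: int
    length: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & FLAG_RESPONSE)


def parse_ike_header(packet: bytes) -> IkeHeader:
    """Parse the fixed header and check it against the datagram it came in."""
    if len(packet) < IKE_HEADER_LEN:
        raise ValueError("datagram shorter than the IKE header")
    hdr = IkeHeader(*struct.unpack(IKE_HEADER_FMT, packet[:IKE_HEADER_LEN]))
    if hdr.version != IKEV2_VERSION:
        raise ValueError(f"unexpected IKE version byte 0x{hdr.version:02x}")
    if hdr.length != len(packet):
        raise ValueError("length field does not match datagram size")
    return hdr


def build_ike_message(ispi: bytes, rspi: bytes, exchange: int, flags: int,
                      msgid: int, body: bytes = b"") -> bytes:
    """Build a message with a correct length field; the body is opaque here."""
    header = struct.pack(IKE_HEADER_FMT, ispi, rspi, 0, IKEV2_VERSION,
                         exchange, flags, msgid, IKE_HEADER_LEN + len(body))
    return header + body


@dataclass
class HalfOpenSa:
    rspi: bytes
    response: bytes   # cached IKE_SA_INIT reply, resent on duplicates
    duplicates: int = 0


class IkeSaInitResponder:
    """Hypothetical responder: IKE_SA_INIT requests keyed on initiator SPI.

    A request whose initiator SPI we already answered, still carrying a zero
    responder SPI and message ID 0, is a retransmit; the cached reply is
    resent unchanged rather than starting a second negotiation.
    """

    def __init__(self, spi_source: Callable[[int], bytes] = os.urandom):
        self._spi_source = spi_source
        self._half_open: Dict[bytes, HalfOpenSa] = {}

    def handle(self, packet: bytes) -> Tuple[str, Optional[bytes]]:
        hdr = parse_ike_header(packet)
        if hdr.exchange != IKE_SA_INIT or hdr.is_response or hdr.msgid != 0:
            return "not-ike-sa-init-request", None
        if hdr.rspi != ZERO_SPI:
            return "bad-responder-spi", None   # must be zero at this stage
        sa = self._half_open.get(hdr.ispi)
        if sa is not None:
            sa.duplicates += 1
            return "duplicate-retransmit", sa.response
        rspi = self._spi_source(8)
        response = build_ike_message(hdr.ispi, rspi, IKE_SA_INIT,
                                     FLAG_RESPONSE, 0, b"\x00" * 16)
        self._half_open[hdr.ispi] = HalfOpenSa(rspi=rspi, response=response)
        return "new-negotiation", response

    def duplicates(self, ispi: bytes) -> int:
        sa = self._half_open.get(ispi)
        return sa.duplicates if sa else 0


def demo() -> List[str]:
    """Replay the pattern from the logs: one request sent three times, then
    a fresh IKE_SA_INIT with a different initiator SPI."""
    responder = IkeSaInitResponder()
    req = build_ike_message(SPI_FIRST, ZERO_SPI, IKE_SA_INIT,
                            FLAG_INITIATOR, 0, b"\x01" * 32)
    results = [responder.handle(req)[0] for _ in range(3)]
    fresh = build_ike_message(SPI_SECOND, ZERO_SPI, IKE_SA_INIT,
                              FLAG_INITIATOR, 0, b"\x02" * 32)
    results.append(responder.handle(fresh)[0])
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields one `new-negotiation`, two `duplicate-retransmit` results for the repeated first SPI, and a second `new-negotiation` for the other SPI, which is the distinction Paul draws between the retransmits of `FEE6D765CA54753B` and the new exchange the Cisco later starts with `B8335E814D8F6500`. When correlating the two sides' logs, matching on the initiator SPI is the reliable way to tell which libreswan state (`#138` here) belongs to which Cisco session.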