[Swan] Cisco IOS XE Interoperability with Libreswan

Paul Wouters paul at nohats.ca
Thu Aug 16 21:06:36 UTC 2018


On Thu, 16 Aug 2018, Reuben Farrelly wrote:

> We're getting a little further now, but still not succeeding.

I think the libreswan part is happy, but the Cisco does not seem to like
your IKE_AUTH message. It then restarts with IKE_INIT and, instead of
answering it, seems stuck resending it, saying "already in negotiation,
hence not negotiating again".

> Aug 16 18:05:16.759198: | sending 248 bytes for STATE_IKEv2_BASE through 
> eth0:500 to 1.144.95.124:585 (using #138)

That's libreswan sending the IKE_INIT request.

> Aug 16 18:05:18.485488: | *received 366 bytes from 1.144.95.124:585 on eth0 
> (port=500)

> Aug 16 18:05:18.485645: | processing: start from 1.144.95.124:585 (in 
> process_md() at demux.c:392)
> Aug 16 18:05:18.485654: | **parse ISAKMP Message:
> Aug 16 18:05:18.485659: |    initiator cookie:
> Aug 16 18:05:18.485664: |   fe e6 d7 65  ca 54 75 3b
> Aug 16 18:05:18.485669: |    responder cookie:
> Aug 16 18:05:18.485674: |   00 00 00 00  00 00 00 00

Note the responder cookies are 0, so this is a retransmit of the IKE_INIT.

> Aug 16 18:05:18.485767: | #138 STATE_PARENT_R1: retransmits: duplicate 
> IKE_INIT_I message received, retransmiting previous packet
> Aug 16 18:05:18.485775: | sending 248 bytes for ikev2-responder-retransmit 
> IKE_SA_INIT through eth0:500 to 1.144.95.124:585 (using #138)

We detect that and just retransmit the packet.

> IKE_INIT_I message received, retransmiting previous packet
> Aug 16 18:05:22.066917: | sending 248 bytes for ikev2-responder-retransmit 
> IKE_SA_INIT through eth0:500 to 1.144.95.124:585 (using #138)

And again...

> Aug 16 18:05:30.075470: | sending 248 bytes for ikev2-responder-retransmit 
> IKE_SA_INIT through eth0:500 to 1.144.95.124:585 (using #138)

And again...

> Cisco debugs:
>
> Aug 16 18:05:03 lo0.router-2.reub.net router-2: Aug 16 18:05:02: 
> IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 110.232.112.209:500/From 
> 10.102.66.94:500/VRF i0:f0]
> Aug 16 18:05:03 lo0.router-2.reub.net router-2: Initiator SPI : 
> FEE6D765CA54753B - Responder SPI : 0000000000000000 Message id: 0
> Aug 16 18:05:03 lo0.router-2.reub.net router-2: IKEv2 IKE_SA_INIT Exchange 
> REQUEST

Got your IKE_INIT

> Aug 16 18:05:04 lo0.router-2.reub.net router-2: Aug 16 18:05:03: IKEv2:SA is 
> already in negotiation, hence not negotiating again
> Aug 16 18:05:32 lo0.router-2.reub.net router-2: Aug 16 18:05:31: 
> IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

I'm really confused about "retransmitting packet" there, because in IKEv2
only the initiator retransmits. Is the Cisco somehow confused about who
initiated this?


Later on I see it do something, though:

> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: IKEv2:Using 
> the Default Policy for Proposal
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: IKEv2:
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Found Policy 'default'
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: 
> IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public 
> key, DH Group 19
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: IKEv2:(SA ID 
> = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: 
> IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: IKEv2:IKEv2 
> initiator - no config data to send in IKE_SA_INIT exch
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: 
> IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Aug 16 18:07:34: 
> IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial 
> negotiation),
> Aug 16 18:07:34 lo0.router-2.reub.net router-2: Num. transforms: 9
> Aug 16 18:07:34 lo0.router-2.reub.net router-2:    AES-CBC   SHA512 SHA384 
> SHA512   SHA384   DH_GROUP_256_ECP/Group 19
> Aug 16 18:07:35 lo0.router-2.reub.net router-2: DH_GROUP_2048_MODP/Group 14 
> DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5
> Aug 16 18:07:35 lo0.router-2.reub.net router-2: Aug 16 18:07:34: 
> IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 110.232.112.209:500/From 
> 10.102.66.94:500/VRF i0:f0]
> Aug 16 18:07:35 lo0.router-2.reub.net router-2: Initiator SPI : 
> B8335E814D8F6500 - Responder SPI : 0000000000000000 Message id: 0

This is a new one the Cisco started, but you didn't show the libreswan
log entry matching these SPIs.

> IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

But it goes bad again with retransmitting...

Paul
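The two protocol facts Paul relies on above (an IKE_SA_INIT request always carries a zero responder SPI, and a responder that sees the same initiator SPI again with a zero responder SPI treats it as a retransmit and replays its earlier reply rather than starting a new SA) can be shown with a small IKEv2 fixed-header parser and a responder-side duplicate check. This is an added example, not libreswan's or Cisco's code: the `Responder` class, the state names it returns and the `spi_source` hook are assumptions made for this illustration, and the sample packet is constructed (it reuses the initiator SPI visible in the log, with a dummy body, so it is not the real 248-byte packet).

```python
"""Minimal IKEv2 fixed-header parser (RFC 7296 section 3.1) plus the
responder-side duplicate IKE_SA_INIT check discussed in the thread.
Constructed example; not libreswan code."""
import os
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

HEADER_FMT = "!8s8sBBBBII"                  # SPIi, SPIr, NP, version, exch, flags, msgid, len
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 28 bytes
ZERO_SPI = bytes(8)

IKE_SA_INIT, IKE_AUTH = 34, 35              # exchange types
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20  # header flag bits
IKEV2_VERSION = 0x20                        # major 2, minor 0
NP_SA = 33                                  # next payload: Security Association


@dataclass(frozen=True)
class IkeHeader:
    spi_i: bytes        # libreswan's debug output still labels these the
    spi_r: bytes        # "initiator cookie" and "responder cookie"
    next_payload: int
    version: int
    exchange: int
    flags: int
    msg_id: int
    length: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & FLAG_RESPONSE)

    @property
    def from_initiator(self) -> bool:
        return bool(self.flags & FLAG_INITIATOR)


def parse_header(packet: bytes) -> IkeHeader:
    """Parse and sanity-check the 28-byte IKEv2 header of a datagram."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short IKE packet")
    hdr = IkeHeader(*struct.unpack(HEADER_FMT, packet[:HEADER_LEN]))
    if hdr.version >> 4 != 2:
        raise ValueError("not IKEv2")
    if hdr.length != len(packet):
        raise ValueError("length field does not match datagram size")
    return hdr


def build_packet(spi_i: bytes, spi_r: bytes, exchange: int, flags: int,
                 msg_id: int, body: bytes = b"") -> bytes:
    """Assemble a datagram with a valid header in front of an opaque body."""
    hdr = struct.pack(HEADER_FMT, spi_i, spi_r, NP_SA, IKEV2_VERSION,
                      exchange, flags, msg_id, HEADER_LEN + len(body))
    return hdr + body


class Responder:
    """Tracks half-open IKE SAs keyed by initiator SPI (hypothetical model of
    what the log calls state #138 / STATE_PARENT_R1)."""

    def __init__(self, spi_source: Callable[[int], bytes] = os.urandom):
        self._spi_source = spi_source
        # spi_i -> (our spi_r, the exact IKE_SA_INIT response we already sent)
        self._half_open: Dict[bytes, Tuple[bytes, bytes]] = {}

    def handle(self, packet: bytes) -> Tuple[str, Optional[bytes]]:
        hdr = parse_header(packet)
        # A responder only answers requests; in IKEv2 only the initiator
        # retransmits, so an incoming response here is simply dropped.
        if hdr.is_response or not hdr.from_initiator:
            return "ignored-response", None
        if hdr.exchange != IKE_SA_INIT:
            return "not-sa-init", None        # needs an established SA
        if hdr.spi_r != ZERO_SPI or hdr.msg_id != 0:
            return "malformed-sa-init", None  # SA_INIT requests carry SPIr = 0
        cached = self._half_open.get(hdr.spi_i)
        if cached is not None:
            # Same initiator SPI, zero responder SPI: a retransmit of a request
            # we already answered. Replay the identical reply; no new SA.
            return "duplicate-retransmit", cached[1]
        spi_r = self._spi_source(8)
        reply = build_packet(hdr.spi_i, spi_r, IKE_SA_INIT, FLAG_RESPONSE, 0)
        self._half_open[hdr.spi_i] = (spi_r, reply)
        return "new-sa", reply


# Constructed sample: the initiator SPI from the thread's log, zero responder
# SPI, and a dummy 220-byte body (a real IKE_SA_INIT carries SA/KE/Nonce payloads).
SPI_I = bytes.fromhex("fee6d765ca54753b")
SAMPLE_REQUEST = build_packet(SPI_I, ZERO_SPI, IKE_SA_INIT, FLAG_INITIATOR, 0,
                              body=b"\x00" * 220)


def demo() -> list:
    """Feed the same IKE_SA_INIT request three times, as the log shows."""
    r = Responder(spi_source=lambda n: b"\x11" * n)  # fixed SPIr for repeatability
    return [r.handle(SAMPLE_REQUEST)[0] for _ in range(3)]


if __name__ == "__main__":
    print(demo())
```

The first call creates the half-open SA and the next two are classified as duplicate retransmits that replay the cached reply, which is the "duplicate IKE_INIT_I message received, retransmiting previous packet" behaviour in the libreswan log. Handing the responder its own reply, or a request with a non-zero responder SPI, is rejected without touching SA state, which is the check a receiver wants before it lets an unsolicited packet allocate anything.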


