Hi Richard,
I found the reason for this failure. The only thing from the IKE_AUTH request
that affects the computation of the AUTH value is the ID as in prf(Sk_px, IDx').
Now I somehow assumed IDx' is just the Identification Data of the IDx payload,
but it's not, IDx' is actually IDType |
Hi Richard,
from the log it looks like the ID is parsed incorrectly (you could increase the
loglevel to see the details):
09[AUD] authentication of '2001:db8:f:1::1f5c57111eaff84b7' with pre-shared key failed
The reason for this could be an alignment issue in the parser that has been
fixed in
] non-zero reserved fields in IKE_AUTH response.
Hi Richard
If we change the reserved fields to zero for the same given test-case
it works fine.
Would it then be a parse issue?
It could be (the zeroed fields then not affecting the result). It would
really help if you could add enc 3 to charondebug in ipsec.conf and
rerun the failing test. That
-zero reserved fields in IKE_AUTH response.
If we change the reserved fields to zero for the same given test
Hi Richard,
The trace file is below.
Thanks, but the file seems to be incomplete (e.g. no chunk contents are
listed, IKE_AUTH is never mentioned etc.).
Regards,
Tobias