oad (39:ISAKMP_NEXT_v2AUTH)
Oct 8 11:04:08.128688: | *emit IKEv2 Authentication Payload:
Oct 8 11:04:08.128694: |auth method: IKEv2_AUTH_RSA (0x1)
Oct 8 11:04:08.128697: | next payload type: saving payload location 'IKEv2 Authentication Payload'.'next payload type'
Oct 8 11:04:08.128818: | private key for cert ipsechost1 not found in local cache; loading from NSS DB
Oct 8 11:04:08.132511: | emitting 256 raw bytes of rsa signature into IKEv2 Authentication Payload
Oct 8 11:04:08.132565: | emitting length of IKEv2 Authentication Payload: 264
Oct 8 11:04:08.132619: | next payload type: previous 'IKEv2 Authentication Payload'.'next payload type' matches 'IKEv2 Security Association Payload' (33:ISAKMP_NEXT_v2SA)
Oct 8 11:04:08.132835: |IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
Oct 8 11:04:08.132852: |IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
Oct 8 11:04:08.132980: |IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
Oct 8 11:04:08.132997: |IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
Oct 8 11:04:08.133097: |IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2)
Oct 8 11:04:08.133277: |exchange type: ISAKMP_v2_AUTH (0x23)
Oct 8 11:04:08.133515: | out calculated auth:
Oct 8 11:04:08.133542: |exchange type: ISAKMP_v2_AUTH (0x23)
Oct 8 11:04:08.133773: | out calculated auth:
Oct 8 11:04:08.133800: |exchange type: ISAKMP_v2_AUTH (0x23)
Oct 8 11:04:08.134027: | out calculated auth:
Oct 8 11:04:08.134054: |exchange type: ISAKMP_v2_AUTH (0x23)
Oct 8 11:04:08.134226: | out calculated auth:
Oct 8 11:04:08.134267: | established-authenticated-ike states: 0
Oct 8 11:04:08.134272: | authenticated-ipsec states: 0
Oct 8 11:04:08.166428: |exchange type: ISAKMP_v2_AUTH (0x23)
Oct 8 11:04:08.166439: | processing version=2.0 packet with exchange type=ISAKMP_v2_AUTH (35)
Oct 8 11:04:08.166441: | I am receiving an IKEv2 Response ISAKMP_v2_AUTH
Oct 8 11:04:08.166456: | v2 state object #2 found, in STATE_PARENT_I2
Oct 8 11:04:08.166459: | found state #2
Oct 8 11:04:08.166489: | Unpacking clear payload for svm: Initiator: process INVALID_SYNTAX AUTH notification
Oct 8 11:04:08.166654: | calculated auth: 4a b3 f9 8a 22 3d 39 7d c6 16 5c 1a
Oct 8 11:04:08.166656: | provided auth: 4a b3 f9 8a 22 3d 39 7d c6 16 5c 1a
Oct 8 11:04:08.166659: | authenticator matched
Oct 8 11:04:08.166671: | #2 ikev2 ISAKMP_v2_AUTH decrypt success
Oct 8 11:04:08.166691: |Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
Oct 8 11:04:08.166696: | selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification
Oct 8 11:04:08.166701: | calling processor Initiator: process AUTHENTICATION_FAILED AUTH notification
Oct 8 11:04:08.166706: "private#0.0.0.0/0"[1] ...13.57.200.87 #2: IKE SA authentication request rejected: AUTHENTICATION_FAILED
Oct 8 11:04:08.166830: | v2 state object #1 found, in STATE_PARENT_I2
Oct 8 11:04:08.166836: | found state #1
Oct 8 11:04:08.166854: | no useful state microcode entry found
Oct 8 11:04:08.166976: | out calculated auth:
Oct 8 11:04:09.025208: | parent_init v2 state object not found
Oct 8 11:04:09.025506: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private#0.0.0.0/0)
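Added example, not from the thread or from libreswan: a small Python reducer for plutodebug output of the kind pasted above. It rejoins lines the mail client wrapped, then pulls out the facts that decide an IKE_AUTH outcome: the auth method we offered, the state objects and their states, whether the SK payload's integrity check and decryption succeeded, which IKEv2 notifies came back, and which connection-level lines reported a rejection. The line formats are taken from the log in this thread; the continuation rule (a line without a pluto timestamp belongs to the previous record) and the one-line verdict wording are this example's own assumptions, based on RFC 7296 semantics rather than on any pluto message. The point it makes explicit: in the log above "authenticator matched" and "decrypt success" precede the AUTHENTICATION_FAILED notify, so IKE_SA_INIT keying is agreed and the peer is rejecting our ID/signature/certificate, not our crypto.

```python
import re
from typing import Dict, List, Tuple

# Sample copied from the debug log posted in this thread (trimmed). It is
# still wrapped at 80 columns the way the mail client wrapped it, which is
# the form this parser has to cope with.
SAMPLE_LOG = """\
Oct 8 11:04:08.128688: | *emit IKEv2 Authentication Payload:
Oct 8 11:04:08.128694: |auth method: IKEv2_AUTH_RSA (0x1)
Oct 8 11:04:08.128818: | private key for cert ipsechost1 not found in
local cache; loading from NSS DB
Oct 8 11:04:08.166456: | v2 state object #2 found, in STATE_PARENT_I2
Oct 8 11:04:08.166659: | authenticator matched
Oct 8 11:04:08.166671: | #2 ikev2 ISAKMP_v2_AUTH decrypt success
Oct 8 11:04:08.166691: |Notify Message Type: v2N_AUTHENTICATION_FAILED
(0x18)
Oct 8 11:04:08.166706: "private#0.0.0.0/0"[1] ...13.57.200.87 #2: IKE SA
authentication request rejected: AUTHENTICATION_FAILED
Oct 8 11:04:08.166830: | v2 state object #1 found, in STATE_PARENT_I2
"""

# Pluto prefixes every line with "Mon DD HH:MM:SS.usec: "; debug lines then
# start with "|", connection-level lines with the quoted connection name.
_TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} (\d\d:\d\d:\d\d\.\d+): ?(.*)$")
_AUTH_METHOD = re.compile(r"auth method: (IKEv2_AUTH_\w+) \(0x[0-9a-f]+\)")
_NOTIFY = re.compile(r"Notify Message Type: (v2N_\w+) \(0x[0-9a-f]+\)")
_STATE = re.compile(r"v2 state object #(\d+) found, in (STATE_\w+)")
_DECRYPT = re.compile(r"#(\d+) ikev2 ISAKMP_v2_\w+ decrypt success")
_CONN = re.compile(r'^"([^"]+)"(?:\[\d+\])? \.\.\.([0-9A-Fa-f.:]+) #(\d+): (.*)$')
_REJECT = re.compile(r"rejected: ([A-Z_]+)$")


def unwrap(text: str) -> List[Tuple[str, str]]:
    """Rejoin log lines wrapped by the mail client.

    Assumption: a line that does not start with a pluto timestamp is the
    continuation of the previous record. Returns (time, rest) pairs.
    """
    records: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = _TS.match(line)
        if m:
            records.append((m.group(1), m.group(2)))
        elif records:
            t, rest = records[-1]
            records[-1] = (t, rest + " " + line.strip())
        # a continuation with nothing to continue is dropped (truncated paste)
    return records


def verdict(s: Dict[str, object]) -> str:
    """One-line reading of the summary; wording is this example's own."""
    if "v2N_AUTHENTICATION_FAILED" in s["notifies"]:
        if s["integrity_ok"] and s["decrypted"]:
            return ("keys-agreed-auth-rejected: SK payload verified and decrypted, "
                    "so IKE_SA_INIT keying is fine; the peer rejected our AUTH "
                    "payload, so check the ID and certificate it expects from us")
        return ("unprotected-auth-failed: AUTHENTICATION_FAILED arrived without a "
                "verified SK payload; RFC 7296 treats unprotected error notifies "
                "as unauthenticated hints, so do not act on it alone")
    if s["rejections"]:
        return "rejected: " + ", ".join(r[3] for r in s["rejections"])
    return "no rejection seen"


def summarize(text: str) -> Dict[str, object]:
    """Reduce a pluto IKEv2 debug log to the facts that decide the outcome."""
    auth_methods: List[str] = []
    notifies: List[str] = []
    states: Dict[int, str] = {}
    decrypted: List[int] = []
    rejections: List[Tuple[str, str, int, str]] = []
    integrity_ok = False

    for _time, rest in unwrap(text):
        if rest.startswith("|"):  # debug line
            body = rest[1:].strip()
            m = _AUTH_METHOD.search(body)
            if m:
                auth_methods.append(m.group(1))
            m = _NOTIFY.search(body)
            if m:
                notifies.append(m.group(1))
            m = _STATE.search(body)
            if m:
                states[int(m.group(1))] = m.group(2)
            m = _DECRYPT.search(body)
            if m:
                decrypted.append(int(m.group(1)))
            if body == "authenticator matched":
                integrity_ok = True
        else:  # connection-level line: "conn"[inst] ...peer #sa: message
            m = _CONN.match(rest)
            if m:
                r = _REJECT.search(m.group(4))
                if r:
                    rejections.append((m.group(1), m.group(2), int(m.group(3)), r.group(1)))

    summary: Dict[str, object] = {
        "auth_methods": auth_methods,
        "notifies": notifies,
        "states": states,
        "decrypted": decrypted,
        "rejections": rejections,
        "integrity_ok": integrity_ok,
    }
    summary["verdict"] = verdict(summary)
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the full plutodebug capture rather than the trimmed sample and it reports every state object seen; if the rejection shows up without a preceding "authenticator matched" for that exchange, treat the notify as a hint rather than proof, since an unprotected AUTHENTICATION_FAILED can be injected by anyone on the path.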
On Mon, Oct 8, 2018 at 12:10 AM Nick Howitt wrote:
> A bit of a sideways jump, but have you done the AWS set up for elastic
> IP's -
> https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
>
> Nick
>
> On 08/10/2018 01:12, rayv33n wrote:
>
>
> Yes, sir. That actually helps me understand and confirm a few things. My
> lab setup has two hosts. Each host is in a different network routed through
> a firewall with no NAT. They work perfectly, creating SAs and having no
> problems. But when ipsechost01 tries to talk to the AWS instances, check out
> ipsechost01 to Thor (AWS), which is AWS NAT, with ipsechost behind a
> firewall, also NAT.
>
> Feel free to give me example configs or anything else you want me to try;
> this is all lab stuff and I have time, so I can be your lab monkey.
>
> *This is ipsechost01 and ejbca working in OE action*
> 000 #1: "private#0.0.0.0/0"[1] ...192.168.57.3:500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_v2_SA_REPLACE_IF_USED_IKE in 3328s; newest ISAKMP; idle;
> 000 #2: "private#0.0.0.0/0"[1] ...192.168.57.3:500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_v2_SA_REPLACE_IF_USED in 28528s; newest IPSEC; eroute owner; isakmp#1; idle;
> 000 #2: "private#0.0.0.0/0"[1] ...192.168.57.3 esp.84f01efa@192.168.57.3 esp.67e30a4c@192.168.56.109 tun.0@192.168.57.3 tun.0@192.168.56.109 ref=0 refhim=0 Traffic: ESPin=84B ESPout=84B! ESPmax=0B
> 000
> logs from ejbca with ipsechost01 as source of connection
> Oct 7 17:02:27.658858: | returning