[strongSwan] Signature verification failed
Hi, Thanks for your reply. I am trying to establish SA between two machines of which one is QNX machine and the other is Linux machine. I am able to transmit the IKE_SA_INIT request and response messages from one machine to another but when IKE_AUTH request is received by any of the machine it says that the signature verification failed. Here are the logs of IKE_AUTH request message sent from QNX machine to linux machine:- IKE_AUTH request message sent by QNX machine:- (gdb) x/208b data.ptr 0x808c7c0: 0x670x410xc80xe90xb40x1f0x510x61 0x808c7c8: 0x8c0x410xa50x410x490xa00x5b0x21 0x808c7d0: 0x2e0x200x230x080x000x000x000x01 0x808c7d8: 0x000x000x000xdc0x230x000x000xc0 0x808c7e0: 0x9f0x800xd50x480x140x850x2a0xe0 0x808c7e8: 0x210x5b0x300x680xd30xf10xe60xff 0x808c7f0: 0xa40x410xfa0x030x530x6c0x9a0xe9 0x808c7f8: 0x550xce0x4b0x320x890x040x270xc3 0x808c800: 0x270x080x1d0xf50x880x2b0x600xd1 0x808c808: 0xc70x740xe60x4e0x130x470x060xf7 0x808c810: 0xdf0xfe0xb80x850xc10x300x650x91 0x808c818: 0x3e0xef0x120xce0xda0x070x7d0xd6 0x808c820: 0x1a0x9c0xfe0x280x840x420xa80x43 0x808c828: 0xd10x900x090xbe0x2d0xf30x610x8a 0x808c830: 0x3c0xf50xa70x450x450x390x010x1b 0x808c838: 0x800x110xd50x7b0xad0x5c0x090xef 0x808c840: 0xd10x070xab0x330x450xd80xeb0x9c 0x808c848: 0xe10xb30xc00xe80x830xb10x010x1f 0x808c850: 0x870xec0xe80x190xeb0xec0xa30xf1 0x808c858: 0x780x570xa70x1b0xfb0x0b0xba0x2b 0x808c860: 0xce0x0c0xb40x630xd60xc00x460xa8 0x808c868: 0x890x060xec0x160x8a0xf50x160x2c 0x808c870: 0xf40xeb0xb10xa00x640x070xc60x9b 0x808c878: 0x290x240x230xe80x350xcf0xca0x79 0x808c880: 0xd50x5a0x2f0x7e0x7d0x240x8d0x7b 0x808c888: 0x080x560x0f0xf80x590x990xe60xfc signature sent from QNX machine to the linux machine in the IKE_AUTH message:- (gdb) x/12b signature.ptr 0x808c890: 0xe70x530xd30x870x8b0x160xe20xda 0x808c898: 0x650x230xe30x45 Here's the log on the Linux machine of the IKE_AUTH request received from QNX machine:- Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] received IPv4 packet = 252 bytes @ 0xb5553e04 Sep 3 00:00:21 ggn-pg-001 charon: 07[NET]0: 45 00 00 FC 0B 1C 00 00 40 11 B6 62 0A 76 D1 BA e...@..b.v.. Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 16: 0A 76 D1 CC 11 94 11 94 00 E8 63 47 00 00 00 00 .vcG Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 32: 67 41 C8 E9 B4 1F 51 61 8C 41 A5 41 49 A0 5B 21 gAQa.A.AI.[! Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 48: 2E 20 23 08 00 00 00 01 00 00 00 DC 23 00 00 C0 . #.#... Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 64: 9F 80 D5 48 14 85 2A E0 21 5B 30 68 D3 F1 E6 FF ...H..*.![0h Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 80: A4 41 FA 03 53 6C 9A E9 55 CE 4B 32 89 04 27 C3 .A..Sl..U.K2..'. Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 96: 27 08 1D F5 88 2B 60 D1 C7 74 E6 4E 13 47 06 F7 '+`..t.N.G.. Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 112: DF FE B8 85 C1 30 65 91 3E EF 12 CE DA 07 7D D6 .0e..}. Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 128: 1A 9C FE 28 84 42 A8 43 D1 90 09 BE 2D F3 61 8A ...(.B.C-.a. Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 144: 3C F5 A7 45 45 39 01 1B 80 11 D5 7B AD 5C 09 EF ..EE9.{.\.. Sep 3 00:00:23 ggn-pg-001 charon: 07[NET] 160: D1 07 AB 33 45 D8 EB 9C E1 B3 C0 E8 83 B1 01 1F ...3E... Sep 3 00:00:23 ggn-pg-001 charon: 07[NET] 176: 87 EC E8 19 EB EC A3 F1 78 57 A7 1B FB 0B BA 2B xW.+ Sep 3 00:00:23 ggn-pg-001 charon: 07[NET] 192: CE 0C B4 63 D6 C0 46 A8 89 06 EC 16 8A F5 16 2C ...c..F, Sep 3 00:00:23 ggn-pg-001 charon: 07[NET] 208: F4 EB B1 A0 64 07 C6 9B 29 24 23 E8 35 CF CA 79 d...)$#.5..y Sep 3 00:00:23 ggn-pg-001 charon: 07[NET] 224: D5 5A 2F 7E 7D 24 8D 7B 08 56 0F F8 59 99 E6 FC .Z/~}$.{.V..Y... Sep 3 00:00:23 ggn-pg-001 charon: 07[NET] 240: E7 53 D3 87 8B 16 E2 DA 65 23 E3 45 .S..e#.E Sep 3 00:00:23 ggn-pg-001 charon: 07[NET] received packet: from 10.118.209.186[4500] to 10.118.209.204[4500] Sep 3 00:00:23 ggn-pg-001 charon: 07[NET] waiting for data on raw sockets Sep 3
Re: [strongSwan] Signature verification failed
Hi, I just got the solution of my problem. Its actually the problem of endianness as the endianness is not getting set in the sha1_hasher.c and also the code on qnx is compiled using armbe which is big endian. So I just set the BIG_ENDIAN in the sha1_hasher.c and finally the authentication is successful. But now I am getting a new error, as soon as the CHILD_SA is created the linux machine sends a delete request for the CHILD_SA to the qnx machine. I don't know why this is happening. My ikeliftime, keylife and rekeymargin are all in hours so how could this happen. Can you tell me or give a possible condition because of which this is happening and ofcourse if possible a solution also? Thanks Regards, Vivek On 9/3/09, vivek bairathi bairathi.vi...@gmail.com wrote: Hi, Thanks for your reply. I am trying to establish SA between two machines of which one is QNX machine and the other is Linux machine. I am able to transmit the IKE_SA_INIT request and response messages from one machine to another but when IKE_AUTH request is received by any of the machine it says that the signature verification failed. Here are the logs of IKE_AUTH request message sent from QNX machine to linux machine:- IKE_AUTH request message sent by QNX machine:- (gdb) x/208b data.ptr 0x808c7c0: 0x670x410xc80xe90xb40x1f0x51 0x61 0x808c7c8: 0x8c0x410xa50x410x490xa00x5b 0x21 0x808c7d0: 0x2e0x200x230x080x000x000x00 0x01 0x808c7d8: 0x000x000x000xdc0x230x000x00 0xc0 0x808c7e0: 0x9f0x800xd50x480x140x850x2a 0xe0 0x808c7e8: 0x210x5b0x300x680xd30xf10xe6 0xff 0x808c7f0: 0xa40x410xfa0x030x530x6c0x9a 0xe9 0x808c7f8: 0x550xce0x4b0x320x890x040x27 0xc3 0x808c800: 0x270x080x1d0xf50x880x2b0x60 0xd1 0x808c808: 0xc70x740xe60x4e0x130x470x06 0xf7 0x808c810: 0xdf0xfe0xb80x850xc10x300x65 0x91 0x808c818: 0x3e0xef0x120xce0xda0x070x7d 0xd6 0x808c820: 0x1a0x9c0xfe0x280x840x420xa8 0x43 0x808c828: 0xd10x900x090xbe0x2d0xf30x61 0x8a 0x808c830: 0x3c0xf50xa70x450x450x390x01 0x1b 0x808c838: 0x800x110xd50x7b0xad0x5c0x09 0xef 0x808c840: 0xd10x070xab0x330x450xd80xeb 0x9c 0x808c848: 0xe10xb30xc00xe80x830xb10x01 0x1f 0x808c850: 0x870xec0xe80x190xeb0xec0xa3 0xf1 0x808c858: 0x780x570xa70x1b0xfb0x0b0xba 0x2b 0x808c860: 0xce0x0c0xb40x630xd60xc00x46 0xa8 0x808c868: 0x890x060xec0x160x8a0xf50x16 0x2c 0x808c870: 0xf40xeb0xb10xa00x640x070xc6 0x9b 0x808c878: 0x290x240x230xe80x350xcf0xca 0x79 0x808c880: 0xd50x5a0x2f0x7e0x7d0x240x8d 0x7b 0x808c888: 0x080x560x0f0xf80x590x990xe6 0xfc signature sent from QNX machine to the linux machine in the IKE_AUTH message:- (gdb) x/12b signature.ptr 0x808c890: 0xe70x530xd30x870x8b0x160xe2 0xda 0x808c898: 0x650x230xe30x45 Here's the log on the Linux machine of the IKE_AUTH request received from QNX machine:- Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] received IPv4 packet = 252 bytes @ 0xb5553e04 Sep 3 00:00:21 ggn-pg-001 charon: 07[NET]0: 45 00 00 FC 0B 1C 00 00 40 11 B6 62 0A 76 D1 BA e...@..b.v.. Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 16: 0A 76 D1 CC 11 94 11 94 00 E8 63 47 00 00 00 00 .vcG Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 32: 67 41 C8 E9 B4 1F 51 61 8C 41 A5 41 49 A0 5B 21 gAQa.A.AI.[! Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 48: 2E 20 23 08 00 00 00 01 00 00 00 DC 23 00 00 C0 . #.#... Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 64: 9F 80 D5 48 14 85 2A E0 21 5B 30 68 D3 F1 E6 FF ...H..*.![0h Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 80: A4 41 FA 03 53 6C 9A E9 55 CE 4B 32 89 04 27 C3 .A..Sl..U.K2..'. Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 96: 27 08 1D F5 88 2B 60 D1 C7 74 E6 4E 13 47 06 F7 '+`..t.N.G.. Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 112: DF FE B8 85 C1 30 65 91 3E EF 12 CE DA 07 7D D6 .0e..}. Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 128: 1A 9C FE 28 84 42 A8 43 D1 90 09 BE 2D F3 61 8A ...(.B.C-.a. Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] 144: 3C F5 A7 45 45 39 01 1B 80 11 D5 7B AD 5C 09 EF ..EE9.{.\.. Sep 3 00:00:23 ggn-pg-001 charon: 07[NET] 160: D1 07 AB 33 45 D8 EB 9C E1 B3 C0 E8 83 B1 01 1F
Re: [strongSwan] Signature verification failed
Hi Vivek, could you send a log file generated with the options charondebug=chd 2, knl2 on the linux machine so the reason for the delete becomes apparent. Regards Andreas vivek bairathi wrote: Hi, I just got the solution of my problem. Its actually the problem of endianness as the endianness is not getting set in the sha1_hasher.c and also the code on qnx is compiled using armbe which is big endian. So I just set the BIG_ENDIAN in the sha1_hasher.c and finally the authentication is successful. But now I am getting a new error, as soon as the CHILD_SA is created the linux machine sends a delete request for the CHILD_SA to the qnx machine. I don't know why this is happening. My ikeliftime, keylife and rekeymargin are all in hours so how could this happen. Can you tell me or give a possible condition because of which this is happening and ofcourse if possible a solution also? Thanks Regards, Vivek == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]== smime.p7s Description: S/MIME Cryptographic Signature ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users