Hello all,

Please point me to a troubleshooting guide if you feel it would help my 
debugging.

I'm attempting to get a tunnel using IKEv2 and x509 certs established between a 
linux system with pluto 3.15 and an embedded system using vxWorks 6.5.  I have 
the certificates incorporated in the NSS database and am having issues getting 
to phase2.

It looks like Phase 1 successfully negotiates crypto routines but doesn't seem 
to get through authentication.  Here are relevant lines from /var/log/secure:
Feb 27 11:32:57 Linux69 pluto[26056]: "target" #1: initiating v2 parent SA
Feb 27 11:32:57 Linux69 pluto[26056]: "target" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Feb 27 11:32:57 Linux69 pluto[26056]: | Sending [CERT] of certificate: <Cert FQN Redacted>
Feb 27 11:32:57 Linux69 pluto[26056]: "target" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha group=MODP2048}
Feb 27 11:32:58 Linux69 pluto[26056]: "target" #2: missing payload(s) (ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2IDr+ISAKMP_NEXT_v2AUTH+ISAKMP_NEXT_v2TSi+ISAKMP_NEXT_v2TSr). Message dropped.
Feb 27 11:32:58 Linux69 pluto[26056]: packet from 172.23.129.50:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 172.23.129.50:500
Feb 27 11:32:58 Linux69 pluto[26056]: packet from 172.23.129.50:500: sending unencrypted notification v2N_INVALID_MESSAGE_ID to 172.23.129.50:500
...

The vxWorks system is reporting the following in SYSLOG:
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: New exchange started (IKE_SA_INIT with message ID: 0)
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_SA_INIT, #1(4), ID 0
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Info: selected 'aes' as encryption algorithm
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Info: selected '128' as key length
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Info: selected 'sha1' as hash algorithm
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Info: selected 'sha1' as integrity algorithm
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Info: selected 'modp2048' as DH group description
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Sending message 172.22.103.146[500], (IKE_SA_INIT), #2(4), ID 0
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_SA_INIT, #3(4), ID 0
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Message 172.22.103.146[500] already processed, (IKE_SA_INIT), #2(4), ID 0
TUE FEB 27 16:57:19 2018: ipike[57f84540]: Notice: Resending message 172.22.103.146[500], (IKE_AUTH), #2(4), ID 0, 1(5)
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_AUTH, #3(4), ID 1
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: the payloads extends beyond the end of the ISAKMP package
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Warning: ISAKMP message dropped, error code 20
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_AUTH, #3(4), ID 1
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: payload check failed since 53 is an unsupported payload type
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Warning: ipike_policy_select_sa_param: no proposal was accepted
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: ipike_exchange_sa_init_update: Failed to create first child
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Sending message 172.22.103.146[500], (IKE_AUTH), #4(4), ID 1
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: New exchange started (IKE_AUTH with message ID: 1)
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Received message 172.22.103.146[500], IKE_AUTH, #1(4), ID 1
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Notice: Bad exchange identifier, peer probably processed resend message

Here is the config I'm using:
conn target
        type=tunnel
        fragmentation=force
        left=172.22.103.146
        leftcert=TNMS
        leftid=%cert
        leftsendcert=always
        leftsubnet=172.22.103.146/32
        leftrsasigkey=%cert
        right=172.23.129.50
        rightca=%same
        rightrsasigkey=%cert
        authby=rsasig
        auto=start
        ikev2=insist
        ike=aes128-sha1;modp2048
        phase2alg=aes128-sha1
        keyingtries=%forever
        pfs=yes
        auto=start

Any thoughts/pointers provided are appreciated.

Jonathan Sadler

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
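An added log-triage script for the two excerpts in the post above (written for this edit; it is not part of the original message, of libreswan, or of the vxWorks IKE stack). It re-joins records that the mail client wrapped at 80 columns, pulls the IKE_AUTH failure indicators out of both the pluto and the ipike side, and resolves the numeric payload type the vxWorks peer rejected against the IANA IKEv2 payload-type registry (RFC 7296 section 3.2; type 53 is the Encrypted Fragment payload, SKF, defined in RFC 7383). The sample lines are constructed from the post; the hint that ties an unsupported SKF payload to the connection's fragmentation= setting is this editor's reading of the logs and is labelled as an assumption, not something the thread states.

```python
import re

# IANA "IKEv2 Payload Types" (RFC 7296 section 3.2); 53 is SKF from RFC 7383.
IKEV2_PAYLOAD_TYPES = {
    33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
    39: "AUTH", 40: "Nonce", 41: "Notify", 42: "Delete", 43: "Vendor ID",
    44: "TSi", 45: "TSr", 46: "SK (Encrypted and Authenticated)",
    47: "CP", 48: "EAP",
    53: "SKF (Encrypted and Authenticated Fragment, RFC 7383)",
}

# Start of a new record in either syslog flavour seen in the post:
#   "Feb 27 11:32:57 Linux69 pluto[...]"  or  "TUE FEB 27 16:57:19 2018: ipike[...]"
RECORD_START = re.compile(
    r"^(?:[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d |"
    r"[A-Z]{3} [A-Z]{3} \d{1,2} \d\d:\d\d:\d\d \d{4}: )"
)

PLUTO_MISSING = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): missing payload\(s\) \((?P<list>[^)]+)\)')
PLUTO_NOTIFY = re.compile(
    r"sending unencrypted notification (?P<notify>v2N_\w+) to (?P<peer>[\d.]+:\d+)")
VX_UNSUPPORTED = re.compile(
    r"Error: payload check failed since (?P<num>\d+) is an unsupported payload type")
VX_OVERRUN = re.compile(r"Error: the payloads extends beyond the end of the ISAKMP package")


def unwrap(lines):
    """Re-join records that a mail client wrapped at ~80 columns.

    A line that does not look like the start of a record is glued onto the
    previous record with a single space."""
    records = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def payload_name(num):
    """Map an IKEv2 payload type number to its registry name."""
    return IKEV2_PAYLOAD_TYPES.get(num, "unknown/private-use")


def triage(lines):
    """Return a list of findings for the IKE_AUTH failures visible in the logs."""
    findings = []
    for rec in unwrap(lines):
        m = PLUTO_MISSING.search(rec)
        if m:
            findings.append({"side": "pluto", "issue": "missing_payloads",
                             "conn": m["conn"], "sa": int(m["sa"]),
                             "payloads": m["list"].split("+")})
            continue
        m = PLUTO_NOTIFY.search(rec)
        if m:
            findings.append({"side": "pluto", "issue": "notify",
                             "notify": m["notify"], "peer": m["peer"]})
            continue
        m = VX_UNSUPPORTED.search(rec)
        if m:
            num = int(m["num"])
            findings.append({"side": "vxworks", "issue": "unsupported_payload",
                             "type": num, "name": payload_name(num)})
            continue
        if VX_OVERRUN.search(rec):
            findings.append({"side": "vxworks", "issue": "payload_overrun"})
    return findings


def hints(findings):
    """Turn findings into plain-language leads for the operator."""
    out = []
    for f in findings:
        if f["issue"] == "unsupported_payload" and f["type"] == 53:
            # Assumption (editor's reading): a peer that rejects SKF does not
            # implement RFC 7383 IKEv2 fragmentation, so check fragmentation= on
            # the libreswan side before looking at certificates.
            out.append("peer rejects SKF (RFC 7383 fragment) payloads; "
                       "review the fragmentation= setting on the initiator")
        elif f["issue"] == "missing_payloads":
            out.append("initiator never saw a usable IKE_AUTH reply "
                       "(missing " + ", ".join(f["payloads"]) + ")")
    return out


# Constructed sample: lines from the post, still wrapped as the mail client left them.
SAMPLE = """\
Feb 27 11:32:57 Linux69 pluto[26056]: "target" #2: STATE_PARENT_I2: sent v2I2,
expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha group=MODP2048}
Feb 27 11:32:58 Linux69 pluto[26056]: "target" #2: missing payload(s)
(ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2IDr+ISAKMP_NEXT_v2AUTH+ISAKMP_NEXT_v2TSi+ISAKMP_NEXT_v2TSr).
 Message dropped.
Feb 27 11:32:58 Linux69 pluto[26056]: packet from 172.23.129.50:500: sending
unencrypted notification v2N_INVALID_MESSAGE_ID to 172.23.129.50:500
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: the payloads extends beyond
the end of the ISAKMP package
TUE FEB 27 16:57:20 2018: ipike[57f84540]: Error: payload check failed since 53
is an unsupported payload type
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
    for h in hints(triage(SAMPLE)):
        print("hint:", h)
```

Feed it the two excerpts as they arrive in the mail (no manual un-wrapping needed) and compare the payload number the embedded peer rejects against the registry table; anything at 46 or above that the peer calls unsupported points at a protocol extension the responder does not implement rather than at the certificates.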