Hi, Thanks for your reply.
I am trying to establish an SA between two machines, of which one is a QNX machine and the other is a Linux machine. I am able to transmit the IKE_SA_INIT request and response messages from one machine to the other, but when the IKE_AUTH request is received by either machine it says "signature verification failed".

Here are the logs of the IKE_AUTH request message sent from the QNX machine to the Linux machine:-

IKE_AUTH request message sent by the QNX machine:-

(gdb) x/208b data.ptr

Signature sent from the QNX machine to the Linux machine in the IKE_AUTH message:-

(gdb) x/12b signature.ptr
0x808c890: 0xe7 0x53 0xd3 0x87 0x8b 0x16 0xe2 0xda
0x808c898: 0x65 0x23 0xe3 0x45

Here's the log on the Linux machine of the IKE_AUTH request received from the QNX machine:-

Sep 3 00:00:21 ggn-pg-001 charon: 07[NET] received IPv4 packet => 252 bytes @ 0xb5553e04
Sep 3 00:00:23 ggn-pg-001 charon: 07[NET] received packet: from 10.118.209.186[4500] to 10.118.209.204[4500]
Sep 3 00:00:23 ggn-pg-001 charon: 07[NET] waiting for data on raw sockets
Sep 3 00:00:23 ggn-pg-001 charon: 09[MGR] ignoring request with ID 1, already processing
Sep 3 01:45:46 ggn-pg-001 charon: 08[ENC] signature verification failed
Sep 3 01:45:46 ggn-pg-001 charon: 08[ENC] encryption payload signature invalid
Sep 3 01:45:46 ggn-pg-001 charon: 08[ENC] could not decrypt payloads
Sep 3 01:45:46 ggn-pg-001 charon: 08[IKE] integrity check failed
Sep 3 01:45:46 ggn-pg-001 charon: 08[IKE] IKE_AUTH request with message ID 1 processing failed

As we see, the IKE_AUTH request message received is correct, but still its signature verification fails. When I went through the code I found out that it calculates the MAC of the whole IKE_AUTH message and compares it with the signature, i.e. the integrity checksum. So I was wondering why this comparison is failing. I am using PSK on both sides, which I have checked is correct. Can you help me find out, or give a hint about, what is wrong at the time of signature verification? Is there a problem of endianness?

Thanks & Regards,
Vivek
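
The check described in the post, as an added example (not strongSwan's code and not part of the original message): the integrity checksum of an IKEv2 encrypted message covers the bytes from the IKE header up to, but excluding, the trailing checksum, and is keyed with the negotiated SK_a key rather than with the PSK. HMAC-SHA1-96 is assumed from the 12-byte value in the post; the keys and packet are constructed and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12                              # 96-bit truncated MAC, as in the post's 12-byte value
NON_ESP_MARKER = b"\x00" * 4              # precedes IKE messages on UDP port 4500 (RFC 3948)
IKE_HDR = struct.Struct("!8s8sBBBBII")    # SPIi, SPIr, next, version, exchange, flags, msg ID, length


def icv(sk_a: bytes, covered: bytes) -> bytes:
    """HMAC-SHA1-96 (assumed algorithm) over IKE header .. end of ciphertext."""
    return hmac.new(sk_a, covered, hashlib.sha1).digest()[:ICV_LEN]


def check_ike_icv(udp_payload: bytes, sk_a: bytes, natt_port: bool = True):
    """Return (ok, header_fields) for one received IKEv2 message."""
    msg = udp_payload
    if natt_port:
        if msg[:4] != NON_ESP_MARKER:
            raise ValueError("missing non-ESP marker")
        msg = msg[4:]                     # the marker is not part of the IKE message
    if len(msg) < IKE_HDR.size + 4 + ICV_LEN:
        raise ValueError("message too short")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("header length %d != received %d" % (length, len(msg)))
    covered, received = msg[:-ICV_LEN], msg[-ICV_LEN:]
    ok = hmac.compare_digest(icv(sk_a, covered), received)   # constant-time compare
    return ok, {"exchange": exch, "msg_id": msg_id, "length": length}


def build_sample(sk_a: bytes) -> bytes:
    """Constructed IKE_AUTH request: 28-byte header, encrypted payload, ICV."""
    body = bytes(range(64))               # stand-in for IV + ciphertext
    enc_len = 4 + len(body) + ICV_LEN     # encrypted payload including its own header
    hdr = IKE_HDR.pack(b"I" * 8, b"R" * 8, 46, 0x20, 35, 0x08, 1, IKE_HDR.size + enc_len)
    enc_hdr = struct.pack("!BBH", 35, 0, enc_len)
    covered = hdr + enc_hdr + body
    return NON_ESP_MARKER + covered + icv(sk_a, covered)


SK_AI_SENDER = bytes.fromhex("11" * 20)   # constructed key, not from the post
SK_AI_OTHER = bytes.fromhex("22" * 20)    # constructed key of a peer that derived a different SK_a
PACKET = build_sample(SK_AI_SENDER)

if __name__ == "__main__":
    print(check_ike_icv(PACKET, SK_AI_SENDER))   # same key: checksum verifies
    print(check_ike_icv(PACKET, SK_AI_OTHER))    # identical bytes, other key: fails
```

SK_a is derived from the Diffie-Hellman shared secret and the nonces exchanged in IKE_SA_INIT, so two peers can hold byte-identical packets and still compute different checksums.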