Hi Daniel,

Thanks very much. ^______^

We are doing a test with others, so we do not know what kind of security gateway they are using. But I could give you the logs.

I am curious why the third proposal in the IKE_SA_INIT message (in the attached wireshark log) has up to 21 Transform Payloads. Their security gateway could only accept at most 16 Transform Payloads. Even if I specify ike=aes-sha1 and esp=aes-sha1, the IKE_SA_INIT message still contains up to 21 Transform Payloads.

Attached please find the client wireshark log and the security gateway log. ipsec.pcap is the client wireshark log. ipsec_failed.txt is the security gateway log. In ipsec_failed.txt, the security gateway received up to 21 Transform Payloads from the client.
--- On 09/11/12 (Thu), Daniel Mentz <[email protected]> wrote:

From: Daniel Mentz <[email protected]>
Subject: Re: [strongSwan] When will UNKNOWN -INTEGRITY-ALG occur in IKE_SA_INIT message?
To: "Jessie Liu" <[email protected]>
Cc: [email protected]
Date: Thursday, November 12, 2009, 8:58 PM

I guess that wireshark is not up to date. Integrity Algorithm no 12 is defined in RFC4868 as AUTH_HMAC_SHA2_256_128. The RFC was published in May 2007. I guess this Integrity Algorithm is unknown to wireshark. That's why it displays "UNKNOWN-INTEGRITY-ALG".

What kind of security gateway are you using? Do you have any log files?

Jessie Liu wrote:
> Hi all,
> I got the problem that the client sends an IKE_SA_INIT message to the security gateway, but the security gateway did not respond.
> So I captured the message using ethereal and found that UNKNOWN -INTEGRITY-ALG occurred in the IKE_SA_INIT message. Even if I specify the encryption and integrity algorithm in ipsec.conf by using ike=aes_cbc-hmac_sha1_96, UNKNOWN -INTEGRITY-ALG still appeared in the IKE_SA_INIT message. And is this the root cause that the security gateway did not respond? And how to remove this?
> Attached please find the ethereal file.
INBOUND>>>>> 05:32:32:433 Eventid:122901(3)
IKEv2 Rx PDU, from 124.219.31.188:500 to 203.81.29.91:500 (660)
+ IKE Header Processed-Dump, HBO (Length: 28 (0x1C) bytes)
Initiator SPI (U64): 0x538B5DDC026C3405
Responder SPI (U64): 0x0000000000000000
Next Payload (U08): SA/33 (0x21)
Major Version (U04): 2
Minor Version (U04): 0
XCHG Type (U08): IKE_SA_INIT/34 (0x22)
Reserved (U03): 0
Initiator Flag (U01): Initiator/1 (0x01)
Version Flag (U01): 0
Response Flag (U01): 0
Reserved (U02): 0
MSGID (U32): 0
Length (U32): 660 (0x294) bytes
- IKE Header Raw-Dump, NBO (Length: 28 (0x1C) bytes)
[ 0] 53 8B 5D DC 02 6C 34 05 00 00 00 00 00 00 00 00
[ 16] 21 20 22 08 00 00 00 00 00 00 02 94
+ SA Payload Processed-Dump, HBO (Length: 276 (0x114) bytes)
Next Payload (U08): KE/34 (0x22)
Critical (U01): 0
Reserved (U07): 0
Payload Length (U16): 276 (0x114) bytes
Proposal Substructure:
Last (U08): No/2 (0x02)
Reserved (U08): 0
Proposal Length (U16): 44 (0x2C) bytes
Proposal Number (U08): 1
Protocol ID (U08): IKE/1 (0x01)
SPI Size (U08): 0 (0x0) bytes
Number of Transforms (U08): 4
Transform Header #1
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 12 (0xC) bytes
Transform Type (U08): ENCR/1 (0x01)
Reserved (U08): 0
Transform ID (U16): ENCR_AES_CBC/12 (0x000C)
Attribute
Attribute AF (U01): 1
Attribute Type (U15): IKEV2_TS_ATTRIBUTE_TYPE_KEY_LENGTH/14 (0x0E)
Attribute Value (U16): 128 (0x0080)
Transform Header #2
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): INTEG/3 (0x03)
Reserved (U08): 0
Transform ID (U16): AUTH_HMAC_SHA1_96/2 (0x0002)
Transform Header #3
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): PRF/2 (0x02)
Reserved (U08): 0
Transform ID (U16): PRF_HMAC_SHA1/2 (0x0002)
Transform Header #4
Last (U08): Yes/0 (0x00)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): DHGROUP/4 (0x04)
Reserved (U08): 0
Transform ID (U16): DHGROUP_14/14 (0x000E)
Proposal Substructure:
Last (U08): No/2 (0x02)
Reserved (U08): 0
Proposal Length (U16): 40 (0x28) bytes
Proposal Number (U08): 2
Protocol ID (U08): IKE/1 (0x01)
SPI Size (U08): 0 (0x0) bytes
Number of Transforms (U08): 4
Transform Header #1
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): ENCR/1 (0x01)
Reserved (U08): 0
Transform ID (U16): ENCR_3DES/3 (0x0003)
Transform Header #2
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): INTEG/3 (0x03)
Reserved (U08): 0
Transform ID (U16): AUTH_HMAC_SHA1_96/2 (0x0002)
Transform Header #3
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): PRF/2 (0x02)
Reserved (U08): 0
Transform ID (U16): PRF_HMAC_SHA1/2 (0x0002)
Transform Header #4
Last (U08): Yes/0 (0x00)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): DHGROUP/4 (0x04)
Reserved (U08): 0
Transform ID (U16): DHGROUP_5/5 (0x0005)
Proposal Substructure:
Last (U08): Yes/0 (0x00)
Reserved (U08): 0
Proposal Length (U16): 188 (0xBC) bytes
Proposal Number (U08): 3
Protocol ID (U08): IKE/1 (0x01)
SPI Size (U08): 0 (0x0) bytes
Number of Transforms (U08): 21
Transform Header #1
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 12 (0xC) bytes
Transform Type (U08): ENCR/1 (0x01)
Reserved (U08): 0
Transform ID (U16): ENCR_AES_CBC/12 (0x000C)
Attribute
Attribute AF (U01): 1
Attribute Type (U15): IKEV2_TS_ATTRIBUTE_TYPE_KEY_LENGTH/14 (0x0E)
Attribute Value (U16): 128 (0x0080)
Transform Header #2
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 12 (0xC) bytes
Transform Type (U08): ENCR/1 (0x01)
Reserved (U08): 0
Transform ID (U16): ENCR_AES_CBC/12 (0x000C)
Attribute
Attribute AF (U01): 1
Attribute Type (U15): IKEV2_TS_ATTRIBUTE_TYPE_KEY_LENGTH/14 (0x0E)
Attribute Value (U16): 192 (0x00C0)
Transform Header #3
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 12 (0xC) bytes
Transform Type (U08): ENCR/1 (0x01)
Reserved (U08): 0
Transform ID (U16): ENCR_AES_CBC/12 (0x000C)
Attribute
Attribute AF (U01): 1
Attribute Type (U15): IKEV2_TS_ATTRIBUTE_TYPE_KEY_LENGTH/14 (0x0E)
Attribute Value (U16): 256 (0x0100)
Transform Header #4
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): ENCR/1 (0x01)
Reserved (U08): 0
Transform ID (U16): ENCR_3DES/3 (0x0003)
Transform Header #5
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): INTEG/3 (0x03)
Reserved (U08): 0
Transform ID (U16): AUTH_HMAC_SHA1_96/2 (0x0002)
Transform Header #6
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): INTEG/3 (0x03)
Reserved (U08): 0
Transform ID (U16): UNKNOWN/12 (0x000C)
Transform Header #7
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): INTEG/3 (0x03)
Reserved (U08): 0
Transform ID (U16): AUTH_HMAC_MD5_96/1 (0x0001)
Transform Header #8
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): INTEG/3 (0x03)
Reserved (U08): 0
Transform ID (U16): UNKNOWN/13 (0x000D)
Transform Header #9
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): INTEG/3 (0x03)
Reserved (U08): 0
Transform ID (U16): UNKNOWN/14 (0x000E)
Transform Header #10
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): INTEG/3 (0x03)
Reserved (U08): 0
Transform ID (U16): AUTH_AES_XCBC_96/5 (0x0005)
Transform Header #11
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): PRF/2 (0x02)
Reserved (U08): 0
Transform ID (U16): UNKNOWN/5 (0x0005)
Transform Header #12
Last (U08): No/3 (0x03)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): PRF/2 (0x02)
Reserved (U08): 0
Transform ID (U16): PRF_HMAC_SHA1/2 (0x0002)
Transform Head
- SA Payload Raw-Dump, NBO (Length: 276 (0x114) bytes)
[ 0] 22 00 01 14 02 00 00 2C 01 01 00 04 03 00 00 0C
[ 16] 01 00 00 0C 80 0E 00 80 03 00 00 08 03 00 00 02
[ 32] 03 00 00 08 02 00 00 02 00 00 00 08 04 00 00 0E
[ 48] 02 00 00 28 02 01 00 04 03 00 00 08 01 00 00 03
[ 64] 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02
[ 80] 00 00 00 08 04 00 00 05 00 00 00 BC 03 01 00 15
[ 96] 03 00 00 0C 01 00 00 0C 80 0E 00 80 03 00 00 0C
[ 112] 01 00 00 0C 80 0E 00 C0 03 00 00 0C 01 00 00 0C
[ 128] 80 0E 01 00 03 00 00 08 01 00 00 03 03 00 00 08
[ 144] 03 00 00 02 03 00 00 08 03 00 00 0C 03 00 00 08
[ 160] 03 00 00 01 03 00 00 08 03 00 00 0D 03 00 00 08
[ 176] 03 00 00 0E 03 00 00 08 03 00 00 05 03 00 00 08
[ 192] 02 00 00 05 03 00 00 08 02 00 00 02 03 00 00 08
[ 208] 02 00 00 01 03 00 00 08 02 00 00 06 03 00 00 08
[ 224] 02 00 00 07 03 00 00 08 02 00 00 04 03 00 00 08
[ 240] 04 00 00 0E 03 00 00 08 04 00 00 05 03 00 00 08
[ 256] 04 00 00 10 03 00 00 08 04 00 00 12 00 00 00 08
[ 272] 04 00 00 02
+ KE Payload Processed-Dump, HBO (Length: 264 (0x108) bytes)
Next Payload (U08): NONCE/40 (0x28)
Critical (U01): 0
Reserved (U07): 0
Payload Length (U16): 264 (0x108) bytes
DH Group (U16): DHGROUP_14/14 (0x000E)
Reserved (U16): 0
- KE Payload Raw-Dump, NBO (Length: 264 (0x108) bytes)
+ NONCE Payload Processed-Dump, HBO (Length: 36 (0x24) bytes)
Next Payload (U08): NOTIFY/41 (0x29)
Critical (U01): 0
Reserved (U07): 0
Payload Length (U16): 36 (0x24) bytes
- NONCE Payload Raw-Dump, NBO (Length: 36 (0x24) bytes)
[ 0] 29 00 00 24 AC 1E 28 EB 39 4D AC B6 32 93 BF 92
[ 16] E1 F9 0E E8 23 73 8F 46 63 E6 21 3A C3 61 BA E3
[ 32] 69 52 99 03
+ NOTIFY Payload Processed-Dump, HBO (Length: 28 (0x1C) bytes)
Next Payload (U08): NOTIFY/41 (0x29)
Critical (U01): 0
Reserved (U07): 0
Payload Length (U16): 28 (0x1C) bytes
Protocol ID (U08): 0/0 (0x00)
SPI Size (U08): 0 (0x0) bytes
Notify Message Type (U16): NAT_DETECTION_SOURCE_IP/16388 (0x4004)
- NOTIFY Payload Raw-Dump, NBO (Length: 28 (0x1C) bytes)
[ 0] 29 00 00 1C 00 00 40 04 E3 03 86 F1 D6 91 69 22
[ 16] 1C 4B FF A5 72 76 4E C2 DE 47 A5 0D
+ NOTIFY Payload Processed-Dump, HBO (Length: 28 (0x1C) bytes)
Next Payload (U08): NO_NEXT_PAYLOAD/0 (0x00)
Critical (U01): 0
Reserved (U07): 0
Payload Length (U16): 28 (0x1C) bytes
Protocol ID (U08): 0/0 (0x00)
SPI Size (U08): 0 (0x0) bytes
Notify Message Type (U16): NAT_DETECTION_DESTINATION_IP/16389 (0x4005)
- NOTIFY Payload Raw-Dump, NBO (Length: 28 (0x1C) bytes)
[ 0] 00 00 00 1C 00 00 40 05 94 6B 7C 6A 18 9B D3 42
[ 16] 90 F8 79 8A 01 A1 38 8F 99 F4 CF 14
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
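
An added example, not part of the original message and not strongSwan or gateway code: Python that walks an IKEv2 SA payload, counts the transforms in each proposal against a receiver limit (16, the figure given in the message), and gives the IANA names for the transform IDs the gateway log prints as UNKNOWN. The helper names `parse_sa`, `report` and `build_sa` are hypothetical, and the sample payload is constructed to have the same shape as the three logged proposals.

```python
import struct

NAMES = {(3, 12): "AUTH_HMAC_SHA2_256_128", (3, 13): "AUTH_HMAC_SHA2_384_192",
         (3, 14): "AUTH_HMAC_SHA2_512_256", (2, 5): "PRF_HMAC_SHA2_256"}  # (type, ID), IANA

def parse_sa(payload):
    """Return [(proposal number, [(transform type, ID), ...]), ...]; raises on bad lengths."""
    length = struct.unpack_from("!H", payload, 2)[0]
    if length > len(payload):
        raise ValueError("SA payload length exceeds buffer")
    off, proposals = 4, []
    while off < length:
        _, _, plen, num, _, spi, count = struct.unpack_from("!BBHBBBB", payload, off)
        if plen < 8 + spi or off + plen > length:
            raise ValueError("bad proposal length")
        t_off, end, transforms = off + 8 + spi, off + plen, []
        while t_off < end:
            _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", payload, t_off)
            if tlen < 8 or t_off + tlen > end:
                raise ValueError("bad transform length")
            transforms.append((ttype, tid))
            t_off += tlen  # also skips attributes such as the key length
        if len(transforms) != count:
            raise ValueError("Number of Transforms field does not match contents")
        proposals.append((num, transforms))
        off = end
    return proposals

def report(payload, limit=16):  # 16: per-proposal maximum stated in the message
    """Per proposal: (number, transform count, over limit?, names for IDs logged as UNKNOWN)."""
    return [(n, len(ts), len(ts) > limit, [NAMES[t] for t in ts if t in NAMES])
            for n, ts in parse_sa(payload)]

def build_sa(proposals):
    """Encode [[(type, ID, key length or None), ...], ...] as an IKE SA payload."""
    body = b""
    for n, ts in enumerate(proposals, 1):
        enc = b"".join(struct.pack("!BBHBBH", 3 * (i < len(ts) - 1), 0, 12 if k else 8, ty, 0, tid)
                       + (struct.pack("!HH", 0x800E, k) if k else b"") for i, (ty, tid, k) in enumerate(ts))
        body += struct.pack("!BBHBBBB", 2 * (n < len(proposals)), 0, 8 + len(enc), n, 1, 0, len(ts)) + enc
    return struct.pack("!BBH", 34, 0, 4 + len(body)) + body

# Constructed input shaped like the three proposals in the gateway log
P3 = ([(1, 12, k) for k in (128, 192, 256)] + [(1, 3, None)] + [(3, i, None) for i in (2, 12, 1, 13, 14, 5)]
      + [(2, i, None) for i in (5, 2, 1, 6, 7, 4)] + [(4, i, None) for i in (14, 5, 16, 18, 2)])
SAMPLE = build_sa([[(1, 12, 128), (3, 2, None), (2, 2, None), (4, 14, None)],
                   [(1, 3, None), (3, 2, None), (2, 2, None), (4, 5, None)], P3])
if __name__ == "__main__":
    print(report(SAMPLE))
```

Only proposal 3 is reported as over the limit, and the constructed payload encodes to 276 bytes, the same SA payload length the gateway log reports.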
