Hi Thomas,
I have tried it on a Palo Alto Network FW and got the same result.
Here is the IKE_SA_INIT packet I got from the firewall. From the packet, I
can see that it is sending DH group as undefined in the Key Exchange
section. These are the logs that I see generated from strongswan charon. I have set the default log value to 3 in the filelog section of the strongswan.conf file.

charon: 07[IKE] initiating IKE_SA load-test[1] to 2.2.2.1
charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
charon: 07[NET] sending packet: from 2.2.2.20[500] to 2.2.2.1[500] (288 bytes)
charon: 11[CFG] assigning new lease to 'ext-3'
charon: 11[CFG] installed load-tester IP 2.2.2.21 on eth1
charon: 11[IKE] initiating IKE_SA load-test[2] to 2.2.2.1
charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
charon: 11[NET] sending packet: from 2.2.2.21[500] to 2.2.2.1[500] (288 bytes)
charon: 08[NET] received packet: from 2.2.2.1[500] to 2.2.2.20[500] (38 bytes)
charon: 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
charon: 08[IKE] peer didn't accept DH group MODP_768, it requested MODP_768
charon: 08[DMN] thread 8 received 11
charon: 08[LIB] dumping 12 stack frame addresses:
charon: 08[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f79582c9000 [0x7f79582d88d0]
charon: 08[LIB] -> ??:?
charon: 08[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7958c6d000 [0x7f7958c961f0]
charon: 08[LIB] -> /root/strongswan/strongswan-5.3.5/src/libstrongswan/networking/packet.c:117 (discriminator 1)
charon: 08[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f795882bf1f]
charon: 08[LIB] -> /root/strongswan/strongswan-5.3.5/src/libcharon/sa/ikev2/tasks/ike_init.c:748 (discriminator 1)
charon: 08[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f795881d8e2]
charon: 08[LIB] -> /root/strongswan/strongswan-5.3.5/src/libcharon/sa/ikev2/task_manager_v2.c:1774
charon: 08[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f795882c714]
charon: 08[LIB] -> /root/strongswan/strongswan-5.3.5/src/libcharon/sa/ikev2/tasks/ike_init.c:657
charon: 08[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f795881fdb9]
charon: 08[LIB] -> /root/strongswan/strongswan-5.3.5/src/libcharon/sa/ikev2/task_manager_v2.c:664
charon: 08[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f7958814d57]
charon: 08[LIB] -> /root/strongswan/strongswan-5.3.5/src/libcharon/sa/ike_sa.c:1402
charon: 08[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f79587e7000 [0x7f795880dab1]
charon: 08[LIB] -> /root/strongswan/strongswan-5.3.5/src/libcharon/processing/jobs/process_message_job.c:74
charon: 08[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7958c6d000 [0x7f7958c9ad93]
charon: 08[LIB] -> /root/strongswan/strongswan-5.3.5/src/libstrongswan/processing/processor.c:235
charon: 08[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f7958c6d000 [0x7f7958caa6d8]
charon: 08[LIB] -> /root/strongswan/strongswan-5.3.5/src/libstrongswan/threading/thread.c:304 (discriminator 3)
charon: 08[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f79582c9000 [0x7f79582d10a4]
charon: 08[LIB] -> /build/glibc-Ir_s5K/glibc-2.19/nptl/pthread_create.c:309 (discriminator 2)
charon: 08[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f7957d1c000 (clone+0x6d) [0x7f7957e0204d]
charon: 08[LIB] -> /build/glibc-Ir_s5K/glibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
charon: 08[DMN] killing ourself, received critical signal
charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.0.0-kali1-amd64, x86_64)
charon: 00[CFG] loaded load-tester address pool 2.2.2.20/24 on eth1
charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.0.0-kali1-amd64, x86_64)
charon: 00[CFG] loaded load-tester address pool 2.2.2.20/24 on eth1
charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
charon: 00[LIB] loaded plugins: charon aes agent gcm openssl des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr load-tester kernel-netlink resolve socket-default stroke updown xauth-generic

On Sun, Jan 31, 2016 at 1:57 AM, Thomas Egerer <[email protected]> wrote:
> Michael,
>
> can you provide the charon load-tester log with facility enc set to log
> level 3, see [1], and the pcap file from your cisco device (one IKE_INIT
> exchange should do).
>
> Thomas
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
> On 01/31/2016 09:12 AM, Michael Chan wrote:
> > I ran this against a cisco device. I looked at the packet capture and it
> > shows that the key exchange DH group is undefined. Has anyone tried with
> > load-tester on 5.3.5?
> >
> > On Sat, Jan 30, 2016 at 2:22 AM, Thomas Egerer <[email protected]> wrote:
> >
> > Michael,
> >
> > while unloading the dishwasher I gave your issue another thought ;)
> > It seems I have somehow misread your problem. The peer you are trying
> > to connect the load tester to, runs which VPN-service? If it is a
> > strongSwan instance, you should provide the version, log information
> > of the IKE negotiation and an output of your config (stroke statusall).
> > It seems odd that the peer does not accept modp 1024 while it requests
> > this same modp group in the response.
> > Does the peer have a plugin loaded that provides modp 1024 (gcrypt, gmp,
> > openssl)? You should see this in 'stroke listall'.
> >
> > Cheers,
> > Thomas
> >
> > On 01/30/2016 12:20 AM, Michael Chan wrote:
> >>>> I looked at the ike logs and I see the following message
> >>>>
> >>>> [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> >>>> [IKE] peer didn't accept DH group MODP_1024, it requested MODP_1024
> >>>>
> >>>> The packet capture shows the DH group is undefined. Is there a parameter
> >>>> to set the DH group for the ike key exchange? I have the following parameter
> >>>> in my load-tester.conf file.
> >>>> proposal = aes-sha1-modp1024
> >>>>
> >>>> On Fri, Jan 29, 2016 at 12:40 PM, Michael Chan <[email protected]> wrote:
> >>>>
> >>>>> Hi,
> >>>>> I'm wanting to use the load-tester plugin to perform load testing on a
> >>>>> remote host, but the remote host keeps sending back an INVALID_KE_PAYLOAD
> >>>>> message. When I do a packet capture I see that the DH group for the key
> >>>>> exchange payload is undefined. I tried setting esp and proposal in the
> >>>>> load-tester.conf file to use modp1024, but it doesn't change the key exchange
> >>>>> payload DH group at all. Is there a way to set the group in load-tester?
> >>>>>
> >>>>> Thanks,
> >>>>> Michael
> >>>>>
> >>>>
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> [email protected]
> >>>> https://lists.strongswan.org/mailman/listinfo/users
> >>>>
> >
[Attachment: load-tester.pcap (binary data)]
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
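To check what a capture like the attached one actually carries, here is an added example in Python, not from this thread or from strongSwan: it walks an IKEv2 message's payload chain using the RFC 7296 layout, reports the DH group in the KE payload and the group a peer asks for in an INVALID_KE_PAYLOAD notify, and rejects truncated or mis-sized messages. The two sample messages are constructed inline: a request whose KE group field is 0 (undefined), as in the capture described, and a 38-byte response made of the IKE header plus a single notify, the same size as the reply in the log above.

```python
import struct

IKE_HDR_LEN = 28
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 33, 34, 40, 41
INVALID_KE_PAYLOAD = 17   # notify type (RFC 7296); its data is a 2-byte DH group

def walk_payloads(msg):
    """Yield (payload_type, body) for each payload after the 28-byte IKE header."""
    if len(msg) < IKE_HDR_LEN or struct.unpack("!I", msg[24:28])[0] != len(msg):
        raise ValueError("truncated message or IKE header length mismatch")
    next_type, off = msg[16], IKE_HDR_LEN   # header's 'next payload' field
    while next_type != 0:                    # 0 terminates the payload chain
        if off + 4 > len(msg):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, _flags, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        yield next_type, msg[off + 4:off + plen]
        next_type, off = nxt, off + plen

def summarize(msg):
    """Return payload types seen, the KE payload's DH group, and any INVALID_KE group."""
    info = {"payloads": [], "ke_group": None, "invalid_ke_group": None}
    for ptype, body in walk_payloads(msg):
        info["payloads"].append(ptype)
        if ptype == PAYLOAD_KE:              # DH group is the first 2 bytes of KE
            info["ke_group"] = struct.unpack("!H", body[:2])[0]
        elif ptype == PAYLOAD_NOTIFY:
            _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            if ntype == INVALID_KE_PAYLOAD:  # requested group follows the SPI
                start = 4 + spi_size
                info["invalid_ke_group"] = struct.unpack("!H", body[start:start + 2])[0]
    return info

def build_message(payloads, flags=0x08):
    """Assemble a minimal IKE_SA_INIT message (constructed input, not a capture)."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, payloads[0][0],
                       0x20, 34, flags, 0, IKE_HDR_LEN + len(body)) + body

# Constructed request: KE payload with DH group 0 (undefined), as in the capture described.
REQUEST = build_message([(PAYLOAD_SA, b"\x00" * 8),
                         (PAYLOAD_KE, struct.pack("!HH", 0, 0) + b"\x00" * 128),
                         (PAYLOAD_NONCE, b"\x42" * 32)])
# Constructed 38-byte response: header plus N(INVALID_KE_PAYLOAD) requesting group 2 (MODP_1024).
RESPONSE = build_message([(PAYLOAD_NOTIFY, struct.pack("!BBHH", 0, 0, INVALID_KE_PAYLOAD, 2))],
                         flags=0x20)
```

Running `summarize()` over the raw UDP payloads from a real capture in the same way shows whether the KE payload's group field is really 0 and which group the peer is asking for in its notify.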
