Issue #749

Quick mode neg. fails, INVALID_ID_INFORMATION error notify

Added by Lars Michael almost 11 years ago. Updated almost 11 years ago.

Status: Closed
Priority: Normal
Category: configuration
Affected version: 5.1.1
Resolution: No change required

Description

Hi,

My scenario:
left Linux box, Strongswan 5.1.1
right win2008r2
ipsec in transport mode.

I have enrolled certificates using SCEP. When I let left establish the SA, it fails on the quick mode setup.
The error on right is EventID 4654, Audit Failure, No policy configured.
The error on left is INVALID_ID_INFORMATION error notify.

So it looks like the right side for some reason rejects the quick mode request, but why?

The SA is established fine from right to left.

Here is the log:

[root@CPB529 mmcblk0p1]# ipsec start --nofork --debug &
[2] 4919
[root@CPB529 mmcblk0p1]# Starting strongSwan 5.1.1 IPsec [starter]...
Loading config setup
Loading conn %default
Loading conn 'host-host'
modprobe: module 'ah4' not found
modprobe: module 'esp4' not found
modprobe: module 'ipcomp' not found
modprobe: module 'xfrm4_tunnel' not found
modprobe: module 'xfrm_user' not found
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, Linux 2.6.38, m68k)
00[NET] could not open socket: Address family not supported by protocol
00[NET] could not open IPv6 socket, IPv6 disabled
00[KNL] received netlink error: Address family not supported by protocol (97)
00[KNL] unable to create IPv6 routing table rule
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA" from '/etc/ipsec.d/cacerts/caCert-ra-2.der'
00[CFG]   loaded ca certificate "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA" from '/etc/ipsec.d/cacerts/caCert-ra-1.der'
00[CFG]   loaded ca certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" from '/etc/ipsec.d/cacerts/caCert.der'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/etc/ipsec.d/crls/de1751172869c310e20026d70da8a925a0e4ca3d.crl'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/fccKey.der'
00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
00[JOB] spawning 16 worker threads
charon (4929) started after 5820 ms
04[CFG] received stroke: add connection 'host-host'
04[CFG]   loaded certificate "C=DK, O=Linux, CN=CPB529-2" from 'fccCert.der'
04[CFG]   id 'CPB529-2' not confirmed by certificate, defaulting to 'C=DK, O=Linux, CN=CPB529-2'
04[CFG] added configuration 'host-host'

[root@CPB529 mmcblk0p1]# ipsec up host-host
06[CFG] received stroke: initiate 'host-host'
initiating Main Mode IKE_SA host-host[1] to 192.168.0.2
08[IKE] initiating Main Mode IKE_SA host-host[1] to 192.168.0.2
generating ID_PROT request 0 [ SA V V V V ]
08[ENC] generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (212 bytes)
08[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (212 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.3[500] (208 bytes)
09[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (208 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
09[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:08
09[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:08
received NAT-T (RFC 3947) vendor ID
09[IKE] received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
09[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
09[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
09[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (244 bytes)
09[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (244 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.3[500] (339 bytes)
10[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (339 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
10[ENC] parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
received cert request for 'DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA'
10[IKE] received cert request for 'DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA'
sending cert request for "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
10[IKE] sending cert request for "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
sending cert request for "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA" 
10[IKE] sending cert request for "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA" 
sending cert request for "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA" 
10[IKE] sending cert request for "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA" 
authentication of 'C=DK, O=Linux, CN=CPB529-2' (myself) successful
10[IKE] authentication of 'C=DK, O=Linux, CN=CPB529-2' (myself) successful
sending end entity cert "C=DK, O=Linux, CN=CPB529-2" 
10[IKE] sending end entity cert "C=DK, O=Linux, CN=CPB529-2" 
generating ID_PROT request 0 [ ID CERT SIG CERTREQ CERTREQ CERTREQ ]
10[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ CERTREQ CERTREQ ]
sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (2092 bytes)
10[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (2092 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.3[500] (1876 bytes)
14[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (1876 bytes)
parsed ID_PROT response 0 [ ID CERT SIG ]
14[ENC] parsed ID_PROT response 0 [ ID CERT SIG ]
received end entity cert "CN=LMH-WIN2008R2DC.lmhlab.net" 
14[IKE] received end entity cert "CN=LMH-WIN2008R2DC.lmhlab.net" 
  using certificate "CN=LMH-WIN2008R2DC.lmhlab.net" 
14[CFG]   using certificate "CN=LMH-WIN2008R2DC.lmhlab.net" 
  using trusted ca certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
14[CFG]   using trusted ca certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
checking certificate status of "CN=LMH-WIN2008R2DC.lmhlab.net" 
14[CFG] checking certificate status of "CN=LMH-WIN2008R2DC.lmhlab.net" 
  using trusted certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
14[CFG]   using trusted certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
  crl correctly signed by "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
14[CFG]   crl correctly signed by "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
  crl is stale: since Oct 22 22:33:15 2014
14[CFG]   crl is stale: since Oct 22 22:33:15 2014
  fetching crl from 'ldap:///CN=LMH-WIN2008R2-CA,CN=LMH-WIN2008R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
14[CFG]   fetching crl from 'ldap:///CN=LMH-WIN2008R2-CA,CN=LMH-WIN2008R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
unable to fetch from ldap:///CN=LMH-WIN2008R2-CA,CN=LMH-WIN2008R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint, no capable fetcher found
14[LIB] unable to fetch from ldap:///CN=LMH-WIN2008R2-CA,CN=LMH-WIN2008R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint, no capable fetcher found
crl fetching failed
14[CFG] crl fetching failed
  fetching crl from 'http://lmh-win2008r2dc.lmhlab.net/CertEnroll/LMH-WIN2008R2-CA+.crl' ...
14[CFG]   fetching crl from 'http://lmh-win2008r2dc.lmhlab.net/CertEnroll/LMH-WIN2008R2-CA+.crl' ...
  using trusted certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
14[CFG]   using trusted certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
  crl correctly signed by "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
14[CFG]   crl correctly signed by "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" 
  crl is valid: until Oct 23 22:33:16 2014
14[CFG]   crl is valid: until Oct 23 22:33:16 2014
certificate status is good
14[CFG] certificate status is good
  reached self-signed root ca with a path length of 0
14[CFG]   reached self-signed root ca with a path length of 0
authentication of 'CN=LMH-WIN2008R2DC.lmhlab.net' with RSA successful
14[IKE] authentication of 'CN=LMH-WIN2008R2DC.lmhlab.net' with RSA successful
IKE_SA host-host[1] established between 192.168.0.3[C=DK, O=Linux, CN=CPB529-2]...192.168.0.2[CN=LMH-WIN2008R2DC.lmhlab.net]
14[IKE] IKE_SA host-host[1] established between 192.168.0.3[C=DK, O=Linux, CN=CPB529-2]...192.168.0.2[CN=LMH-WIN2008R2DC.lmhlab.net]
scheduling reauthentication in 28507s
14[IKE] scheduling reauthentication in 28507s
maximum IKE_SA lifetime 28687s
14[IKE] maximum IKE_SA lifetime 28687s
generating QUICK_MODE request 3244203380 [ HASH SA No ID ID ]
14[ENC] generating QUICK_MODE request 3244203380 [ HASH SA No ID ID ]
sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (164 bytes)
14[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (164 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.3[500] (76 bytes)
15[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (76 bytes)
parsed INFORMATIONAL_V1 request 554710654 [ HASH N(INVAL_ID) ]
15[ENC] parsed INFORMATIONAL_V1 request 554710654 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify
15[IKE] received INVALID_ID_INFORMATION error notify
establishing connection 'host-host' failed

Next, left accepts the quick mode request and SA is established:

[root@CPB529 mmcblk0p1]# 04[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (188 bytes)
04[ENC] parsed QUICK_MODE request 2147483648 [ HASH SA No ID ID ]
04[ENC] generating QUICK_MODE response 2147483648 [ HASH SA No ID ID ]
04[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (164 bytes)
07[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (60 bytes)
07[ENC] parsed QUICK_MODE request 2147483648 [ HASH ]
07[IKE] CHILD_SA host-host{2} established with SPIs cc4ac50e_i b9696510_o and TS 192.168.0.3/32[icmp] === 192.168.0.2/32[icmp]

The ipsec.conf:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="dmn 4, ike 5, mgr 4, chd 4, knl 4, net 4, cfg 5" 

conn %default
        ikelifetime=480m
        keylife=60m
        rekeymargin=3m
        keyingtries=3
        keyexchange=ikev1
        ike=3des-sha1,3des-sha1-modp1024
        esp=3des-sha1!

conn host-host
        left=192.168.0.3
        leftcert=fccCert.der
        leftid=@CPB529-2
        right=192.168.0.2
        rightid=%any
        type=transport
        leftauth=pubkey
        rightauth=pubkey
        compress=no
        auto=add

The windows policy has PFS disabled.

What could possibly cause this issue? What parameters could mismatch for the Quick Mode request to be rejected?

Thanks and regards,
Lars

History

#1 Updated by Tobias Brunner almost 11 years ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

It looks like the Windows server proposes to tunnel ICMP only:

07[IKE] CHILD_SA host-host{2} established with SPIs cc4ac50e_i b9696510_o and TS 192.168.0.3/32[icmp] === 192.168.0.2/32[icmp]

This works for strongSwan as it allows a smaller traffic selector than configured. But if strongSwan initiates the connection it will propose an SA between the IP addresses without any protocol or port restrictions, so if the policy on the Windows server only allows ICMP traffic this might not work. You can try setting leftsubnet and rightsubnet to %dynamic[icmp].

#2 Updated by Lars Michael almost 11 years ago

Correct, this Windows policy only allows ICMP traffic. I added the leftsubnet, rightsubnet values, and now the connection is established. Thank you.


generating QUICK_MODE request 2001939960 [ HASH SA No ID ID ]
13[ENC] generating QUICK_MODE request 2001939960 [ HASH SA No ID ID ]
sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (164 bytes)
13[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (164 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.3[500] (188 bytes)
16[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (188 bytes)
parsed QUICK_MODE response 2001939960 [ HASH SA No ID ID ]
16[ENC] parsed QUICK_MODE response 2001939960 [ HASH SA No ID ID ]
connection 'host-host' established successfully
16[IKE] CHILD_SA host-host{1} established with SPIs c9aac02a_i f268a2b9_o and TS 192.168.0.3/32[icmp] === 192.168.0.2/32[icmp]
16[ENC] generating QUICK_MODE request 2001939960 [ HASH ]
16[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (60 bytes)
06[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (76 bytes)
06[ENC] parsed QUICK_MODE response 2001939960 [ HASH N(INIT_CONTACT) ]
06[IKE] ignoring fourth Quick Mode message
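
The traffic-selector rule behind comments #1 and #2, as an added worked model (illustration written for this page, not strongSwan or Windows code): in IKEv1 Quick Mode there is no in-protocol narrowing, so the responder either finds a policy that fully covers the proposed IDci/IDcr pair and installs exactly what was proposed, or it answers with INVALID_ID_INFORMATION. That single rule reproduces both directions in the logs above: Windows proposing the narrower ICMP-only pair to a strongSwan config with no protocol restriction succeeds, strongSwan proposing the any-protocol host pair to the ICMP-only Windows policy fails, and the `%dynamic[icmp]` fix makes the proposal fit. The `%dynamic` handling (host address plus the bracketed protocol) and the Windows policy pair are simplified assumptions drawn from the thread; the log line is copied from comment #1.

```python
"""Traffic-selector (TS) fit check for IKEv1 Quick Mode, modelling this issue.
Assumed responder rule: a proposed (IDci, IDcr) pair is accepted only if a
configured policy covers both selectors; otherwise INVALID_ID_INFORMATION.
All selector pairs below are ordered (Linux side, Windows side)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_NUM = {"any": 0, "icmp": 1, "tcp": 6, "udp": 17}
PROTO_NAME = {v: k for k, v in PROTO_NUM.items()}


@dataclass(frozen=True)
class TrafficSelector:
    net: ipaddress.IPv4Network
    proto: int = 0   # 0 = any protocol
    port: int = 0    # 0 = any port

    @classmethod
    def parse(cls, text: str) -> "TrafficSelector":
        """Parse strongSwan's TS notation: '192.168.0.3/32', '.../32[icmp]', '.../24[tcp/22]'."""
        m = re.fullmatch(r"([\d.]+/\d+)(?:\[([a-z]+)(?:/(\d+))?\])?", text.strip())
        if not m:
            raise ValueError(f"unrecognised traffic selector: {text!r}")
        net, proto, port = m.groups()
        return cls(ipaddress.IPv4Network(net), PROTO_NUM[proto or "any"], int(port or 0))

    def __str__(self) -> str:
        if not self.proto:
            return str(self.net)
        port = f"/{self.port}" if self.port else ""
        return f"{self.net}[{PROTO_NAME[self.proto]}{port}]"

    def fits(self, policy: "TrafficSelector") -> bool:
        """True if every packet matched by this selector is also matched by `policy`."""
        return (self.net.subnet_of(policy.net)
                and policy.proto in (0, self.proto)
                and policy.port in (0, self.port))


Pair = Tuple[TrafficSelector, TrafficSelector]


def config_selectors(left: str, right: str, leftsubnet: Optional[str] = None,
                     rightsubnet: Optional[str] = None) -> Pair:
    """Selectors a conn proposes. No leftsubnet/rightsubnet: the bare host addresses
    (the original ipsec.conf). '%dynamic[icmp]': host address plus ICMP (simplified
    reading of the fix from comment #1; assumption, not strongSwan's parser)."""
    def one(host: str, subnet: Optional[str]) -> TrafficSelector:
        spec = f"{host}/32" if subnet is None else subnet.replace("%dynamic", f"{host}/32")
        return TrafficSelector.parse(spec)
    return one(left, leftsubnet), one(right, rightsubnet)


def quick_mode(proposal: Pair, policy: Pair) -> Tuple[str, Optional[Pair]]:
    """Responder decision: install exactly the proposal if the policy covers it."""
    if proposal[0].fits(policy[0]) and proposal[1].fits(policy[1]):
        return "established", proposal
    return "INVALID_ID_INFORMATION", None


CHILD_SA_RE = re.compile(r"CHILD_SA \S+ established with SPIs \S+ \S+ and TS (\S+) === (\S+)")


def child_sa_selectors(log_line: str) -> Optional[Pair]:
    """Extract the installed TS pair from a charon 'CHILD_SA ... established' line."""
    m = CHILD_SA_RE.search(log_line)
    if not m:
        return None
    return TrafficSelector.parse(m.group(1)), TrafficSelector.parse(m.group(2))


LEFT, RIGHT = "192.168.0.3", "192.168.0.2"
# Windows policy as described in comment #1: ICMP only between the two hosts (assumed pair).
WIN_POLICY: Pair = (TrafficSelector.parse(f"{LEFT}/32[icmp]"),
                    TrafficSelector.parse(f"{RIGHT}/32[icmp]"))
# Log line copied from the issue (Windows-initiated CHILD_SA).
LOG_LINE = ("07[IKE] CHILD_SA host-host{2} established with SPIs cc4ac50e_i b9696510_o "
            "and TS 192.168.0.3/32[icmp] === 192.168.0.2/32[icmp]")


def page_cases() -> Dict[str, Tuple[str, Optional[Pair]]]:
    """The three exchanges from the thread, evaluated with the rule above."""
    original = config_selectors(LEFT, RIGHT)
    fixed = config_selectors(LEFT, RIGHT, "%dynamic[icmp]", "%dynamic[icmp]")
    return {
        "linux initiates, no subnet": quick_mode(original, WIN_POLICY),   # rejected
        "windows initiates": quick_mode(WIN_POLICY, original),            # narrower, accepted
        "linux initiates, %dynamic[icmp]": quick_mode(fixed, WIN_POLICY), # fits, accepted
    }


if __name__ == "__main__":
    for name, (result, ts) in page_cases().items():
        print(f"{name:35s} -> {result}" + (f"  TS {ts[0]} === {ts[1]}" if ts else ""))
    print("log line TS:", " === ".join(map(str, child_sa_selectors(LOG_LINE))))
```

Running it prints the rejection for the original config, the ICMP-only pair for the Windows-initiated case (identical to what `child_sa_selectors` pulls out of the log line), and the established pair once `%dynamic[icmp]` is set on both sides. The same `fits` check is the one to run by hand when a peer that is not strongSwan answers Quick Mode with INVALID_ID_INFORMATION: compare the selectors charon logs in `generating QUICK_MODE request` against the peer's policy, protocol and port included, not just the addresses.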

#3 Updated by Tobias Brunner almost 11 years ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Resolution set to No change required