Issue #749
Updated by Tobias Brunner almost 11 years ago
Hi,
My scenario:
left Linux box, strongSwan 5.1.1
right win2008r2
ipsec in transport mode.
I have enrolled certificates using SCEP. When I let left establish the SA, it fails on the quick mode setup.
The error on right is EventID 4654, Audit Failure, No policy configured.
The error on left is INVALID_ID_INFORMATION error notify.
So it looks like the right side for some reason rejects the quick mode request, but why?
The SA is established fine from right to left.
Here is the log:
<pre>
[root@CPB529 mmcblk0p1]# ipsec start --nofork --debug &
[2] 4919
[root@CPB529 mmcblk0p1]# Starting strongSwan 5.1.1 IPsec [starter]...
Loading config setup
Loading conn %default
Loading conn 'host-host'
modprobe: module 'ah4' not found
modprobe: module 'esp4' not found
modprobe: module 'ipcomp' not found
modprobe: module 'xfrm4_tunnel' not found
modprobe: module 'xfrm_user' not found
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, Linux 2.6.38, m68k)
00[NET] could not open socket: Address family not supported by protocol
00[NET] could not open IPv6 socket, IPv6 disabled
00[KNL] received netlink error: Address family not supported by protocol (97)
00[KNL] unable to create IPv6 routing table rule
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA" from '/etc/ipsec.d/cacerts/caCert-ra-2.der'
00[CFG] loaded ca certificate "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA" from '/etc/ipsec.d/cacerts/caCert-ra-1.der'
00[CFG] loaded ca certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA" from '/etc/ipsec.d/cacerts/caCert.der'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loaded crl from '/etc/ipsec.d/crls/de1751172869c310e20026d70da8a925a0e4ca3d.crl'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/fccKey.der'
00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
00[JOB] spawning 16 worker threads
charon (4929) started after 5820 ms
04[CFG] received stroke: add connection 'host-host'
04[CFG] loaded certificate "C=DK, O=Linux, CN=CPB529-2" from 'fccCert.der'
04[CFG] id 'CPB529-2' not confirmed by certificate, defaulting to 'C=DK, O=Linux, CN=CPB529-2'
04[CFG] added configuration 'host-host'
[root@CPB529 mmcblk0p1]# ipsec up host-host
06[CFG] received stroke: initiate 'host-host'
initiating Main Mode IKE_SA host-host[1] to 192.168.0.2
08[IKE] initiating Main Mode IKE_SA host-host[1] to 192.168.0.2
generating ID_PROT request 0 [ SA V V V V ]
08[ENC] generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (212 bytes)
08[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (212 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.3[500] (208 bytes)
09[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (208 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
09[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:08
09[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:08
received NAT-T (RFC 3947) vendor ID
09[IKE] received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
09[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
09[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
09[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (244 bytes)
09[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (244 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.3[500] (339 bytes)
10[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (339 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
10[ENC] parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
received cert request for 'DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA'
10[IKE] received cert request for 'DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA'
sending cert request for "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
10[IKE] sending cert request for "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
sending cert request for "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA"
10[IKE] sending cert request for "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA"
sending cert request for "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA"
10[IKE] sending cert request for "C=DK, CN=LMH-WIN2008R2DC-MSCEP-RA"
authentication of 'C=DK, O=Linux, CN=CPB529-2' (myself) successful
10[IKE] authentication of 'C=DK, O=Linux, CN=CPB529-2' (myself) successful
sending end entity cert "C=DK, O=Linux, CN=CPB529-2"
10[IKE] sending end entity cert "C=DK, O=Linux, CN=CPB529-2"
generating ID_PROT request 0 [ ID CERT SIG CERTREQ CERTREQ CERTREQ ]
10[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ CERTREQ CERTREQ ]
sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (2092 bytes)
10[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (2092 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.3[500] (1876 bytes)
14[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (1876 bytes)
parsed ID_PROT response 0 [ ID CERT SIG ]
14[ENC] parsed ID_PROT response 0 [ ID CERT SIG ]
received end entity cert "CN=LMH-WIN2008R2DC.lmhlab.net"
14[IKE] received end entity cert "CN=LMH-WIN2008R2DC.lmhlab.net"
using certificate "CN=LMH-WIN2008R2DC.lmhlab.net"
14[CFG] using certificate "CN=LMH-WIN2008R2DC.lmhlab.net"
using trusted ca certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
14[CFG] using trusted ca certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
checking certificate status of "CN=LMH-WIN2008R2DC.lmhlab.net"
14[CFG] checking certificate status of "CN=LMH-WIN2008R2DC.lmhlab.net"
using trusted certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
14[CFG] using trusted certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
crl correctly signed by "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
14[CFG] crl correctly signed by "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
crl is stale: since Oct 22 22:33:15 2014
14[CFG] crl is stale: since Oct 22 22:33:15 2014
fetching crl from 'ldap:///CN=LMH-WIN2008R2-CA,CN=LMH-WIN2008R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
14[CFG] fetching crl from 'ldap:///CN=LMH-WIN2008R2-CA,CN=LMH-WIN2008R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
unable to fetch from ldap:///CN=LMH-WIN2008R2-CA,CN=LMH-WIN2008R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint, no capable fetcher found
14[LIB] unable to fetch from ldap:///CN=LMH-WIN2008R2-CA,CN=LMH-WIN2008R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint, no capable fetcher found
crl fetching failed
14[CFG] crl fetching failed
fetching crl from 'http://lmh-win2008r2dc.lmhlab.net/CertEnroll/LMH-WIN2008R2-CA+.crl' ...
14[CFG] fetching crl from 'http://lmh-win2008r2dc.lmhlab.net/CertEnroll/LMH-WIN2008R2-CA+.crl' ...
using trusted certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
14[CFG] using trusted certificate "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
crl correctly signed by "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
14[CFG] crl correctly signed by "DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA"
crl is valid: until Oct 23 22:33:16 2014
14[CFG] crl is valid: until Oct 23 22:33:16 2014
certificate status is good
14[CFG] certificate status is good
reached self-signed root ca with a path length of 0
14[CFG] reached self-signed root ca with a path length of 0
authentication of 'CN=LMH-WIN2008R2DC.lmhlab.net' with RSA successful
14[IKE] authentication of 'CN=LMH-WIN2008R2DC.lmhlab.net' with RSA successful
IKE_SA host-host[1] established between 192.168.0.3[C=DK, O=Linux, CN=CPB529-2]...192.168.0.2[CN=LMH-WIN2008R2DC.lmhlab.net]
14[IKE] IKE_SA host-host[1] established between 192.168.0.3[C=DK, O=Linux, CN=CPB529-2]...192.168.0.2[CN=LMH-WIN2008R2DC.lmhlab.net]
scheduling reauthentication in 28507s
14[IKE] scheduling reauthentication in 28507s
maximum IKE_SA lifetime 28687s
14[IKE] maximum IKE_SA lifetime 28687s
generating QUICK_MODE request 3244203380 [ HASH SA No ID ID ]
14[ENC] generating QUICK_MODE request 3244203380 [ HASH SA No ID ID ]
sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (164 bytes)
14[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (164 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.3[500] (76 bytes)
15[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (76 bytes)
parsed INFORMATIONAL_V1 request 554710654 [ HASH N(INVAL_ID) ]
15[ENC] parsed INFORMATIONAL_V1 request 554710654 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify
15[IKE] received INVALID_ID_INFORMATION error notify
establishing connection 'host-host' failed
</pre>
Next, left accepts the quick mode request and SA is established:
<pre>
[root@CPB529 mmcblk0p1]# 04[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (188 bytes)
04[ENC] parsed QUICK_MODE request 2147483648 [ HASH SA No ID ID ]
04[ENC] generating QUICK_MODE response 2147483648 [ HASH SA No ID ID ]
04[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (164 bytes)
07[NET] received packet: from 192.168.0.2[500] to 192.168.0.3[500] (60 bytes)
07[ENC] parsed QUICK_MODE request 2147483648 [ HASH ]
07[IKE] CHILD_SA host-host{2} established with SPIs cc4ac50e_i b9696510_o and TS 192.168.0.3/32[icmp] === 192.168.0.2/32[icmp]
</pre>
The ipsec.conf:
<pre>
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="dmn 4, ike 5, mgr 4, chd 4, knl 4, net 4, cfg 5"
conn %default
ikelifetime=480m
keylife=60m
rekeymargin=3m
keyingtries=3
keyexchange=ikev1
ike=3des-sha1,3des-sha1-modp1024
esp=3des-sha1!
conn host-host
left=192.168.0.3
leftcert=fccCert.der
leftid=@CPB529-2
right=192.168.0.2
rightid=%any
type=transport
leftauth=pubkey
rightauth=pubkey
compress=no
auto=add
</pre>
The windows policy has PFS disabled.
What could possibly cause this issue? What parameters could mismatch for the Quick Mode request to be rejected?
Thanks and regards,
Lars
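As an added diagnostic example (not part of this issue, and not strongSwan's own code): a small Python script that walks charon log lines like the ones above, pairs each Quick Mode exchange with its outcome, and extracts the traffic selectors of the CHILD_SA that the peer itself initiated. In IKEv1 Quick Mode the two ID payloads carry the traffic selectors (address or prefix, protocol, port); a responder that answers with INVALID_ID_INFORMATION is reporting that the proposed pair matches none of its policies, and the selectors it negotiates when it is the initiator show what it does accept. The sample log is constructed from the lines posted above (including the doubled lines that the `--nofork --debug` output produces); the function names are the example's own.

```python
import re
from typing import Dict, Iterator, List, Optional

# Constructed sample modelled on the charon output posted in this issue: each
# line appears once without and once with the "NN[GROUP]" thread prefix, one
# locally initiated Quick Mode is answered with INVALID_ID_INFORMATION, and
# one peer-initiated Quick Mode succeeds.
SAMPLE_LOG = """\
generating QUICK_MODE request 3244203380 [ HASH SA No ID ID ]
14[ENC] generating QUICK_MODE request 3244203380 [ HASH SA No ID ID ]
sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (164 bytes)
14[NET] sending packet: from 192.168.0.3[500] to 192.168.0.2[500] (164 bytes)
parsed INFORMATIONAL_V1 request 554710654 [ HASH N(INVAL_ID) ]
15[ENC] parsed INFORMATIONAL_V1 request 554710654 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify
15[IKE] received INVALID_ID_INFORMATION error notify
establishing connection 'host-host' failed
04[ENC] parsed QUICK_MODE request 2147483648 [ HASH SA No ID ID ]
04[ENC] generating QUICK_MODE response 2147483648 [ HASH SA No ID ID ]
07[ENC] parsed QUICK_MODE request 2147483648 [ HASH ]
07[IKE] CHILD_SA host-host{2} established with SPIs cc4ac50e_i b9696510_o and TS 192.168.0.3/32[icmp] === 192.168.0.2/32[icmp]
"""

PREFIX_RE = re.compile(r"^\d+\[[A-Z]+\] ")
# Only the first Quick Mode message ("HASH SA No ID ID") opens an exchange;
# the third message ("HASH" only) must not be mistaken for a new one.
QM_INIT_RE = re.compile(r"generating QUICK_MODE request (?P<mid>\d+) \[ HASH SA")
QM_RESP_RE = re.compile(r"parsed QUICK_MODE request (?P<mid>\d+) \[ HASH SA")
INVAL_ID_RE = re.compile(r"received INVALID_ID_INFORMATION error notify")
ADDR = r"[0-9a-fA-F.:/]+"
# Traffic selectors as charon prints them: "a.b.c.d/32[proto/port] === ..."
TS_RE = re.compile(
    rf"CHILD_SA (?P<conn>\S+) established .*? and TS "
    rf"(?P<local>{ADDR})(?:\[(?P<lproto>[^\]]*)\])? === "
    rf"(?P<remote>{ADDR})(?:\[(?P<rproto>[^\]]*)\])?"
)


def normalised_lines(log: str) -> Iterator[str]:
    """Strip the thread prefix and drop the immediate duplicate of each line."""
    last: Optional[str] = None
    for raw in log.splitlines():
        line = PREFIX_RE.sub("", raw.strip())
        if line and line != last:
            yield line
        last = line


def quick_mode_exchanges(log: str) -> List[Dict]:
    """Pair every Quick Mode exchange with its outcome.

    One dict per exchange: "initiator" ("local" or "peer"), the IKEv1 message
    id, "outcome" ("rejected_invalid_id", "established" or "unknown") and,
    for established CHILD_SAs, the negotiated traffic selectors.
    """
    exchanges: List[Dict] = []
    current: Optional[Dict] = None
    for line in normalised_lines(log):
        m = QM_INIT_RE.search(line) or QM_RESP_RE.search(line)
        if m:
            current = {
                "initiator": "local" if line.startswith("generating") else "peer",
                "message_id": int(m["mid"]),
                "outcome": "unknown",
                "selectors": None,
            }
            exchanges.append(current)
            continue
        if current is None:
            continue
        if INVAL_ID_RE.search(line):
            current["outcome"] = "rejected_invalid_id"
            current = None
            continue
        m = TS_RE.search(line)
        if m:
            current["outcome"] = "established"
            current["selectors"] = {
                "local": m["local"], "local_proto": m["lproto"] or "any",
                "remote": m["remote"], "remote_proto": m["rproto"] or "any",
            }
            current = None
    return exchanges


def diagnose(log: str) -> Dict:
    """Summarise what the peer rejected against what it accepted."""
    exchanges = quick_mode_exchanges(log)
    accepted = [e["selectors"] for e in exchanges if e["outcome"] == "established"]
    return {
        "local_initiations_rejected": sum(
            1 for e in exchanges
            if e["initiator"] == "local" and e["outcome"] == "rejected_invalid_id"),
        "peer_accepted_selectors": accepted,
        # A protocol or port inside [...] means the peer's policy is narrower
        # than "these two hosts, any protocol", which is what a conn without
        # leftprotoport/rightprotoport proposes.
        "peer_policy_is_protocol_scoped": any(
            s["local_proto"] != "any" or s["remote_proto"] != "any" for s in accepted),
    }


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(diagnose(text), indent=2))
```

Run it with the saved charon log as its argument (or with no argument for the constructed sample). In the posted log the peer-initiated CHILD_SA carries `192.168.0.3/32[icmp] === 192.168.0.2/32[icmp]`, a protocol-scoped selector, while a `conn` with no `leftprotoport`/`rightprotoport` proposes the two hosts for every protocol; comparing the selectors the Windows side negotiates on its own against the ones strongSwan proposes is the first thing to check when a responder answers Quick Mode with INVALID_ID_INFORMATION and logs "no policy configured".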