>Synopsis:      iked: Cannot send requests after rekeying IKE SA
>Category:      system
>Environment:
        System      : OpenBSD 6.0
        Details     : OpenBSD 6.0-current (LOCAL) #0: Mon Oct 24 10:01:22 CEST 2016
                         t...@openbsd.my.domain:/usr/src/sys/arch/amd64/compile/LOCAL

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:

If iked is configured to rekey the IKE SA (ikelifetime option),
sending requests ends up broken after the first rekeying. Messages
like "ikev2_msg_send: CREATE_CHILD_SA request from any to any msgid 0,
432 bytes" (second rekeying attempt, see log below) indicate that the
local and remote addresses of the new IKE SA are not initialized
correctly. Despite this, iked can respond to requests from the peer.

>How-To-Repeat:

1. Configure iked as a responder with ikelifetime > 0. The very short
value in the example iked.conf below (10 seconds) is chosen to make
reproduction fast.

2. Start iked with this configuration. The log below was created using
"iked -dvv".

3. Initiate an IKE SA from a suitable peer and wait for rekeying to
happen. I've used the strongSwan conftest framework with a
configuration that closes the IKE SA after 120 seconds; note that the
DELETE message is processed correctly.

>Fix:

Unknown.


iked.conf:
ikev2 "test" passive ipcomp esp from 172.25.128.5/32 to 172.24.2.42/32 \
        peer any \
        ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha1 group modp2048 \
        srcid "/CN=ike-test.example.com/C=DE" \
        ikelifetime 10


iked log:
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
ikev2 "test" passive esp from 172.25.128.5/32 to 172.24.2.42/32 local any peer 
any ikesa enc aes-256 prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256 group 
modp2048 childsa enc aes-256 auth hmac-sha1 group modp2048 srcid 
/CN=ike-test.example.com/C=DE ikelifetime 10 lifetime 10800 bytes 536870912 rsa
iked.conf: loaded 1 configuration rules
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
ca_reload: loaded ca file x509.pem
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ca_reload: /CN=Testing Authority
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file ike-test.pem
ca_validate_cert: /CN=ike-test.example.com/C=DE ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator 172.24.2.42:500 to 
172.25.128.5:500 policy 'test' id 0, 544 bytes
ikev2_recv: ispi 0x0cffe25e7be83b8b rspi 0x0000000000000000
ca_x509_name_parse: setting 'CN' to 'ike-test.example.com'
ca_x509_name_parse: setting 'C' to 'DE'
ikev2_policy2id: srcid ASN1_DN//CN=ike-test.example.com/C=DE length 50
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x0000000000000000 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 544 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 136
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x0cffe25e7be83b8b 0x0000000000000000 
172.24.2.42:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x0cffe25e7be83b8b 0x0000000000000000 
172.25.128.5:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA1 (1)
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000 
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x0cffe25e7be83b8b 0x06b20567dde142a4 
172.25.128.5:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x0cffe25e7be83b8b 0x06b20567dde142a4 
172.24.2.42:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 471 
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.25.128.5:500 to 172.24.2.42:500 
msgid 0, 471 bytes
config_free_proposals: free 0x5d95d54f480
ikev2_recv: IKE_AUTH request from initiator 172.24.2.42:500 to 172.25.128.5:500 
policy 'test' id 1, 1728 bytes
ikev2_recv: ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4
ikev2_recv: updated SA to peer 172.24.2.42:500 local 172.25.128.5:500
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1728 
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1700
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1664
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1664/1664 padding 1
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 
55
ikev2_pld_id: id ASN1_DN//CN=ike-test2.example.com/C=DE length 51
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 
length 1028
ikev2_pld_cert: type X509_CERT length 1023
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload IDr critical 0x00 
length 25
ikev2_pld_certreq: type X509_CERT length 20
ca_x509_name_parse: setting 'CN' to 'ike-test.example.com'
ca_x509_name_parse: setting 'C' to 'DE'
ikev2_policy2id: srcid ASN1_DN//CN=ike-test.example.com/C=DE length 50
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 
54
ikev2_pld_id: id ASN1_DN//CN=ike-test.example.com/C=DE length 50
ikev2_pld_id: unexpected id payload
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
280
ikev2_pld_auth: method SIG length 272
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 
164
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP spisize 4 
xforms 3 spi 0xc421d6ee
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.24.2.42 end 172.24.2.42
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.25.128.5 end 172.25.128.5
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 
length 8
ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION
sa_stateok: SA_INIT flags 0x0000, require 0x0000 
policy_lookup: peerid '/CN=ike-test2.example.com/C=DE'
ikev2_msg_auth: responder auth data length 535
ca_setauth: switching from RSA_SIG to SIG
ca_setauth: auth length 535
ikev2_msg_auth: initiator auth data length 608
ikev2_msg_authverify: method SIG keylen 1023 type X509_CERT
_dsa_verify_init: signature scheme 0 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0x5d995c78880
ca_getreq: found CA /CN=Testing Authority
ca_getreq: found local certificate /CN=ike-test.example.com/C=DE
ca_setauth: auth length 272
ca_validate_cert: /CN=ike-test2.example.com/C=DE ok
ikev2_getimsgdata: imsg 18 rspi 0x06b20567dde142a4 ispi 0x0cffe25e7be83b8b 
initiator 0 sa valid type 4 data length 1020
ikev2_dispatch_cert: cert type X509_CERT length 1020, ok
sa_stateflags: 0x0034 -> 0x0035 cert,certreq,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0031, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_getimsgdata: imsg 23 rspi 0x06b20567dde142a4 ispi 0x0cffe25e7be83b8b 
initiator 0 sa valid type 14 data length 272
ikev2_dispatch_cert: AUTH type 14 len 272
sa_stateflags: 0x0035 -> 0x003d cert,certreq,auth,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0039, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa 
(required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
ikev2_sa_tag:  (0)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 104
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0xbe43e25b
pfkey_sa_init: new spi 0xbe43e25b
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
ikev2_next_payload: length 54 nextpayload CERT
ikev2_next_payload: length 1025 nextpayload AUTH
ikev2_next_payload: length 280 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1451
ikev2_msg_encrypt: padded length 1456
ikev2_msg_encrypt: length 1452, padding 4, output length 1488
ikev2_next_payload: length 1492 nextpayload IDr
ikev2_msg_integr: message length 1520
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1520 
response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1492
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1456
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1456/1456 padding 4
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 
54
ikev2_pld_id: id ASN1_DN//CN=ike-test.example.com/C=DE length 50
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 
length 1025
ikev2_pld_cert: type X509_CERT length 1020
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
280
ikev2_pld_auth: method SIG length 272
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 
xforms 3 spi 0xbe43e25b
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.24.2.42 end 172.24.2.42
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.25.128.5 end 172.25.128.5
ikev2_msg_send: IKE_AUTH response from 172.25.128.5:500 to 172.24.2.42:500 
msgid 1, 1520 bytes
pfkey_sa_add: update spi 0xbe43e25b
ikev2_childsa_enable: loaded CHILD SA spi 0xbe43e25b
pfkey_sa_add: add spi 0xc421d6ee
ikev2_childsa_enable: loaded CHILD SA spi 0xc421d6ee
ikev2_childsa_enable: loaded flow 0x5d9ba916000
ikev2_childsa_enable: loaded flow 0x5d9ab276800
sa_state: VALID -> ESTABLISHED from 172.24.2.42:500 to 172.25.128.5:500 policy 
'test'
ikev2_ike_sa_rekey: called for IKE SA 0x5d968e34000
ca_x509_name_parse: setting 'CN' to 'ike-test.example.com'
ca_x509_name_parse: setting 'C' to 'DE'
ikev2_policy2id: srcid ASN1_DN//CN=ike-test.example.com/C=DE length 50
sa_state: INIT -> AUTH_SUCCESS
ikev2_add_proposals: length 52
ikev2_next_payload: length 56 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONE
ikev2_msg_encrypt: decrypted length 356
ikev2_msg_encrypt: padded length 368
ikev2_msg_encrypt: length 357, padding 11, output length 400
ikev2_next_payload: length 404 nextpayload SA
ikev2_msg_integr: message length 432
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 
nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x00 msgid 0 length 
432 response 0
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 404
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 368
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 368/368 padding 11
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 
56
ikev2_pld_sa: more 0 reserved 0 length 52 proposal #1 protoid IKE spisize 8 
xforms 4 spi 0xf671af4a99dd1f39
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: decrypted payload NONCE nextpayload KE critical 0x00 length 
36
ikev2_pld_payloads: decrypted payload KE nextpayload NONE critical 0x00 length 
264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_msg_send: CREATE_CHILD_SA request from 172.25.128.5:500 to 
172.24.2.42:500 msgid 0, 432 bytes
ikev2_ike_sa_rekey: create child SA sent
ikev2_recv: CREATE_CHILD_SA response from initiator 172.24.2.42:500 to 
172.25.128.5:500 policy 'test' id 0, 432 bytes
ikev2_recv: ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4
ikev2_recv: updated SA to peer 172.24.2.42:500 local 172.25.128.5:500
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 
nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x28 msgid 0 length 
432 response 1
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 404
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 368
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 368/368 padding 11
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 
56
ikev2_pld_sa: more 0 reserved 0 length 52 proposal #1 protoid IKE spisize 8 
xforms 4 spi 0x6e3418a480ae0204
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: decrypted payload NONCE nextpayload KE critical 0x00 length 
36
ikev2_pld_payloads: decrypted payload KE nextpayload NONE critical 0x00 length 
264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_sa_negotiate: score 4
config_free_proposals: free 0x5d995c76900
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_ikesa_enable: IKE SA 0x5d968e34000 ispi 0x0cffe25e7be83b8b rspi 
0x06b20567dde142a4 replaced by SA 0x5d928e41000 ispi 0xf671af4a99dd1f39 rspi 
0x6e3418a480ae0204 
ikev2_ikesa_enable: activating new IKE SA
sa_state: AUTH_SUCCESS -> ESTABLISHED from any to any policy 'test'
ikev2_next_payload: length 8 nextpayload NONE
ikev2_msg_encrypt: decrypted length 8
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 9, padding 7, output length 48
ikev2_next_payload: length 52 nextpayload DELETE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 1 length 80 
response 0
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 
length 8
ikev2_pld_delete: proto IKE spisize 0 nspi 0
ikev2_msg_send: INFORMATIONAL request from 172.25.128.5:500 to 172.24.2.42:500 
msgid 1, 80 bytes
ikev2_ikesa_delete: sent delete, closing SA
sa_state: ESTABLISHED -> CLOSED from 172.24.2.42:500 to 172.25.128.5:500 policy 
'test'
ikev2_recv: closing SA
sa_free: ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4
config_free_proposals: free 0x5d95d54f400
config_free_proposals: free 0x5d95d54fc00
ikev2_recv: INFORMATIONAL response from initiator 172.24.2.42:500 to 
172.25.128.5:500 policy 'test' id 1, 80 bytes
ikev2_recv: ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4
ikev2_ike_sa_rekey: called for IKE SA 0x5d928e41000
ca_x509_name_parse: setting 'CN' to 'ike-test.example.com'
ca_x509_name_parse: setting 'C' to 'DE'
ikev2_policy2id: srcid ASN1_DN//CN=ike-test.example.com/C=DE length 50
sa_state: INIT -> AUTH_SUCCESS
ikev2_add_proposals: length 52
ikev2_next_payload: length 56 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONE
ikev2_msg_encrypt: decrypted length 356
ikev2_msg_encrypt: padded length 368
ikev2_msg_encrypt: length 357, padding 11, output length 400
ikev2_next_payload: length 404 nextpayload SA
ikev2_msg_integr: message length 432
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204 
nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x08 msgid 0 length 
432 response 0
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 404
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 368
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 368/368 padding 11
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 
56
ikev2_pld_sa: more 0 reserved 0 length 52 proposal #1 protoid IKE spisize 8 
xforms 4 spi 0xa480072ae05fbed6
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: decrypted payload NONCE nextpayload KE critical 0x00 length 
36
ikev2_pld_payloads: decrypted payload KE nextpayload NONE critical 0x00 length 
264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_msg_send: CREATE_CHILD_SA request from any to any msgid 0, 432 bytes
ikev2_msg_send: sendtofrom: Invalid argument
sa_free: ispi 0xa480072ae05fbed6 rspi 0x0000000000000000
ikev2_ike_sa_rekey: could not send create child SA
pfkey_sa_last_used: invalid address: Protocol family not supported
pfkey_sa_last_used: invalid address: Protocol family not supported
ikev2_ike_sa_alive: sending alive check
ikev2_msg_encrypt: decrypted length 4
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 5, padding 11, output length 48
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204 
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 1 length 80 
response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
ikev2_msg_send: INFORMATIONAL request from any to any msgid 1, 80 bytes
ikev2_msg_send: sendtofrom: Invalid argument
ikev2_recv: INFORMATIONAL request from responder 172.24.2.42:500 to 
172.25.128.5:500 policy 'test' id 0, 80 bytes
ikev2_recv: ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204
ikev2_recv: updated SA to peer 172.24.2.42:500 local 172.25.128.5:500
ikev2_pld_parse: header ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204 
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 0 length 80 
response 0
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 
length 8
ikev2_pld_delete: proto IKE spisize 0 nspi 0
ikev2_next_payload: length 4 nextpayload NONE
ikev2_msg_encrypt: decrypted length 4
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 5, padding 11, output length 48
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204 
nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 0 length 80 
response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
ikev2_msg_send: INFORMATIONAL response from 172.25.128.5:500 to 172.24.2.42:500 
msgid 0, 80 bytes
sa_state: ESTABLISHED -> CLOSED from 172.24.2.42:500 to 172.25.128.5:500 policy 
'test'
ikev2_recv: closing SA
sa_free: ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204
config_free_proposals: free 0x5d995c76880
config_free_proposals: free 0x5d995c76a00
config_free_childsas: free 0x5d928e44000
config_free_childsas: free 0x5d9b8d4d500
sa_free_flows: free 0x5d9ba916000
sa_free_flows: free 0x5d9ab276800

--
Dipl.-Ing. Thomas Klute

achelos GmbH
Vattmannstraße 1
33100 Paderborn / Germany

Managing Directors: Kathrin Asmuth, Frank Stehling
Register court: Paderborn, HRB 8817, VAT ID: DE260414872
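
Added example, not part of the original report and not iked code: a small Python scanner for "iked -dvv" output that re-joins mail-wrapped log lines and flags the symptom described above (an IKE SA that becomes ESTABLISHED "from any to any" after a rekey, followed by sends that fail in sendtofrom). The sample input is an excerpt of the log in this report; the function names and the report layout are assumptions of this example.

```python
import re

# A log record starts with "function_name: "; anything else is a wrapped continuation.
RECORD_START = re.compile(r"^[A-Za-z_][\w.]*: ")
REPLACED = re.compile(
    r"^ikev2_ikesa_enable: IKE SA \S+ ispi \S+ rspi \S+ replaced by SA \S+ "
    r"ispi (?P<ispi>\S+) rspi (?P<rspi>\S+)")
STATE = re.compile(
    r"^sa_state: (?P<old>\S+) -> (?P<new>\S+) from (?P<src>\S+) to (?P<dst>\S+) policy")
SEND = re.compile(
    r"^ikev2_msg_send: (?P<exch>\S+) (?P<kind>request|response) "
    r"from (?P<src>\S+) to (?P<dst>\S+) msgid (?P<msgid>\d+)")
SEND_ERR = re.compile(r"^ikev2_msg_send: sendtofrom: (?P<err>.+)$")

# Excerpt of the log in this report, hard-wrapped exactly as the mail shows it.
SAMPLE_LOG = """\
ikev2_ikesa_enable: IKE SA 0x5d968e34000 ispi 0x0cffe25e7be83b8b rspi 
0x06b20567dde142a4 replaced by SA 0x5d928e41000 ispi 0xf671af4a99dd1f39 rspi 
0x6e3418a480ae0204 
ikev2_ikesa_enable: activating new IKE SA
sa_state: AUTH_SUCCESS -> ESTABLISHED from any to any policy 'test'
ikev2_msg_send: INFORMATIONAL request from 172.25.128.5:500 to 172.24.2.42:500 
msgid 1, 80 bytes
ikev2_msg_send: CREATE_CHILD_SA request from any to any msgid 0, 432 bytes
ikev2_msg_send: sendtofrom: Invalid argument
ikev2_msg_send: INFORMATIONAL request from any to any msgid 1, 80 bytes
ikev2_msg_send: sendtofrom: Invalid argument
ikev2_msg_send: INFORMATIONAL response from 172.25.128.5:500 to 172.24.2.42:500 
msgid 0, 80 bytes
"""


def unwrap(text):
    """Re-join records that a mail client wrapped across several lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def scan(text):
    """Collect rekey events and every sign of an SA with unset endpoints."""
    report = {"rekeyed": [], "unset_sa": [], "unset_send": [], "send_errors": 0}
    for rec in unwrap(text):
        if m := REPLACED.match(rec):
            # SPIs of the new IKE SA that took over after the rekey.
            report["rekeyed"].append((m["ispi"], m["rspi"]))
        elif m := STATE.match(rec):
            if m["new"] == "ESTABLISHED" and "any" in (m["src"], m["dst"]):
                report["unset_sa"].append(rec)
        elif SEND_ERR.match(rec):
            report["send_errors"] += 1
        elif m := SEND.match(rec):
            if "any" in (m["src"], m["dst"]):
                report["unset_send"].append((m["exch"], m["kind"], int(m["msgid"])))
    return report


def affected(report):
    """True when a rekeyed SA came up without addresses and a send then failed."""
    return bool(report["rekeyed"] and report["unset_sa"] and report["send_errors"])


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for exch, kind, msgid in result["unset_send"]:
        print(f"send with unset addresses: {exch} {kind} msgid {msgid}")
    print("rekeyed SAs:", result["rekeyed"])
    print("sendtofrom errors:", result["send_errors"])
    print("matches the reported symptom:", affected(result))
```
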
