[Openswan Users] Suddenly service is interrupted.
Marco Perrando
perr at com.dist.unige.it
Thu Dec 16 18:51:06 CET 2004
My provider changed my IP-address pool and my ROUTER (and ROUTER address).
The IP-address of the linux box is a public IP (no NAT on server side)
from the new pool, instead of being one of the old pool.
I revised my conf files, putting in the new IP addresses of both the linux box and
the router.
A road-warrior connection that worked until yesterday now sends an
INVALID_COOKIE message as the third message of the negotiation and, as a
consequence (I guess), it resends another packet for a new Security
Association.
But its 'Security Parameter Index' reports EXACTLY the two cookies that
were sent in packet #2!!!
Why does it say INVALID_COOKIE?
What cookies should arrive?
What is going on? I can't figure it by myself.
- The router "mangles" the packets?
- The XP-box mangles the packets?
- The linux box mangles the packets?
I note that during the second attempt at a Security Association, the
cookie of the XP-box is the same, while the linux box provides another
cookie (I don't think this can be helpful, but...).
Thank you for your kind attention.
Sincerely,
Marco.
=======ATTACHED DUMP OF PACKETS (IP address deleted) =====
Frame 1 (334 bytes on wire, 334 bytes captured)
Ethernet II, Src: 00:05:d8:27:4a:5c, Dst: 00:04:75:c6:3e:dc
Internet Protocol,
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
Initiator cookie: 0x37B4EC89095B9AA1
Responder cookie: 0x0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags
Message ID: 0x00000000
Length: 292
Security Association payload
Next payload: Vendor ID (13)
Length: 200
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 1
Next payload: NONE (0)
Length: 188
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI size: 0
Number of transforms: 5
Transform payload # 1
Next payload: Transform (3)
Length: 36
Transform number: 1
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): 2048 bit MODP group (14)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 2
Next payload: Transform (3)
Length: 36
Transform number: 2
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 3
Next payload: Transform (3)
Length: 36
Transform number: 3
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 4
Next payload: Transform (3)
Length: 36
Transform number: 4
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Transform payload # 5
Next payload: NONE (0)
Length: 36
Transform number: 5
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): DES-CBC (1)
Hash-Algorithm (2): MD5 (1)
Group-Description (4): Default 768-bit MODP group (1)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Vendor ID payload
Next payload: Vendor ID (13)
Length: 24
Vendor ID: Microsoft Win2K/WinXP
Vendor ID payload
Next payload: Vendor ID (13)
Length: 20
Vendor ID: Microsoft L2TP/IPSec VPN Client
Vendor ID payload
Next payload: NONE (0)
Length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Frame 2 (146 bytes on wire, 146 bytes captured)
Ethernet II, Src: 00:04:75:c6:3e:dc, Dst: 00:05:d8:27:4a:5c
Internet Protocol,
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
Initiator cookie: 0x37B4EC89095B9AA1
Responder cookie: 0x4FCE525EE99D3397
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags
Message ID: 0x00000000
Length: 104
Security Association payload
Next payload: Vendor ID (13)
Length: 56
Domain of interpretation: IPSEC (1)
Situation: IDENTITY (1)
Proposal payload # 1
Next payload: NONE (0)
Length: 44
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI size: 0
Number of transforms: 1
Transform payload # 2
Next payload: NONE (0)
Length: 36
Transform number: 2
Transform ID: KEY_IKE (1)
Encryption-Algorithm (1): 3DES-CBC (5)
Hash-Algorithm (2): SHA (2)
Group-Description (4): Alternate 1024-bit MODP group (2)
Authentication-Method (3): RSA-SIG (3)
Life-Type (11): Seconds (1)
Life-Duration (12): Duration-Value (28800)
Vendor ID payload
Next payload: NONE (0)
Length: 20
Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Frame 3 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: 00:05:d8:27:4a:5c, Dst: 00:04:75:c6:3e:dc
Internet Protocol,
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
Initiator cookie: 0x37B4EC89095B9AA1
Responder cookie: 0x4FCE525EE99D3397
Next payload: Notification (11)
Version: 1.0
Exchange type: Informational (5)
Flags
Message ID: 0x3F79908F
Length: 56
Notification payload
Next payload: NONE (0)
Length: 28
Domain of Interpretation: IPSEC (1)
Protocol ID: ISAKMP (1)
SPI size: 16
Message type: INVALID-COOKIE (4)
Security Parameter Index
Security Parameter Index starts at byte 52 of the packet
0050 00 04 37 b4 ec 89 09 5b 9a a1 4f ce 52 5e e9 9d ..7....[..O.R^..
0060 33 97 3.
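The notification in frame 3, decoded in code. This is an added example, not part of Marco's post and not Openswan code: the 56 ISAKMP bytes are reassembled from the field values the dissector printed above (initiator and responder cookies, message ID 0x3F79908F, Informational exchange, one INVALID-COOKIE notification with a 16-byte SPI), so they are constructed, not the capture itself. The parser walks the ISAKMP header and payload chain with length checks, decodes the Notification payload, and reports whether its SPI is the same (initiator, responder) cookie pair as the packet's own header, which for this frame it is. All function and constant names are mine.

```python
import struct

# ISAKMP / IKEv1 constants (RFC 2408) used by the parser below.
ISAKMP_HEADER_LEN = 28
NEXT_PAYLOAD_NONE = 0
NEXT_PAYLOAD_NOTIFICATION = 11
EXCHANGE_INFORMATIONAL = 5
PROTO_ISAKMP = 1
DOI_IPSEC = 1
NOTIFY_INVALID_COOKIE = 4

# Values copied from frame 3 of the dump; the packet bytes themselves are
# reassembled here (constructed), not taken from the capture.
INIT_COOKIE = bytes.fromhex("37B4EC89095B9AA1")
RESP_COOKIE = bytes.fromhex("4FCE525EE99D3397")
FRAME3_MSG_ID = 0x3F79908F


def build_notify_packet(icookie, rcookie, msg_id, notify_type, spi):
    """Assemble an ISAKMP Informational exchange carrying one Notification payload."""
    # Generic payload header: next payload, reserved, payload length.
    notify = struct.pack("!BBH", NEXT_PAYLOAD_NONE, 0, 12 + len(spi))
    # Notification body: DOI, protocol ID, SPI size, notify message type, SPI.
    notify += struct.pack("!IBBH", DOI_IPSEC, PROTO_ISAKMP, len(spi), notify_type) + spi
    # ISAKMP header: cookies, next payload, version 1.0, exchange type, flags,
    # message ID, total length.
    header = icookie + rcookie + struct.pack(
        "!BBBBII", NEXT_PAYLOAD_NOTIFICATION, 0x10, EXCHANGE_INFORMATIONAL, 0,
        msg_id, ISAKMP_HEADER_LEN + len(notify))
    return header + notify


def parse_isakmp(pkt):
    """Parse the ISAKMP header and walk the payload chain.

    Returns (header dict, list of (payload type, payload body)).
    Every length is checked against the bytes actually present."""
    if len(pkt) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    nextp, version, exchange, flags, msg_id, length = struct.unpack("!BBBBII", pkt[16:28])
    if length != len(pkt):
        raise ValueError("header length %d != %d bytes present" % (length, len(pkt)))
    header = dict(icookie=pkt[:8], rcookie=pkt[8:16], version=version,
                  exchange=exchange, flags=flags, msg_id=msg_id)
    payloads, off = [], ISAKMP_HEADER_LEN
    while nextp != NEXT_PAYLOAD_NONE:
        if off + 4 > len(pkt):
            raise ValueError("payload header runs past end of packet")
        following, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((nextp, pkt[off + 4:off + plen]))
        nextp, off = following, off + plen
    return header, payloads


def parse_notification(body):
    """Decode a Notification payload body (the part after the generic payload header)."""
    if len(body) < 8:
        raise ValueError("truncated Notification payload")
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
    spi = body[8:8 + spi_size]
    if len(spi) != spi_size:
        raise ValueError("SPI size %d exceeds payload" % spi_size)
    return dict(doi=doi, protocol=proto, notify_type=ntype, spi=spi,
                data=body[8 + spi_size:])


def check_notify_cookies(pkt):
    """For a notification about the ISAKMP SA itself (protocol ID 1), return
    (notify type, True if its 16-byte SPI equals the header's cookie pair)."""
    header, payloads = parse_isakmp(pkt)
    for ptype, body in payloads:
        if ptype != NEXT_PAYLOAD_NOTIFICATION:
            continue
        n = parse_notification(body)
        if n["protocol"] == PROTO_ISAKMP and len(n["spi"]) == 16:
            matches = n["spi"] == header["icookie"] + header["rcookie"]
            return n["notify_type"], matches
    return None, False


# Frame 3 of the dump, rebuilt from its printed field values.
FRAME3 = build_notify_packet(INIT_COOKIE, RESP_COOKIE, FRAME3_MSG_ID,
                             NOTIFY_INVALID_COOKIE, INIT_COOKIE + RESP_COOKIE)

if __name__ == "__main__":
    ntype, same = check_notify_cookies(FRAME3)
    print("notify type %d, SPI equals header cookies: %s" % (ntype, same))
    print("SPI bytes:", FRAME3[-16:].hex())
```

For a Notification whose Protocol ID is ISAKMP, RFC 2408 defines the SPI field as the initiator/responder cookie pair, so the SPI matching the header only identifies which ISAKMP SA the notify refers to; the bytes in frame 3 say nothing about why the peer considered a cookie invalid, and the next place to look is the responder's pluto log for that exchange.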