Lab setup: Windows Server 2008 R2 running CA, DC, NDES roles.
Client: Embedded Linux device with strongSwan 5.1.1 and openssl.
I have successfully configured NDES and SCEP, and enrolled a machine certificate on the client.
On the server an IPsec policy is assigned (3DES, SHA1, DH group 2). Firewall is disabled.
IPsec transport mode is chosen and the server/client are on the same net.
Ping from server to client correctly establishes the SA. All good.
Now comes the problem: when the client sends the IKE_SA_INIT message, no response is returned (using Wireshark).
On the server the audit event log lists Event 4653:
============================================
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name:-
Network Address:192.168.0.2
Keying Module Port:500
Remote Endpoint:
Principal Name:-
Network Address:192.168.0.3
Keying Module Port:500
Additional Information:
Keying Module Name:IKEv2
Authentication Method:Unknown authentication
Role:Responder
Impersonation State:Not enabled
Main Mode Filter ID:0
Failure Information:
Failure Point:Local computer
Failure Reason:No policy configured
State: No state
Initiator Cookie:5ac3b111d55ad243
Responder Cookie:f467fab69613cf7c
The machine certificate looks like this (notice the added enhanced key usages, server and client auth, which I understand are required):
============================================
# openssl x509 -text -inform DER -in /etc/ipsec.d/certs/fccCert.der
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:8a:98:ac:00:00:00:00:00:0c
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=net, DC=lmhlab, CN=LMH-WIN2008R2-CA
Validity
Not Before: Feb 3 09:33:56 2014 GMT
Not After : Feb 3 09:33:56 2016 GMT
Subject: C=CH, O=Linux, CN=CPB529-2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
<cut>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
email:lmh@doms.dk
X509v3 Subject Key Identifier:
A2:54:A9:A3:E3:DC:C6:F0:0D:ED:B9:87:37:42:82:6A:62:4D:E6:75
X509v3 Authority Key Identifier:
keyid:DE:17:51:17:28:69:C3:10:E2:00:26:D7:0D:A8:A9:25:A0:E4:CA:3D
X509v3 CRL Distribution Points:
URI:ldap:///CN=LMH-WIN2008R2-CA,CN=LMH-WIN2008R2DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
Authority Information Access:
CA Issuers - URI:ldap:///CN=LMH-WIN2008R2-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lmhlab,DC=net?cACertificate?base?objectClass=certificationAuthority
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.7:
0-.%+.....7........Z...&...Y...d.A..m...?..d...
X509v3 Extended Key Usage:
1.3.6.1.4.1.311.20.2.1, TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2, TLS Web Client Authentication
1.3.6.1.4.1.311.21.10:
020..
+.....7...0
..+.......0
..+.......0
..+.......
Signature Algorithm: sha1WithRSAEncryption
<cut>
-----BEGIN CERTIFICATE-----
<cut>
-----END CERTIFICATE-----
The IKE_SA_INIT request looks like:
============================================
No. Time Source Destination Protocol Length Info
89550 504103.645307 192.168.0.3 192.168.0.2 ISAKMP 650 IKE_SA_INIT
Frame 89550: 650 bytes on wire (5200 bits), 650 bytes captured (5200 bits)
Arrival Time: Feb 5, 2014 09:53:52.767787000 Romance Standard Time
Epoch Time: 1391590432.767787000 seconds
[Time delta from previous captured frame: 10.834437000 seconds]
[Time delta from previous displayed frame: 409.652542000 seconds]
[Time since reference or first frame: 504103.645307000 seconds]
Frame Number: 89550
Frame Length: 650 bytes (5200 bits)
Capture Length: 650 bytes (5200 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Doms_00:ab:c7 (00:50:55:00:ab:c7), Dst: CadmusCo_51:94:77 (08:00:27:51:94:77)
Destination: CadmusCo_51:94:77 (08:00:27:51:94:77)
Address: CadmusCo_51:94:77 (08:00:27:51:94:77)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Doms_00:ab:c7 (00:50:55:00:ab:c7)
Address: Doms_00:ab:c7 (00:50:55:00:ab:c7)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.0.3 (192.168.0.3), Dst: 192.168.0.2 (192.168.0.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 636
Identification: 0x0000 (0)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xb71b [correct]
[Good: True]
[Bad: False]
Source: 192.168.0.3 (192.168.0.3)
Destination: 192.168.0.2 (192.168.0.2)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 616
Checksum: 0x0043 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 5ac3b111d55ad243
Responder cookie: 0000000000000000
Next payload: Security Association (33)
Version: 2.0
Exchange type: IKE_SA_INIT (34)
Flags: 0x08
.... 1... = Initiator: Initiator
...0 .... = Version: No higher version
..0. .... = Response: Request
Message ID: 0x00000000
Length: 608
Type Payload: Security Association (33)
Next payload: Key Exchange (34)
0... .... = Critical Bit: Not Critical
Payload length: 352
Type Payload: Proposal (2) # 1
Next payload: Proposal (2)
0... .... = Critical Bit: Not Critical
Payload length: 40
Proposal number: 1
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 4
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Encryption Algorithm (ENCR) (1)
Transform ID (ENCR): ENCR_3DES (3)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_SHA1 (2)
Type Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Alternate 1024-bit MODP group (2)
Type Payload: Proposal (2) # 2
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not Critical
Payload length: 308
Proposal number: 2
Protocol ID: IKE (1)
SPI Size: 0
Proposal transforms: 36
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Encryption Algorithm (ENCR) (1)
Transform ID (ENCR): ENCR_3DES (3)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform IKE2 Attribute Type (t=14,l=2) Key-Length : 128
1... .... .... .... = Transform IKE2 Format: Type/Value (TV)
Transform IKE2 Attribute Type: Key-Length (14)
Value: 0080
Key Length: 128
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform IKE2 Attribute Type (t=14,l=2) Key-Length : 192
1... .... .... .... = Transform IKE2 Format: Type/Value (TV)
Transform IKE2 Attribute Type: Key-Length (14)
Value: 00c0
Key Length: 192
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 12
Transform Type: Encryption Algorithm (ENCR) (1)
Transform ID (ENCR): ENCR_AES_CBC (12)
Transform IKE2 Attribute Type (t=14,l=2) Key-Length : 256
1... .... .... .... = Transform IKE2 Format: Type/Value (TV)
Transform IKE2 Attribute Type: Key-Length (14)
Value: 0100
Key Length: 256
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_MD5_96 (1)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_AES_XCBC_96 (5)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_AES_CMAC_96 (8)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_SHA2_256_128 (12)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_SHA2_384_192 (13)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Integrity Algorithm (INTEG) (3)
Transform ID (INTEG): AUTH_HMAC_SHA2_512_256 (14)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_MD5 (1)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_SHA1 (2)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_AES128_CBC (4)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_SHA2_384 (6)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_HMAC_SHA2_512 (7)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Pseudo-random Function (PRF) (2)
Transform ID (PRF): PRF_AES128_CMAC6 (8)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Alternate 1024-bit MODP group (2)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 1536 bit MODP group (5)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 2048 bit MODP group (14)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 3072 bit MODP group (15)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 4096 bit MODP group (16)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 8192 bit MODP group (18)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 256-bit random ECP group (19)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 384-bit random ECP group (20)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 521-bit random ECP group (21)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 1024-bit MODP Group with 160-bit Prime Order Subgroup (22)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 2048-bit MODP Group with 224-bit Prime Order Subgroup (23)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 2048-bit MODP Group with 256-bit Prime Order Subgroup (24)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 192-bit Random ECP Group (25)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): 224-bit Random ECP Group (26)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Unknown (27)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Unknown (28)
Type Payload: Transform (3)
Next payload: Transform (3)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Unknown (29)
Type Payload: Transform (3)
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not Critical
Payload length: 8
Transform Type: Diffie-Hellman Group (D-H) (4)
Transform ID (D-H): Unknown (30)
Type Payload: Key Exchange (34)
Next payload: Nonce (40)
0... .... = Critical Bit: Not Critical
Payload length: 136
DH Group #: Alternate 1024-bit MODP group (2)
Key Exchange Data: 488bf42e98dcb8a37e86e1a25964ed9b41948c941ad2d296...
Type Payload: Nonce (40)
Next payload: Notify (41)
0... .... = Critical Bit: Not Critical
Payload length: 36
Nonce DATA: 5bfaeebc0a0c9f01cb6a75a8a088429b684fd7d158bec7e8...
Type Payload: Notify (41)
Next payload: Notify (41)
0... .... = Critical Bit: Not Critical
Payload length: 28
Protocol ID: RESERVED (0)
SPI Size: 0
Notify Message Type: NAT_DETECTION_SOURCE_IP (16388)
Notification DATA: 1575bc35e95f2cb05722320f7a3d5e0db6a7a58d
Type Payload: Notify (41)
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not Critical
Payload length: 28
Protocol ID: RESERVED (0)
SPI Size: 0
Notify Message Type: NAT_DETECTION_DESTINATION_IP (16389)
Notification DATA: efd4ca3ddcf8776889bbe21344e0116a0cf19784
I guess my configuration is somehow wrong, but I can't figure out what. Any help is greatly appreciated.
Thanks and regards,
Lars
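As an added example (not code from the original post, from strongSwan or from Windows), the following Python parses an IKEv2 SA payload in the wire format dissected above and checks whether any proposal offers every transform a responder policy requires. The sample bytes are constructed from the dissected values of proposal 1 with a shortened stand-in for proposal 2, and the AES_POLICY is hypothetical; against the policy stated in the post (3DES, SHA1, DH group 2) proposal 1 matches, which helps separate a crypto-proposal mismatch from the other reasons a responder stays silent.

```python
"""Parse an IKEv2 SA payload (RFC 7296 s.3.3) and match it to a responder policy."""
import struct

# Transform types from RFC 7296, section 3.3.2
ENCR, PRF, INTEG, DH = 1, 2, 3, 4
KEY_LENGTH_ATTR = 14  # "Key Length" attribute, always in TV format


def parse_transform(buf, off):
    """Return (end_off, is_last, ttype, tid, key_len) for one transform."""
    last, _r, length, ttype, _r2, tid = struct.unpack_from("!BBHBBH", buf, off)
    if length < 8 or off + length > len(buf):
        raise ValueError("bad transform length %d at offset %d" % (length, off))
    pos, end, key_len = off + 8, off + length, None
    while pos < end:
        atype, avalue = struct.unpack_from("!HH", buf, pos)
        if atype & 0x8000:                       # TV: high bit set, 2-byte value
            if atype & 0x7FFF == KEY_LENGTH_ATTR:
                key_len = avalue
            pos += 4
        else:                                    # TLV: avalue is the value length
            pos += 4 + avalue
    if pos != end:
        raise ValueError("attributes overrun transform at offset %d" % off)
    return end, last == 0, ttype, tid, key_len


def parse_sa_payload(buf):
    """Parse generic payload header plus proposals; return a list of dicts
    {"num", "protocol", "spi", "transforms": {ttype: [(tid, key_len), ...]}}."""
    _next, _flags, plen = struct.unpack_from("!BBH", buf, 0)
    if plen != len(buf):
        raise ValueError("payload length %d != buffer length %d" % (plen, len(buf)))
    proposals, off = [], 4
    while off < plen:
        last, _r, length, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", buf, off)
        if length < 8 + spi_size or off + length > plen:
            raise ValueError("bad proposal length %d at offset %d" % (length, off))
        spi = buf[off + 8:off + 8 + spi_size]
        pos, end, transforms = off + 8 + spi_size, off + length, {}
        for i in range(ntrans):
            pos, is_last, ttype, tid, key_len = parse_transform(buf, pos)
            transforms.setdefault(ttype, []).append((tid, key_len))
            if is_last != (i == ntrans - 1):
                raise ValueError("transform count mismatch in proposal %d" % num)
        if pos != end:
            raise ValueError("proposal %d length disagrees with transforms" % num)
        proposals.append({"num": num, "protocol": proto, "spi": spi,
                          "transforms": transforms})
        off = end
        if last == 0:
            break
    if off != plen:
        raise ValueError("trailing bytes after last proposal")
    return proposals


def select_proposal(proposals, policy):
    """Return (proposal_num, chosen) for the first proposal offering every
    transform in `policy` ({ttype: (tid, key_len)}), else None.  A responder
    picks one transform per type, so each required pair must be among the offers."""
    for p in proposals:
        chosen = {}
        for ttype, want in policy.items():
            if want not in p["transforms"].get(ttype, []):
                break
            chosen[ttype] = want
        else:
            return p["num"], chosen
    return None


# Constructed sample: proposal 1 byte-for-byte as dissected in the capture above, then a
# shortened stand-in for proposal 2 keeping one AES-CBC transform with its Key Length attribute.
SAMPLE_SA = bytes.fromhex(
    "22 00 00 68"                          # next payload KE (34), length 104
    "02 00 00 28 01 01 00 04"              # proposal 1: more follow, len 40, IKE, 4 transforms
    "03 00 00 08 01 00 00 03"              #   ENCR  3DES
    "03 00 00 08 03 00 00 02"              #   INTEG HMAC_SHA1_96
    "03 00 00 08 02 00 00 02"              #   PRF   HMAC_SHA1
    "00 00 00 08 04 00 00 02"              #   DH    MODP-1024, last transform
    "00 00 00 3c 02 01 00 06"              # proposal 2: last, len 60, IKE, 6 transforms
    "03 00 00 08 01 00 00 03"              #   ENCR  3DES
    "03 00 00 0c 01 00 00 0c 80 0e 00 80"  #   ENCR  AES_CBC, Key Length 128 (TV attr)
    "03 00 00 08 03 00 00 02"              #   INTEG HMAC_SHA1_96
    "03 00 00 08 02 00 00 02"              #   PRF   HMAC_SHA1
    "03 00 00 08 04 00 00 02"              #   DH    MODP-1024
    "00 00 00 08 04 00 00 0e"              #   DH    MODP-2048, last transform
)

# Policy stated in the post (3DES, SHA1, DH group 2) and a hypothetical AES-only policy.
SERVER_POLICY = {ENCR: (3, None), INTEG: (2, None), PRF: (2, None), DH: (2, None)}
AES_POLICY = {ENCR: (12, 128), INTEG: (2, None), PRF: (2, None), DH: (14, None)}

if __name__ == "__main__":
    props = parse_sa_payload(SAMPLE_SA)
    print(select_proposal(props, SERVER_POLICY), select_proposal(props, AES_POLICY))
```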