[vpn-devel] ECDSA certificate crashes iked

kordex kordex at gmail.com
Mon Oct 14 09:22:11 CDT 2013


Hello,

I am using mutual RSA + XAuth with an ECDSA certificate with NetScreen
ScreenOS v 6.2.9.

This setup crashes iked.

The cert was created with a key which has ECC type sect571r1.

Like: openssl ecparam -out ec_key.key -name sect571r1 -genkey

Then signed as usual with the CA. ca.crt is RSA type.

After this, iked has to be restarted manually in order to recover.

Also, the VPN gateway uses an ECC certificate.

<EventData>
   <Data>iked.exe</Data>
   <Data>0.0.0.0</Data>
   <Data>4c9fc837</Data>
   <Data>iked.exe</Data>
   <Data>0.0.0.0</Data>
   <Data>4c9fc837</Data>
   <Data>c0000005</Data>
   <Data>000225b4</Data>
   <Data>1688</Data>
   <Data>01cec8e57e18af40</Data>
   <Data>C:\Program Files\ShrewSoft\VPN Client\iked.exe</Data>
   <Data>C:\Program Files\ShrewSoft\VPN Client\iked.exe</Data>
   <Data>be5d59c0-34d8-11e3-adc0-ee747f38d1db</Data>
</EventData>
</Event>


13/10/14 16:58:42 ## : IKE Daemon, ver 2.1.7
13/10/14 16:58:42 ## : Copyright 2010 Shrew Soft Inc.
13/10/14 16:58:42 ## : This product linked OpenSSL 0.9.8h 28 May 2008
13/10/14 16:58:42 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
13/10/14 16:58:42 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
13/10/14 16:58:42 ii : rebuilding vnet device list ...
13/10/14 16:58:43 ii : device ROOT\VNET\0001 disabled
13/10/14 16:58:43 ii : device ROOT\VNET\0000 disabled

13/10/14 16:58:43 ii : network process thread begin ...
13/10/14 16:58:43 ii : pfkey process thread begin ...
13/10/14 16:58:43 ii : ipc server process thread begin ...
13/10/14 16:58:47 ii : ipc client process thread begin ...
13/10/14 16:58:47 <A : peer config add message
13/10/14 16:58:47 DB : peer added ( obj count = 1 )
13/10/14 16:58:47 ii : local address 192.168.122.8 selected for peer
13/10/14 16:58:47 DB : tunnel added ( obj count = 1 )
13/10/14 16:58:47 <A : proposal config message
13/10/14 16:58:47 <A : proposal config message
13/10/14 16:58:47 <A : client config message
13/10/14 16:58:47 <A : xauth username message
13/10/14 16:58:47 <A : xauth password message
13/10/14 16:58:47 <A : local id 'username.domain.tld' message
13/10/14 16:58:47 <A : remote cert 'C:\Users\username\Desktop\ca.crt' message
13/10/14 16:58:47 ii : 'C:\Users\username\Desktop\ca.crt' loaded
13/10/14 16:58:47 <A : local cert 'C:\Users\username\Desktop\username.domain.tld.crt' message
13/10/14 16:58:47 ii : 'C:\Users\username\Desktop\username.domain.tld.crt' loaded
13/10/14 16:58:47 <A : local key 'C:\Users\username\Desktop\username.domain.tld.key' message
13/10/14 16:58:47 ii : 'C:\Users\username\Desktop\username.domain.tld.key' loaded
13/10/14 16:58:47 <A : remote resource message
13/10/14 16:58:47 <A : peer tunnel enable message
13/10/14 16:58:47 DB : new phase1 ( ISAKMP initiator )
13/10/14 16:58:47 DB : exchange type is aggressive
13/10/14 16:58:47 DB : 192.168.122.8:500 <-> 321.321.312.321:500
13/10/14 16:58:47 DB : ##
13/10/14 16:58:47 DB : phase1 added ( obj count = 1 )
13/10/14 16:58:47 >> : security association payload
13/10/14 16:58:47 >> : - proposal #1 payload
13/10/14 16:58:47 >> : -- transform #1 payload
13/10/14 16:58:47 >> : key exchange payload
13/10/14 16:58:47 >> : nonce payload
13/10/14 16:58:47 >> : cert request payload
13/10/14 16:58:47 >> : identification payload
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local supports XAUTH
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local supports nat-t ( draft v00 )
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local supports nat-t ( draft v01 )
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local supports nat-t ( draft v02 )
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local supports nat-t ( draft v03 )
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local supports nat-t ( rfc )
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local supports FRAGMENTATION
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local supports DPDv1
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local is SHREW SOFT compatible
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local is NETSCREEN compatible
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local is SIDEWINDER compatible
13/10/14 16:58:47 >> : vendor id payload
13/10/14 16:58:47 ii : local is CISCO UNITY compatible
13/10/14 16:58:47 >= : cookies ##
13/10/14 16:58:47 >= : message 00000000
13/10/14 16:58:47 -> : send IKE packet 192.168.122.8:500 -> 321.321.312.321:500 ( 537 bytes )
13/10/14 16:58:47 DB : phase1 resend event scheduled ( ref count = 2 )
13/10/14 16:58:47 <- : recv IKE packet 321.321.312.321:500 -> 192.168.122.8:500 ( 2079 bytes )
13/10/14 16:58:47 DB : phase1 found
13/10/14 16:58:47 ii : processing phase1 packet ( 2079 bytes )
13/10/14 16:58:47 =< : cookies ##
13/10/14 16:58:47 =< : message 00000000
13/10/14 16:58:47 << : security association payload
13/10/14 16:58:47 << : - propsal #1 payload
13/10/14 16:58:47 << : -- transform #1 payload
13/10/14 16:58:47 ii : matched isakmp proposal #1 transform #1
13/10/14 16:58:47 ii : - transform    = ike
13/10/14 16:58:47 ii : - cipher type  = aes
13/10/14 16:58:47 ii : - key length   = 128 bits
13/10/14 16:58:47 ii : - hash type    = sha1
13/10/14 16:58:47 ii : - dh group     = modp-1024
13/10/14 16:58:47 ii : - auth type    = xauth-initiator-rsa
13/10/14 16:58:47 ii : - life seconds = 86400
13/10/14 16:58:47 ii : - life kbytes  = 0
13/10/14 16:58:47 << : vendor id payload
13/10/14 16:58:47 ii : unknown vendor id ( 28 bytes )
13/10/14 16:58:47 0x : ##
13/10/14 16:58:47 << : vendor id payload
13/10/14 16:58:47 ii : peer supports XAUTH
13/10/14 16:58:47 << : vendor id payload
13/10/14 16:58:47 ii : peer supports DPDv1
13/10/14 16:58:47 << : vendor id payload
13/10/14 16:58:47 ii : peer supports HEARTBEAT-NOTIFY
13/10/14 16:58:47 << : key exchange payload
13/10/14 16:58:47 << : nonce payload
13/10/14 16:58:47 << : identification payload
13/10/14 16:58:47 ii : phase1 id match ( natt prevents ip match )
13/10/14 16:58:47 ii : received = ipv4-host 321.321.312.321
13/10/14 16:58:47 << : certificate payload
13/10/14 16:58:47 << : cert request payload
13/10/14 16:58:47 << : vendor id payload
13/10/14 16:58:47 ii : peer supports nat-t ( draft v02 )
13/10/14 16:58:47 << : nat discovery payload
13/10/14 16:58:47 << : nat discovery payload
13/10/14 16:58:47 << : signature payload
13/10/14 16:58:47 ii : nat discovery - local address is translated
13/10/14 16:58:47 ii : switching to src nat-t udp port 4500
13/10/14 16:58:47 ii : switching to dst nat-t udp port 4500
13/10/14 16:58:47 == : DH shared secret ( 128 bytes )
13/10/14 16:58:47 == : SETKEYID ( 20 bytes )
13/10/14 16:58:47 == : SETKEYID_d ( 20 bytes )
13/10/14 16:58:47 == : SETKEYID_a ( 20 bytes )
13/10/14 16:58:47 == : SETKEYID_e ( 20 bytes )
13/10/14 16:58:47 == : cipher key ( 16 bytes )
13/10/14 16:58:47 == : cipher iv ( 16 bytes )
13/10/14 16:58:47 >> : certificate payload
13/10/14 16:58:47 == : phase1 hash_i ( computed ) ( 20 bytes )

-Mikko
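
Added triage example, not part of the original post and not Shrew Soft code: it re-joins mail-wrapped iked.log lines, pulls the negotiated auth type, and reports the last event written before the log stops. The function names and the operator-supplied `key_algorithm` argument are assumptions of this example; the sample lines are constructed from the log above.

```python
import re

# Layout seen in the posted iked.log: timestamp, two-character class tag, message.
LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")
PARAM = re.compile(r"- ([a-z ]+?)\s*= (.+)$")

# Constructed sample: lines copied from the log above, including one wrapped line.
SAMPLE = r"""
13/10/14 16:58:47 <A : local key
'C:\Users\username\Desktop\username.domain.tld.key' message
13/10/14 16:58:47 ii : - dh group     = modp-1024
13/10/14 16:58:47 ii : - auth type    = xauth-initiator-rsa
13/10/14 16:58:47 << : signature payload
13/10/14 16:58:47 >> : certificate payload
13/10/14 16:58:47 == : phase1 hash_i ( computed ) ( 20 bytes )
"""

def parse(log_text):
    """Return (timestamp, tag, message) records, re-joining wrapped lines."""
    records = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            records.append(list(m.groups()))
        elif raw.strip() and records:
            # No timestamp: continuation of a line wrapped by the mail client.
            records[-1][2] += " " + raw.strip()
    return [tuple(r) for r in records]

def triage(log_text, key_algorithm):
    """key_algorithm is supplied by the operator (assumed values: "EC", "RSA")."""
    records = parse(log_text)
    params = {}
    for _, tag, msg in records:
        m = PARAM.match(msg)
        if tag == "ii" and m:
            params[m.group(1)] = m.group(2)
    auth = params.get("auth type")
    return {
        "auth_type": auth,
        "last_event": records[-1] if records else None,
        # RSA signature auth negotiated while the local key is not RSA.
        "key_mismatch": bool(auth) and "rsa" in auth and key_algorithm.upper() != "RSA",
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "EC"))
```
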