iked "failed to get dh secret"

iked "failed to get dh secret"

Adam Van Ymeren
I've been trying to set up a VPN for my Android device using strongSwan and iked.

When I try to initiate the connection from my device the SA never gets
established.  I see this in the log:
Here's the logs from iked -dvv

ikev2_recv: IKE_SA_INIT request from initiator <device-ip>:54158 to
65.19.130.43:500 policy 'policy1' id 0, 1012 bytes
ikev2_recv: ispi 0xedd37e5e75d328e5 rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/65.19.130.43 length 8
ikev2_pld_parse: header ispi 0xedd37e5e75d328e5 rspi
0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT
flags 0x08 msgid 0 length 1012 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 604
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 292 proposal #1 protoid IKE
spisize 0 xforms 34 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_MD5
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_224
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1024_160
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_224
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_192
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P224R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id BRAINPOOL_P512R1
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xedd37e5e75d328e5 0x0000000000000000
184.151.36.170:54158
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP
encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xedd37e5e75d328e5
0x0000000000000000 65.19.130.43:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type <UNKNOWN:16430>
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 16
ikev2_pld_notify: protoid NONE spisize 0 type <UNKNOWN:16431>
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 -> 0x10 sa (required 0x00 )
ikev2_sa_keys: failed to get dh secret group 24 len 256 secret 256 exchange 256
ikev2_resp_recv: failed to get IKE SA keys
sa_state: SA_INIT -> CLOSED from any to any policy 'policy1'

Re: iked "failed to get dh secret"

Adam Van Ymeren
On Mon, Oct 19, 2015 at 12:09 PM, Adam Van Ymeren <[hidden email]> wrote:
> I've been trying to set up a VPN for my Android device using strongSwan and iked.
>
> When I try to initiate the connection from my device the SA never gets
> established.  I see this in the log:
> Here's the logs from iked -dvv

God damn Gmail keyboard shortcuts, sent before I was finished.  The
relevant part of the log appears to be:

ikev2_sa_keys: failed to get dh secret group 24 len 256 secret 256 exchange 256
ikev2_resp_recv: failed to get IKE SA keys

Not sure how to debug this further.  Any thoughts what would trigger this error?
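
Added example, not part of the original posts and not iked's own code: a small triage script that reads `iked -dvv` output, takes the DH group named in the `ikev2_pld_ke` line and the group number in the `failed to get dh secret` line, and reports whether the two refer to the same group. The name-to-number table is the IANA IKEv2 registry; `triage`, `SAMPLE_LOG` and the result keys are names chosen for this example.

```python
import re

# IANA IKEv2 Diffie-Hellman group numbers (Transform Type 4) for the
# group names iked printed in the proposal above.
DH_GROUP_IDS = {
    "MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14, "MODP_3072": 15,
    "MODP_4096": 16, "MODP_8192": 18, "ECP_256": 19, "ECP_384": 20,
    "ECP_521": 21, "MODP_1024_160": 22, "MODP_2048_224": 23,
    "MODP_2048_256": 24, "ECP_192": 25, "ECP_224": 26,
    "BRAINPOOL_P224R1": 27, "BRAINPOOL_P256R1": 28,
    "BRAINPOOL_P384R1": 29, "BRAINPOOL_P512R1": 30,
}
ID_TO_NAME = {num: name for name, num in DH_GROUP_IDS.items()}

KE_RE = re.compile(r"ikev2_pld_ke: dh group (\S+)")
FAIL_RE = re.compile(r"ikev2_sa_keys: failed to get dh secret group (\d+)")

# Two lines copied from the log in the post, used as sample input.
SAMPLE_LOG = """\
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_sa_keys: failed to get dh secret group 24 len 256 secret 256 exchange 256
"""

def triage(log_text):
    """Return one finding per 'failed to get dh secret' line."""
    findings, ke_group = [], None
    for line in log_text.splitlines():
        ke = KE_RE.search(line)
        if ke:
            ke_group = ke.group(1)      # group the peer's KE payload used
            continue
        fail = FAIL_RE.search(line)
        if not fail:
            continue
        used_id = int(fail.group(1))    # group number in the failure line
        ke_id = DH_GROUP_IDS.get(ke_group)
        findings.append({
            "ke_payload_group": ke_group,
            "ke_payload_id": ke_id,
            "failure_group_id": used_id,
            "failure_group": ID_TO_NAME.get(used_id, "unknown"),
            # None when no (known) KE line preceded the failure
            "groups_differ": None if ke_id is None else ke_id != used_id,
        })
        ke_group = None                 # next exchange starts fresh
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Log lines that a mail client has hard-wrapped need to be rejoined before they are passed to `triage`, since both patterns match within a single line.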