PIX 8.0(3) <-> openswan 2.4.6 rekey issue with cert authentication
a customer uses openswan 2.4.6-k261805-netkey to establish a site-to-site VPN to our Cisco PIX running OS 8.0(3). Certificates are used to authenticate the connection.
Unfortunately we have some troubles when the connection needs to be rekeyd. It seems the PIX sends the FQDN upon the first connection attempt and the DN when rekeying (the log file of openswan shows this).
On the PIX we configured properly "isakmp identity auto" which means (according to doc) it should use the FQDN/IP-Address for pre-shared-key authentication and the cert DN for certificate based authentication.
I think there might be a bug in IOS... maybe somebody else can confirm this issue or can give me a hint how to resolve it.
Cisco log on rekeying:
%PIX-5-713041: IP = xxx.xxx.xxx.xxx, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer xxx.xxx.xxx.xxx local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
%PIX-5-713201: IP = xxx.xxx.xxx.xxx, Duplicate Phase 1 packet detected. Retransmitting last packet.
%PIX-6-713905: IP = xxx.xxx.xxx.xxx, P1 Retransmit msg dispatched to MM FSM
%PIX-4-713903: IP = xxx.xxx.xxx.xxx, Header invalid, missing SA payload! (next payload = 4)
%PIX-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x73C9CD6D) between xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx (user= xxx.xxx.xxx.xxx) has been deleted.
%PIX-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8B98E224) between xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx (user= xxx.xxx.xxx.xxx) has been deleted.
%PIX-3-713902: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Removing peer from peer table failed, no match!
%PIX-4-713903: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...