Unable to connect to VNXe3200 via IPMITool. RAKP 2 HMAC is invalid #344

Open
Rennekww opened this issue Jun 8, 2022 · 2 comments
Rennekww commented Jun 8, 2022

Good afternoon.
I can't connect to the SPA storage process at VNXe3200.

Using IPMITool version 1.8.18, compiled on Windows 7. I'm trying to connect from another PC, this one running Windows 10.

Below is the information displayed when trying to connect.

c:\ipmitool>ipmitool.exe -vvv -I lanplus -C3 -U console -P FCNBC152200435 -H 128.221.1.252 sol activate
ipmitool version 1.8.18

Loading IANA PEN Registry...
IANA PEN registry open failed: No such file or directory

Sending IPMI command payload
netfn : 0x06
command : 0x38
data : 0x8e 0x04

BUILDING A v1.5 COMMAND

IPMI Request Session Header
Authtype : NONE
Sequence : 0x00000000
Session ID : 0x00000000
IPMI Request Message Header
Rs Addr : 20
NetFn : 06
Rs LUN : 0
Rq Addr : 81
Rq Seq : 00
Rq Lun : 0
Command : 38
<< IPMI Response Session Header
<< Authtype : NONE
<< Payload type : IPMI (0)
<< Session ID : 0x00000000
<< Sequence : 0x00000000
<< IPMI Msg/Payload Length : 16
<< IPMI Response Message Header
<< Rq Addr : 81
<< NetFn : 07
<< Rq LUN : 0
<< Rs Addr : 20
<< Rq Seq : 00
<< Rs Lun : 0
<< Command : 38
<< Compl Code : 0x00
SENDING AN OPEN SESSION REQUEST

<<OPEN SESSION RESPONSE
<< Message tag : 0x00
<< RMCP+ status : no errors
<< Maximum privilege level : admin
<< Console Session ID : 0xa0a2a3a4
<< BMC Session ID : 0x0200ca00
<< Negotiated authenticatin algorithm : hmac_sha1
<< Negotiated integrity algorithm : hmac_sha1_96
<< Negotiated encryption algorithm : aes_cbc_128

Console generated random number (16 bytes)
31 71 78 c4 cc 44 3b 45 95 bb cc 45 93 77 9a e3
SENDING A RAKP 1 MESSAGE

<<RAKP 2 MESSAGE
<< Message tag : 0x00
<< RMCP+ status : no errors
<< Console Session ID : 0xa0a2a3a4
<< BMC random number : 0x5e0c4cb451702dd2d188ddea78bdb136
<< BMC GUID : 0x20000102027f00000000000000000000
<< Key exchange auth code [sha1] : 0x167046d02953f9fe32674e602587b72afbe98970

bmc_rand (16 bytes)
5e 0c 4c b4 51 70 2d d2 d1 88 dd ea 78 bd b1 36

rakp2 mac input buffer (65 bytes)
a4 a3 a2 a0 00 ca 00 02 31 71 78 c4 cc 44 3b 45
95 bb cc 45 93 77 9a e3 5e 0c 4c b4 51 70 2d d2
d1 88 dd ea 78 bd b1 36 20 00 01 02 02 7f 00 00
00 00 00 00 00 00 00 00 14 07 63 6f 6e 73 6f 6c
65
rakp2 mac key (20 bytes)
46 43 4e 42 43 31 35 32 32 30 30 34 33 35 00 00
00 00 00 00
rakp2 mac as computed by the remote console (20 bytes)
db 31 b2 22 a2 55 56 f7 d1 28 b5 9b fb d6 49 71
27 e5 d4 0f
RAKP 2 HMAC is invalid
Error: Unable to establish IPMI v2 / RMCP+ session
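
The check that fails in the trace above, reproduced as an added example (not part of the original post and not ipmitool's code): it rebuilds the 65-byte RAKP 2 MAC input from the logged fields and recomputes the HMAC with the zero-padded password as key. The function and constant names are assumptions of this example; every value is copied from the -C3 trace.

```python
import hashlib
import hmac
import struct


def rakp2_mac_input(console_sid, bmc_sid, console_rand, bmc_rand, bmc_guid,
                    role, username):
    """Lay out the fields in the order of the 'rakp2 mac input buffer' dump."""
    return (struct.pack("<II", console_sid, bmc_sid)  # session IDs, little-endian
            + console_rand + bmc_rand + bmc_guid
            + bytes([role, len(username)]) + username)


def rakp2_check(password, mac_input, bmc_auth_code, digest=hashlib.sha1):
    """Recompute the console-side HMAC; return (digest, matches_bmc)."""
    # 'rakp2 mac key (20 bytes)' in the trace: the password, zero-padded to 20 bytes
    key = password[:20].ljust(20, b"\x00")
    mac = hmac.new(key, mac_input, digest).digest()
    # Constant-time comparison against the BMC's 'Key exchange auth code'
    return mac, hmac.compare_digest(mac, bmc_auth_code)


# Values copied from the -C3 trace in the post above.
TRACE_C3 = dict(
    console_sid=0xA0A2A3A4,
    bmc_sid=0x0200CA00,
    console_rand=bytes.fromhex("317178c4cc443b4595bbcc4593779ae3"),
    bmc_rand=bytes.fromhex("5e0c4cb451702dd2d188ddea78bdb136"),
    bmc_guid=bytes.fromhex("20000102027f00000000000000000000"),
    role=0x14,
    username=b"console",
)
PASSWORD = b"FCNBC152200435"
BMC_AUTH_CODE = bytes.fromhex("167046d02953f9fe32674e602587b72afbe98970")
LOGGED_INPUT = bytes.fromhex(  # 'rakp2 mac input buffer (65 bytes)' from the trace
    "a4a3a2a000ca0002317178c4cc443b4595bbcc4593779ae3"
    "5e0c4cb451702dd2d188ddea78bdb136"
    "20000102027f00000000000000000000"
    "1407636f6e736f6c65"
)

if __name__ == "__main__":
    buf = rakp2_mac_input(**TRACE_C3)
    mac, ok = rakp2_check(PASSWORD, buf, BMC_AUTH_CODE)
    print("input matches logged buffer:", buf == LOGGED_INPUT)
    print("console HMAC:", mac.hex())
    print("matches BMC auth code:", ok)
```

The printed console HMAC is the value to compare with the trace's "rakp2 mac as computed by the remote console" line. Passing `digest=hashlib.sha256` covers a trace that negotiated `hmac_sha256`.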

@AlexanderAmelkin
Contributor

@Rennekww It looks to me like your BMC is returning a wrong RAKP2 HMAC key.

Please try an up-to-date source from GitHub rather than some old 1.8.18.

Also try to experiment with different cipher suites (the -c option).

@Rennekww
Author

Rennekww commented Jun 8, 2022

I took the sources from here: https://github.com/ipmitool/ipmitool, just recently, 3 days ago.
I tried connections from C0 to C17.

C0:
c:\ipmitool>ipmitool.exe -vvvvvv -I lanplus -C0 -U console -P FCNBC152200435 -H 128.221.1.252 sol activate
ipmitool version 1.8.18

Loading IANA PEN Registry...
IANA PEN registry open failed: No such file or directory
Allocating 3 entries
[ 1] 16777214 | A Debug Assisting Company, Ltd.
[ 0] 1048575 | Unspecified

Sending IPMI command payload
netfn : 0x06
command : 0x38
data : 0x8e 0x04

BUILDING A v1.5 COMMAND
added list entry seq=0x00 cmd=0x38

IPMI Request Session Header
Authtype : NONE
Sequence : 0x00000000
Session ID : 0x00000000
IPMI Request Message Header
Rs Addr : 20
NetFn : 06
Rs LUN : 0
Rq Addr : 81
Rq Seq : 00
Rq Lun : 0
Command : 38
sending packet (23 bytes)
06 00 ff 07 00 00 00 00 00 00 00 00 00 09 20 18
c8 81 00 38 8e 04 b5
<< received packet (30 bytes)
06 00 ff 07 00 00 00 00 00 00 00 00 00 10 81 1c
63 20 00 38 00 01 97 04 03 00 00 00 00 09
<< IPMI Response Session Header
<< Authtype : NONE
<< Payload type : IPMI (0)
<< Session ID : 0x00000000
<< Sequence : 0x00000000
<< IPMI Msg/Payload Length : 16
<< IPMI Response Message Header
<< Rq Addr : 81
<< NetFn : 07
<< Rq LUN : 0
<< Rs Addr : 20
<< Rq Seq : 00
<< Rs Lun : 0
<< Command : 38
<< Compl Code : 0x00
IPMI Request Match found
removed list entry seq=0x00 cmd=0x38
SENDING AN OPEN SESSION REQUEST

sending packet (48 bytes)
06 00 ff 07 06 10 00 00 00 00 00 00 00 00 20 00
00 00 00 00 a4 a3 a2 a0 00 00 00 08 00 00 00 00
01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00
<< received packet (52 bytes)
06 00 ff 07 06 11 00 00 00 00 00 00 00 00 24 00
00 00 01 00 a4 a3 a2 a0 00 cf 00 02 00 00 00 08
00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08
00 00 00 00
<<OPEN SESSION RESPONSE
<< Message tag : 0x00
<< RMCP+ status : no errors
<< Maximum privilege level : callback
<< Console Session ID : 0xa0a2a3a4
<< BMC Session ID : 0x0200cf00
<< Negotiated authenticatin algorithm : none
<< Negotiated integrity algorithm : none
<< Negotiated encryption algorithm : none

Console generated random number (16 bytes)
39 0f 36 f0 d8 ff a3 71 2c a9 97 6b 73 ea f4 d5
SENDING A RAKP 1 MESSAGE

sending packet (51 bytes)
06 00 ff 07 06 12 00 00 00 00 00 00 00 00 23 00
00 00 00 00 00 cf 00 02 39 0f 36 f0 d8 ff a3 71
2c a9 97 6b 73 ea f4 d5 14 00 00 07 63 6f 6e 73
6f 6c 65
<< received packet (56 bytes)
06 00 ff 07 06 13 00 00 00 00 00 00 00 00 28 00
00 00 00 00 a4 a3 a2 a0 2c 91 85 ad c1 98 ff c9
42 29 6e bb ef f1 ca b7 20 00 01 02 02 7f 00 00
00 00 00 00 00 00 00 00
<<RAKP 2 MESSAGE
<< Message tag : 0x00
<< RMCP+ status : no errors
<< Console Session ID : 0xa0a2a3a4
<< BMC random number : 0x2c9185adc198ffc942296ebbeff1cab7
<< BMC GUID : 0x20000102027f00000000000000000000
<< Key exchange auth code : none

bmc_rand (16 bytes)
2c 91 85 ad c1 98 ff c9 42 29 6e bb ef f1 ca b7

SENDING A RAKP 3 MESSAGE

sending packet (24 bytes)
06 00 ff 07 06 14 00 00 00 00 00 00 00 00 08 00
00 00 00 00 00 cf 00 02
<< received packet (24 bytes)
06 00 ff 07 06 15 00 00 00 00 00 00 00 00 08 00
00 00 00 00 a4 a3 a2 a0
<<RAKP 4 MESSAGE
<< Message tag : 0x00
<< RMCP+ status : no errors
<< Console Session ID : 0xa0a2a3a4
<< Key exchange auth code : none

IPMIv2 / RMCP+ SESSION OPENED SUCCESSFULLY

Sending IPMI command payload
netfn : 0x06
command : 0x3b
data : 0x04

BUILDING A v2 COMMAND
added list entry seq=0x01 cmd=0x3b
Local RqAddr 0x20 transit 0:0 target 0x20:0 bridgePossible 0

sending packet (24 bytes)
06 00 ff 07 06 00 00 cf 00 02 03 00 00 00 08 00
20 18 c8 81 04 3b 04 3c
<< received packet (24 bytes)
06 00 ff 07 06 00 a4 a3 a2 a0 01 00 00 00 08 00
81 1c 63 20 04 3b d4 cd
<< IPMI Response Session Header
<< Authtype : RMCP+
<< Payload type : IPMI (0)
<< Session ID : 0xa0a2a3a4
<< Sequence : 0x00000001
<< IPMI Msg/Payload Length : 8
<< IPMI Response Message Header
<< Rq Addr : 81
<< NetFn : 07
<< Rq LUN : 0
<< Rs Addr : 20
<< Rq Seq : 01
<< Rs Lun : 0
<< Command : 3b
<< Compl Code : 0xd4
IPMI Request Match found
removed list entry seq=0x01 cmd=0x3b
Set Session Privilege Level to ADMINISTRATOR failed: Insufficient privilege level
Error: Unable to establish IPMI v2 / RMCP+ session

Sending IPMI command payload
netfn : 0x06
command : 0x3c
data : 0x00 0xcf 0x00 0x02

BUILDING A v2 COMMAND
added list entry seq=0x02 cmd=0x3c
Local RqAddr 0x20 transit 0:0 target 0x20:0 bridgePossible 0

sending packet (27 bytes)
06 00 ff 07 06 00 00 cf 00 02 04 00 00 00 0b 00
20 18 c8 81 08 3c 00 cf 00 02 6a
<< received packet (24 bytes)
06 00 ff 07 06 00 a4 a3 a2 a0 02 00 00 00 08 00
81 1c 63 20 08 3c 00 9c
<< IPMI Response Session Header
<< Authtype : RMCP+
<< Payload type : IPMI (0)
<< Session ID : 0xa0a2a3a4
<< Sequence : 0x00000002
<< IPMI Msg/Payload Length : 8
<< IPMI Response Message Header
<< Rq Addr : 81
<< NetFn : 07
<< Rq LUN : 0
<< Rs Addr : 20
<< Rq Seq : 02
<< Rs Lun : 0
<< Command : 3c
<< Compl Code : 0x00
IPMI Request Match found
removed list entry seq=0x02 cmd=0x3c
Closed Session 0200cf00

All the others end up the same.
Examples C5 and C17:
c:\ipmitool>ipmitool.exe -vvvvvv -I lanplus -C5 -U console -P FCNBC152200435 -H 128.221.1.252 sol activate
ipmitool version 1.8.18

Loading IANA PEN Registry...
IANA PEN registry open failed: No such file or directory
Allocating 3 entries
[ 1] 16777214 | A Debug Assisting Company, Ltd.
[ 0] 1048575 | Unspecified

Sending IPMI command payload
netfn : 0x06
command : 0x38
data : 0x8e 0x04

BUILDING A v1.5 COMMAND
added list entry seq=0x00 cmd=0x38

IPMI Request Session Header
Authtype : NONE
Sequence : 0x00000000
Session ID : 0x00000000
IPMI Request Message Header
Rs Addr : 20
NetFn : 06
Rs LUN : 0
Rq Addr : 81
Rq Seq : 00
Rq Lun : 0
Command : 38
sending packet (23 bytes)
06 00 ff 07 00 00 00 00 00 00 00 00 00 09 20 18
c8 81 00 38 8e 04 b5
<< received packet (30 bytes)
06 00 ff 07 00 00 00 00 00 00 00 00 00 10 81 1c
63 20 00 38 00 01 97 04 03 00 00 00 00 09
<< IPMI Response Session Header
<< Authtype : NONE
<< Payload type : IPMI (0)
<< Session ID : 0x00000000
<< Sequence : 0x00000000
<< IPMI Msg/Payload Length : 16
<< IPMI Response Message Header
<< Rq Addr : 81
<< NetFn : 07
<< Rq LUN : 0
<< Rs Addr : 20
<< Rq Seq : 00
<< Rs Lun : 0
<< Command : 38
<< Compl Code : 0x00
IPMI Request Match found
removed list entry seq=0x00 cmd=0x38
SENDING AN OPEN SESSION REQUEST

sending packet (48 bytes)
06 00 ff 07 06 10 00 00 00 00 00 00 00 00 20 00
00 00 00 00 a4 a3 a2 a0 00 00 00 08 01 00 00 00
01 00 00 08 01 00 00 00 02 00 00 08 03 00 00 00
<< received packet (52 bytes)
06 00 ff 07 06 11 00 00 00 00 00 00 00 00 24 00
00 00 04 00 a4 a3 a2 a0 00 d3 00 02 00 00 00 08
01 00 00 00 01 00 00 08 01 00 00 00 02 00 00 08
03 00 00 00
<<OPEN SESSION RESPONSE
<< Message tag : 0x00
<< RMCP+ status : no errors
<< Maximum privilege level : admin
<< Console Session ID : 0xa0a2a3a4
<< BMC Session ID : 0x0200d300
<< Negotiated authenticatin algorithm : hmac_sha1
<< Negotiated integrity algorithm : hmac_sha1_96
<< Negotiated encryption algorithm : xrc4_40

Console generated random number (16 bytes)
be a0 11 9f 7f de 42 ee c7 a1 80 b2 a9 46 8b 61
SENDING A RAKP 1 MESSAGE

sending packet (51 bytes)
06 00 ff 07 06 12 00 00 00 00 00 00 00 00 23 00
00 00 00 00 00 d3 00 02 be a0 11 9f 7f de 42 ee
c7 a1 80 b2 a9 46 8b 61 14 00 00 07 63 6f 6e 73
6f 6c 65
<< received packet (76 bytes)
06 00 ff 07 06 13 00 00 00 00 00 00 00 00 3c 00
00 00 00 00 a4 a3 a2 a0 1c 16 ea 6f 8f f7 9f d0
f8 1d 38 c3 a8 2b 74 21 20 00 01 02 02 7f 00 00
00 00 00 00 00 00 00 00 9f 46 fc 93 f7 68 4c 1d
7f 0d 58 aa 04 90 c3 dc bc af e7 0a
<<RAKP 2 MESSAGE
<< Message tag : 0x00
<< RMCP+ status : no errors
<< Console Session ID : 0xa0a2a3a4
<< BMC random number : 0x1c16ea6f8ff79fd0f81d38c3a82b7421
<< BMC GUID : 0x20000102027f00000000000000000000
<< Key exchange auth code [sha1] : 0x9f46fc93f7684c1d7f0d58aa0490c3dcbcafe70a

bmc_rand (16 bytes)
1c 16 ea 6f 8f f7 9f d0 f8 1d 38 c3 a8 2b 74 21

rakp2 mac input buffer (65 bytes)
a4 a3 a2 a0 00 d3 00 02 be a0 11 9f 7f de 42 ee
c7 a1 80 b2 a9 46 8b 61 1c 16 ea 6f 8f f7 9f d0
f8 1d 38 c3 a8 2b 74 21 20 00 01 02 02 7f 00 00
00 00 00 00 00 00 00 00 14 07 63 6f 6e 73 6f 6c
65
rakp2 mac key (20 bytes)
46 43 4e 42 43 31 35 32 32 30 30 34 33 35 00 00
00 00 00 00
rakp2 mac as computed by the remote console (20 bytes)
3b 83 89 cf f6 39 2b 73 9f 7e f4 9e 49 d1 20 ef
69 47 1b 3e
RAKP 2 HMAC is invalid
Error: Unable to establish IPMI v2 / RMCP+ session

c:\ipmitool>ipmitool.exe -vvvvvv -I lanplus -C 17 -U console -P FCNBC152200435 -H 128.221.1.252 sol activate
ipmitool version 1.8.18

Loading IANA PEN Registry...
IANA PEN registry open failed: No such file or directory
Allocating 3 entries
[ 1] 16777214 | A Debug Assisting Company, Ltd.
[ 0] 1048575 | Unspecified

Sending IPMI command payload
netfn : 0x06
command : 0x38
data : 0x8e 0x04

BUILDING A v1.5 COMMAND
added list entry seq=0x00 cmd=0x38

IPMI Request Session Header
Authtype : NONE
Sequence : 0x00000000
Session ID : 0x00000000
IPMI Request Message Header
Rs Addr : 20
NetFn : 06
Rs LUN : 0
Rq Addr : 81
Rq Seq : 00
Rq Lun : 0
Command : 38
sending packet (23 bytes)
06 00 ff 07 00 00 00 00 00 00 00 00 00 09 20 18
c8 81 00 38 8e 04 b5
<< received packet (30 bytes)
06 00 ff 07 00 00 00 00 00 00 00 00 00 10 81 1c
63 20 00 38 00 01 97 04 03 00 00 00 00 09
<< IPMI Response Session Header
<< Authtype : NONE
<< Payload type : IPMI (0)
<< Session ID : 0x00000000
<< Sequence : 0x00000000
<< IPMI Msg/Payload Length : 16
<< IPMI Response Message Header
<< Rq Addr : 81
<< NetFn : 07
<< Rq LUN : 0
<< Rs Addr : 20
<< Rq Seq : 00
<< Rs Lun : 0
<< Command : 38
<< Compl Code : 0x00
IPMI Request Match found
removed list entry seq=0x00 cmd=0x38
SENDING AN OPEN SESSION REQUEST

sending packet (48 bytes)
06 00 ff 07 06 10 00 00 00 00 00 00 00 00 20 00
00 00 00 00 a4 a3 a2 a0 00 00 00 08 03 00 00 00
01 00 00 08 04 00 00 00 02 00 00 08 01 00 00 00
<< received packet (52 bytes)
06 00 ff 07 06 11 00 00 00 00 00 00 00 00 24 00
00 00 04 00 a4 a3 a2 a0 00 e2 00 02 00 00 00 08
03 00 00 00 01 00 00 08 04 00 00 00 02 00 00 08
01 00 00 00
<<OPEN SESSION RESPONSE
<< Message tag : 0x00
<< RMCP+ status : no errors
<< Maximum privilege level : admin
<< Console Session ID : 0xa0a2a3a4
<< BMC Session ID : 0x0200e200
<< Negotiated authenticatin algorithm : hmac_sha256
<< Negotiated integrity algorithm : sha256_128
<< Negotiated encryption algorithm : aes_cbc_128

Console generated random number (16 bytes)
3e ed 21 3f ed c2 60 cf 32 e9 6e 96 95 10 64 cc
SENDING A RAKP 1 MESSAGE

sending packet (51 bytes)
06 00 ff 07 06 12 00 00 00 00 00 00 00 00 23 00
00 00 00 00 00 e2 00 02 3e ed 21 3f ed c2 60 cf
32 e9 6e 96 95 10 64 cc 14 00 00 07 63 6f 6e 73
6f 6c 65
<< received packet (88 bytes)
06 00 ff 07 06 13 00 00 00 00 00 00 00 00 48 00
00 00 00 00 a4 a3 a2 a0 c1 48 84 76 09 21 d5 0f
d7 0a 04 70 91 0c 6f c7 20 00 01 02 02 7f 00 00
00 00 00 00 00 00 00 00 99 5a 3d de 5d db 28 52
4a 57 4d 78 c8 03 88 2e 9d 34 34 92 bb 8c ba 9e
d7 e1 0e 89 27 53 dd 2c
<<RAKP 2 MESSAGE
<< Message tag : 0x00
<< RMCP+ status : no errors
<< Console Session ID : 0xa0a2a3a4
<< BMC random number : 0xc14884760921d50fd70a0470910c6fc7
<< BMC GUID : 0x20000102027f00000000000000000000
<< Key exchange auth code [sha256]: 0x995a3dde5ddb28524a574d78c803882e9d343492bb8cba9ed7e10e892753dd2c

bmc_rand (16 bytes)
c1 48 84 76 09 21 d5 0f d7 0a 04 70 91 0c 6f c7

rakp2 mac input buffer (65 bytes)
a4 a3 a2 a0 00 e2 00 02 3e ed 21 3f ed c2 60 cf
32 e9 6e 96 95 10 64 cc c1 48 84 76 09 21 d5 0f
d7 0a 04 70 91 0c 6f c7 20 00 01 02 02 7f 00 00
00 00 00 00 00 00 00 00 14 07 63 6f 6e 73 6f 6c
65
rakp2 mac key (20 bytes)
46 43 4e 42 43 31 35 32 32 30 30 34 33 35 00 00
00 00 00 00
rakp2 mac as computed by the remote console (32 bytes)
37 de bf a8 9b a7 d3 28 15 0f 48 f0 9d d5 20 b0
d3 a3 58 b1 50 b4 e6 40 f3 72 06 f0 eb 93 3a da
RAKP 2 HMAC is invalid
Error: Unable to establish IPMI v2 / RMCP+ session
