<div dir="ltr">Hi Andreas,<div><br></div><div>No, it is not strongSwan on the peer end. I am using a third-party VPN.</div><div><br></div><div>So is the IKE_AUTH packet size fixed to 204 bytes for PSK mode, and can anything exceeding that be an invalid length?</div><div><br></div><div>Configuration on my side is:</div><div><br></div><div><pre style="white-space:pre-wrap;color:rgb(0,0,0)">conn %default
    ikelifetime = 28800s
    type = tunnel
    lifetime = 3600s
    dpddelay = 30
    dpdaction = restart
    reauth = no
    mobike = no #disable mobike - no use case
conn 10.109.229.250_1.1.2.0/24-10.109.229.252_2.1.1.0/24
    left=10.109.229.250
    leftid=10.109.229.250
    rightid=10.109.229.252
    leftsubnet=1.1.2.0/24
    right=10.109.229.252
    rightsubnet=2.1.1.0/24
    authby=secret
    keyexchange = ikev2
    auto = add
    fragmentation = yes
    esp=aes256-sha1-modp2048
    ike=aes256-sha1-modp2048!</pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><br></pre></div><div>Thanks & Regards,</div><div>Yogesh</div><div> </div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Oct 29, 2018 at 1:39 PM Andreas Steffen <<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Yogesh,<br>
<br>
are you using an unmodified strongSwan peer on the other side or<br>
a third party VPN product? If it is strongSwan, which version are<br>
you using? Could you also send the configuration of the CHILD SA?<br>
<br>
Regards<br>
<br>
Andreas<br>
<br>
On 29.10.2018 06:43, Yogesh Purohit wrote:<br>
> Adding subject line to my query<br>
> <br>
> On Mon, Oct 29, 2018 at 11:12 AM Yogesh Purohit<br>
> <<a href="mailto:yogeshpurohit2@gmail.com" target="_blank">yogeshpurohit2@gmail.com</a>> wrote:<br>
> <br>
> Hi Team,<br>
> <br>
>     I am trying to establish a tunnel with my strongSwan.<br>
>     But after receiving the IKE_AUTH response, my local strongSwan end<br>
>     (initiator) rejects the tunnel, saying ' length of<br>
> TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid'.<br>
> <br>
> And I am unable to get the reason for the same. Because I have<br>
> configured traffic selectors matching.<br>
> <br>
>     The IKE_AUTH response which is received is 252 bytes, whereas when my<br>
>     tunnel was established in another case the IKE_AUTH response was 204 bytes.<br>
> NOTE: I am trying the tunnel with PSK and version is IKEv2.<br>
> <br>
>     So is there a fixed number of bytes for the IKE_AUTH response which is expected by<br>
>     strongSwan for PSK?<br>
> <br>
>     And what does 'length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure<br>
>     list invalid' mean? I tried finding it in the RFC, but could not find<br>
>     it.<br>
> <br>
> <br>
> Thanks & Regards,<br>
> <br>
> Yogesh Purohit<br>
> <br>
> <br>
> <br>
> -- <br>
> Best Regards,<br>
> <br>
> Yogesh Purohit<br>
<br>
-- <br>
======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Networked Solutions<br>
HSR University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[INS-HSR]==<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Best Regards,<div><br></div><div>Yogesh Purohit</div></div></div>
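<div>Added example, not part of this thread and not strongSwan's code: a minimal parser for the body of an IKEv2 Traffic Selector payload as laid out in RFC 7296 section 3.13. It accepts bodies of different sizes and rejects one whose Selector Length fields do not consume the body exactly. Treating this as the consistency check behind the log message quoted in the thread is an assumption; <code>parse_ts_body</code> and <code>ts_ipv4</code> are hypothetical names, and the sample bodies are constructed from the subnets in the posted configuration.</div>

```python
import ipaddress
import struct

# Fixed Selector Length per address-range type (RFC 7296, section 3.13.1)
TS_LEN = {7: 16, 8: 40}  # TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE


def parse_ts_body(body: bytes) -> list:
    """Parse a TSi/TSr payload body (the bytes after the 4-byte generic header)."""
    if len(body) < 4:
        raise ValueError("TS payload shorter than its fixed fields")
    count, pos, selectors = body[0], 4, []  # Number of TSs + 3 reserved bytes
    while pos < len(body):
        if len(body) - pos < 8:
            raise ValueError("list length invalid: trailing bytes are not a selector")
        ts_type, proto, sel_len, port_lo, port_hi = struct.unpack_from("!BBHHH", body, pos)
        if ts_type not in TS_LEN:  # this sketch handles only the two range types
            raise ValueError(f"unsupported TS type {ts_type}")
        if sel_len != TS_LEN[ts_type]:
            raise ValueError(f"selector length {sel_len} invalid for TS type {ts_type}")
        if pos + sel_len > len(body):
            raise ValueError("list length invalid: selector overruns the payload")
        half = (sel_len - 8) // 2  # start and end address are the same size
        start = ipaddress.ip_address(body[pos + 8:pos + 8 + half])
        end = ipaddress.ip_address(body[pos + 8 + half:pos + sel_len])
        selectors.append((ts_type, proto, (port_lo, port_hi), (str(start), str(end))))
        pos += sel_len
    if len(selectors) != count:
        raise ValueError(f"header announces {count} selectors, found {len(selectors)}")
    return selectors


def ts_ipv4(net: str) -> bytes:
    """Encode one any-protocol, any-port IPv4 range selector for a subnet."""
    n = ipaddress.ip_network(net)
    return (struct.pack("!BBHHH", 7, 0, 16, 0, 65535)
            + n.network_address.packed + n.broadcast_address.packed)


if __name__ == "__main__":
    # Constructed sample bodies using the subnets from the posted configuration
    one = bytes([1, 0, 0, 0]) + ts_ipv4("1.1.2.0/24")
    two = bytes([2, 0, 0, 0]) + ts_ipv4("1.1.2.0/24") + ts_ipv4("2.1.1.0/24")
    for label, body in (("one", one), ("two", two), ("padded", one + b"\x00" * 4)):
        try:
            print(label, len(body), parse_ts_body(body))
        except ValueError as err:
            print(label, len(body), "rejected:", err)
```

<div>Each additional IPv4 range selector adds 16 bytes to the payload, so two well-formed messages can differ in size while both parse cleanly.</div>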