[strongSwan] IKEv2 tunnel establishment, initiator does not respond

Andreas Steffen andreas.steffen at strongswan.org
Mon Sep 20 12:13:01 CEST 2010


Hi Laurence,

it looks as if Juniper's transform encoding is faulty.
In order to diagnose this further, could you increase
the debug level to 3 (raw packets)?

   charondebug="enc 3"

This might create quite a lot of output!

Regards

Andreas

On 20.09.2010 09:29, Groebl, Laurence (Laurence) wrote:
> Hello Andreas,
> herewith the relevant part from the log, I hope it helps,
> best regards,
> Laurence
> 
> Sep 17 09:15:19 destgd0h003661 charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Sep 17 09:15:19 destgd0h003661 charon: 07[NET] sending packet: from 192.168.30.51[500] to 192.168.30.254[500]
> Sep 17 09:15:19 destgd0h003661 charon: 10[NET] received packet: from 192.168.30.254[500] to 192.168.30.51[500]
> Sep 17 09:15:19 destgd0h003661 charon: 10[ENC]   length of TRANSFORM_ATTRIBUTE substructure list invalid
> Sep 17 09:15:19 destgd0h003661 charon: 10[ENC]   parsing of a TRANSFORM_SUBSTRUCTURE substructure failed
> Sep 17 09:15:19 destgd0h003661 charon: 10[ENC]   parsing of a PROPOSAL_SUBSTRUCTURE substructure failed
> Sep 17 09:15:19 destgd0h003661 charon: 10[ENC] payload type SECURITY_ASSOCIATION could not be parsed
> Sep 17 09:15:19 destgd0h003661 charon: 10[IKE] IKE_SA_INIT response with message ID 0 processing failed
> Sep 17 09:15:23 destgd0h003661 charon: 11[IKE] retransmit 1 of request with message ID 0
> Sep 17 09:15:23 destgd0h003661 charon: 11[NET] sending packet: from 192.168.30.51[500] to 192.168.30.254[500]
> Sep 17 09:15:23 destgd0h003661 charon: 12[NET] received packet: from 192.168.30.254[500] to 192.168.30.51[500]
> Sep 17 09:15:23 destgd0h003661 charon: 12[ENC]   length of TRANSFORM_ATTRIBUTE substructure list invalid
> Sep 17 09:15:23 destgd0h003661 charon: 12[ENC]   parsing of a TRANSFORM_SUBSTRUCTURE substructure failed
> Sep 17 09:15:23 destgd0h003661 charon: 12[ENC]   parsing of a PROPOSAL_SUBSTRUCTURE substructure failed
> Sep 17 09:15:23 destgd0h003661 charon: 12[ENC] payload type SECURITY_ASSOCIATION could not be parsed
> Sep 17 09:15:23 destgd0h003661 charon: 12[IKE] IKE_SA_INIT response with message ID 0 processing failed
> Sep 17 09:15:30 destgd0h003661 charon: 13[IKE] retransmit 2 of request with message ID 0
> Sep 17 09:15:30 destgd0h003661 charon: 13[NET] sending packet: from 192.168.30.51[500] to 192.168.30.254[500]
> Sep 17 09:15:30 destgd0h003661 charon: 14[NET] received packet: from 192.168.30.254[500] to 192.168.30.51[500]
> Sep 17 09:15:30 destgd0h003661 charon: 14[ENC]   length of TRANSFORM_ATTRIBUTE substructure list invalid
> Sep 17 09:15:30 destgd0h003661 charon: 14[ENC]   parsing of a TRANSFORM_SUBSTRUCTURE substructure failed
> Sep 17 09:15:30 destgd0h003661 charon: 14[ENC]   parsing of a PROPOSAL_SUBSTRUCTURE substructure failed
> Sep 17 09:15:30 destgd0h003661 charon: 14[ENC] payload type SECURITY_ASSOCIATION could not be parsed
> Sep 17 09:15:30 destgd0h003661 charon: 14[IKE] IKE_SA_INIT response with message ID 0 processing failed
> Sep 17 09:15:33 destgd0h003661 avahi-daemon[2672]: dbus-protocol.c: Too many objects for client ':1.13', client request failed.
>
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
>> Sent: Freitag, 17. September 2010 20:33
>> To: Groebl, Laurence (Laurence)
>> Cc: users at lists.strongswan.org
>> Subject: Re: [strongSwan] IKEv2 tunnel establishment, 
>> initiator does not respond
>>
>> Hello Laurence,
>>
>> a strongSwan log would really help. The only strange thing 
>> that I see in the wireshark response is
>>
>>                  Transform ID: ENCR_AES_CBC (12)
>>                  RESERVED TO IANA (7424): <too big (128 bytes)>
>>
>> Is this a wrong encoding of the AES key size???
>>
>> Regards
>>
>> Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
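
Added example, not part of the original thread and not strongSwan's code: a minimal Python parser for one IKEv2 Transform substructure (layout per RFC 7296, sections 3.3.2 and 3.3.5), showing how an attribute sent without the AF bit is read as a TLV whose length overruns the transform, the kind of error charon reports in the log above. Both byte strings are constructed; the second mirrors the "7424 / 128 bytes" reading in the quoted Wireshark output and is an assumption about the encoding, not the captured packet.

```python
import struct

class TransformError(ValueError):
    """Raised when a Transform substructure is malformed."""

def parse_transform(buf):
    """Parse one IKEv2 Transform substructure; return (type, id, attrs)."""
    if len(buf) < 8:
        raise TransformError("transform header truncated")
    last, _, length, ttype, _, tid = struct.unpack("!BBHBBH", buf[:8])
    if last not in (0, 3):              # 0 = last transform, 3 = more follow
        raise TransformError("bad last-substructure marker %d" % last)
    if length < 8 or length > len(buf):
        raise TransformError("transform length %d invalid" % length)
    attrs, off = [], 8
    while off < length:
        if length - off < 4:
            raise TransformError("attribute header truncated")
        raw_type, lv = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        atype = raw_type & 0x7FFF       # low 15 bits are the attribute type
        if raw_type & 0x8000:           # AF=1: TV format, lv is the 2-octet value
            attrs.append((atype, lv))
        else:                           # AF=0: TLV format, lv is the value length
            if lv > length - off:
                raise TransformError(
                    "attribute %d claims %d bytes, %d left in transform"
                    % (atype, lv, length - off))
            attrs.append((atype, buf[off:off + lv]))
            off += lv
    return ttype, tid, attrs

def check(buf):
    """Return the parsed transform, or a rejection string for malformed input."""
    try:
        return parse_transform(buf)
    except TransformError as e:
        return "rejected: %s" % e

# Constructed samples, not bytes from the capture discussed in this thread.
# Header: transform length 12, type 1 (ENCR), ID 12 (ENCR_AES_CBC).
GOOD = bytes.fromhex("0300000c" "0100000c" "800e0080")  # Key Length (14) = 128, AF=1
BAD = bytes.fromhex("0300000c" "0100000c" "1d000080")   # AF=0: type 7424, length 128

if __name__ == "__main__":
    print(check(GOOD))
    print(check(BAD))
```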