[strongSwan] invalid IKE header

Andreas Steffen andreas.steffen at strongswan.org
Mon Jul 2 19:05:38 CEST 2012


Hello,

the Windows Server 2008 R2 client seems to send a malformed IKE header.
In order to debug the situation could you increase the debug level
by defining

  charondebug="net 3, enc 3"

in the config setup section of ipsec.conf.

Regards

Andreas

On 07/02/2012 05:01 PM, Boleslav Sykora wrote:
> Hello,
> 
> I am trying to run strongSwan on a Ubuntu 12.04 instance in Amazon VPC,
> using a compiled version strongswan-5.0.0.tar.gz and connect from
> Windows Server 2008 R2 client. I am using certificates for both sides.
> The 206.248.156.92 is my WS 2008 client What's My IP. The vpngw has two
> interfaces, one 10.20.1.232 which is NATed to an Elastic IP and a
> private interface 10.20.2.117 on the subnet where I want the tunnel to
> have access. I implemented your VPC suggestions. I have been fighting
> with this for over a week, and previously with an older strongSwan
> version. Please help.
> 
> Here is my /usr/local/etc/ipsec.conf config:
> 
> config setup
> 
> ca cloudCA
>        cacert=caCert.pem
>        auto=add
> 
> conn %default
>        # keyexchange=ikev2
>        ikelifetime=60m
>        keylife=20m
>        rekeymargin=3m
>        keyingtries=1
> 
> conn nat-cert
>        left=10.20.1.232
>        leftsubnet=10.20.2.0/24
>        leftcert=vpngwCert.pem
>        leftfirewall=yes
>        right=%any
>        rightsubnet=10.1.20.0/24
>        rightsourceip=10.20.2.192/26
>        rightid="C=US, O=Cloud1215 CN=student.lt1215.com"
>        auto=add
> 
> The /var/log/syslog file:
> 
> Jul  2 14:51:13 vpngw charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-26-virtual, x86_64)
> Jul  2 14:51:13 vpngw charon: 00[KNL] listening on interfaces:
> Jul  2 14:51:13 vpngw charon: 00[KNL]   eth0
> Jul  2 14:51:13 vpngw charon: 00[KNL]     10.20.1.232
> Jul  2 14:51:13 vpngw charon: 00[KNL]     fe80::81f:b5ff:fe7e:9f68
> Jul  2 14:51:13 vpngw charon: 00[KNL]   eth1
> Jul  2 14:51:13 vpngw charon: 00[KNL]     10.20.2.117
> Jul  2 14:51:13 vpngw charon: 00[KNL]     fe80::81f:b5ff:fe49:c917
> Jul  2 14:51:13 vpngw charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Jul  2 14:51:13 vpngw charon: 00[CFG]   loaded ca certificate "C=US, O=Cloud1215, CN=cloudCA" from '/usr/local/etc/ipsec.d/cacerts/caCert.pem'
> Jul  2 14:51:13 vpngw charon: 00[CFG]   loaded ca certificate "C=US, O=Cloud1215, CN=cloudCA" from '/usr/local/etc/ipsec.d/cacerts/caCert.der'
> Jul  2 14:51:13 vpngw charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Jul  2 14:51:13 vpngw charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Jul  2 14:51:13 vpngw charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Jul  2 14:51:13 vpngw charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Jul  2 14:51:13 vpngw charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Jul  2 14:51:13 vpngw charon: 00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/vpngwKey.pem'
> Jul  2 14:51:13 vpngw charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Jul  2 14:51:13 vpngw charon: 00[JOB] spawning 16 worker threads
> Jul  2 14:51:13 vpngw charon: 12[CFG] received stroke: add ca 'cloudCA'
> Jul  2 14:51:13 vpngw charon: 12[CFG] added ca 'cloudCA'
> Jul  2 14:51:13 vpngw charon: 14[CFG] received stroke: add connection 'nat-cert'
> Jul  2 14:51:13 vpngw charon: 14[CFG]   loaded certificate "C=US, O=Cloud1215, CN=vpngw.lt1215.com" from 'vpngwCert.pem'
> Jul  2 14:51:13 vpngw charon: 14[CFG]   id '10.20.1.232' not confirmed by certificate, defaulting to 'C=US, O=Cloud1215, CN=vpngw.lt1215.com'
> Jul  2 14:51:13 vpngw charon: 14[CFG] added configuration 'nat-cert'
> Jul  2 14:51:13 vpngw charon: 14[CFG] adding virtual IP address pool 'nat-cert': 10.20.2.192/26
> Jul  2 14:51:23 vpngw charon: 05[ENC] header verification failed
> Jul  2 14:51:23 vpngw charon: 05[NET] received invalid IKE header from 206.248.156.92 - ignored
> Jul  2 14:51:24 vpngw charon: 05[ENC] header verification failed
> Jul  2 14:51:24 vpngw charon: 05[NET] received invalid IKE header from 206.248.156.92 - ignored

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
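The "header verification failed" / "received invalid IKE header ... ignored" pair in the quoted syslog is the responder refusing to interpret a datagram whose fixed 28-byte IKE header does not pass basic consistency checks. The following Python parser is an added example, not code from strongSwan or from either poster: it decodes the header as laid out in RFC 2408 (IKEv1) and RFC 7296 (IKEv2), strips the RFC 3948 non-ESP marker when the packet arrived on UDP/4500 (relevant here because the gateway sits behind NAT), and applies a set of sanity checks chosen for illustration. Those checks, the function names and the constructed sample datagrams are assumptions for this example; they are not a transcript of charon's own verify routine.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IKE_HEADER_LEN = 28                    # fixed header size, RFC 2408 / RFC 7296
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefix on IKE packets sent to UDP/4500

# Exchange types: RFC 2408 (IKEv1) and RFC 7296 (IKEv2)
IKEV1_EXCHANGES = {2: "IDENTITY_PROTECTION", 4: "AGGRESSIVE", 5: "INFORMATIONAL", 32: "QUICK_MODE"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

# IKEv2 flag bits (RFC 7296 section 3.1); the remaining bits are reserved
FLAG_INITIATOR, FLAG_VERSION, FLAG_RESPONSE = 0x08, 0x10, 0x20


@dataclass
class IkeHeader:
    spi_i: int
    spi_r: int
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def build_ike_header(spi_i: int, spi_r: int, next_payload: int, version: int,
                     exchange_type: int, flags: int, message_id: int, length: int) -> bytes:
    """Encode a raw IKE header; used in this example only to construct sample datagrams."""
    return struct.pack("!QQBBBBII", spi_i, spi_r, next_payload, version,
                       exchange_type, flags, message_id, length)


def parse_ike_header(datagram: bytes, udp_port: int = 500) -> Tuple[Optional[IkeHeader], List[str]]:
    """Decode the IKE header and return (header, list of verification errors).

    The checks below are generic header sanity checks picked for this example
    (an assumption, not charon's actual verify logic). A responder that cannot
    trust the header has no safe way to parse the payloads that follow, so it
    drops the datagram, which is what the 'ignored' log line reports.
    """
    data = datagram
    if udp_port == 4500:
        # NAT-T: IKE on port 4500 carries four zero bytes in front so it can be
        # told apart from UDP-encapsulated ESP (non-zero SPI) and the 0xFF keepalive.
        if data == b"\xff":
            return None, ["NAT-T keepalive, not an IKE message"]
        if data[:4] != NON_ESP_MARKER:
            return None, ["missing non-ESP marker on UDP/4500 (UDP-encapsulated ESP?)"]
        data = data[4:]
    if len(data) < IKE_HEADER_LEN:
        return None, [f"datagram is {len(data)} bytes, shorter than the {IKE_HEADER_LEN}-byte IKE header"]

    spi_i, spi_r, np, ver, xchg, flags, msgid, length = struct.unpack("!QQBBBBII", data[:IKE_HEADER_LEN])
    hdr = IkeHeader(spi_i, spi_r, np, ver >> 4, ver & 0x0F, xchg, flags, msgid, length)
    errors: List[str] = []

    if hdr.major not in (1, 2):
        errors.append(f"unsupported major version {hdr.major}")
    # The length field counts the whole message including the header, so it must
    # match what actually arrived; a mismatch means truncation or a foreign protocol.
    if length < IKE_HEADER_LEN or length != len(data):
        errors.append(f"length field {length} does not match datagram length {len(data)}")
    if spi_i == 0:
        errors.append("initiator SPI is zero")
    table = IKEV1_EXCHANGES if hdr.major == 1 else IKEV2_EXCHANGES
    if xchg not in table:
        errors.append(f"exchange type {xchg} unknown for IKEv{hdr.major}")
    if hdr.major == 2:
        if flags & ~(FLAG_INITIATOR | FLAG_VERSION | FLAG_RESPONSE):
            errors.append(f"reserved flag bits set: 0x{flags:02x}")
        if xchg == 34 and not flags & FLAG_RESPONSE and spi_r != 0:
            errors.append("IKE_SA_INIT request carries a non-zero responder SPI")
    return hdr, errors


if __name__ == "__main__":
    # Constructed sample: an IKEv2 IKE_SA_INIT request header followed by 8 dummy payload bytes
    sample = build_ike_header(0x1122334455667788, 0, 33, 0x20, 34, FLAG_INITIATOR, 0, 36) + b"\x00" * 8
    for port, pkt in ((500, sample), (4500, NON_ESP_MARKER + sample), (4500, sample)):
        hdr, errs = parse_ike_header(pkt, udp_port=port)
        print(f"port {port}: {'ok' if not errs else 'header verification failed'} {errs}")
```

Run against a capture, the error list tells you whether the peer is speaking a different IKE version, whether UDP/4500 traffic lost its non-ESP marker somewhere along the NAT path, or whether something other than IKE is reaching the port; the `charondebug="net 3, enc 3"` setting suggested above is what makes charon itself print the offending bytes so the same comparison can be made against the real datagram.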
