[strongSwan] IKEv1 + RSA not working with Mac OS X

Daniel Tschinder dane.tschi at gmx.at
Tue Nov 13 12:31:10 CET 2012


Thanks for the info.

As far as I see, it's all about UDP fragmentation that racoon on the Mac forces. So strongSwan is not supporting this, as far as I can see.
But there is also not much information about this feature on the net. It seems every vendor is cooking his own soup. :(

I will try with a "shorter" certificate as a workaround, and see if it works.

On 11.11.2012 at 22:17, Tobias Koenig <tobias.koenig at wlan-partner.com> wrote:

> Hi Daniel
> 
> I assume you're using OS X >= 10.8. Since Apple changed something with the
> racoon daemon, there are known problems with certificates. I did some
> research and tests a few weeks ago while running into the same problem
> and could narrow it down to either the size of the certificates and/or
> to the included information.
> 
> There are ways to get it working, but you'll probably end up creating
> new certificates. Therefore I personally decided to use PSK/XAUTH
> with OS X (from Mountain Lion) and iOS 6.
> 
> Check the following links for further info:
> https://discussions.apple.com/thread/4158642?start=15&tstart=0
> 
> and maybe those:
> https://discussions.apple.com/thread/4139538?start=0&tstart=0
> http://www.astaro.org/gateway-products/vpn-site-site-remote-access/44432-cisco-vpn-not-working-apple-ios-6-a.html
> 
> There was also already a discussion on the ML about this (I still
> couldn't figure out why Martin Willi's certificates are working with
> 2048 bit):
> http://www.mail-archive.com/users@lists.strongswan.org/msg05105.html
> 
> Cheers
> 
> Tobias
> 
> On Sat, 10 Nov 2012 14:41:32 +0100,
> Daniel Tschinder <dane.tschi at gmx.at> wrote:
> 
>> Hello,
>> 
>> I have had strongSwan working for two years for IKEv2 and Windows 7. As
>> IKEv2 is not well supported by clients, I'm now trying to add support
>> for IKEv1 and testing with the native Mac OS X client from 10.8.
>> 
>> But now I'm stuck at some weird problem which I seem not to be able
>> to solve by myself. The problem is (as far as I can see) that either
>> the Mac is sending an invalid message or the server is not able to
>> decrypt. [...]
>> Nov 10 13:49:28 gateway charon: 11[ENC] parsing ENCRYPTED_V1 payload finished
>> Nov 10 13:49:28 gateway charon: 11[ENC] process payload of type ENCRYPTED_V1
>> Nov 10 13:49:28 gateway charon: 11[ENC] found an encryption payload
>> Nov 10 13:49:28 gateway charon: 11[ENC] decryption failed, invalid length
>> Nov 10 13:49:28 gateway charon: 11[ENC] could not decrypt payloads
>> Nov 10 13:49:28 gateway charon: 11[IKE] integrity check failed [...]
>> 
>> The certificates seem to work, as the same one used on the Mac works
>> on Windows with IKEv2.
>> 
>> I tried a lot of different settings in ipsec.conf but none of them
>> seem to have any impact on the problem.
>> 
>> Hopefully someone can help me out.
>> I appreciate any suggestion, as I'm at the end of my knowledge.
>> 
>> Thanks in advance.
>> 
>> ipsec.conf:
>> 
>> config setup
>>         charondebug="dmn 3, mgr 3, ike 1, chd 3, job 3, cfg 3, knl 3, net 1, asn 1, enc 1, lib 3, esp 3, tls 3"
>> 
>> conn win7
>>         reauth=no
>>         ikelifetime=8h
>>         left=%defaultroute
>>         leftcert=peer2_gateway_cert.pem
>>         leftsubnet=10.0.59.0/24
>>         right=%any
>>         rightsourceip=10.0.51.0/24
>>         keyexchange=ikev2
>>         auto=add
>> 
>> conn macosx
>>         xauth=server
>>         keyexchange=ikev1
>>         left=%defaultroute
>>         leftcert=peer2_gateway_cert.pem
>>         leftsubnet=10.0.59.0/24
>>         leftauth=pubkey
>>         right=%any
>>         rightsourceip=10.0.52.0/24
>>         rightauth=pubkey
>>         rightauth2=xauth
>>         auto=add
>> 
>> ipsec.secret:
>> 
>> : RSA peer2_gateway_key.pem "password"
>> user : XAUTH "password"
>> 
>> And here is the log:
>> Nov 10 14:25:13 gateway charon: 05[MGR] checkout IKE_SA by message
>> Nov 10 14:25:13 gateway charon: 05[MGR] created IKE_SA (unnamed)[1]
>> Nov 10 14:25:13 gateway charon: 05[NET] received packet: from 
>> <client-ip>[56616] to <server-ip>[500]
>> Nov 10 14:25:13 gateway charon: 05[ENC] parsed ID_PROT request 0 [ SA
>> V V V V V V V V V V V V V V ]
>> Nov 10 14:25:13 gateway charon: 05[CFG] looking for an ike config for 
>> <server-ip>...<client-ip>
>> Nov 10 14:25:13 gateway charon: 05[CFG] ike config match: 2
>> (<server-ip> <client-ip>)
>> Nov 10 14:25:13 gateway charon: 05[CFG]   candidate: %any...%any, prio 2
>> Nov 10 14:25:13 gateway charon: 05[CFG] ike config match: 2 (<server-ip> <client-ip>)
>> Nov 10 14:25:13 gateway charon: 05[CFG]   candidate: %any...%any, prio 2
>> Nov 10 14:25:13 gateway charon: 05[CFG] found matching ike config: %any...%any with prio 2
>> Nov 10 14:25:13 gateway charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] received 
>> draft-ietf-ipsec-nat-t-ike-08 vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] received 
>> draft-ietf-ipsec-nat-t-ike-07 vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] received 
>> draft-ietf-ipsec-nat-t-ike-06 vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] received 
>> draft-ietf-ipsec-nat-t-ike-05 vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] received 
>> draft-ietf-ipsec-nat-t-ike-04 vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] received 
>> draft-ietf-ipsec-nat-t-ike-03 vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] received 
>> draft-ietf-ipsec-nat-t-ike-02 vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] received 
>> draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] received XAuth vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] received Cisco Unity vendor ID
>> Nov 10 14:25:13 gateway charon: 05[ENC] received unknown vendor ID: 
>> 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
>> Nov 10 14:25:13 gateway charon: 05[IKE] received DPD vendor ID
>> Nov 10 14:25:13 gateway charon: 05[IKE] <client-ip> is initiating a
>> Main Mode IKE_SA
>> Nov 10 14:25:13 gateway charon: 05[IKE] <client-ip> is initiating a
>> Main Mode IKE_SA
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> DIFFIE_HELLMAN_GROUP found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> INTEGRITY_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> DIFFIE_HELLMAN_GROUP found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> INTEGRITY_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   no acceptable 
>> ENCRYPTION_ALGORITHM found
>> Nov 10 14:25:13 gateway charon: 05[CFG] selecting proposal:
>> Nov 10 14:25:13 gateway charon: 05[CFG]   proposal matches
>> Nov 10 14:25:13 gateway charon: 05[CFG] received proposals: 
>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, 
>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
>> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, 
>> IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, 
>> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, 
>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
>> IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, 
>> IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
>> IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
>> Nov 10 14:25:13 gateway charon: 05[CFG] configured proposals: 
>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, 
>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, 
>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192
>> Nov 10 14:25:13 gateway charon: 05[CFG] selected proposal: 
>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>> Nov 10 14:25:13 gateway charon: 05[ENC] generating ID_PROT response 0
>> [ SA V V V ]
>> Nov 10 14:25:13 gateway charon: 05[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:13 gateway charon: 07[JOB] next event in 29s 996ms, waiting
>> Nov 10 14:25:13 gateway charon: 05[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:13 gateway charon: 05[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:13 gateway charon: 04[MGR] checkout IKE_SA by message
>> Nov 10 14:25:13 gateway charon: 04[MGR] IKE_SA (unnamed)[1] successfully checked out
>> Nov 10 14:25:13 gateway charon: 04[NET] received packet: from 
>> <client-ip>[56616] to <server-ip>[500]
>> Nov 10 14:25:13 gateway charon: 04[ENC] parsed ID_PROT request 0 [ KE
>> No NAT-D NAT-D ]
>> Nov 10 14:25:13 gateway charon: 04[LIB] size of DH secret exponent:
>> 1535 bits
>> Nov 10 14:25:13 gateway charon: 04[IKE] remote host is behind NAT
>> Nov 10 14:25:13 gateway charon: 04[IKE] sending cert request for
>> "C=DE, ST=Berlin, O=<Organization>, CN=<Name> CA, E=<email>"
>> Nov 10 14:25:13 gateway charon: 04[ENC] generating ID_PROT response 0
>> [ KE No CERTREQ NAT-D NAT-D ]
>> Nov 10 14:25:13 gateway charon: 04[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:13 gateway charon: 04[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:13 gateway charon: 04[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:13 gateway charon: 03[MGR] checkout IKE_SA by message
>> Nov 10 14:25:13 gateway charon: 03[MGR] IKE_SA (unnamed)[1]
>> successfully checked out
>> Nov 10 14:25:13 gateway charon: 03[NET] received packet: from 
>> <client-ip>[56633] to <server-ip>[4500]
>> Nov 10 14:25:13 gateway charon: 03[ENC] decryption failed, invalid length
>> Nov 10 14:25:13 gateway charon: 03[ENC] could not decrypt payloads
>> Nov 10 14:25:13 gateway charon: 03[IKE] integrity check failed
>> Nov 10 14:25:13 gateway charon: 03[ENC] generating INFORMATIONAL_V1 request 374731955 [ HASH N(INVAL_HASH) ]
>> Nov 10 14:25:13 gateway charon: 03[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:13 gateway charon: 03[IKE] ID_PROT request with message
>> ID 0 processing failed
>> Nov 10 14:25:13 gateway charon: 03[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:13 gateway charon: 03[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:13 gateway charon: 02[MGR] checkout IKE_SA by message
>> Nov 10 14:25:13 gateway charon: 02[MGR] IKE_SA (unnamed)[1]
>> successfully checked out
>> Nov 10 14:25:13 gateway charon: 02[NET] received packet: from 
>> <client-ip>[56633] to <server-ip>[4500]
>> Nov 10 14:25:13 gateway charon: 02[ENC] decryption failed, invalid length
>> Nov 10 14:25:13 gateway charon: 02[ENC] could not decrypt payloads
>> Nov 10 14:25:13 gateway charon: 02[IKE] integrity check failed
>> Nov 10 14:25:13 gateway charon: 02[ENC] generating INFORMATIONAL_V1 request 1955652691 [ HASH N(INVAL_HASH) ]
>> Nov 10 14:25:13 gateway charon: 02[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:13 gateway charon: 02[IKE] ID_PROT request with message
>> ID 0 processing failed
>> Nov 10 14:25:13 gateway charon: 02[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:13 gateway charon: 02[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:16 gateway charon: 01[MGR] checkout IKE_SA by message
>> Nov 10 14:25:16 gateway charon: 01[MGR] IKE_SA (unnamed)[1]
>> successfully checked out
>> Nov 10 14:25:16 gateway charon: 01[NET] received packet: from 
>> <client-ip>[56633] to <server-ip>[4500]
>> Nov 10 14:25:16 gateway charon: 01[ENC] decryption failed, invalid length
>> Nov 10 14:25:16 gateway charon: 01[ENC] could not decrypt payloads
>> Nov 10 14:25:16 gateway charon: 01[IKE] integrity check failed
>> Nov 10 14:25:16 gateway charon: 01[ENC] generating INFORMATIONAL_V1 request 1337183494 [ HASH N(INVAL_HASH) ]
>> Nov 10 14:25:16 gateway charon: 01[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:16 gateway charon: 01[IKE] ID_PROT request with message
>> ID 0 processing failed
>> Nov 10 14:25:16 gateway charon: 01[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:16 gateway charon: 01[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:16 gateway charon: 13[MGR] checkout IKE_SA by message
>> Nov 10 14:25:16 gateway charon: 13[MGR] IKE_SA (unnamed)[1]
>> successfully checked out
>> Nov 10 14:25:16 gateway charon: 13[NET] received packet: from 
>> <client-ip>[56633] to <server-ip>[4500]
>> Nov 10 14:25:16 gateway charon: 13[ENC] decryption failed, invalid length
>> Nov 10 14:25:16 gateway charon: 13[ENC] could not decrypt payloads
>> Nov 10 14:25:16 gateway charon: 13[IKE] integrity check failed
>> Nov 10 14:25:16 gateway charon: 13[ENC] generating INFORMATIONAL_V1 request 4186574038 [ HASH N(INVAL_HASH) ]
>> Nov 10 14:25:16 gateway charon: 13[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:16 gateway charon: 13[IKE] ID_PROT request with message
>> ID 0 processing failed
>> Nov 10 14:25:16 gateway charon: 13[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:16 gateway charon: 13[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:19 gateway charon: 06[MGR] checkout IKE_SA by message
>> Nov 10 14:25:19 gateway charon: 06[MGR] IKE_SA (unnamed)[1]
>> successfully checked out
>> Nov 10 14:25:19 gateway charon: 06[NET] received packet: from 
>> <client-ip>[56633] to <server-ip>[4500]
>> Nov 10 14:25:19 gateway charon: 06[ENC] decryption failed, invalid length
>> Nov 10 14:25:19 gateway charon: 06[ENC] could not decrypt payloads
>> Nov 10 14:25:19 gateway charon: 06[IKE] integrity check failed
>> Nov 10 14:25:19 gateway charon: 06[ENC] generating INFORMATIONAL_V1 request 2768949833 [ HASH N(INVAL_HASH) ]
>> Nov 10 14:25:19 gateway charon: 06[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:19 gateway charon: 06[IKE] ID_PROT request with message
>> ID 0 processing failed
>> Nov 10 14:25:19 gateway charon: 06[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:19 gateway charon: 06[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:19 gateway charon: 15[MGR] checkout IKE_SA by message
>> Nov 10 14:25:19 gateway charon: 15[MGR] IKE_SA (unnamed)[1]
>> successfully checked out
>> Nov 10 14:25:19 gateway charon: 15[NET] received packet: from 
>> <client-ip>[56633] to <server-ip>[4500]
>> Nov 10 14:25:19 gateway charon: 15[ENC] decryption failed, invalid length
>> Nov 10 14:25:19 gateway charon: 15[ENC] could not decrypt payloads
>> Nov 10 14:25:19 gateway charon: 15[IKE] integrity check failed
>> Nov 10 14:25:19 gateway charon: 15[ENC] generating INFORMATIONAL_V1 request 909043028 [ HASH N(INVAL_HASH) ]
>> Nov 10 14:25:19 gateway charon: 15[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:19 gateway charon: 15[IKE] ID_PROT request with message
>> ID 0 processing failed
>> Nov 10 14:25:19 gateway charon: 15[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:19 gateway charon: 15[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:22 gateway charon: 11[MGR] checkout IKE_SA by message
>> Nov 10 14:25:22 gateway charon: 11[MGR] IKE_SA (unnamed)[1]
>> successfully checked out
>> Nov 10 14:25:22 gateway charon: 11[NET] received packet: from 
>> <client-ip>[56633] to <server-ip>[4500]
>> Nov 10 14:25:22 gateway charon: 11[ENC] decryption failed, invalid length
>> Nov 10 14:25:22 gateway charon: 11[ENC] could not decrypt payloads
>> Nov 10 14:25:22 gateway charon: 11[IKE] integrity check failed
>> Nov 10 14:25:22 gateway charon: 11[ENC] generating INFORMATIONAL_V1 request 2987174101 [ HASH N(INVAL_HASH) ]
>> Nov 10 14:25:22 gateway charon: 11[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:22 gateway charon: 11[IKE] ID_PROT request with message
>> ID 0 processing failed
>> Nov 10 14:25:22 gateway charon: 11[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:22 gateway charon: 11[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:22 gateway charon: 05[MGR] checkout IKE_SA by message
>> Nov 10 14:25:22 gateway charon: 05[MGR] IKE_SA (unnamed)[1]
>> successfully checked out
>> Nov 10 14:25:22 gateway charon: 05[NET] received packet: from 
>> <client-ip>[56633] to <server-ip>[4500]
>> Nov 10 14:25:22 gateway charon: 05[ENC] decryption failed, invalid length
>> Nov 10 14:25:22 gateway charon: 05[ENC] could not decrypt payloads
>> Nov 10 14:25:22 gateway charon: 05[IKE] integrity check failed
>> Nov 10 14:25:22 gateway charon: 05[ENC] generating INFORMATIONAL_V1 request 2459254495 [ HASH N(INVAL_HASH) ]
>> Nov 10 14:25:22 gateway charon: 05[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:22 gateway charon: 05[IKE] ID_PROT request with message
>> ID 0 processing failed
>> Nov 10 14:25:22 gateway charon: 05[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:22 gateway charon: 05[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:34 gateway charon: 04[MGR] checkout IKE_SA by message
>> Nov 10 14:25:34 gateway charon: 04[MGR] IKE_SA (unnamed)[1]
>> successfully checked out
>> Nov 10 14:25:34 gateway charon: 04[NET] received packet: from 
>> <client-ip>[56633] to <server-ip>[4500]
>> Nov 10 14:25:34 gateway charon: 04[ENC] decryption failed, invalid length
>> Nov 10 14:25:34 gateway charon: 04[ENC] could not decrypt payloads
>> Nov 10 14:25:34 gateway charon: 04[IKE] integrity check failed
>> Nov 10 14:25:34 gateway charon: 04[ENC] generating INFORMATIONAL_V1 request 1662440368 [ HASH N(INVAL_HASH) ]
>> Nov 10 14:25:34 gateway charon: 04[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:34 gateway charon: 04[IKE] ID_PROT request with message
>> ID 0 processing failed
>> Nov 10 14:25:34 gateway charon: 04[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:34 gateway charon: 04[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:34 gateway charon: 03[MGR] checkout IKE_SA by message
>> Nov 10 14:25:34 gateway charon: 03[MGR] IKE_SA (unnamed)[1]
>> successfully checked out
>> Nov 10 14:25:34 gateway charon: 03[NET] received packet: from 
>> <client-ip>[56633] to <server-ip>[4500]
>> Nov 10 14:25:34 gateway charon: 03[ENC] decryption failed, invalid length
>> Nov 10 14:25:34 gateway charon: 03[ENC] could not decrypt payloads
>> Nov 10 14:25:34 gateway charon: 03[IKE] integrity check failed
>> Nov 10 14:25:34 gateway charon: 03[ENC] generating INFORMATIONAL_V1 request 3160971383 [ HASH N(INVAL_HASH) ]
>> Nov 10 14:25:34 gateway charon: 03[NET] sending packet: from 
>> <server-ip>[500] to <client-ip>[56616]
>> Nov 10 14:25:34 gateway charon: 03[IKE] ID_PROT request with message
>> ID 0 processing failed
>> Nov 10 14:25:34 gateway charon: 03[MGR] checkin IKE_SA (unnamed)[1]
>> Nov 10 14:25:34 gateway charon: 03[MGR] check-in of IKE_SA successful.
>> Nov 10 14:25:43 gateway charon: 07[JOB] got event, queuing job for execution
>> Nov 10 14:25:43 gateway charon: 07[JOB] no events, waiting
>> Nov 10 14:25:43 gateway charon: 02[MGR] checkout IKE_SA
>> Nov 10 14:25:43 gateway charon: 02[MGR] IKE_SA (unnamed)[1]
>> successfully checked out
>> Nov 10 14:25:43 gateway charon: 02[JOB] deleting half open IKE_SA
>> after timeout
>> Nov 10 14:25:43 gateway charon: 02[MGR] checkin and destroy IKE_SA 
>> (unnamed)[1]
>> Nov 10 14:25:43 gateway charon: 02[MGR] check-in and destroy of
>> IKE_SA successful
>> 
>> 
>> 
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
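
The failure pattern in the quoted log (clear-text Main Mode exchanges succeed, then every encrypted message on port 4500 fails with "decryption failed, invalid length") can be picked out of a charon log automatically. The following is an added example, not part of the original thread or of strongSwan; it assumes unwrapped syslog lines in the format shown above, and the sample log and its IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the charon syslog format quoted in the thread.
# Addresses are documentation placeholders, not values from the post.
SAMPLE_LOG = """\
Nov 10 14:25:13 gateway charon: 05[NET] received packet: from 192.0.2.10[56616] to 198.51.100.1[500]
Nov 10 14:25:13 gateway charon: 05[ENC] parsed ID_PROT request 0 [ SA V V V ]
Nov 10 14:25:13 gateway charon: 04[NET] received packet: from 192.0.2.10[56616] to 198.51.100.1[500]
Nov 10 14:25:13 gateway charon: 04[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov 10 14:25:13 gateway charon: 04[IKE] remote host is behind NAT
Nov 10 14:25:13 gateway charon: 03[NET] received packet: from 192.0.2.10[56633] to 198.51.100.1[4500]
Nov 10 14:25:13 gateway charon: 03[ENC] decryption failed, invalid length
Nov 10 14:25:13 gateway charon: 03[IKE] integrity check failed
Nov 10 14:25:16 gateway charon: 01[NET] received packet: from 192.0.2.10[56633] to 198.51.100.1[4500]
Nov 10 14:25:16 gateway charon: 01[ENC] decryption failed, invalid length
Nov 10 14:25:43 gateway charon: 02[JOB] deleting half open IKE_SA after timeout
"""

# "charon: <worker thread>[<subsystem>] <message>"
LINE = re.compile(r"charon: (?P<tid>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
RECV = re.compile(
    r"received packet: from (?P<src>\S+)\[\d+\] to \S+\[(?P<dport>\d+)\]"
)


def triage(log_text, min_failures=2):
    """Return peers whose key exchange completed in clear text but whose
    following encrypted messages repeatedly failed with 'invalid length'."""
    # A worker thread logs the packet it picked up, then the result of
    # processing it, so the thread id links a failure to its peer.
    last_packet = {}  # thread id -> (peer address, destination port)
    peers = defaultdict(
        lambda: {"ke_done": False, "invalid_length": 0, "ports": set()}
    )

    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        r = RECV.search(msg)
        if r:
            last_packet[tid] = (r["src"], int(r["dport"]))
            continue
        if tid not in last_packet:
            continue  # message not tied to a received packet (e.g. JOB)
        peer, dport = last_packet[tid]
        state = peers[peer]
        if msg.startswith("parsed ID_PROT request") and " KE " in msg:
            state["ke_done"] = True
        elif msg.startswith("decryption failed, invalid length"):
            state["invalid_length"] += 1
            state["ports"].add(dport)

    return {
        peer: {
            "invalid_length": s["invalid_length"],
            "dst_ports": sorted(s["ports"]),
        }
        for peer, s in peers.items()
        if s["ke_done"] and s["invalid_length"] >= min_failures
    }


if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG).items():
        print(peer, info)
```

A hit only says that the first encrypted Main Mode message could not be processed; whether certificate size or fragmentation is the cause, as discussed in the thread, still has to be confirmed with a packet capture.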




