[strongSwan] Log every few seconds appeared "not enough input to parse rule 0 IKE_SPI"

Chopin Ngo consatan at gmail.com
Sun Apr 7 06:01:15 CEST 2013 

Hi,all

I use strongswan 5.0.2 in debian 6, here is the config

============================================================
strongswan server
LAN IP: 192.168.100.200/24
DG: 192.168.100.1
WAN IP: 1.1.1.1

# /etc/ipsec.conf
config setup
conn psk
        auto=add
        authby=secret
        keyexchange=ikev1
        aggressive=yes
        modeconfig=push
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftauth=psk
        right=%any
        rightsourceip=10.0.0.200
        rightauth=psk
        rightauth2=xauth

# /etc/ipsec.secrets
user : XAUTH "pass"
2.2.2.2 : PSK "pass"

# /etc/strongswan.conf
charon {
  threads = 16
  dns1 = 8.8.8.8
  dns2 = 8.8.4.4
  i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}

# ipsec statusall
Status of IKE charon daemon (weakSwan 5.0.2, Linux 2.6.32-5-amd64, x86_64):
  uptime: 17 minutes, since Apr 07 11:31:17 2013
  malloc: sbrk 401408, mmap 0, used 237472, free 163936
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
scheduled: 3
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc
cmac hmac attr kernel-netlink resolve socket-default stroke updown
xauth-generic unity
Virtual IP pools (size/online/offline):
  10.0.0.200: 1/1/0
Listening IP addresses:
  192.168.100.200
Connections:
         psk:  %any...%any  IKEv1 Aggressive
         psk:   local:  [192.168.100.200] uses pre-shared key authentication
         psk:   remote: uses pre-shared key authentication
         psk:   remote: uses XAuth authentication: any
         psk:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
         psk[1]: ESTABLISHED 17 minutes ago,
192.168.100.200[192.168.100.200]...2.2.2.2[client]
         psk[1]: Remote XAuth identity: user
         psk[1]: IKEv1 SPIs: 10e5b73cb5de2748_i adabd73d6c43d71a_r*,
pre-shared key reauthentication in 2 hours
         psk[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
         psk{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cd10078b_i daeaedfe_o
         psk{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 25 minutes
         psk{1}:   0.0.0.0/0 === 10.0.0.200/32
============================================================

VPN client is vpnc in debian 6

============================================================
vpnc client
LAN IP: 192.168.1.77/24
DG: 192.168.1.1
WAN IP: 2.2.2.2

# /etc/vpnc/config
IPSec gateway 1.1.1.1
IPSec ID client
IPSec secret pass
IKE Authmode psk
Xauth username user
Xauth password pass
============================================================

it's working, but some warnings on log file

============================================================
11:31:17 vpn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2,
Linux 2.6.32-5-amd64, x86_64)
11:31:17 vpn charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
11:31:17 vpn charon: 00[CFG]   loaded ca certificate "C=CN, O=StrongSwan,
CN=ipsec.xxx.com" from '/etc/ipsec.d/cacerts/caCert.pem'
11:31:17 vpn charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
11:31:17 vpn charon: 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
11:31:17 vpn charon: 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
11:31:17 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
11:31:17 vpn charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
11:31:17 vpn charon: 00[CFG]   loaded EAP secret for user
11:31:17 vpn charon: 00[CFG]   loaded IKE secret for 2.2.2.2
11:31:17 vpn charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5
random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem
openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
socket-default stroke updown xauth-generic unity
11:31:17 vpn charon: 00[JOB] spawning 16 worker threads
11:31:17 vpn charon: 06[CFG] received stroke: add connection 'psk'
11:31:17 vpn charon: 06[CFG] left nor right host is our side, assuming
left=local
11:31:17 vpn charon: 06[CFG] adding virtual IP address pool 10.0.0.200
11:31:17 vpn charon: 06[CFG] added configuration 'psk'
11:31:23 vpn charon: 07[NET] received packet: from 2.2.2.2[25722] to
192.168.100.200[500] (1282 bytes)
11:31:23 vpn charon: 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V
V V V V V V ]
11:31:23 vpn charon: 07[IKE] received XAuth vendor ID
11:31:23 vpn charon: 07[IKE] received Cisco Unity vendor ID
11:31:23 vpn charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
11:31:23 vpn charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n
vendor ID
11:31:23 vpn charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor
ID
11:31:23 vpn charon: 07[ENC] received unknown vendor ID:
27:f1:d6:32:df:a5:13:6f:72:25:aa:3f:6a:ef:a8:88
11:31:23 vpn charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor
ID
11:31:23 vpn charon: 07[IKE] received DPD vendor ID
11:31:23 vpn charon: 07[IKE] 2.2.2.2 is initiating a Aggressive Mode IKE_SA
11:31:23 vpn charon: 07[CFG] looking for XAuthInitPSK peer configs matching
192.168.100.200...2.2.2.2[client]
11:31:23 vpn charon: 07[CFG] selected peer config "psk"
11:31:23 vpn charon: 07[ENC] generating AGGRESSIVE response 0 [ SA KE No ID
NAT-D NAT-D HASH V V V ]
11:31:23 vpn charon: 07[NET] sending packet: from 192.168.100.200[500] to
2.2.2.2[25722] (392 bytes)
11:31:23 vpn charon: 09[NET] received packet: from 2.2.2.2[15275] to
192.168.100.200[4500] (172 bytes)
11:31:23 vpn charon: 09[ENC] parsed AGGRESSIVE request 0 [ HASH
N(INITIAL_CONTACT) V V NAT-D NAT-D ]
11:31:23 vpn charon: 09[IKE] local host is behind NAT, sending keep alives
11:31:23 vpn charon: 09[IKE] remote host is behind NAT
11:31:23 vpn charon: 09[ENC] generating TRANSACTION request 2654103914 [
HASH CP ]
11:31:23 vpn charon: 09[NET] sending packet: from 192.168.100.200[4500] to
2.2.2.2[15275] (76 bytes)
11:31:23 vpn charon: 11[NET] received packet: from 2.2.2.2[15275] to
192.168.100.200[4500] (92 bytes)
11:31:23 vpn charon: 11[ENC] parsed TRANSACTION response 2654103914 [ HASH
CP ]
11:31:23 vpn charon: 11[IKE] XAuth authentication of 'user' successful
11:31:23 vpn charon: 11[ENC] generating TRANSACTION request 2343375310 [
HASH CP ]
11:31:23 vpn charon: 11[NET] sending packet: from 192.168.100.200[4500] to
2.2.2.2[15275] (76 bytes)
11:31:23 vpn charon: 12[NET] received packet: from 2.2.2.2[15275] to
192.168.100.200[4500] (76 bytes)
11:31:23 vpn charon: 12[ENC] parsed TRANSACTION response 2343375310 [ HASH
CP ]
11:31:23 vpn charon: 12[IKE] IKE_SA psk[1] established between
192.168.100.200[192.168.100.200]...2.2.2.2[client]
11:31:23 vpn charon: 12[IKE] scheduling reauthentication in 9843s
11:31:23 vpn charon: 12[IKE] maximum IKE_SA lifetime 10383s
11:31:23 vpn charon: 10[NET] received packet: from 2.2.2.2[15275] to
192.168.100.200[4500] (172 bytes)
11:31:23 vpn charon: 10[ENC] parsed TRANSACTION request 2262595363 [ HASH
CP ]
11:31:23 vpn charon: 10[IKE] peer requested virtual IP %any
11:31:23 vpn charon: 10[CFG] assigning new lease to 'user'
11:31:23 vpn charon: 10[IKE] assigning virtual IP 10.0.0.200 to peer 'user'
11:31:23 vpn charon: 10[ENC] generating TRANSACTION response 2262595363 [
HASH CP ]
11:31:23 vpn charon: 10[NET] sending packet: from 192.168.100.200[4500] to
2.2.2.2[15275] (92 bytes)
11:31:23 vpn charon: 13[NET] received packet: from 2.2.2.2[15275] to
192.168.100.200[4500] (620 bytes)
11:31:23 vpn charon: 13[ENC] parsed QUICK_MODE request 117587104 [ HASH SA
No ID ID ]
11:31:23 vpn charon: 13[IKE] received 2147483s lifetime, configured 3600s
11:31:23 vpn charon: 13[ENC] generating QUICK_MODE response 117587104 [
HASH SA No ID ID ]
11:31:23 vpn charon: 13[NET] sending packet: from 192.168.100.200[4500] to
2.2.2.2[15275] (188 bytes)
11:31:23 vpn charon: 08[NET] received packet: from 2.2.2.2[15275] to
192.168.100.200[4500] (60 bytes)
11:31:23 vpn charon: 08[ENC] parsed QUICK_MODE request 117587104 [ HASH ]
11:31:23 vpn charon: 08[IKE] CHILD_SA psk{1} established with SPIs
cd10078b_i daeaedfe_o and TS 0.0.0.0/0 === 10.0.0.200/32
11:31:23 vpn charon: 06[NET] received packet: from 2.2.2.2[15275] to
192.168.100.200[4500] (92 bytes)
11:31:23 vpn charon: 06[ENC] parsed INFORMATIONAL_V1 request 2510066777 [
HASH N(DPD) ]
11:31:23 vpn charon: 06[ENC] generating INFORMATIONAL_V1 request 2638375961
[ HASH N(DPD_ACK) ]
11:31:23 vpn charon: 06[NET] sending packet: from 192.168.100.200[4500] to
2.2.2.2[15275] (92 bytes)
11:31:32 vpn charon: 01[ENC]   not enough input to parse rule 0 IKE_SPI
11:31:32 vpn charon: 01[ENC] header could not be parsed
11:31:32 vpn charon: 01[NET] received invalid IKE header from 2.2.2.2 -
ignored
11:31:41 vpn charon: 01[ENC]   not enough input to parse rule 0 IKE_SPI
11:31:41 vpn charon: 01[ENC] header could not be parsed
11:31:41 vpn charon: 01[NET] received invalid IKE header from 2.2.2.2 -
ignored
11:31:47 vpn charon: 10[IKE] sending keep alive to 2.2.2.2[15275]
11:31:56 vpn charon: 01[ENC]   not enough input to parse rule 0 IKE_SPI
11:31:56 vpn charon: 01[ENC] header could not be parsed
11:31:56 vpn charon: 01[NET] received invalid IKE header from 2.2.2.2 -
ignored
============================================================

How can I fixed it?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130407/61754797/attachment.html>

More information about the Users mailing list