[strongSwan] Log every few seconds appeared "not enough input to parse rule 0 IKE_SPI"

Chopin Ngo consatan at gmail.com
Mon Apr 8 11:41:14 CEST 2013


Hi, all

Here is the debug level 4 log of these warnings; can somebody help me?

Apr  8 17:11:23 vpn charon: 10[NET] received packet => 5 bytes @ 0x7ffd4b7fb3b0
Apr  8 17:11:23 vpn charon: 10[NET]    0: 00 00 00 00 FF                                   .....
Apr  8 17:11:23 vpn charon: 10[NET] received packet: from 2.2.2.2[4500] to 192.168.100.200[4500]
Apr  8 17:11:23 vpn charon: 10[ENC] parsing header of message
Apr  8 17:11:23 vpn charon: 10[ENC] parsing HEADER payload, 1 bytes left
Apr  8 17:11:23 vpn charon: 10[ENC] parsing payload from => 1 bytes @ 0x12a6ea4
Apr  8 17:11:23 vpn charon: 10[ENC]    0: FF                                               .
Apr  8 17:11:23 vpn charon: 10[ENC]   parsing rule 0 IKE_SPI
Apr  8 17:11:23 vpn charon: 10[ENC]   not enough input to parse rule 0 IKE_SPI
Apr  8 17:11:23 vpn charon: 10[ENC] header could not be parsed
Apr  8 17:11:23 vpn charon: 10[NET] received invalid IKE header from 2.2.2.2 - ignored
Apr  8 17:11:23 vpn charon: 10[NET] waiting for data on sockets


2013/4/7 Chopin Ngo <consatan at gmail.com>

> Hi, all
>
> I use strongSwan 5.0.2 on Debian 6; here is the config
>
> ============================================================
> strongswan server
> LAN IP: 192.168.100.200/24
> DG: 192.168.100.1
> WAN IP: 1.1.1.1
>
> # /etc/ipsec.conf
> config setup
> conn psk
>         auto=add
>         authby=secret
>         keyexchange=ikev1
>         aggressive=yes
>         modeconfig=push
>         left=%defaultroute
>         leftsubnet=0.0.0.0/0
>         leftauth=psk
>         right=%any
>         rightsourceip=10.0.0.200
>         rightauth=psk
>         rightauth2=xauth
>
> # /etc/ipsec.secrets
> user : XAUTH "pass"
> 2.2.2.2 : PSK "pass"
>
> # /etc/strongswan.conf
> charon {
>   threads = 16
>   dns1 = 8.8.8.8
>   dns2 = 8.8.4.4
>   i_dont_care_about_security_and_use_aggressive_mode_psk = yes
> }
>
> # ipsec statusall
> Status of IKE charon daemon (weakSwan 5.0.2, Linux 2.6.32-5-amd64, x86_64):
>   uptime: 17 minutes, since Apr 07 11:31:17 2013
>   malloc: sbrk 401408, mmap 0, used 237472, free 163936
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
> scheduled: 3
>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf
> gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown
> xauth-generic unity
> Virtual IP pools (size/online/offline):
>   10.0.0.200: 1/1/0
> Listening IP addresses:
>   192.168.100.200
> Connections:
>          psk:  %any...%any  IKEv1 Aggressive
>          psk:   local:  [192.168.100.200] uses pre-shared key
> authentication
>          psk:   remote: uses pre-shared key authentication
>          psk:   remote: uses XAuth authentication: any
>          psk:   child:  0.0.0.0/0 === dynamic TUNNEL
> Security Associations (1 up, 0 connecting):
>          psk[1]: ESTABLISHED 17 minutes ago,
> 192.168.100.200[192.168.100.200]...2.2.2.2[client]
>          psk[1]: Remote XAuth identity: user
>          psk[1]: IKEv1 SPIs: 10e5b73cb5de2748_i adabd73d6c43d71a_r*,
> pre-shared key reauthentication in 2 hours
>          psk[1]: IKE proposal:
> AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>          psk{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cd10078b_i daeaedfe_o
>          psk{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
> in 25 minutes
>          psk{1}:   0.0.0.0/0 === 10.0.0.200/32
> ============================================================
>
> The VPN client is vpnc on Debian 6
>
> ============================================================
> vpnc client
> LAN IP: 192.168.1.77/24
> DG: 192.168.1.1
> WAN IP: 2.2.2.2
>
> # /etc/vpnc/config
> IPSec gateway 1.1.1.1
> IPSec ID client
> IPSec secret pass
> IKE Authmode psk
> Xauth username user
> Xauth password pass
> ============================================================
>
> It's working, but there are some warnings in the log file
>
> ============================================================
> 11:31:17 vpn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2,
> Linux 2.6.32-5-amd64, x86_64)
> 11:31:17 vpn charon: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> 11:31:17 vpn charon: 00[CFG]   loaded ca certificate "C=CN, O=StrongSwan,
> CN=ipsec.xxx.com" from '/etc/ipsec.d/cacerts/caCert.pem'
> 11:31:17 vpn charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> 11:31:17 vpn charon: 00[CFG] loading ocsp signer certificates from
> '/etc/ipsec.d/ocspcerts'
> 11:31:17 vpn charon: 00[CFG] loading attribute certificates from
> '/etc/ipsec.d/acerts'
> 11:31:17 vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 11:31:17 vpn charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 11:31:17 vpn charon: 00[CFG]   loaded EAP secret for user
> 11:31:17 vpn charon: 00[CFG]   loaded IKE secret for 2.2.2.2
> 11:31:17 vpn charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5
> random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem
> openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
> socket-default stroke updown xauth-generic unity
> 11:31:17 vpn charon: 00[JOB] spawning 16 worker threads
> 11:31:17 vpn charon: 06[CFG] received stroke: add connection 'psk'
> 11:31:17 vpn charon: 06[CFG] left nor right host is our side, assuming
> left=local
> 11:31:17 vpn charon: 06[CFG] adding virtual IP address pool 10.0.0.200
> 11:31:17 vpn charon: 06[CFG] added configuration 'psk'
> 11:31:23 vpn charon: 07[NET] received packet: from 2.2.2.2[25722] to
> 192.168.100.200[500] (1282 bytes)
> 11:31:23 vpn charon: 07[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V
> V V V V V V ]
> 11:31:23 vpn charon: 07[IKE] received XAuth vendor ID
> 11:31:23 vpn charon: 07[IKE] received Cisco Unity vendor ID
> 11:31:23 vpn charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
> 11:31:23 vpn charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n
> vendor ID
> 11:31:23 vpn charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor
> ID
> 11:31:23 vpn charon: 07[ENC] received unknown vendor ID:
> 27:f1:d6:32:df:a5:13:6f:72:25:aa:3f:6a:ef:a8:88
> 11:31:23 vpn charon: 07[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor
> ID
> 11:31:23 vpn charon: 07[IKE] received DPD vendor ID
> 11:31:23 vpn charon: 07[IKE] 2.2.2.2 is initiating a Aggressive Mode IKE_SA
> 11:31:23 vpn charon: 07[CFG] looking for XAuthInitPSK peer configs
> matching 192.168.100.200...2.2.2.2[client]
> 11:31:23 vpn charon: 07[CFG] selected peer config "psk"
> 11:31:23 vpn charon: 07[ENC] generating AGGRESSIVE response 0 [ SA KE No
> ID NAT-D NAT-D HASH V V V ]
> 11:31:23 vpn charon: 07[NET] sending packet: from 192.168.100.200[500] to
> 2.2.2.2[25722] (392 bytes)
> 11:31:23 vpn charon: 09[NET] received packet: from 2.2.2.2[15275] to
> 192.168.100.200[4500] (172 bytes)
> 11:31:23 vpn charon: 09[ENC] parsed AGGRESSIVE request 0 [ HASH
> N(INITIAL_CONTACT) V V NAT-D NAT-D ]
> 11:31:23 vpn charon: 09[IKE] local host is behind NAT, sending keep alives
> 11:31:23 vpn charon: 09[IKE] remote host is behind NAT
> 11:31:23 vpn charon: 09[ENC] generating TRANSACTION request 2654103914 [
> HASH CP ]
> 11:31:23 vpn charon: 09[NET] sending packet: from 192.168.100.200[4500] to
> 2.2.2.2[15275] (76 bytes)
> 11:31:23 vpn charon: 11[NET] received packet: from 2.2.2.2[15275] to
> 192.168.100.200[4500] (92 bytes)
> 11:31:23 vpn charon: 11[ENC] parsed TRANSACTION response 2654103914 [ HASH
> CP ]
> 11:31:23 vpn charon: 11[IKE] XAuth authentication of 'user' successful
> 11:31:23 vpn charon: 11[ENC] generating TRANSACTION request 2343375310 [
> HASH CP ]
> 11:31:23 vpn charon: 11[NET] sending packet: from 192.168.100.200[4500] to
> 2.2.2.2[15275] (76 bytes)
> 11:31:23 vpn charon: 12[NET] received packet: from 2.2.2.2[15275] to
> 192.168.100.200[4500] (76 bytes)
> 11:31:23 vpn charon: 12[ENC] parsed TRANSACTION response 2343375310 [
> HASH CP ]
> 11:31:23 vpn charon: 12[IKE] IKE_SA psk[1] established between
> 192.168.100.200[192.168.100.200]...2.2.2.2[client]
> 11:31:23 vpn charon: 12[IKE] scheduling reauthentication in 9843s
> 11:31:23 vpn charon: 12[IKE] maximum IKE_SA lifetime 10383s
> 11:31:23 vpn charon: 10[NET] received packet: from 2.2.2.2[15275] to
> 192.168.100.200[4500] (172 bytes)
> 11:31:23 vpn charon: 10[ENC] parsed TRANSACTION request 2262595363 [ HASH
> CP ]
> 11:31:23 vpn charon: 10[IKE] peer requested virtual IP %any
> 11:31:23 vpn charon: 10[CFG] assigning new lease to 'user'
> 11:31:23 vpn charon: 10[IKE] assigning virtual IP 10.0.0.200 to peer 'user'
> 11:31:23 vpn charon: 10[ENC] generating TRANSACTION response 2262595363 [
> HASH CP ]
> 11:31:23 vpn charon: 10[NET] sending packet: from 192.168.100.200[4500] to
> 2.2.2.2[15275] (92 bytes)
> 11:31:23 vpn charon: 13[NET] received packet: from 2.2.2.2[15275] to
> 192.168.100.200[4500] (620 bytes)
> 11:31:23 vpn charon: 13[ENC] parsed QUICK_MODE request 117587104 [ HASH SA
> No ID ID ]
> 11:31:23 vpn charon: 13[IKE] received 2147483s lifetime, configured 3600s
> 11:31:23 vpn charon: 13[ENC] generating QUICK_MODE response 117587104 [
> HASH SA No ID ID ]
> 11:31:23 vpn charon: 13[NET] sending packet: from 192.168.100.200[4500] to
> 2.2.2.2[15275] (188 bytes)
> 11:31:23 vpn charon: 08[NET] received packet: from 2.2.2.2[15275] to
> 192.168.100.200[4500] (60 bytes)
> 11:31:23 vpn charon: 08[ENC] parsed QUICK_MODE request 117587104 [ HASH ]
> 11:31:23 vpn charon: 08[IKE] CHILD_SA psk{1} established with SPIs
> cd10078b_i daeaedfe_o and TS 0.0.0.0/0 === 10.0.0.200/32
> 11:31:23 vpn charon: 06[NET] received packet: from 2.2.2.2[15275] to
> 192.168.100.200[4500] (92 bytes)
> 11:31:23 vpn charon: 06[ENC] parsed INFORMATIONAL_V1 request 2510066777 [
> HASH N(DPD) ]
> 11:31:23 vpn charon: 06[ENC] generating INFORMATIONAL_V1 request
> 2638375961 [ HASH N(DPD_ACK) ]
> 11:31:23 vpn charon: 06[NET] sending packet: from 192.168.100.200[4500] to
> 2.2.2.2[15275] (92 bytes)
> 11:31:32 vpn charon: 01[ENC]   not enough input to parse rule 0 IKE_SPI
> 11:31:32 vpn charon: 01[ENC] header could not be parsed
> 11:31:32 vpn charon: 01[NET] received invalid IKE header from 2.2.2.2 -
> ignored
> 11:31:41 vpn charon: 01[ENC]   not enough input to parse rule 0 IKE_SPI
> 11:31:41 vpn charon: 01[ENC] header could not be parsed
> 11:31:41 vpn charon: 01[NET] received invalid IKE header from 2.2.2.2 -
> ignored
> 11:31:47 vpn charon: 10[IKE] sending keep alive to 2.2.2.2[15275]
> 11:31:56 vpn charon: 01[ENC]   not enough input to parse rule 0 IKE_SPI
> 11:31:56 vpn charon: 01[ENC] header could not be parsed
> 11:31:56 vpn charon: 01[NET] received invalid IKE header from 2.2.2.2 -
> ignored
> ============================================================
>
> How can I fix it?
>



-- 
A wise son makes his father glad, but a foolish man despises his mother.
              ---- Proverbs 15:20
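An added example for this thread, not code from the original post, strongSwan or vpnc, showing why the 5-byte datagram in the debug log above fails to parse. On UDP port 4500, RFC 3948 frames three kinds of traffic: UDP-encapsulated ESP (the first four bytes are the SPI, which is never zero on the wire), IKE (prefixed by a four-byte all-zero Non-ESP marker) and the NAT keepalive, which is a datagram consisting of the single byte 0xFF. The logged bytes `00 00 00 00 FF` from the client's 4500 port are a Non-ESP marker followed by that keepalive byte; once the marker is stripped, one byte is left for the IKE header parser, whose first rule is the 8-byte initiator SPI, hence "parsing HEADER payload, 1 bytes left" and "not enough input to parse rule 0 IKE_SPI", after which charon logs "received invalid IKE header" and ignores the packet. The classifier below reproduces that decision; `build_ike_header` is a hypothetical helper, and the IKE and ESP samples are constructed around the SPI values shown in the quoted `ipsec statusall` output.

```python
"""Classify a UDP/4500 datagram the way RFC 3948 frames the port.

Added example for this thread; it is not strongSwan or vpnc code.  The
5-byte LOGGED_PACKET is copied from the debug log above; every other sample
is constructed here.
"""
import struct

# ISAKMP/IKE header: I-SPI 8, R-SPI 8, next payload 1, version 1,
# exchange type 1, flags 1, message ID 4, length 4  ->  28 bytes.
IKE_HEADER_FMT = "!QQBBBBII"
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)   # 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: zero word in front of IKE on 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: the whole datagram is one 0xFF byte

# Bytes received in the debug log above: "00 00 00 00 FF".
LOGGED_PACKET = bytes.fromhex("00000000ff")


def classify_udp4500(payload: bytes) -> dict:
    """Say what a port-4500 datagram is, in the order the framing is checked.

    A lone 0xFF is a NAT keepalive.  A zero first word is the Non-ESP marker,
    so the rest goes to the IKE header parser.  Anything else is UDP-
    encapsulated ESP, whose first word is the SPI (never zero on the wire,
    RFC 4303), which is what makes the marker unambiguous.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive", "ok": True}
    if len(payload) < 4:
        return {"kind": "runt", "ok": False,
                "reason": f"{len(payload)} byte(s), need at least 4"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]  # exactly what charon's header parser gets to see
        if len(ike) < IKE_HEADER_LEN:
            # The parser's first rule is the 8-byte initiator SPI; with one
            # byte left it fails, which is the log's "not enough input to
            # parse rule 0 IKE_SPI" followed by "header could not be parsed".
            return {"kind": "ike", "ok": False,
                    "reason": (f"{len(ike)} byte(s) left after Non-ESP marker, "
                               f"IKE header needs {IKE_HEADER_LEN}")}
        ispi, rspi, _np, version, exch, _flags, msgid, length = struct.unpack(
            IKE_HEADER_FMT, ike[:IKE_HEADER_LEN])
        if length != len(ike):
            return {"kind": "ike", "ok": False,
                    "reason": f"length field {length} != {len(ike)} bytes on the wire"}
        return {"kind": "ike", "ok": True, "ispi": ispi, "rspi": rspi,
                "version": f"{version >> 4}.{version & 0x0f}",
                "exchange_type": exch, "message_id": msgid}
    spi = struct.unpack("!I", payload[:4])[0]
    return {"kind": "esp-in-udp", "ok": True, "spi": spi}


def build_ike_header(ispi: int, rspi: int, exch_type: int,
                     msg_id: int = 0, body: bytes = b"") -> bytes:
    """Constructed helper: an IKEv1 header (version 1.0) plus body, framed
    for port 4500 with the Non-ESP marker.  Hypothetical, for the samples."""
    hdr = struct.pack(IKE_HEADER_FMT, ispi, rspi, 0, 0x10, exch_type, 0,
                      msg_id, IKE_HEADER_LEN + len(body))
    return NON_ESP_MARKER + hdr + body


# Constructed samples.  The SPI values are the ones shown in the quoted
# "ipsec statusall" output; everything around them is made up here.
IKE_SAMPLE = build_ike_header(0x10e5b73cb5de2748, 0xadabd73d6c43d71a,
                              exch_type=5)           # 5 = IKEv1 Informational
ESP_SAMPLE = bytes.fromhex("cd10078b") + bytes.fromhex("00000001") + b"\x00" * 16


if __name__ == "__main__":
    for name, pkt in [("logged", LOGGED_PACKET), ("keepalive", NAT_KEEPALIVE),
                      ("ike", IKE_SAMPLE), ("esp", ESP_SAMPLE)]:
        print(f"{name:10s} {pkt[:8].hex():>16s}  {classify_udp4500(pkt)}")
```

Run stand-alone it prints one line per sample; the logged datagram comes out as `kind: ike, ok: False` with the 1-of-28 reason, while a bare `FF` is accepted as a keepalive, which is the distinction charon is drawing when it ignores the packet.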