[strongSwan] Strongswan to Sonicwall 5500, INVALID_SYNTAX error establishing CHILD_SA
Harvinder Rupra
harvinder.rupra at appliedconsultants.co.uk
Mon Apr 14 16:40:03 CEST 2014
Hi,

We have a Strongswan 5.1.2 VPN to a Sonicwall 5500. When we initiate the VPN from the Strongswan end we get a "received INVALID_SYNTAX notify error". However, when we initiate it from the Sonicwall end all is well. Can anyone see why we are getting the INVALID_SYNTAX notify error? Details are provided below.

regards
Harvinder

Initiate VPN from the Strongswan end:

        ipsec up data-center

Here is the output from charon.log:

        Apr 14 14:17:45 06[CFG] received stroke: initiate 'data-center'
        Apr 14 14:17:45 09[IKE] <data-center|6> initiating IKE_SA data-center[6] to xxx.xxx.xxx.34
        Apr 14 14:17:45 09[ENC] <data-center|6> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
        Apr 14 14:17:45 09[NET] <data-center|6> sending packet: from xxx.xxx.xxx.156[500] to xxx.xxx.xxx.34[500] (536 bytes)
        Apr 14 14:17:45 08[NET] <data-center|6> received packet: from xxx.xxx.xxx.34[500] to xxx.xxx.xxx.156[500] (317 bytes)
        Apr 14 14:17:45 08[ENC] <data-center|6> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
        Apr 14 14:17:45 08[ENC] <data-center|6> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
        Apr 14 14:17:45 08[IKE] <data-center|6> authentication of 'xxx.xxx.xxx.156' (myself) with pre-shared key
        Apr 14 14:17:45 08[IKE] <data-center|6> establishing CHILD_SA data-center
        Apr 14 14:17:45 08[ENC] <data-center|6> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
        Apr 14 14:17:45 08[NET] <data-center|6> sending packet: from xxx.xxx.xxx.156[500] to xxx.xxx.xxx.34[500] (524 bytes)
        Apr 14 14:17:46 13[NET] <data-center|6> received packet: from xxx.xxx.xxx.34[500] to xxx.xxx.xxx.156[500] (68 bytes)
        Apr 14 14:17:46 13[ENC] <data-center|6> parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
        Apr 14 14:17:46 13[IKE] <data-center|6> received INVALID_SYNTAX notify error

However, if the Sonicwall initiates the VPN all is well and we are able to use the tunnels created. The output from charon.log is:

        Apr 14 15:10:40 15[NET] received packet: from xxx.xxx.xxx.34[500] to xxx.xxx.xxx.156[500] (312 bytes)
        Apr 14 15:10:40 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
        Apr 14 15:10:40 15[ENC] received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
        Apr 14 15:10:40 15[IKE] xxx.xxx.xxx.34 is initiating an IKE_SA
        Apr 14 15:10:40 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
        Apr 14 15:10:40 15[NET] sending packet: from xxx.xxx.xxx.156[500] to xxx.xxx.xxx.34[500] (308 bytes)
        Apr 14 15:10:40 05[NET] received packet: from xxx.xxx.xxx.34[500] to xxx.xxx.xxx.156[500] (196 bytes)
        Apr 14 15:10:40 05[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
        Apr 14 15:10:40 05[CFG] looking for peer configs matching xxx.xxx.xxx.156[%any]...xxx.xxx.xxx.34[xxx.xxx.xxx.34]
        Apr 14 15:10:40 05[CFG] selected peer config 'data-center'
        Apr 14 15:10:40 05[IKE] authentication of 'xxx.xxx.xxx.34' with pre-shared key successful
        Apr 14 15:10:40 05[IKE] authentication of 'xxx.xxx.xxx.156' (myself) with pre-shared key
        Apr 14 15:10:40 05[IKE] IKE_SA data-center[2] established between xxx.xxx.xxx.156[xxx.xxx.xxx.156]...xxx.xxx.xxx.34[xxx.xxx.xxx.34]
        Apr 14 15:10:40 05[IKE] scheduling reauthentication in 86209s
        Apr 14 15:10:40 05[IKE] maximum IKE_SA lifetime 86389s

Our config for this VPN is:

strongswan.conf:

        charon {
                cisco_unity = yes

                # number of worker threads in charon
                threads = 16

                # send strongswan vendor ID?
                # send_vendor_id = yes

                #install_routes = no

                plugins {
                        sql {
                                # loglevel to log into sql database
                                loglevel = -1

                                # URI to the database
                                # database = sqlite:///path/to/file.db
                                # database = mysql://user:password@localhost/database
                        }
                }

                # ...

                filelog {
                        /var/log/charon.log {
                                # loggers to files also accept the append option to open files in
                                # append mode at startup (default is yes)
                                #append = no

                                # the default loglevel for all daemon subsystems (defaults to 1).
                                #default = 2
                                time_format = %b %e %T
                                ike_name = yes
                                flush_line = yes
                        }
                }
        }

ipsec.conf:

        # ipsec.conf - strongSwan IPsec configuration file

        config setup
                #cachecrls=yes
                strictcrlpolicy=no

        conn %default
                ikelifetime=60m
                keylife=20m
                rekeymargin=3m
                keyingtries=1
                keyexchange=ikev2
                authby=secret

        include /etc/ipsec.d/conns/*.conf

data-center.conf:

        conn data-center
                left=xxx.xxx.xxx.156
                leftsubnet=10.0.33.0/24
                #leftfirewall=yes
                #rightsendcert=no
                lefthostaccess=yes
                leftsourceip=10.0.33.17
                right=xxx.xxx.xxx.34
                rightsubnet=192.35.1.51/32,192.35.1.52/32,192.35.1.53/32,10.19.52.52/32,10.19.52.53/32,10.19.52.60/32
                authby=secret
                keyexchange=ikev2
                keyingtries=%forever
                ike=3des-md5-modp1024
                esp=3des-md5-modp1024
                ikelifetime=86400s
                keylife=3600s
                mobike=no
                auto=add
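Added example, not part of the original post and not strongSwan project code: a small Python script that pulls the bracketed payload list out of each charon.log [ENC] line and diffs the IKE_AUTH request strongSwan generated when it initiated against the IKE_AUTH request it parsed when the Sonicwall initiated. On the excerpts above this yields IDr, CPRQ(ADDR DNS) and N(EAP_ONLY) as present only in the failing direction, and CERTREQ as present only in the working one (the CPRQ payload is there because the connection sets leftsourceip, which makes charon request a virtual address). The post does not establish which payload the Sonicwall answers with INVALID_SYNTAX, so the diff is a triage aid, not a diagnosis. The log lines embedded below are constructed from the excerpts above, with the addresses elided exactly as they were in the original.

```python
import re

# Constructed sample input: copied in shape from the charon.log excerpts in the
# post above (addresses elided as in the original).
FAILING_LOG = """\
Apr 14 14:17:45 09[ENC] <data-center|6> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 14 14:17:45 08[ENC] <data-center|6> parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
Apr 14 14:17:45 08[ENC] <data-center|6> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
Apr 14 14:17:46 13[ENC] <data-center|6> parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
Apr 14 14:17:46 13[IKE] <data-center|6> received INVALID_SYNTAX notify error
"""

WORKING_LOG = """\
Apr 14 15:10:40 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Apr 14 15:10:40 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Apr 14 15:10:40 05[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Apr 14 15:10:40 05[IKE] IKE_SA data-center[2] established between xxx.xxx.xxx.156[xxx.xxx.xxx.156]...xxx.xxx.xxx.34[xxx.xxx.xxx.34]
"""

# charon's ENC subsystem logs every message it builds or parses as
#   "[ENC] [<conn|N>] generating|parsed EXCHANGE request|response MID [ payloads ]"
# The "<conn|N>" tag is only present once an IKE_SA is bound and ike_name = yes.
MSG_RE = re.compile(
    r"\[ENC\](?: <[^>]+>)? (?:generating|parsed) (\w+) (request|response) \d+ \[ (.*?) \]$"
)
# One payload token: "SA", "N(NATD_S_IP)", "CPRQ(ADDR DNS)", ...
PAYLOAD_RE = re.compile(r"\w+(?:\([^)]*\))?")
NOTIFY_ERROR_RE = re.compile(r"received (\w+) notify error")


def parse_exchanges(log):
    """Return {(exchange, direction): [payload, ...]} for each message in the log."""
    exchanges = {}
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if m:
            exchange, direction, payloads = m.groups()
            exchanges[(exchange, direction)] = PAYLOAD_RE.findall(payloads)
    return exchanges


def notify_errors(log):
    """Names of the error notifies charon reported receiving, in log order."""
    return [m.group(1) for m in map(NOTIFY_ERROR_RE.search, log.splitlines()) if m]


def payload_diff(failing_log, working_log, exchange="IKE_AUTH", direction="request"):
    """Payloads present only in the failing message and only in the working one.

    Order is preserved so each result reads like the original bracketed list.
    """
    key = (exchange, direction)
    failing = parse_exchanges(failing_log).get(key, [])
    working = parse_exchanges(working_log).get(key, [])
    only_failing = [p for p in failing if p not in working]
    only_working = [p for p in working if p not in failing]
    return only_failing, only_working


if __name__ == "__main__":
    extra, missing = payload_diff(FAILING_LOG, WORKING_LOG)
    print("error notifies when strongSwan initiates:", notify_errors(FAILING_LOG))
    print("payloads only in the failing IKE_AUTH request:", extra)
    print("payloads only in the working IKE_AUTH request:", missing)
```

To use it on a real charon.log, replace the two embedded strings with the lines captured for one failing and one working attempt; the parser only needs the [ENC] lines, and it keys messages by exchange type and direction rather than by the <conn|N> tag, which is absent on the responder side before the peer config is selected.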