[strongSwan] invalid CPI length in IPCOMP proposal?

Igor j at owind.com
Tue Nov 4 17:57:26 CET 2014


Hi, all

I have a Cisco router set up as an EZVPN client connecting to strongSwan, but it fails with:

invalid CPI length in IPCOMP proposal

Google turned up no results; thanks for any advice on this.

-------------------------------------------------------------------

The conf looks like:

conn vpnc
        keyexchange=ikev1
        aggressive=yes
        type=tunnel
        auto=add
        installpolicy=yes
        keyingtries=3
        ike=aes128-md5-modp1024
        esp=aes128-md5
        forceencaps=yes
        leftauth=psk
        rightauth=psk
        rightauth2=xauth-radius
        compress=no
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=%ippool2
        rightsubnet=10.8.7.0/24
        ikelifetime=12h
        lifetime=12h
        rekeymargin=9m
        rekey=no
        reauth=no
        dpddelay=15
        dpdtimeout=10

Detail error log:

Nov  5 00:48:01 02[IKE] received NAT-T (RFC 3947) vendor ID
Nov  5 00:48:01 02[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Nov  5 00:48:01 02[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Nov  5 00:48:01 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov  5 00:48:01 02[IKE] received DPD vendor ID
Nov  5 00:48:01 02[IKE] received XAuth vendor ID
Nov  5 00:48:01 02[ENC] received unknown vendor ID:
f7:0d:87:d4:de:42:0c:6d:f4:5c:9d:39:37:40:15:d3
Nov  5 00:48:01 02[IKE] received Cisco Unity vendor ID
Nov  5 00:48:01 02[IKE] xx.xx.xx.xx is initiating a Aggressive Mode IKE_SA
Nov  5 00:48:01 02[CFG] looking for XAuthInitPSK peer configs matching
y.y.y.y...xx.xx.xx.xx[gwbeta]
Nov  5 00:48:01 02[CFG] selected peer config "vpnc"
Nov  5 00:48:01 02[ENC] generating AGGRESSIVE response 0 [ SA KE No ID
NAT-D NAT-D HASH V V V ]
Nov  5 00:48:01 02[NET] sending packet: from y.y.y.y[500] to
xx.xx.xx.xx[500] (380 bytes)
Nov  5 00:48:01 15[NET] received packet: from xx.xx.xx.xx[4500] to
y.y.y.y[4500] (124 bytes)
Nov  5 00:48:01 15[ENC] parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D
N(INITIAL_CONTACT) ]
Nov  5 00:48:01 15[IKE] remote host is behind NAT
Nov  5 00:48:01 15[ENC] generating TRANSACTION request 2671101433 [
HASH CPRQ(X_USER X_PWD) ]
Nov  5 00:48:01 15[NET] sending packet: from y.y.y.y[4500] to
xx.xx.xx.xx[4500] (76 bytes)
Nov  5 00:48:01 16[NET] received packet: from xx.xx.xx.xx[4500] to
y.y.y.y[4500] (76 bytes)
Nov  5 00:48:01 16[ENC] parsed TRANSACTION response 2671101433 [ HASH
CPRP(X_USER X_PWD) ]
Nov  5 00:48:01 16[CFG] sending RADIUS Access-Request to server 'primary'
Nov  5 00:48:01 16[CFG] received RADIUS Access-Accept from server 'primary'
Nov  5 00:48:01 16[IKE] XAuth authentication of 'testuser' successful
Nov  5 00:48:01 16[ENC] generating TRANSACTION request 350747585 [
HASH CPS(X_STATUS) ]
Nov  5 00:48:01 16[NET] sending packet: from y.y.y.y[4500] to
xx.xx.xx.xx[4500] (76 bytes)
Nov  5 00:48:01 01[NET] received packet: from xx.xx.xx.xx[4500] to
y.y.y.y[4500] (76 bytes)
Nov  5 00:48:01 01[ENC] parsed TRANSACTION response 350747585 [ HASH
CPA(X_STATUS) ]
Nov  5 00:48:01 01[IKE] IKE_SA vpnc[96] established between
y.y.y.y[y.y.y.y]...xx.xx.xx.xx[gwbeta]
Nov  5 00:48:01 01[NET] received packet: from xx.xx.xx.xx[4500] to
y.y.y.y[4500] (380 bytes)
Nov  5 00:48:01 01[ENC] unknown attribute type (28692)
Nov  5 00:48:01 01[ENC] unknown attribute type (28693)
Nov  5 00:48:01 01[ENC] unknown attribute type (28695)
Nov  5 00:48:01 01[ENC] parsed TRANSACTION request 1327801295 [ HASH
CPRQ(ADDR MASK (28692) (28693) (28695) DNS DNS NBNS NBNS U_SPLITINC
U_SPLITDNS U_DEFDOM U_SAVEPWD U_LOCALLAN U_PFS U_BKPSRV VER U_BANNER
U_DDNSHOST) ]
Nov  5 00:48:01 01[IKE] peer requested virtual IP %any
Nov  5 00:48:01 01[CFG] acquired existing lease for address 10.8.7.10
in pool 'ippool2'
Nov  5 00:48:01 01[IKE] assigning virtual IP 10.8.7.10 to peer 'testuser'
Nov  5 00:48:01 01[CFG] sending RADIUS Accounting-Request to server 'primary'
Nov  5 00:48:02 01[CFG] received RADIUS Accounting-Response from
server 'primary'
Nov  5 00:48:02 01[ENC] generating TRANSACTION response 1327801295 [
HASH CPRP(ADDR DNS DNS) ]
Nov  5 00:48:02 01[NET] sending packet: from y.y.y.y[4500] to
xx.xx.xx.xx[4500] (92 bytes)
Nov  5 00:48:02 04[NET] received packet: from xx.xx.xx.xx[4500] to
y.y.y.y[4500] (1292 bytes)
Nov  5 00:48:02 04[ENC] invalid CPI length in IPCOMP proposal
Nov  5 00:48:02 04[ENC] PROPOSAL_SUBSTRUCTURE verification failed
Nov  5 00:48:02 04[ENC] SECURITY_ASSOCIATION_V1 verification failed
Nov  5 00:48:02 04[ENC] could not decrypt payloads
Nov  5 00:48:02 04[IKE] message verification failed
Nov  5 00:48:02 04[ENC] generating INFORMATIONAL_V1 request 2220378385
[ HASH N(PLD_MAL) ]
Nov  5 00:48:02 04[NET] sending packet: from y.y.y.y[4500] to
xx.xx.xx.xx[4500] (76 bytes)
Nov  5 00:48:02 04[IKE] QUICK_MODE request with message ID 1435944569
processing failed
Nov  5 00:48:02 03[NET] received packet: from xx.xx.xx.xx[4500] to
y.y.y.y[4500] (1276 bytes)
Nov  5 00:48:02 03[ENC] invalid CPI length in IPCOMP proposal
Nov  5 00:48:02 03[ENC] PROPOSAL_SUBSTRUCTURE verification failed
Nov  5 00:48:02 03[ENC] SECURITY_ASSOCIATION_V1 verification failed
Nov  5 00:48:02 03[ENC] could not decrypt payloads
Nov  5 00:48:02 03[IKE] message verification failed
Nov  5 00:48:02 03[ENC] generating INFORMATIONAL_V1 request 163067200
[ HASH N(PLD_MAL) ]
Nov  5 00:48:02 03[NET] sending packet: from y.y.y.y[4500] to
xx.xx.xx.xx[4500] (76 bytes)
Nov  5 00:48:02 03[IKE] QUICK_MODE request with message ID 2575404586
processing failed

Best,
-Igor
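The "invalid CPI length in IPCOMP proposal" line in the log above comes from strongSwan's verification of the ISAKMP Proposal substructure (RFC 2408 section 3.5) in the Quick Mode SA payload. The following parser is an added example written for this thread; it is not Igor's code and not strongSwan's own parser. It decodes the Proposal header, checks the SPI Size field against the protocol, and reproduces the IPCOMP check: RFC 3173 defines the CPI as a 16-bit value carried in the SPI field, so an IPCOMP proposal with any other SPI Size fails verification. The `accept_4byte_cpi` option, which tolerates a 4-byte field whose upper two bytes are zero, is an assumption about how a lenient responder might handle a peer that pads the CPI; the sample proposals are constructed here, and the ESP SPI value and CPI values are illustrative.

```python
"""Parse and validate IKEv1 (ISAKMP) Proposal substructures, RFC 2408 section 3.5.

Hypothetical code written for this thread, not strongSwan's parser. The
IPCOMP check mirrors the log message above: RFC 3173 defines the CPI as a
16-bit value carried in the SPI field, so an IPCOMP proposal whose SPI Size
is not 2 is rejected unless the caller opts in to a 4-byte field whose upper
two bytes are zero (an assumed peer behaviour, not something the RFC requires).
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Protocol identifiers from RFC 2407 section 4.4.1
PROTO_ISAKMP = 1
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3
PROTO_IPCOMP = 4

# Next Payload(1) RESERVED(1) Payload Length(2) Proposal #(1) Protocol-Id(1)
# SPI Size(1) # of Transforms(1); network byte order, 8 bytes in total.
PROPOSAL_HEADER = struct.Struct("!BBHBBBB")


class ProposalError(ValueError):
    """Raised when a Proposal substructure fails verification."""


@dataclass
class Proposal:
    number: int
    protocol_id: int
    spi_size: int
    spi: bytes
    transform_count: int
    cpi: Optional[int]  # decoded CPI for IPCOMP proposals, else None


def parse_proposal(data: bytes, accept_4byte_cpi: bool = False) -> Proposal:
    """Parse one Proposal substructure from the start of `data`.

    The Transform payloads that follow the SPI are not parsed here; only the
    header and the SPI/CPI field are verified.
    """
    if len(data) < PROPOSAL_HEADER.size:
        raise ProposalError("proposal substructure truncated")
    (_next, _reserved, length, number, proto,
     spi_size, ntrans) = PROPOSAL_HEADER.unpack_from(data)
    if length < PROPOSAL_HEADER.size or length > len(data):
        raise ProposalError(f"bad payload length {length}")
    if PROPOSAL_HEADER.size + spi_size > length:
        raise ProposalError(f"SPI size {spi_size} exceeds payload length {length}")
    spi = data[PROPOSAL_HEADER.size:PROPOSAL_HEADER.size + spi_size]

    cpi = None
    if proto == PROTO_IPCOMP:
        if spi_size == 2:
            cpi = struct.unpack("!H", spi)[0]
        elif spi_size == 4 and accept_4byte_cpi and spi[:2] == b"\x00\x00":
            # Assumption: some peers pad the 16-bit CPI to a 4-byte SPI field.
            cpi = struct.unpack("!H", spi[2:])[0]
        else:
            raise ProposalError(
                f"invalid CPI length in IPCOMP proposal ({spi_size} bytes)")
    elif proto in (PROTO_IPSEC_AH, PROTO_IPSEC_ESP) and spi_size != 4:
        # AH and ESP SPIs are 32-bit (RFC 4302 / RFC 4303)
        raise ProposalError(f"invalid SPI length {spi_size} for protocol {proto}")
    return Proposal(number, proto, spi_size, spi, ntrans, cpi)


def validate(data: bytes, accept_4byte_cpi: bool = False) -> Optional[str]:
    """Return None if the proposal verifies, else the verification error."""
    try:
        parse_proposal(data, accept_4byte_cpi)
    except ProposalError as e:
        return str(e)
    return None


def build_proposal(number: int, proto: int, spi: bytes, ntrans: int = 0) -> bytes:
    """Encode a Proposal header plus SPI (no transforms) for the samples below."""
    length = PROPOSAL_HEADER.size + len(spi)
    return PROPOSAL_HEADER.pack(0, 0, length, number, proto, len(spi), ntrans) + spi


# Constructed samples: an ESP proposal with a 4-byte SPI, an IPCOMP proposal
# carrying the 2-byte CPI 2 (DEFLATE, RFC 3173), and the same CPI padded to
# 4 bytes, which a strict parser rejects exactly as in the log above.
SAMPLE_ESP = build_proposal(1, PROTO_IPSEC_ESP, bytes.fromhex("c0ffee01"))
SAMPLE_IPCOMP_CPI2 = build_proposal(2, PROTO_IPCOMP, bytes.fromhex("0002"))
SAMPLE_IPCOMP_CPI4 = build_proposal(2, PROTO_IPCOMP, bytes.fromhex("00000002"))

if __name__ == "__main__":
    for name, sample in [("esp", SAMPLE_ESP), ("ipcomp/2", SAMPLE_IPCOMP_CPI2),
                         ("ipcomp/4", SAMPLE_IPCOMP_CPI4)]:
        print(name, "strict:", validate(sample) or "ok",
              "| lenient:", validate(sample, accept_4byte_cpi=True) or "ok")
```

Running the block shows the strict parser accepting the 2-byte CPI and rejecting the padded one with the same message seen in the log, while the lenient mode decodes both. A responder that rejects the proposal, as strongSwan does here, sends back the PLD_MAL (payload malformed) notify visible in the log rather than installing an SA it could not verify, which is the safer failure mode for a malformed SA payload.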

