[strongSwan] Tunnels are fluctuating in case of ppp connection
Andreas Steffen
andreas.steffen at strongswan.org
Tue Jul 28 17:12:34 CEST 2015
So can you show me the corresponding strongSwan server log?
Andreas
On 07/28/2015 02:33 PM, Nitin Agarwal wrote:
> Hi Andreas
>
> On server side, I am using :-
> Linux strongSwan U4.6.2/
>
> And, on modem side :-
> Linux[Debian, Voyage] strongSwan U4.4.1
>
>
> *Best Regards*
> *Nitin Agarwal*
> *Team Leader R&D*
> *Symstream Technology Group*
> M +91 9818893018
> nitin.agarwal at symstream.com | Skype: nitin_symstream
>
> On Tue, Jul 28, 2015 at 3:22 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
> Hi Nitin,
>
> what VPN product is running on the server, since 1) it produces
> notifications in an invalid format and 2) it probably speaks
> IKEv1 only, because it replies with INVALID_MAJOR_VERSION to
> an IKEv2 request?
>
> Best regards
>
> Andreas
>
> On 28.07.2015 10:40, Nitin Agarwal wrote:
>
> Hi Noel
>
> I have done the changes, but still the tunnels are down for up to 10
> minutes, sometimes.
> This is what I got from Syslog, and these errors are different at
> different times :-
>
> 1)
> Jul 28 09:28:36 alix6f2-619703 charon: 12[IKE] initiating IKE_SA 52.64.105.113_cnc[2] to 52.74.240.246
> Jul 28 09:28:36 alix6f2-619703 charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 28 09:28:36 alix6f2-619703 charon: 12[NET] sending packet: from 100.116.187.100[500] to 52.74.240.246[500]
> Jul 28 09:28:37 alix6f2-619703 charon: 16[NET] received packet: from 52.74.240.246[500] to 100.116.187.100[500]
> Jul 28 09:28:37 alix6f2-619703 charon: 16[ENC] invalid notify data length for INVALID_MAJOR_VERSION (20)
> Jul 28 09:28:37 alix6f2-619703 charon: 16[ENC] *NOTIFY payload verification failed *
> Jul 28 09:28:37 alix6f2-619703 charon: 16[IKE] IKE_SA_INIT response with message ID 0 processing failed
> Jul 28 09:28:40 alix6f2-619703 charon: 13[IKE] retransmit 1 of request with message ID 0
>
> 2)
> Jul 28 09:29:40 alix6f2-619703 charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 28 09:29:40 alix6f2-619703 charon: 13[NET] sending packet: from 100.116.187.100[500] to 52.74.240.246[500]
> Jul 28 09:29:41 alix6f2-619703 charon: 16[NET] received packet: from 52.74.240.246[500] to 100.116.187.100[500]
> Jul 28 09:29:41 alix6f2-619703 charon: 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
> Jul 28 09:29:41 alix6f2-619703 charon: 16[IKE]*received INVALID_SYNTAX notify error *
>
> Can anybody please suggest why this is happening?
>
> *Best Regards*
> *Nitin Agarwal*
>
> On Wed, Jul 22, 2015 at 3:59 PM, Noel Kuntze
> <noel at familie-kuntze.de> wrote:
>
>
> Hello Nitin,
>
> You're using IKEv2, which uses a global timeout setting in
> strongswan.conf,
> not dpdtimeout.
> From the man page for ipsec.conf:
> dpdtimeout = 150s | <time>
>     defines the timeout interval, after which all connections to a
>     peer are deleted in case of inactivity. This only applies to
>     IKEv1, in IKEv2 the default retransmission timeout applies, as
>     every exchange is used to detect dead peers.
>
> Look at the "IKEv2 RETRANSMISSION" section of the man page for
> strongswan.conf.
>
> Alternatively, use IKEv1.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 22.07.2015 at 07:26, Nitin Agarwal wrote:
>> Hello Guys
>
>> I am trying to achieve stable tunnel connectivity between
>> two systems.
>> My System 1 is a modem having a PPP connection. And System 2
>> is a server.
>
>> On System 1, the IP changes, and whenever the IP changes,
>> sometimes the system takes up to 20 minutes to form a stable tunnel.
>> Sometimes it is just 50 seconds also. The PPP connection takes around 25
>> seconds to release the old IP and acquire a new one.
>
>> I am attaching the existing configuration.
>> Please suggest, if I need to modify the configurations or
>> I am missing something.
>
>
> > *Best Regards*
> > *Nitin Agarwal*
>
> > This message (and any associated files) is intended only for the
> > use of the individual or entity to which it is addressed and may
> > contain information that is confidential, subject to copyright or
> > constitutes a trade secret. If you are not the intended recipient
> > you are hereby notified that any dissemination, copying or
> > distribution of this message, or files associated with this message,
> > is strictly prohibited. If you have received this message in error,
> > please notify Symstream Technology Group immediately by replying to
> > the message and deleting it from your computer. Messages sent to and
> > from us may be monitored. Internet communications cannot be
> > guaranteed to be secure or error-free as information could be
> > intercepted, corrupted, lost, destroyed, arrive late or incomplete,
> > or contain viruses. Therefore, we do not accept responsibility for
> > any errors or omissions that are present in this message, or any
> > attachment, that have arisen as a result of e-mail transmission. If
> > verification is required, please request a hard-copy version. Any
> > views or opinions presented are solely those of the author and do
> > not necessarily represent those of the company.
> > -------------------------
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
> --
> ======================================================================
> Andreas Steffen
> andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!
> www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
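
Added example (not part of the original thread, and not strongSwan code): the IKEv2 retransmission schedule that Noel's pointer to the "IKEv2 RETRANSMISSION" section of strongswan.conf refers to, computed from the documented formula and the documented defaults of charon.retransmit_timeout, charon.retransmit_base and charon.retransmit_tries. The outage model (request sent at the moment the PPP link drops, link back after about 25 seconds as reported in the thread) and the second set of values are assumptions constructed for illustration.

```python
# Added example: IKEv2 retransmission timing as documented for
# strongswan.conf (relative timeout = timeout * base ** (n - 1)).

def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Return (offsets, give_up): seconds after the first send at which
    each retransmit goes out, and when the peer is declared dead."""
    offsets = []
    elapsed = 0.0
    for n in range(tries):
        elapsed += timeout * base ** n      # wait before retransmit n+1
        offsets.append(elapsed)
    give_up = elapsed + timeout * base ** tries  # final wait, then give up
    return offsets, give_up


def lost_in_outage(offsets, outage_s):
    """Count retransmits sent while the link is still down, assuming the
    outage starts when the original request is sent (t = 0)."""
    return sum(1 for t in offsets if t < outage_s)


def describe(label, timeout, base, tries, outage_s):
    offsets, give_up = retransmit_schedule(timeout, base, tries)
    lost = lost_in_outage(offsets, outage_s)
    return (f"{label}: retransmits at "
            f"{[round(t, 1) for t in offsets]} s, give up after "
            f"{give_up:.0f} s, {lost} of {tries} retransmits fall "
            f"inside a {outage_s:.0f} s outage")


if __name__ == "__main__":
    # Documented defaults: first retransmit after 4 s, which matches the
    # "retransmit 1 of request" line 4 s after the send in log excerpt 1.
    print(describe("defaults", 4.0, 1.8, 5, 25.0))
    # Constructed values, only to show how the schedule reacts to tuning.
    print(describe("constructed", 2.0, 1.5, 4, 25.0))
```

With the defaults, three of the five retransmits go out during a 25 second outage, the next ones follow at about 47 and 89 seconds, and the exchange is abandoned after about 165 seconds.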