[strongSwan] Tunnels are fluctuating in case of ppp connection
Andreas Steffen
andreas.steffen at strongswan.org
Thu Jul 30 10:06:26 CEST 2015
Actually IKE retransmissions are the only remedy against an unstable
noisy channel. You cannot beat Claude Shannon ;-)
Regards
Andreas
On 30.07.2015 09:47, Nitin Agarwal wrote:
> Hi Andreas
>
> So, what could be the possible solution?
>
> This is basically using 3G network.
> Sometimes I also see CCP [Compression Control Protocol] issue.
> For that I am making noccp in ppp connection. Other than that, anything
> which can be done?
>
> *Best Regards*
> *Nitin Agarwal*
> *Team Leader R&D*
> *Symstream Technology Group*
> M +91 9818893018
> _nitin.agarwal at symstream.com_ | Skype: nitin_symstream
>
> On Thu, Jul 30, 2015 at 12:52 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>
> Hi Nitin,
>
> for this time span I just see
>
> Jul 27 23:28:37 s5-gw-sing charon: 03[IKE] 27.97.11.233 is initiating an IKE_SA
> Jul 27 23:28:41 s5-gw-sing charon: 04[IKE] 27.97.11.233 is initiating an IKE_SA
> Jul 27 23:28:49 s5-gw-sing charon: 04[IKE] 27.97.11.233 is initiating an IKE_SA
> Jul 27 23:29:01 s5-gw-sing charon: 01[IKE] 27.97.11.233 is initiating an IKE_SA
> Jul 27 23:29:07 s5-gw-sing charon: 03[JOB] deleting half open IKE_SA after timeout
>
> I suspect that the IKE_SA_INIT response from the server gets somehow
> garbled by the transmission channel, so that the VPN client cannot
> parse the incoming IKE message correctly. This would explain why the
> errors differ from message to message.
>
> Best regards
>
> Andreas
>
> On 30.07.2015 08:35, Nitin Agarwal wrote:
>
> Hi
>
> I am attaching server [AWS] side logs [messages].
> Server is 10 hours behind from modem.
> And, server is connected to many modems, this particular modem is 619703 [10.4.39.36].
>
> On Tue, Jul 28, 2015 at 8:42 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>
> So can you show me the corresponding strongSwan server log?
>
> Andreas
>
> On 07/28/2015 02:33 PM, Nitin Agarwal wrote:
> > Hi Andreas
> >
> > On server side, I am using :-
> > Linux strongSwan U4.6.2/
> >
> > And, on modem side :-
> > Linux[Debian, Voyage] strongSwan U4.4.1
> >
> > On Tue, Jul 28, 2015 at 3:22 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> >
> > Hi Nitin,
> >
> > what VPN product is running on the server, since 1) it produces
> > notifications in an invalid format and 2) it probably speaks
> > IKEv1 only, because it replies with INVALID_MAJOR_VERSION to
> > an IKEv2 request?
> >
> > Best regards
> >
> > Andreas
> >
> > On 28.07.2015 10:40, Nitin Agarwal wrote:
> >
> > Hi Noel
> >
> > I have done the changes, but still the tunnels are down for up to 10
> > minutes, sometimes.
> > This is what I got from Syslog, and these errors are different at
> > different times :-
> >
> > 1)
> > Jul 28 09:28:36 alix6f2-619703 charon: 12[IKE] initiating IKE_SA 52.64.105.113_cnc[2] to 52.74.240.246
> > Jul 28 09:28:36 alix6f2-619703 charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Jul 28 09:28:36 alix6f2-619703 charon: 12[NET] sending packet: from 100.116.187.100[500] to 52.74.240.246[500]
> > Jul 28 09:28:37 alix6f2-619703 charon: 16[NET] received packet: from 52.74.240.246[500] to 100.116.187.100[500]
> > Jul 28 09:28:37 alix6f2-619703 charon: 16[ENC] invalid notify data length for INVALID_MAJOR_VERSION (20)
> > Jul 28 09:28:37 alix6f2-619703 charon: 16[ENC] *NOTIFY payload verification failed *
> > Jul 28 09:28:37 alix6f2-619703 charon: 16[IKE] IKE_SA_INIT response with message ID 0 processing failed
> > Jul 28 09:28:40 alix6f2-619703 charon: 13[IKE] retransmit 1 of request with message ID 0
> >
> > 2)
> > Jul 28 09:29:40 alix6f2-619703 charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > Jul 28 09:29:40 alix6f2-619703 charon: 13[NET] sending packet: from 100.116.187.100[500] to 52.74.240.246[500]
> > Jul 28 09:29:41 alix6f2-619703 charon: 16[NET] received packet: from 52.74.240.246[500] to 100.116.187.100[500]
> > Jul 28 09:29:41 alix6f2-619703 charon: 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
> > Jul 28 09:29:41 alix6f2-619703 charon: 16[IKE]*received INVALID_SYNTAX notify error *
> >
> >
> > Can anybody please suggest why this is happening?
> >
> > On Wed, Jul 22, 2015 at 3:59 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > Hello Nitin,
> >
> > You're using IKEv2, which uses a global timeout setting in
> > strongswan.conf, not dpdtimeout.
> > From the man page for ipsec.conf:
> > dpdtimeout = 150s | <time>
> > defines the timeout interval, after which all connections to a peer
> > are deleted in case of inactivity. This only applies to IKEv1, in
> > IKEv2 the default retransmission timeout applies, as every exchange
> > is used to detect dead peers.
> >
> > Look at the "IKEv2 RETRANSMISSION" section of the man page for
> > strongswan.conf.
> >
> > Alternatively, use IKEv1.
> >
> > Mit freundlichen Grüßen/Kind Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 22.07.2015 at 07:26, Nitin Agarwal wrote:
> >> Hello Guys
> >
> >> I am trying to achieve stable tunnel connectivity between
> >> two systems.
> >> My System 1 is a modem having ppp connection. And, System 2
> >> is a server.
> >
> >> On System 1, the IP changes, and whenever the IP changes,
> >> sometimes the system takes up to 20 minutes to form a stable tunnel.
> >> Sometimes it is just 50 seconds also. PPP connection takes around 25
> >> seconds to release old IP and acquire new one.
> >
> >> I am attaching the existing configuration.
> >> Please suggest, if I need to modify the configurations or
> >> I am missing something.
> >
> >> This message (and any associated files) is intended only for the
> >> use of the individual or entity to which it is addressed and may
> >> contain information that is confidential, subject to copyright or
> >> constitutes a trade secret. If you are not the intended recipient
> >> you are hereby notified that any dissemination, copying or
> >> distribution of this message, or files associated with this message,
> >> is strictly prohibited. If you have received this message in error,
> >> please notify Symstream Technology Group immediately by replying to
> >> the message and deleting it from your computer. Messages sent to and
> >> from us may be monitored. Internet communications cannot be
> >> guaranteed to be secure or error-free as information could be
> >> intercepted, corrupted, lost, destroyed, arrive late or incomplete,
> >> or contain viruses. Therefore, we do not accept responsibility for
> >> any errors or omissions that are present in this message, or any
> >> attachment, that have arisen as a result of e-mail transmission. If
> >> verification is required, please request a hard-copy version. Any
> >> views or opinions presented are solely those of the author and do
> >> not necessarily represent those of the company.
> >> -------------------------
> >
> >> _______________________________________________
> >> Users mailing list
> >> Users at lists.strongswan.org
> >> https://lists.strongswan.org/mailman/listinfo/users
> >
> > --
> > ======================================================================
> > Andreas Steffen andreas.steffen at strongswan.org
> > strongSwan - the Open Source VPN Solution! www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
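
The retransmission behaviour discussed in this thread, as an added example (not code from the thread or from the strongSwan project): it computes the IKEv2 retransmission schedule from the `retransmit_timeout`, `retransmit_base` and `retransmit_tries` settings of strongswan.conf and checks the server log lines quoted above against it. The values 4.0, 1.8 and 5 are strongSwan's documented defaults and are assumed here because the thread does not show the modem's strongswan.conf; the function names, the year 2015 and the 1.5 s tolerance are also assumptions.

```python
import re
from datetime import datetime

# Server-side lines quoted in the thread, with the wrapped lines rejoined.
SERVER_LOG = """\
Jul 27 23:28:37 s5-gw-sing charon: 03[IKE] 27.97.11.233 is initiating an IKE_SA
Jul 27 23:28:41 s5-gw-sing charon: 04[IKE] 27.97.11.233 is initiating an IKE_SA
Jul 27 23:28:49 s5-gw-sing charon: 04[IKE] 27.97.11.233 is initiating an IKE_SA
Jul 27 23:29:01 s5-gw-sing charon: 01[IKE] 27.97.11.233 is initiating an IKE_SA
Jul 27 23:29:07 s5-gw-sing charon: 03[JOB] deleting half open IKE_SA after timeout
"""

INIT_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] (\S+) is initiating an IKE_SA$")


def retransmit_waits(timeout=4.0, base=1.8, tries=5):
    """Wait after each transmission: timeout * base**n, for the initial request
    and each of the `tries` retransmits (the last wait ends in giving up)."""
    return [timeout * base ** n for n in range(tries + 1)]


def retransmit_offsets(timeout=4.0, base=1.8, tries=5):
    """Seconds after the initial request at which each retransmit goes out."""
    offsets, elapsed = [], 0.0
    for wait in retransmit_waits(timeout, base, tries)[:-1]:
        elapsed += wait
        offsets.append(elapsed)
    return offsets


def observed_offsets(log, peer, year=2015):
    """Offsets (s) of repeated IKE_SA_INIT arrivals from `peer` after the first.
    Syslog omits the year; `year` is an assumption taken from the thread's date."""
    stamps = []
    for line in log.splitlines():
        m = INIT_RE.match(line)
        if m and m.group(2) == peer:
            stamps.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return [(s - stamps[0]).total_seconds() for s in stamps[1:]]


def follows_schedule(observed, expected, tolerance=1.5):
    """True if each observed retransmit lands within `tolerance` seconds of the
    schedule (syslog has 1 s resolution and the link adds delay)."""
    return len(observed) <= len(expected) and all(
        abs(o - e) <= tolerance for o, e in zip(observed, expected))


if __name__ == "__main__":
    seen = observed_offsets(SERVER_LOG, "27.97.11.233")
    print("observed offsets:", seen)
    print("default schedule:", [round(x, 1) for x in retransmit_offsets()])
    print("matches defaults:", follows_schedule(seen, retransmit_offsets()))
    print("gives up after  :", round(sum(retransmit_waits())), "s")
```

Arrivals that track the schedule show the modem's requests reaching the server on time, which narrows the fault to the response path.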