[strongSwan] Can't connect to peer network(showing INVALID_SYNTAX error)

李雄飞 imiskolee at gmail.com
Sun Apr 8 11:50:56 CEST 2018


Hi all,

I am trying to create a VPN tunnel with strongSwan (the peer network is a VFrame
platform), but it has an issue. The details are below.

Can someone ask me some questions:

1. What does the INVALID_SYNTAX error mean?
1.1 I have already put /var/log/syslog below for you to check.
1.2 I have already put the tcpdump log for udp:500 below for you to check.
1.3 I have already put the terminal std output below for you to check.
2. Any clue about the error?
3. Maybe another issue.

VPN Configuration:

IKE Phase 1 Proposal:
Exchange Mode: IKEV2
DH Group: Group 2
Encryption Method: 3des
Authentication Method: sha1

IKE Phase 2 Proposal:
Protocol: ESP
DH Group: n/a
Encryption Method: AES-256
Authentication Method: SHA-256


==========================

strongswan version:

# ipsec --version
# Linux strongSwan U5.6.2/K4.4.0-119-generic

==========================

ipsec.conf


config setup
    charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"
conn %default
   ikelifetime=8h
   keylife=8h
   rekeymargin=3m
   authby=psk
   keyexchange=ikev2
   mobike=no
   ike=3des-sha-modp2048!
   esp=aes256-sha256
conn net-net
   left=159.*.*.*
   #leftsubnet=10.0.0.1
   leftsubnet=159.*.*.*/32
   leftid=bindo
   right=4.*.*.*
   rightsubnet=64.*.*.*/32
   rightid=4.*.*.*
   auto=add


==========================


std output:

initiating IKE_SA net-net[2] to 4.*.*.*
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 159.*.*.*[500] to 4.*.*.*[500] (316 bytes)
received packet: from 4.*.*.*[500] to 159.*.*.*[500] (337 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
received 1 cert requests for an unknown ca
authentication of '159.*.*.*' (myself) with pre-shared key
establishing CHILD_SA net-net
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 159.*.*.*[500] to 4.*.*.*[500] (220 bytes)
received packet: from 4.*.*.*[500] to 159.*.*.*[500] (68 bytes)
parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
*received INVALID_SYNTAX notify error*
establishing connection 'net-net' failed


*The strongSwan Mailman doesn't allow messages bigger than 100KB, so I put the
detailed log in my gist:
https://gist.github.com/imiskolee/3db0e47cc6ec4cbb76e1d3209dde92f9*