[strongSwan] IKE_SA_INIT response with notification data missing

Andreas Steffen andreas.steffen at strongswan.org
Mon Apr 16 11:04:15 CEST 2018


Hi Balaji,

RFC 4739 "Multiple Authentication Exchanges in IKEv2"

   https://tools.ietf.org/html/rfc4739#section-3.1

defines the format of the MULTIPLE_AUTH_SUPPORTED Notify Payload as

3.1.  MULTIPLE_AUTH_SUPPORTED Notify Payload

    The MULTIPLE_AUTH_SUPPORTED notification is included in the
    IKE_SA_INIT response or the first IKE_AUTH request to indicate that
    the peer supports this specification.  The Notify Message Type is
    MULTIPLE_AUTH_SUPPORTED (16404).  The Protocol ID and SPI Size fields
    MUST be set to zero, and there is no data associated with this Notify
    type.

So I don't understand why you expect notification data?

Regards

Andreas

On 15.04.2018 04:42, Balaji Thoguluva Bapulal wrote:
> Dear users,
>
> I am trying to establish an IKEv2/IPsec tunnel from a security gateway
> towards strongswan with strongswan acting as a responder. In response to
> IKE_SA_INIT request packet, strongswan sends back IKE_SA_INIT response
> with a Notify payload of MULTIPLE_AUTH_SUPPORTED with notification data
> missing. I have attached the wireshark. It would be great if someone can
> explain this behavior.
>
> [IKEv2]$ ipsec --version
> Linux strongSwan U5.3.0/K3.8.13-16.2.1.el6uek.x86_64
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
> The following is the configuration.
>
> config setup
>          charondebug=all
>
> conn %default
>      keyingtries=1
>      keyexchange=ikev2
>      reauth=no
>
> conn psk
>          left=172.16.55.62
>          leftsourceip=%config%
>          leftfirewall=no
>          leftauth=psk
>          leftsubnet=172.16.0.0/16
>          right=172.16.135.192
>          rightid=172.16.135.192
>          rightsubnet=172.16.0.0/16
>          rightauth=psk
>          esp=3des-aes-sha1-md5-modp1024
>          ike=3des-sha1-md5-modp1024
>          auto=add
>          type=tunnel
>
> Thanks,
>
> Balaji
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
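
Added example (not part of the original message and not strongSwan code): a small checker that parses an IKEv2 Notify payload and reports any violation of the RFC 4739 section 3.1 rules quoted above. The field layout follows the Notify payload format in RFC 7296 section 3.10; the function names and the two sample payloads are constructed for illustration.

```python
import struct

MULTIPLE_AUTH_SUPPORTED = 16404  # RFC 4739, section 3.1
NOTIFY_FIXED_LEN = 8  # 4-byte generic payload header + 4-byte Notify header


def parse_notify(payload: bytes) -> dict:
    """Parse one IKEv2 Notify payload, starting at its generic payload header."""
    if len(payload) < NOTIFY_FIXED_LEN:
        raise ValueError("truncated Notify payload")
    next_payload, flags, length, proto_id, spi_size, msg_type = struct.unpack(
        "!BBHBBH", payload[:NOTIFY_FIXED_LEN])
    # Payload Length covers the generic header, the SPI and the data.
    if length < NOTIFY_FIXED_LEN + spi_size or length > len(payload):
        raise ValueError("inconsistent Payload Length")
    spi_end = NOTIFY_FIXED_LEN + spi_size
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "protocol_id": proto_id,
        "spi_size": spi_size,
        "type": msg_type,
        "spi": payload[NOTIFY_FIXED_LEN:spi_end],
        "data": payload[spi_end:length],
    }


def check_multiple_auth_supported(payload: bytes) -> list:
    """Return the RFC 4739 section 3.1 violations found (empty if conformant)."""
    n = parse_notify(payload)
    if n["type"] != MULTIPLE_AUTH_SUPPORTED:
        return ["not a MULTIPLE_AUTH_SUPPORTED notify (type %d)" % n["type"]]
    problems = []
    if n["protocol_id"] != 0:
        problems.append("Protocol ID must be zero")
    if n["spi_size"] != 0:
        problems.append("SPI Size must be zero")
    if n["data"]:
        problems.append("unexpected notification data (%d bytes)" % len(n["data"]))
    return problems


# Constructed sample payloads (not taken from the capture mentioned in the thread).
CONFORMANT = bytes.fromhex("00000008" "00004014")            # 8 bytes, no data
WITH_DATA = bytes.fromhex("0000000c" "00004014" "deadbeef")  # 4 stray data bytes

if __name__ == "__main__":
    print(check_multiple_auth_supported(CONFORMANT))
    print(check_multiple_auth_supported(WITH_DATA))
```

A conformant MULTIPLE_AUTH_SUPPORTED payload is exactly 8 bytes long, so an empty notification data field in a capture is the expected encoding.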
