[strongSwan] IKE_SA_INIT response with notification data missing
Balaji Thoguluva Bapulal
balaji.thoguluva.bapulal at oracle.com
Mon Apr 16 13:34:05 CEST 2018
Thanks Andreas, will take a look at it. Is there any reason why UDP checksum in the packet shows as wrong in the wireshark?
-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Monday, April 16, 2018 5:04 AM
To: Balaji Thoguluva Bapulal <balaji.thoguluva.bapulal at oracle.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] IKE_SA_INIT response with notification data missing
Hi Balaji,
RFC 4739 "Multiple Authentication Exchanges in IKEv2"
https://tools.ietf.org/html/rfc4739#section-3.1
defines the format of the MULTIPLE_AUTH_SUPPORT Notify Payload as
3.1. MULTIPLE_AUTH_SUPPORTED Notify Payload
The MULTIPLE_AUTH_SUPPORTED notification is included in the
IKE_SA_INIT response or the first IKE_AUTH request to indicate that
the peer supports this specification. The Notify Message Type is
MULTIPLE_AUTH_SUPPORTED (16404). The Protocol ID and SPI Size fields
MUST be set to zero, and there is no data associated with this Notify
type.
So I don't understand why you expect notification data?
Regards
Andreas
On 15.04.2018 04:42, Balaji Thoguluva Bapulal wrote:
> Dear users,
>
> I am trying to establish an IKEv2/IPsec tunnel from a security gateway
> towards strongswan with strongswan acting as a responder. In response
> to IKE_SA_INIT request packet, strongswan sends back IKE_SA_INIT
> response with a Notify payload of MULTIPLE_AUTH_SUPPORTED with
> notification data missing. I have attached the wireshark. It would be
> great if someone can explain why this behavior.
>
> [IKEv2]$ ipsec --version
> Linux strongSwan U5.3.0/K3.8.13-16.2.1.el6uek.x86_64
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
> The following is the configuration.
>
> config setup
>     charondebug=all
>
> conn %default
>     keyingtries=1
>     keyexchange=ikev2
>     reauth=no
>
> conn psk
>     left=172.16.55.62
>     leftsourceip=%config%
>     leftfirewall=no
>     leftauth=psk
>     leftsubnet=172.16.0.0/16
>     right=172.16.135.192
>     rightid=172.16.135.192
>     rightsubnet=172.16.0.0/16
>     rightauth=psk
>     esp=3des-aes-sha1-md5-modp1024
>     ike=3des-sha1-md5-modp1024
>     auto=add
>     type=tunnel
>
> Thanks,
>
> Balaji
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
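
Added example, not part of the original thread and not strongSwan code: a Python check of the Notify payload layout that the RFC 4739 section 3.1 text quoted above describes, using the generic payload header and Notify fields from RFC 7296 section 3.10. The function names and the sample bytes are constructed for illustration.

```python
import struct

MULTIPLE_AUTH_SUPPORTED = 16404  # Notify Message Type, RFC 4739 section 3.1


def parse_notify(payload: bytes) -> dict:
    """Parse one IKEv2 Notify payload, generic payload header included."""
    if len(payload) < 8:
        raise ValueError("Notify payload shorter than its 8-byte fixed part")
    # Next Payload, C/RESERVED, Payload Length, Protocol ID, SPI Size, Type
    next_payload, flags, length, protocol_id, spi_size, msg_type = struct.unpack(
        "!BBHBBH", payload[:8])
    if length != len(payload) or length < 8 + spi_size:
        raise ValueError("Payload Length field is inconsistent with the buffer")
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "protocol_id": protocol_id,
        "spi": payload[8:8 + spi_size],
        "type": msg_type,
        "data": payload[8 + spi_size:],
    }


def check_multiple_auth_supported(payload: bytes) -> list:
    """Return the RFC 4739 section 3.1 violations found (empty list = well-formed)."""
    n = parse_notify(payload)
    if n["type"] != MULTIPLE_AUTH_SUPPORTED:
        return ["not MULTIPLE_AUTH_SUPPORTED"]
    problems = []
    if n["protocol_id"] != 0:
        problems.append("Protocol ID must be zero")
    if n["spi"]:
        problems.append("SPI Size must be zero")
    if n["data"]:
        problems.append("unexpected notification data")
    return problems


# Constructed sample bytes (not taken from the capture attached to this thread).
# Well-formed: length 8, Protocol ID 0, SPI Size 0, type 16404 (0x4014), no data.
GOOD = bytes.fromhex("00000008" "0000" "4014")
# Malformed: the same notify carrying four bytes of notification data (length 12).
BAD = bytes.fromhex("0000000c" "0000" "4014" "deadbeef")

if __name__ == "__main__":
    print(check_multiple_auth_supported(GOOD))
    print(check_multiple_auth_supported(BAD))
```

A payload of exactly 8 bytes with an empty data field is the well-formed case, which is why a dissector shows no notification data for this notify.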