[strongSwan] length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid
Yogesh Purohit
yogeshpurohit2 at gmail.com
Mon Oct 29 10:25:10 CET 2018
Hi Andreas,

No, it is not strongSwan on the peer end. I am using a third-party VPN.

So is the IKE_AUTH packet size fixed to 204 bytes for PSK mode, and
can anything exceeding that be an invalid length?

Configuration on my side is:

conn %default
    ikelifetime = 28800s
    type = tunnel
    lifetime = 3600s
    dpddelay = 30
    dpdaction = restart
    reauth = no
    mobike = no #disable mobike - no use case

conn 10.109.229.250_1.1.2.0/24-10.109.229.252_2.1.1.0/24
    left=10.109.229.250
    leftid=10.109.229.250
    rightid=10.109.229.252
    leftsubnet=1.1.2.0/24
    right=10.109.229.252
    rightsubnet=2.1.1.0/24
    authby=secret
    keyexchange = ikev2
    auto = add
    fragmentation = yes
    esp=aes256-sha1-modp2048
    ike=aes256-sha1-modp2048!

Thanks & Regards,
Yogesh
On Mon, Oct 29, 2018 at 1:39 PM Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hi Yogesh,
>
> are you using an unmodified strongSwan peer on the other side or
> a third party VPN product? If it is strongSwan, which version are
> you using? Could you also send the configuration of the CHILD SA?
>
> Regards
>
> Andreas
>
> On 29.10.2018 06:43, Yogesh Purohit wrote:
> > Adding subject line to my query
> >
> > On Mon, Oct 29, 2018 at 11:12 AM Yogesh Purohit
> > <yogeshpurohit2 at gmail.com <mailto:yogeshpurohit2 at gmail.com>> wrote:
> >
> > Hi Team,
> >
> > I am trying to establish a tunnel with my strongSwan.
> > But after receiving the IKE_AUTH response, my local strongSwan end
> > (initiator) rejects the tunnel, saying 'length of
> > TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid'.
> >
> > And I am unable to find the reason for this, because I have
> > configured matching traffic selectors.
> >
> > The IKE_AUTH response which is received is 252 bytes, whereas when my
> > tunnel was established in another case the IKE_AUTH response was 204
> > bytes.
> > NOTE: I am trying the tunnel with PSK and the version is IKEv2.
> >
> > So is there a fixed number of bytes for the IKE_AUTH response which
> > is expected by strongSwan for PSK?
> >
> > And what does 'length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure
> > list invalid' mean? I tried finding it in the RFC, but could not find
> > it.
> >
> >
> > Thanks & Regards,
> >
> > Yogesh Purohit
> >
> >
> >
> > --
> > Best Regards,
> >
> > Yogesh Purohit
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
>
>
--
Best Regards,
Yogesh Purohit
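
Added example, not part of the thread and not strongSwan's code: a minimal parser for the IKEv2 Traffic Selector payload layout in RFC 7296 section 3.13, showing the length consistency a receiver can check on TSi/TSr (the overall message size is not fixed; the per-payload and per-selector length fields must add up). The function names are hypothetical, the sample bytes are constructed from the rightsubnet in the posted config, and it is an assumption that this kind of mismatch is what the quoted log message reports.

```python
import ipaddress
import struct

# Address sizes per TS type (RFC 7296, 3.13.1); only these two types are handled here.
ADDR_LEN = {7: 4, 8: 16}  # TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE

class TSLengthError(ValueError):
    """A length field disagrees with the bytes actually present."""

def build_ts_payload(ranges, padding=b""):
    """Encode (start, end) address ranges as a TS payload; padding simulates a bad peer."""
    body = b""
    for start, end in ranges:
        s = ipaddress.ip_address(start).packed
        e = ipaddress.ip_address(end).packed
        ts_type = 7 if len(s) == 4 else 8
        # type, IP protocol 0 (any), selector length, ports 0-65535
        body += struct.pack("!BBHHH", ts_type, 0, 8 + 2 * len(s), 0, 65535) + s + e
    body += padding
    # next payload, flags, payload length, number of TSs, 3 reserved bytes
    return struct.pack("!BBHB3x", 0, 0, 8 + len(body), len(ranges)) + body

def parse_ts_payload(payload):
    """Return [(proto, start_port, end_port, start_addr, end_addr)] or raise TSLengthError."""
    if len(payload) < 8:
        raise TSLengthError("shorter than the 8-byte fixed header")
    _next, _flags, total, count = struct.unpack_from("!BBHB", payload)
    if total != len(payload):
        raise TSLengthError(f"payload length {total} != {len(payload)} bytes received")
    selectors, pos = [], 8
    while pos < total:
        if total - pos < 8:
            raise TSLengthError(f"{total - pos} leftover bytes, too few for a selector")
        ts_type, proto, sel_len, p0, p1 = struct.unpack_from("!BBHHH", payload, pos)
        alen = ADDR_LEN.get(ts_type)
        if alen is None or sel_len != 8 + 2 * alen or pos + sel_len > total:
            raise TSLengthError(f"selector at offset {pos}: type {ts_type}, length {sel_len}")
        start = ipaddress.ip_address(payload[pos + 8:pos + 8 + alen])
        end = ipaddress.ip_address(payload[pos + 8 + alen:pos + sel_len])
        selectors.append((proto, p0, p1, str(start), str(end)))
        pos += sel_len
    if len(selectors) != count:
        raise TSLengthError(f"header announces {count} selectors, found {len(selectors)}")
    return selectors

# Constructed sample: rightsubnet 2.1.1.0/24 from the posted config as one IPv4 range.
GOOD = build_ts_payload([("2.1.1.0", "2.1.1.255")])
# Same selector followed by 4 stray bytes that the payload length field also counts.
BAD = build_ts_payload([("2.1.1.0", "2.1.1.255")], padding=b"\x00" * 4)
```

Running parse_ts_payload over the TSi/TSr bytes taken from a decrypted capture of the peer's IKE_AUTH response shows which length field does not add up.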