[strongSwan] length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid

Tobias Brunner tobias at strongswan.org
Mon Oct 29 12:00:19 CET 2018


Hi Yogesh,

> No it is not strongswan on peer end. I am using third party VPN.

Which probably means the peer sends an invalid TS payload.

> So is the IKE_AUTH packet size fixed to 204 bytes for PSK mode and
> anything exceeding that can be Invalid length?

There are no fixed sizes for any messages or modes.  You have to look
closely at the structure of the received message and the contained
payloads (either increase the log level for enc to 3 or export the IKE
keys and use Wireshark to analyze the IKE_AUTH message).

Regards,
Tobias
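
Added example, not part of the original message and not strongSwan code: a length check for a decrypted TSi/TSr payload laid out as in RFC 7296 section 3.13, reporting where the Payload Length, Number of TSs and per-selector Selector Length fields disagree. The function name and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

# Selector Length required for each address-range TS Type (RFC 7296, 3.13.1)
TS_LEN = {7: 16, 8: 40}  # TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE

def parse_ts_payload(data: bytes):
    """Parse one decrypted TSi/TSr payload, generic payload header included.

    Returns (selectors, problems); problems is empty if all lengths agree.
    """
    selectors, problems = [], []
    if len(data) < 8:
        return selectors, ["shorter than the 8 header bytes of a TS payload"]
    _next, _flags, plen, count = struct.unpack_from("!BBHB", data, 0)
    if plen != len(data):
        problems.append(f"Payload Length {plen} but {len(data)} bytes given")
    end = min(plen, len(data))
    off = 8  # generic header (4) + Number of TSs (1) + RESERVED (3)
    for i in range(count):
        if off + 8 > end:
            problems.append(f"TS {i}: header runs past end of payload")
            break
        ts_type, proto, slen, sport, eport = struct.unpack_from("!BBHHH", data, off)
        if slen < 8 or off + slen > end:
            problems.append(f"TS {i}: Selector Length {slen} does not fit")
            break
        if ts_type in TS_LEN and slen != TS_LEN[ts_type]:
            problems.append(f"TS {i}: type {ts_type} needs length {TS_LEN[ts_type]}, got {slen}")
        elif ts_type in TS_LEN:
            half = (slen - 8) // 2
            start = ipaddress.ip_address(data[off + 8:off + 8 + half])
            stop = ipaddress.ip_address(data[off + 8 + half:off + slen])
            selectors.append((ts_type, proto, sport, eport, str(start), str(stop)))
        off += slen
    else:  # loop was not cut short: all selectors must fill the payload exactly
        if off != end:
            problems.append(f"{end - off} bytes left after {count} selectors")
    return selectors, problems

# Constructed samples: one IPv4 selector, 10.1.0.0-10.1.0.255, all ports.
GOOD = bytes.fromhex("2d000018" "01000000" "07000010" "0000ffff" "0a010000" "0a0100ff")
BAD_COUNT = GOOD[:4] + b"\x02" + GOOD[5:]  # claims two selectors, carries one

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD_COUNT", BAD_COUNT)):
        print(name, *parse_ts_payload(raw), sep="\n  ")
```

Feed it the payload bytes taken from the enc level 3 log or from Wireshark after decryption, starting at the payload's Next Payload byte.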

