[strongSwan] error handling

Modster, Anthony Anthony.Modster at Teledyne.com
Wed Jun 26 22:16:07 CEST 2019


Hello Tobias

Will the below error cause the ErrorNotifyPlugin to generate an error?

13[ENC] parsed IKE_AUTH response 8 [ EAP/REQ/TLS ]
13[IKE] reinitiating already active tasks
13[IKE]   IKE_AUTH task
13[ENC] generating IKE_AUTH request 9 [ EAP/RES/TLS ]
13[NET] sending packet: from 192.168.29.129[4500] to 76.232.248.219[4500] (1104 bytes)
08[NET] received packet: from 76.232.248.219[4500] to 192.168.29.129[4500] (80 bytes)
08[ENC] parsed IKE_AUTH response 9 [ EAP/REQ/TLS ]
08[IKE] reinitiating already active tasks
08[IKE]   IKE_AUTH task
08[ENC] generating IKE_AUTH request 10 [ EAP/RES/TLS ]
08[NET] sending packet: from 192.168.29.129[4500] to 76.232.248.219[4500] (528 bytes)
11[IKE] retransmit 1 of request with message ID 10
11[NET] sending packet: from 192.168.29.129[4500] to 76.232.248.219[4500] (528 bytes)
12[NET] received packet: from 76.232.248.219[4500] to 192.168.29.129[4500] (96 bytes)
12[ENC] parsed IKE_AUTH response 10 [ EAP/REQ/TLS ]
12[TLS] received fatal TLS alert 'access denied'
12[IKE] EAP_TLS method failed
12[ENC] generating INFORMATIONAL request 11 [ N(AUTH_FAILED) ]
12[NET] sending packet: from 192.168.29.129[4500] to 76.232.248.219[4500] (80 bytes)
12[IKE] IKE_SA ELS-VPAPP-WGL08[1] state change: CONNECTING => DESTROYING


-----Original Message-----
From: Modster, Anthony 
Sent: Wednesday, June 26, 2019 9:19 AM
To: 'Tobias Brunner' <tobias at strongswan.org>; users at lists.strongswan.org
Cc: Mesfin Amare <Mesfin.Amare at Teledyne.com>
Subject: RE: [strongSwan] error handling

Thanks

Our systems group will be testing most (if not all) of the errors.

But it takes them a while to create all the test cases (we need to test Cisco and Windows gateways).

-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org>
Sent: Wednesday, June 26, 2019 1:22 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] error handling

Hi Anthony,

> Will our application be able to detect them using either VICI “event
> callbacks” or “ErrorNotifyPlugin”?

Why not just try it?

> Inacceptable Constraint check failed

You can't detect that specific error but ERROR_NOTIFY_PEER_AUTH_FAILED will be triggered.

> IKE AUTH response errors

This triggers ERROR_NOTIFY_LOCAL_AUTH_FAILED.

Regards,
Tobias
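
An added example, not code from the thread participants or from strongSwan: a log-side cross-check that extracts the failure chain visible in the charon log at the top of this thread (fatal TLS alert, failed EAP method, AUTH_FAILED notify, IKE_SA teardown). The function name `summarize_auth_failure` and the result field names are assumptions made for this illustration.

```python
import re

# Lines copied from the charon log quoted in this thread (NET lines omitted).
SAMPLE_LOG = """\
08[ENC] generating IKE_AUTH request 10 [ EAP/RES/TLS ]
11[IKE] retransmit 1 of request with message ID 10
12[ENC] parsed IKE_AUTH response 10 [ EAP/REQ/TLS ]
12[TLS] received fatal TLS alert 'access denied'
12[IKE] EAP_TLS method failed
12[ENC] generating INFORMATIONAL request 11 [ N(AUTH_FAILED) ]
12[IKE] IKE_SA ELS-VPAPP-WGL08[1] state change: CONNECTING => DESTROYING
"""

# charon log prefix as it appears above: thread number, then [GROUP], then message.
LINE = re.compile(r"^(?P<thread>\d+)\[(?P<group>[A-Z0-9]{3})\]\s+(?P<msg>.*)$")

# (log group, pattern, result field); field names are hypothetical.
RULES = [
    ("TLS", re.compile(r"received fatal TLS alert '(?P<v>[^']+)'"), "tls_alert"),
    ("IKE", re.compile(r"(?P<v>EAP_\S+) method failed"), "eap_method"),
    ("ENC", re.compile(r"generating INFORMATIONAL request \d+ \[.*N\((?P<v>[A-Z_]+)\)"),
     "notify_sent"),
    ("IKE", re.compile(r"IKE_SA (?P<v>\S+)\[\d+\] state change: CONNECTING => DESTROYING"),
     "conn"),
]


def summarize_auth_failure(log_text):
    """Return a dict describing a failed IKE_AUTH exchange, or None if the
    log holds no failure indicator."""
    found = {"retransmits": 0}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the NN[GRP] format, ignore
        group, msg = m["group"], m["msg"]
        if group == "IKE" and msg.startswith("retransmit "):
            found["retransmits"] += 1
        for rule_group, pattern, field in RULES:
            hit = pattern.search(msg) if group == rule_group else None
            if hit:
                found[field] = hit["v"]
    # A teardown or retransmit alone is not treated as an authentication failure.
    if not any(k in found for k in ("tls_alert", "eap_method", "notify_sent")):
        return None
    return found


if __name__ == "__main__":
    print(summarize_auth_failure(SAMPLE_LOG))
```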

