Discussion:
[strongSwan] (no subject)
Yogesh Purohit
2018-10-29 05:42:34 UTC
Hi Team,

I am trying to establish a tunnel with my strongSwan.
But after receiving the IKE_AUTH response my local strongSwan end (initiator)
rejects the tunnel saying 'length of TRAFFIC_SELECTOR_SUBSTRUCTURE
substructure list invalid'.

And I am unable to get the reason for the same, because I have configured
matching traffic selectors.

The IKE_AUTH response which is received is 252 bytes, whereas when my tunnel
was established in the other case the IKE_AUTH response was 204 bytes.
NOTE: I am trying the tunnel with PSK and version is IKEv2.

So is there a fixed number of bytes for the IKE_AUTH response which is expected by
strongSwan for PSK?

And what does 'length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list
invalid' mean? I tried finding it in the RFC, but could not find it.


Thanks & Regards,

Yogesh Purohit
Yogesh Purohit
2018-10-29 05:43:26 UTC
Adding subject line to my query
--
Best Regards,

Yogesh Purohit
Andreas Steffen
2018-10-29 08:09:40 UTC
Hi Yogesh,

are you using an unmodified strongSwan peer on the other side or
a third party VPN product? If it is strongSwan, which version are
you using? Could you also send the configuration of the CHILD SA?

Regards

Andreas
--
======================================================================
Andreas Steffen ***@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
Yogesh Purohit
2018-10-29 09:25:10 UTC
Hi Andreas,

No, it is not strongSwan on the peer end. I am using a third party VPN.

So is the IKE_AUTH packet size fixed to 204 bytes for PSK mode, and can
anything exceeding that be an invalid length?

Configuration on my side is:

conn %default
    ikelifetime=28800s
    type=tunnel
    lifetime=3600s
    dpddelay=30
    dpdaction=restart
    reauth=no
    mobike=no    # disable mobike - no use case

conn 10.109.229.250_1.1.2.0/24-10.109.229.252_2.1.1.0/24
    left=10.109.229.250
    leftid=10.109.229.250
    rightid=10.109.229.252
    leftsubnet=1.1.2.0/24
    right=10.109.229.252
    rightsubnet=2.1.1.0/24
    authby=secret
    keyexchange=ikev2
    auto=add
    fragmentation=yes
    esp=aes256-sha1-modp2048
    ike=aes256-sha1-modp2048!


Thanks & Regards,
Yogesh


--
Best Regards,

Yogesh Purohit
Tobias Brunner
2018-10-29 11:00:19 UTC
Hi Yogesh,
Post by Yogesh Purohit
No, it is not strongSwan on the peer end. I am using a third party VPN.
Which probably means the peer sends an invalid TS payload.
Post by Yogesh Purohit
So is the IKE_AUTH packet size fixed to 204 bytes for PSK mode, and can
anything exceeding that be an invalid length?
There are no fixed sizes for any messages or modes. You have to look
closely at the structure of the received message and the contained
payloads (either increase the log level for enc to 3 or export the IKE
keys and use Wireshark to analyze the IKE_AUTH message).

Regards,
Tobias
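Added illustration, not from the thread and not strongSwan's own code: a small Python parser for the IKEv2 Traffic Selector payload of RFC 7296 section 3.13 that checks each declared length against the bytes actually present, which is the same bookkeeping one does by hand on the Wireshark decode Tobias suggests. The 2.1.1.0/24 subnet is taken from Yogesh's configuration; that strongSwan's message corresponds to such a length mismatch is an assumption.

```python
import struct
from ipaddress import IPv4Address, ip_address

# IKEv2 Traffic Selector types (RFC 7296, section 3.13.1) and their address lengths
TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE = 7, 8
ADDR_LEN = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}
TS_LIST_INVALID = "length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid"

def parse_ts_payload(data: bytes) -> list:
    """Parse a TSi/TSr payload (generic header included) into a list of selectors.
    Every declared length is checked against the bytes actually present; a mismatch
    is reported with strongSwan's wording (assumed to be the condition in the thread)."""
    if len(data) < 8:
        raise ValueError("payload shorter than its 8-byte header")
    _next, _flags, payload_len = struct.unpack("!BBH", data[:4])
    num_ts = data[4]  # bytes 5..7 are RESERVED
    if payload_len != len(data):
        raise ValueError(f"payload length {payload_len} != {len(data)} bytes on the wire")
    body, selectors = data[8:], []
    while body:
        if len(body) < 8:  # fixed part of a TS substructure is 8 bytes
            raise ValueError(TS_LIST_INVALID)
        ts_type, proto, sel_len, start_port, end_port = struct.unpack("!BBHHH", body[:8])
        if ts_type not in ADDR_LEN:
            raise ValueError(f"unsupported TS type {ts_type}")
        alen = ADDR_LEN[ts_type]
        # selector length must be exactly header + two addresses and must fit in what is left
        if sel_len != 8 + 2 * alen or sel_len > len(body):
            raise ValueError(TS_LIST_INVALID)
        start, end = body[8:8 + alen], body[8 + alen:sel_len]
        selectors.append((ts_type, proto, start_port, end_port, ip_address(start), ip_address(end)))
        body = body[sel_len:]
    if len(selectors) != num_ts:
        raise ValueError(f"header announces {num_ts} selectors, payload carries {len(selectors)}")
    return selectors

def build_ipv4_ts(proto: int, start_port: int, end_port: int, start_ip: str, end_ip: str) -> bytes:
    """Build one TS_IPV4_ADDR_RANGE substructure (selector length is always 16)."""
    return (struct.pack("!BBHHH", TS_IPV4_ADDR_RANGE, proto, 16, start_port, end_port)
            + IPv4Address(start_ip).packed + IPv4Address(end_ip).packed)

def build_ts_payload(selectors: list, next_payload: int = 0) -> bytes:
    """Wrap substructures in a TS payload: generic header, selector count, 3 reserved bytes."""
    body = b"".join(selectors)
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(body), len(selectors)) + body

# Constructed sample: the TSr a responder would send for rightsubnet=2.1.1.0/24 (any proto/port)
SAMPLE_TSR = build_ts_payload([build_ipv4_ts(0, 0, 65535, "2.1.1.0", "2.1.1.255")])
```

Feeding the raw TS payload bytes from a decrypted capture to parse_ts_payload reports which of the three length fields (payload, selector, count) does not add up, which is the information the log message alone does not give.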
