[strongSwan] UNSUPPORTED_CRITICAL_PAYLOAD
Marco Berizzi
2018-06-12 16:22:01 UTC
Hello everyone,

I'm getting a lot of UNSUPPORTED_CRITICAL_PAYLOAD errors of this kind
from many Windows 10 laptops.
Does anyone have an idea of what the problem could be?

generating QUICK_MODE request 3970887770 [ HASH SA No KE ID ID ]
sending packet: from 10.81.110.254[500] to 10.81.126.89[500] (396 bytes)
received packet: from 10.81.126.89[500] to 10.81.110.254[500] (76 bytes)
parsed INFORMATIONAL_V1 request 1775796517 [ HASH N(CRIT) ]
received UNSUPPORTED_CRITICAL_PAYLOAD error notify

Thanks
Tobias Brunner
2018-06-13 09:05:24 UTC
Hi Marco,

> parsed INFORMATIONAL_V1 request 1775796517 [ HASH N(CRIT) ]
> received UNSUPPORTED_CRITICAL_PAYLOAD error notify

This is a bit misleading as UNSUPPORTED_CRITICAL_PAYLOAD is the IKEv2
meaning/name of notify type 1. It has a different meaning in IKEv1:
INVALID-PAYLOAD-TYPE. Why exactly you'd get this as a response to a Quick
Mode request I don't know.

Maybe the peer wasn't able to decrypt the message properly, or it didn't
like one of the payloads (e.g. because it was configured not to use PFS
and didn't expect a KE payload). As strongSwan is the initiator of the
exchange and the peer is a Windows 10 host I'd guess that this is a
rekeying. So it could also be because it doesn't like being responder
of a rekeying (Windows has/had the same problem with IKEv2 CHILD_SA
rekeyings, see [1]).

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#Rekeying-behavior
Marco Berizzi
2018-06-13 15:04:16 UTC
Hi Tobias,

> As strongSwan is the initiator of the exchange and the peer is a
> Windows 10 host I'd guess that this is a rekeying. So it could also
> be because it doesn't like being responder of a rekeying (Windows
> has/had the same problem with IKEv2 CHILD_SA rekeyings, see [1]).

You are right. My fault. The problem was the lifetime/ikelifetime:
I had decreased it on the strongSwan side and forgot to update the
Windows clients. So strongSwan became the initiator and the problem
popped up.

Sorry for the spam.
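An added example (not code from the thread or from strongSwan) that turns Tobias's two points into a log check: it re-labels the notify type by IKE version (type 1 is INVALID-PAYLOAD-TYPE in IKEv1 but UNSUPPORTED_CRITICAL_PAYLOAD in IKEv2) and flags an error notify that answers a Quick Mode strongSwan itself initiated, which is the rekeying/lifetime situation Marco found. The regexes assume charon's default log line format as shown in the first post; the notify names are from RFC 2408 and RFC 7296.

```python
import re

# Notify type 1 is named differently in IKEv1 (RFC 2408) and IKEv2 (RFC 7296);
# charon prints the IKEv2 name even for a notify received in an IKEv1
# INFORMATIONAL exchange, which is what makes the log line misleading.
NOTIFY_NAMES = {
    1: {1: "INVALID-PAYLOAD-TYPE", 2: "UNSUPPORTED_CRITICAL_PAYLOAD"},
    14: {1: "NO-PROPOSAL-CHOSEN", 2: "NO_PROPOSAL_CHOSEN"},
    24: {1: "AUTHENTICATION-FAILED", 2: "AUTHENTICATION_FAILED"},
}
PRINTED_TO_TYPE = {names[2]: t for t, names in NOTIFY_NAMES.items()}

GENERATING = re.compile(r"generating (\S+) request \d+ \[ (.*?) \]")
PARSED = re.compile(r"parsed (\S+?)(_V1)? (?:request|response) \d+")
ERROR_NOTIFY = re.compile(r"received (\S+) error notify")

def diagnose(lines):
    """Walk charon log lines in order and explain each error notify."""
    findings = []
    local_exchange, local_payloads = None, []  # last exchange we initiated
    ike_version = 2  # charon marks IKEv1 exchanges with a _V1 suffix
    for line in lines:
        if m := GENERATING.search(line):
            local_exchange, local_payloads = m.group(1), m.group(2).split()
        elif m := PARSED.search(line):
            ike_version = 1 if m.group(2) else 2
        elif m := ERROR_NOTIFY.search(line):
            ntype = PRINTED_TO_TYPE.get(m.group(1))
            real = NOTIFY_NAMES[ntype][ike_version] if ntype else m.group(1)
            hint = None
            if ike_version == 1 and local_exchange == "QUICK_MODE":
                hint = ("peer rejected a Quick Mode we initiated; if the peer "
                        "normally initiates, check lifetime/ikelifetime so it "
                        "rekeys first, and whether it expects PFS (KE payload)")
            findings.append({
                "printed": m.group(1), "ike_version": ike_version,
                "notify_type": ntype, "actual_name": real,
                "local_exchange": local_exchange,
                "pfs_ke_sent": "KE" in local_payloads, "hint": hint,
            })
    return findings

# Sample input: the five log lines from Marco's first post.
SAMPLE = [
    "generating QUICK_MODE request 3970887770 [ HASH SA No KE ID ID ]",
    "sending packet: from 10.81.110.254[500] to 10.81.126.89[500] (396 bytes)",
    "received packet: from 10.81.126.89[500] to 10.81.110.254[500] (76 bytes)",
    "parsed INFORMATIONAL_V1 request 1775796517 [ HASH N(CRIT) ]",
    "received UNSUPPORTED_CRITICAL_PAYLOAD error notify",
]
```

Running `diagnose(SAMPLE)` reports one finding: IKEv1, notify type 1 read as INVALID-PAYLOAD-TYPE, answering a locally initiated QUICK_MODE that carried a KE payload.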