Re: [strongSwan] length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid
Hi Yogesh,

> No it is not strongswan on peer end. I am using third party VPN.

Which probably means the peer sends an invalid TS payload.

> So is the IKE_AUTH packet size is fixed to 204 bytes for PSK mode and
> anything exceeding that can be Invalid length.

There are no fixed sizes for any messages or modes. You have to look closely at the structure of the received message and the contained payloads (either increase the log level for enc to 3 or export the IKE keys and use Wireshark to analyze the IKE_AUTH message).

Regards,
Tobias
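Added example (not part of the original thread, and not strongSwan's parser code): a Python parser that applies the length rules for a TSi/TSr payload from RFC 7296 section 3.13, the kind of structural check described above for the decrypted IKE_AUTH message. The helper build_ts and the three sample payloads are constructed for illustration; the addresses are the subnets from the configuration posted in this thread.

```python
import ipaddress
import struct

# Address length per TS type (RFC 7296, section 3.13.1)
ADDR_LEN = {7: 4, 8: 16}  # TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE


def parse_ts_payload(payload: bytes):
    """Return [(type, proto, start_port, end_port, start, end)] or raise ValueError."""
    if len(payload) < 8:
        raise ValueError("payload shorter than TS header")
    _next, _flags, plen, count = struct.unpack_from("!BBHB", payload, 0)
    if plen != len(payload):
        raise ValueError(f"payload length {plen} != {len(payload)} bytes present")
    offset, selectors = 8, []  # generic header (4) + count (1) + reserved (3)
    for index in range(count):
        if offset + 8 > plen:
            raise ValueError(f"selector {index}: header runs past payload end")
        ts_type, proto, sel_len, sport, eport = struct.unpack_from(
            "!BBHHH", payload, offset)
        if ts_type not in ADDR_LEN:
            raise ValueError(f"selector {index}: unknown TS type {ts_type}")
        alen = ADDR_LEN[ts_type]
        if sel_len != 8 + 2 * alen:  # Selector Length includes its own header
            raise ValueError(f"selector {index}: length {sel_len}, expected {8 + 2 * alen}")
        if offset + sel_len > plen:
            raise ValueError(f"selector {index}: body runs past payload end")
        start = ipaddress.ip_address(payload[offset + 8:offset + 8 + alen])
        end = ipaddress.ip_address(payload[offset + 8 + alen:offset + sel_len])
        selectors.append((ts_type, proto, sport, eport, str(start), str(end)))
        offset += sel_len
    if offset != plen:
        raise ValueError(f"{plen - offset} trailing bytes after {count} selectors")
    return selectors


def build_ts(start, end, sel_len=16, count=1):
    """Constructed sample: one IPv4 selector, any protocol, all ports."""
    body = struct.pack("!BBHHH", 7, 0, sel_len, 0, 65535)
    body += ipaddress.ip_address(start).packed + ipaddress.ip_address(end).packed
    return struct.pack("!BBHB3x", 0, 0, 8 + len(body), count) + body


# Constructed samples (not captured traffic)
GOOD = build_ts("1.1.2.0", "1.1.2.255")                  # well-formed
BAD_LEN = build_ts("2.1.1.0", "2.1.1.255", sel_len=20)   # wrong Selector Length
BAD_COUNT = build_ts("2.1.1.0", "2.1.1.255", count=2)    # claims 2 selectors, carries 1
```

Feed it the bytes of a decrypted TSi or TSr payload, generic payload header included, for example copied from Wireshark after exporting the IKE keys.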
Re: [strongSwan] length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid
Hi Andreas,

No it is not strongswan on peer end. I am using third party VPN.

So is the IKE_AUTH packet size is fixed to 204 bytes for PSK mode and anything exceeding that can be Invalid length.

Configuration on my side is:

conn %default
    ikelifetime = 28800s
    type = tunnel
    lifetime = 3600s
    dpddelay = 30
    dpdaction = restart
    reauth = no
    mobike = no #disable mobike - no use case

conn 10.109.229.250_1.1.2.0/24-10.109.229.252_2.1.1.0/24
    left=10.109.229.250
    leftid=10.109.229.250
    rightid=10.109.229.252
    leftsubnet=1.1.2.0/24
    right=10.109.229.252
    rightsubnet=2.1.1.0/24
    authby=secret
    keyexchange = ikev2
    auto = add
    fragmentation = yes
    esp=aes256-sha1-modp2048
    ike=aes256-sha1-modp2048!

Thanks & Regards,
Yogesh

On Mon, Oct 29, 2018 at 1:39 PM Andreas Steffen <andreas.stef...@strongswan.org> wrote:

> Hi Yogesh,
>
> are you using an unmodified strongSwan peer on the other side or
> a third party VPN product? If it is strongSwan, which version are
> you using? Could you also send the configuration of the CHILD SA?
>
> Regards
>
> Andreas
>
> On 29.10.2018 06:43, Yogesh Purohit wrote:
> > Adding subject line to my query
> >
> > On Mon, Oct 29, 2018 at 11:12 AM Yogesh Purohit
> > <mailto:yogeshpuroh...@gmail.com> wrote:
> >
> >     Hi Team,
> >
> >     I am trying to establish tunnel with my strongswan.
> >     But after receiving IKE_AUTH response my local strongswan end
> >     (initiator) rejects tunnel saying ' length of
> >     TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid'.
> >
> >     And I am unable to get the reason for the same. Because I have
> >     configured traffic selectors matching.
> >
> >     IKE_Auth response which is received is of 252 bytes, whereas when my
> >     tunnel was established in other case IKE_AUTH response was of 204 bytes.
> >     NOTE: I am trying the tunnel with PSK and version is IKEv2.
> >
> >     So is there fixed bytes of IKE_AUTH response which is expected by
> >     strongswan for PSK.
> >
> >     And what does 'length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure
> >     list invalid' means, I tried finding it in RFC, but could not find
> >     the same.
> >
> >
> >     Thanks & Regards,
> >
> >     Yogesh Purohit
> >
> >
> >
> > --
> > Best Regards,
> >
> > Yogesh Purohit
>
> --
> ==
> Andreas Steffen andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[INS-HSR]==
>

--
Best Regards,

Yogesh Purohit
Re: [strongSwan] length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid
Hi Yogesh,

are you using an unmodified strongSwan peer on the other side or a third party VPN product? If it is strongSwan, which version are you using? Could you also send the configuration of the CHILD SA?

Regards

Andreas

On 29.10.2018 06:43, Yogesh Purohit wrote:
> Adding subject line to my query
>
> On Mon, Oct 29, 2018 at 11:12 AM Yogesh Purohit
> <mailto:yogeshpuroh...@gmail.com> wrote:
>
>     Hi Team,
>
>     I am trying to establish tunnel with my strongswan.
>     But after receiving IKE_AUTH response my local strongswan end
>     (initiator) rejects tunnel saying ' length of
>     TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid'.
>
>     And I am unable to get the reason for the same. Because I have
>     configured traffic selectors matching.
>
>     IKE_Auth response which is received is of 252 bytes, whereas when my
>     tunnel was established in other case IKE_AUTH response was of 204 bytes.
>     NOTE: I am trying the tunnel with PSK and version is IKEv2.
>
>     So is there fixed bytes of IKE_AUTH response which is expected by
>     strongswan for PSK.
>
>     And what does 'length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure
>     list invalid' means, I tried finding it in RFC, but could not find
>     the same.
>
>
>     Thanks & Regards,
>
>     Yogesh Purohit
>
>
>
> --
> Best Regards,
>
> Yogesh Purohit

--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==
[strongSwan] length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list invalid
Adding subject line to my query

On Mon, Oct 29, 2018 at 11:12 AM Yogesh Purohit wrote:

> Hi Team,
>
> I am trying to establish tunnel with my strongswan.
> But after receiving IKE_AUTH response my local strongswan end (initiator)
> rejects tunnel saying ' length of TRAFFIC_SELECTOR_SUBSTRUCTURE
> substructure list invalid'.
>
> And I am unable to get the reason for the same. Because I have configured
> traffic selectors matching.
>
> IKE_Auth response which is received is of 252 bytes, whereas when my tunnel
> was established in other case IKE_AUTH response was of 204 bytes.
> NOTE: I am trying the tunnel with PSK and version is IKEv2.
>
> So is there fixed bytes of IKE_AUTH response which is expected by
> strongswan for PSK.
>
> And what does 'length of TRAFFIC_SELECTOR_SUBSTRUCTURE substructure list
> invalid' means, I tried finding it in RFC, but could not find the same.
>
>
> Thanks & Regards,
>
> Yogesh Purohit
>

--
Best Regards,

Yogesh Purohit