Re: [strongSwan] IKE_SA_INIT response with notification data missing
> Is there any reason why UDP checksum in the packet shows as wrong in
> Wireshark?

Possibly hardware checksum offloading [1].

Regards,
Tobias

[1] https://wiki.wireshark.org/CaptureSetup/Offloading
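The offloading explanation can be checked rather than guessed at. The script below is an added example for this thread, not code from strongSwan or from anyone on the list: it recomputes the RFC 768 UDP checksum over the IPv4 pseudo-header for a captured datagram, the same computation Wireshark performs when it flags a checksum as wrong. The sample datagram is constructed here (the two addresses from the poster's ipsec.conf, port 500, and a bare 28-byte IKEv2 header); it is not the poster's capture.

```python
"""Recompute an IPv4 UDP checksum (RFC 768) for a captured datagram."""
import struct


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip, dst_ip, segment):
    """Checksum over the IPv4 pseudo-header plus the UDP segment with its
    own checksum field zeroed. src_ip/dst_ip are 4-byte packed addresses."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(segment))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo + zeroed)
    return csum if csum else 0xFFFF  # an all-zero result is sent as 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Assemble a UDP segment carrying payload, with a correct checksum."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, seg)) + seg[8:]


def verify_udp(src_ip, dst_ip, segment):
    """'ok' if the checksum validates, 'none' if the sender left it at zero
    (permitted for UDP over IPv4), 'bad' otherwise."""
    given = struct.unpack("!H", segment[6:8])[0]
    if given == 0:
        return "none"
    return "ok" if given == udp_checksum(src_ip, dst_ip, segment) else "bad"


# Constructed sample, not the poster's capture: the two hosts from the
# thread's ipsec.conf, IKE on UDP/500, and a bare IKEv2 header (SPIi, zero
# SPIr, next payload 33 = SA, version 2.0, exchange 34 = IKE_SA_INIT,
# Initiator flag, message ID 0, length 28).
SRC_IP = bytes([172, 16, 135, 192])
DST_IP = bytes([172, 16, 55, 62])
IKE_HDR = (bytes.fromhex("0123456789abcdef") + bytes(8)
           + struct.pack("!BBBBII", 33, 0x20, 34, 0x08, 0, 28))


def demo():
    """Validate a correct datagram, a corrupted one, and one with no checksum."""
    good = build_udp(SRC_IP, DST_IP, 500, 500, IKE_HDR)
    flipped = good[:-1] + bytes([good[-1] ^ 0x01])   # one payload bit flipped
    unset = good[:6] + b"\x00\x00" + good[8:]        # checksum field left zero
    results = {name: verify_udp(SRC_IP, DST_IP, seg)
               for name, seg in (("good", good), ("flipped", flipped), ("unset", unset))}
    for name, result in results.items():
        print("%-8s -> %s" % (name, result))
    return results


if __name__ == "__main__":
    demo()
```

Run against the bytes of a frame captured on the sending host with transmit checksum offloading enabled, this check fails exactly as Wireshark's does, because the capture point is above the NIC that fills the field in; the same frame taken on the wire or on the receiver validates. To confirm that is what is happening, capture on the peer instead, or disable offloading on the strongSwan host with the standard `ethtool -K <iface> tx off`, or turn off "Validate the UDP checksum if possible" in Wireshark's UDP preferences.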
Re: [strongSwan] IKE_SA_INIT response with notification data missing
Thanks Andreas, will take a look at it. Is there any reason why UDP checksum in the packet shows as wrong in Wireshark?

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Monday, April 16, 2018 5:04 AM
To: Balaji Thoguluva Bapulal <balaji.thoguluva.bapu...@oracle.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] IKE_SA_INIT response with notification data missing

Hi Balaji,

RFC 4739 "Multiple Authentication Exchanges in IKEv2"
https://tools.ietf.org/html/rfc4739#section-3.1
defines the format of the MULTIPLE_AUTH_SUPPORTED Notify Payload as

3.1.  MULTIPLE_AUTH_SUPPORTED Notify Payload

   The MULTIPLE_AUTH_SUPPORTED notification is included in the
   IKE_SA_INIT response or the first IKE_AUTH request to indicate that
   the peer supports this specification.  The Notify Message Type is
   MULTIPLE_AUTH_SUPPORTED (16404).  The Protocol ID and SPI Size fields
   MUST be set to zero, and there is no data associated with this Notify
   type.

So I don't understand why you expect notification data?

Regards

Andreas

On 15.04.2018 04:42, Balaji Thoguluva Bapulal wrote:
> Dear users,
>
> I am trying to establish an IKEv2/IPsec tunnel from a security gateway
> towards strongSwan with strongSwan acting as a responder. In response
> to the IKE_SA_INIT request packet, strongSwan sends back an IKE_SA_INIT
> response with a Notify payload of MULTIPLE_AUTH_SUPPORTED with the
> notification data missing. I have attached the Wireshark capture. It
> would be great if someone can explain this behavior.
>
> [IKEv2]$ ipsec --version
>
> Linux strongSwan U5.3.0/K3.8.13-16.2.1.el6uek.x86_64
>
> Institute for Internet Technologies and Applications
>
> University of Applied Sciences Rapperswil, Switzerland
>
> See 'ipsec --copyright' for copyright information.
>
> The following is the configuration.
>
> config setup
>         charondebug=all
>
> conn %default
>         keyingtries=1
>         keyexchange=ikev2
>         reauth=no
>
> conn psk
>         left=172.16.55.62
>         leftsourceip=%config%
>         leftfirewall=no
>         leftauth=psk
>         leftsubnet=172.16.0.0/16
>         right=172.16.135.192
>         rightid=172.16.135.192
>         rightsubnet=172.16.0.0/16
>         rightauth=psk
>         esp=3des-aes-sha1-md5-modp1024
>         ike=3des-sha1-md5-modp1024
>         auto=add
>         type=tunnel
>
> Thanks,
>
> Balaji
>

--
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
=======================================================[INS-HSR]==
Re: [strongSwan] IKE_SA_INIT response with notification data missing
Hi Balaji,

RFC 4739 "Multiple Authentication Exchanges in IKEv2"
https://tools.ietf.org/html/rfc4739#section-3.1
defines the format of the MULTIPLE_AUTH_SUPPORTED Notify Payload as

3.1.  MULTIPLE_AUTH_SUPPORTED Notify Payload

   The MULTIPLE_AUTH_SUPPORTED notification is included in the
   IKE_SA_INIT response or the first IKE_AUTH request to indicate that
   the peer supports this specification.  The Notify Message Type is
   MULTIPLE_AUTH_SUPPORTED (16404).  The Protocol ID and SPI Size fields
   MUST be set to zero, and there is no data associated with this Notify
   type.

So I don't understand why you expect notification data?

Regards

Andreas

On 15.04.2018 04:42, Balaji Thoguluva Bapulal wrote:
> Dear users,
>
> I am trying to establish an IKEv2/IPsec tunnel from a security gateway
> towards strongSwan with strongSwan acting as a responder. In response
> to the IKE_SA_INIT request packet, strongSwan sends back an IKE_SA_INIT
> response with a Notify payload of MULTIPLE_AUTH_SUPPORTED with the
> notification data missing. I have attached the Wireshark capture. It
> would be great if someone can explain this behavior.
>
> [IKEv2]$ ipsec --version
>
> Linux strongSwan U5.3.0/K3.8.13-16.2.1.el6uek.x86_64
>
> Institute for Internet Technologies and Applications
>
> University of Applied Sciences Rapperswil, Switzerland
>
> See 'ipsec --copyright' for copyright information.
>
> The following is the configuration.
>
> config setup
>         charondebug=all
>
> conn %default
>         keyingtries=1
>         keyexchange=ikev2
>         reauth=no
>
> conn psk
>         left=172.16.55.62
>         leftsourceip=%config%
>         leftfirewall=no
>         leftauth=psk
>         leftsubnet=172.16.0.0/16
>         right=172.16.135.192
>         rightid=172.16.135.192
>         rightsubnet=172.16.0.0/16
>         rightauth=psk
>         esp=3des-aes-sha1-md5-modp1024
>         ike=3des-sha1-md5-modp1024
>         auto=add
>         type=tunnel
>
> Thanks,
>
> Balaji

--
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
=======================================================[INS-HSR]==
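The RFC text Andreas quotes can be seen on the wire. The script below is an added example for this thread, not strongSwan code and not from anyone on the list: it encodes and decodes IKEv2 Notify payloads (generic payload header from RFC 7296 section 3.2, Notify body from section 3.10) and checks a MULTIPLE_AUTH_SUPPORTED notify against the RFC 4739 rule that Protocol ID, SPI Size and data are all empty, so the whole payload is eight bytes. For contrast it also builds a NAT_DETECTION_SOURCE_IP notify, a type that does carry data (the 20-byte SHA-1 from RFC 7296 section 2.23). The SPI, address and port values are constructed for the example, not taken from the poster's capture.

```python
"""Encode and decode IKEv2 Notify payloads (RFC 7296 sections 3.2 and 3.10)."""
import hashlib
import struct

PAYLOAD_TYPE_NONE = 0
PAYLOAD_TYPE_NOTIFY = 41            # RFC 7296 section 3.2, "N"

# Notify Message Types used below
NAT_DETECTION_SOURCE_IP = 16388     # RFC 7296 section 2.23, carries a 20-byte SHA-1
MULTIPLE_AUTH_SUPPORTED = 16404     # RFC 4739 section 3.1, carries no data at all


def build_notify(msg_type, protocol_id=0, spi=b"", data=b"",
                 next_payload=PAYLOAD_TYPE_NONE):
    """Return the wire form of one Notify payload, generic header included."""
    if len(spi) > 255:
        raise ValueError("SPI does not fit the one-byte SPI Size field")
    body = struct.pack("!BBH", protocol_id, len(spi), msg_type) + spi + data
    # Generic payload header: Next Payload, C bit + 7 reserved bits, Payload Length
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_notify(buf):
    """Parse one Notify payload from the start of buf into a dict.
    Length fields are checked before any slice is taken."""
    if len(buf) < 8:
        raise ValueError("truncated Notify payload (need at least 8 bytes)")
    next_payload, flags, length = struct.unpack("!BBH", buf[:4])
    if length < 8 or length > len(buf):
        raise ValueError("bad Payload Length %d" % length)
    protocol_id, spi_size, msg_type = struct.unpack("!BBH", buf[4:8])
    if 8 + spi_size > length:
        raise ValueError("SPI Size %d exceeds Payload Length %d" % (spi_size, length))
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "length": length,
        "protocol_id": protocol_id,
        "spi": buf[8:8 + spi_size],
        "msg_type": msg_type,
        "data": buf[8 + spi_size:length],
    }


def is_valid_multiple_auth_supported(n):
    """RFC 4739 section 3.1: Protocol ID and SPI Size MUST be zero, no data."""
    return (n["msg_type"] == MULTIPLE_AUTH_SUPPORTED
            and n["protocol_id"] == 0
            and n["spi"] == b""
            and n["data"] == b"")


def nat_detection_hash(spi_i, spi_r, ip, port):
    """SHA-1(SPIi | SPIr | IP | Port), the NAT_DETECTION_*_IP data (RFC 7296 2.23)."""
    return hashlib.sha1(spi_i + spi_r + ip + struct.pack("!H", port)).digest()


# Constructed sample values for the example, not taken from the thread's capture.
SAMPLE_SPI_I = bytes.fromhex("0123456789abcdef")
SAMPLE_SPI_R = bytes(8)                    # responder SPI is zero in an IKE_SA_INIT request
SAMPLE_IP = bytes([172, 16, 135, 192])
SAMPLE_PORT = 500


def demo():
    """Build both notifies; return {name: (payload length, data length)}."""
    ma = build_notify(MULTIPLE_AUTH_SUPPORTED)
    nd = build_notify(NAT_DETECTION_SOURCE_IP,
                      data=nat_detection_hash(SAMPLE_SPI_I, SAMPLE_SPI_R,
                                              SAMPLE_IP, SAMPLE_PORT))
    out = {}
    for name, wire in (("MULTIPLE_AUTH_SUPPORTED", ma), ("NAT_DETECTION_SOURCE_IP", nd)):
        n = parse_notify(wire)
        out[name] = (n["length"], len(n["data"]))
        print("%-24s length=%2d data=%2d bytes  hex=%s"
              % (name, n["length"], len(n["data"]), wire.hex()))
    return out


if __name__ == "__main__":
    demo()
```

The MULTIPLE_AUTH_SUPPORTED payload comes out as `00 00 00 08 00 00 40 14`: a four-byte generic header with length 8, then Protocol ID 0, SPI Size 0 and type 0x4014 (16404), and nothing after it. Wireshark shows no "Notification DATA" field for it because there is none to show, which is the behaviour the responder in the thread exhibits; a dissector that refused the payload for lacking data, or a parser that read past the Payload Length looking for some, would be the bug, not the responder.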
Re: [strongSwan] IKE_SA_INIT response with notification data missing
Also the UDP checksum in the IKE_SA_INIT response shows as incorrect in Wireshark.

From: Balaji Thoguluva Bapulal
Sent: Saturday, April 14, 2018 10:42 PM
To: users@lists.strongswan.org
Subject: IKE_SA_INIT response with notification data missing

Dear users,

I am trying to establish an IKEv2/IPsec tunnel from a security gateway towards strongSwan with strongSwan acting as a responder. In response to the IKE_SA_INIT request packet, strongSwan sends back an IKE_SA_INIT response with a Notify payload of MULTIPLE_AUTH_SUPPORTED with the notification data missing. I have attached the Wireshark capture. It would be great if someone can explain this behavior.

[IKEv2]$ ipsec --version

Linux strongSwan U5.3.0/K3.8.13-16.2.1.el6uek.x86_64

Institute for Internet Technologies and Applications

University of Applied Sciences Rapperswil, Switzerland

See 'ipsec --copyright' for copyright information.

The following is the configuration.

config setup
        charondebug=all

conn %default
        keyingtries=1
        keyexchange=ikev2
        reauth=no

conn psk
        left=172.16.55.62
        leftsourceip=%config%
        leftfirewall=no
        leftauth=psk
        leftsubnet=172.16.0.0/16
        right=172.16.135.192
        rightid=172.16.135.192
        rightsubnet=172.16.0.0/16
        rightauth=psk
        esp=3des-aes-sha1-md5-modp1024
        ike=3des-sha1-md5-modp1024
        auto=add
        type=tunnel

Thanks,

Balaji