Hi Nitin,

what VPN product is running on the server, since 1) it produces
notifications in an invalid format and 2) it probably speaks
IKEv1 only, because it replies with INVALID_MAJOR_VERSION to
an IKEv2 request?

Best regards

Andreas

On 28.07.2015 10:40, Nitin Agarwal wrote:
Hi Noel

I have done the changes, but still the tunnels are down for up to 10
minutes, sometimes.
This is what I got from Syslog, and these errors are different at
different times:

1)
Jul 28 09:28:36 alix6f2-619703 charon: 12[IKE] initiating IKE_SA 52.64.105.113_cnc[2] to 52.74.240.246
Jul 28 09:28:36 alix6f2-619703 charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 28 09:28:36 alix6f2-619703 charon: 12[NET] sending packet: from 100.116.187.100[500] to 52.74.240.246[500]
Jul 28 09:28:37 alix6f2-619703 charon: 16[NET] received packet: from 52.74.240.246[500] to 100.116.187.100[500]
Jul 28 09:28:37 alix6f2-619703 charon: 16[ENC] invalid notify data length for INVALID_MAJOR_VERSION (20)
Jul 28 09:28:37 alix6f2-619703 charon: 16[ENC] *NOTIFY payload verification failed*
Jul 28 09:28:37 alix6f2-619703 charon: 16[IKE] IKE_SA_INIT response with message ID 0 processing failed
Jul 28 09:28:40 alix6f2-619703 charon: 13[IKE] retransmit 1 of request with message ID 0

2)
Jul 28 09:29:40 alix6f2-619703 charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 28 09:29:40 alix6f2-619703 charon: 13[NET] sending packet: from 100.116.187.100[500] to 52.74.240.246[500]
Jul 28 09:29:41 alix6f2-619703 charon: 16[NET] received packet: from 52.74.240.246[500] to 100.116.187.100[500]
Jul 28 09:29:41 alix6f2-619703 charon: 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
Jul 28 09:29:41 alix6f2-619703 charon: 16[IKE] *received INVALID_SYNTAX notify error*


Can anybody please suggest why this is happening?




*Best Regards*
*Nitin Agarwal*






On Wed, Jul 22, 2015 at 3:59 PM, Noel Kuntze wrote:


    Hello Nitin,

    You're using IKEv2, which uses a global timeout setting in
    strongswan.conf, not dpdtimeout.
    From the man page for ipsec.conf:
            dpdtimeout = 150s | <time>
                   defines the timeout interval, after which all
                   connections to a peer are deleted in case of
                   inactivity. This only applies to IKEv1, in IKEv2 the
                   default retransmission timeout applies, as every
                   exchange is used to detect dead peers.

    Look at the "IKEv2 RETRANSMISSION" section of the man page for
    strongswan.conf.

    Alternatively, use IKEv1.

    Mit freundlichen Grüßen/Kind Regards,
    Noel Kuntze

    GPG Key ID: 0x63EC6658
    Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

    On 22.07.2015 at 07:26, Nitin Agarwal wrote:
    > Hello Guys
    >
    > I am trying to achieve stable tunnel connectivity between two systems.
    > My System 1 is a modem having a PPP connection. And System 2 is a server.
    >
    > On System 1, the IP changes, and whenever the IP changes, the system
    > sometimes takes up to 20 minutes to form a stable tunnel. Sometimes it is
    > just 50 seconds. The PPP connection takes around 25 seconds to release
    > the old IP and acquire a new one.
    >
    > I am attaching the existing configuration.
    > Please suggest if I need to modify the configuration or if I am missing
    > something.
    >
    > *Best Regards*
    > *Nitin Agarwal*
    >
    > This message (and any associated files) is intended only for the
    > use of the individual or entity to which it is addressed and may
    > contain information that is confidential, subject to copyright or
    > constitutes a trade secret. If you are not the intended recipient
    > you are hereby notified that any dissemination, copying or
    > distribution of this message, or files associated with this message,
    > is strictly prohibited. If you have received this message in error,
    > please notify Symstream Technology Group immediately by replying to
    > the message and deleting it from your computer. Messages sent to and
    > from us may be monitored. Internet communications cannot be
    > guaranteed to be secure or error-free as information could be
    > intercepted, corrupted, lost, destroyed, arrive late or incomplete,
    > or contain viruses. Therefore, we do not accept responsibility for
    > any errors or omissions that are present in this message, or any
    > attachment, that have arisen as a result of e-mail transmission. If
    > verification is required, please request a hard-copy version. Any
    > views or opinions presented are solely those of the author and do
    > not necessarily represent those of the company.
    > -------------------------
    >
     > _______________________________________________
     > Users mailing list
     > [email protected] <mailto:[email protected]>
     > https://lists.strongswan.org/mailman/listinfo/users







--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
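
Added example (not part of the original thread and not strongSwan code): the IKEv2 retransmission timing that Noel's reply points to, computed from charon.retransmit_timeout, retransmit_base and retransmit_tries with their strongswan.conf defaults, and compared with two timestamps from log excerpt 1 above. The function names are hypothetical.

```python
from datetime import datetime

def schedule(timeout=4.0, base=1.8, tries=5):
    """Rows of (event, wait_s, elapsed_s) for one unanswered IKEv2 request.

    Arguments mirror charon.retransmit_timeout, retransmit_base and
    retransmit_tries in strongswan.conf (defaults shown). The wait before
    event n is timeout * base ** (n - 1); the last event is giving up.
    """
    if timeout <= 0 or base <= 0 or tries < 0:
        raise ValueError("timeout and base must be > 0, tries >= 0")
    rows, elapsed = [], 0.0
    for n in range(1, tries + 2):
        wait = timeout * base ** (n - 1)
        elapsed += wait
        event = f"retransmit {n}" if n <= tries else "give up"
        rows.append((event, wait, elapsed))
    return rows

def give_up_after(timeout=4.0, base=1.8, tries=5):
    """Seconds from the first send until charon abandons the exchange."""
    return schedule(timeout, base, tries)[-1][2]

def max_tries_within(budget_s, timeout=4.0, base=1.8, cap=20):
    """Largest retransmit_tries whose give-up time fits budget_s, else None."""
    best = None
    for tries in range(cap + 1):
        if give_up_after(timeout, base, tries) > budget_s:
            break
        best = tries
    return best

def seconds_between(first_line, second_line):
    """Gap between two same-day syslog lines ('Mon DD HH:MM:SS host ...')."""
    stamp = lambda line: datetime.strptime(line.split()[2], "%H:%M:%S")
    return (stamp(second_line) - stamp(first_line)).total_seconds()

# Two lines from log excerpt 1 in this thread, with the mail line wraps joined.
SENT = ("Jul 28 09:28:36 alix6f2-619703 charon: 12[NET] sending packet: "
        "from 100.116.187.100[500] to 52.74.240.246[500]")
RETRANSMIT = ("Jul 28 09:28:40 alix6f2-619703 charon: 13[IKE] retransmit 1 "
              "of request with message ID 0")

if __name__ == "__main__":
    for event, wait, elapsed in schedule():
        print(f"{event:<13} wait {wait:6.1f}s  elapsed {elapsed:6.1f}s")
    print("observed first wait:", seconds_between(SENT, RETRANSMIT), "s")
    print("tries that fit a 60 s budget:", max_tries_within(60))
```

With the defaults an unanswered request is abandoned after about 165 seconds, and the 4-second gap before "retransmit 1" in the log matches the default retransmit_timeout.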
