Actually IKE retransmissions are the only remedy against an unstable
noisy channel. You cannot beat Claude Shannon ;-)

Regards

Andreas

On 30.07.2015 09:47, Nitin Agarwal wrote:
Hi Andreas

So, what could be the possible solution ?

This is basically using 3G network.
Sometimes I also see a CCP [Compression Control Protocol] issue.
For that I am making noccp in ppp connection. Other than that, anything
which can be done?



*Best Regards*
*Nitin Agarwal*
*Team Leader R&D*
*Symstream Technology Group*
M +91 9818893018
[email protected] |
Skype: nitin_symstream





On Thu, Jul 30, 2015 at 12:52 PM, Andreas Steffen <[email protected]> wrote:

    Hi Nitin,

    for this time span I just see

    Jul 27 23:28:37 s5-gw-sing charon: 03[IKE] 27.97.11.233 is initiating an IKE_SA
    Jul 27 23:28:41 s5-gw-sing charon: 04[IKE] 27.97.11.233 is initiating an IKE_SA
    Jul 27 23:28:49 s5-gw-sing charon: 04[IKE] 27.97.11.233 is initiating an IKE_SA
    Jul 27 23:29:01 s5-gw-sing charon: 01[IKE] 27.97.11.233 is initiating an IKE_SA
    Jul 27 23:29:07 s5-gw-sing charon: 03[JOB] deleting half open IKE_SA after timeout

    I suspect that the IKE_SA_INIT response from the server gets somehow
    garbled by the transmission channel, so that the VPN client cannot
    parse the incoming IKE message correctly. This would explain why the
    errors differ from message to message.

    Best regards

    Andreas

    On 30.07.2015 08:35, Nitin Agarwal wrote:

        Hi

        I am attaching server [AWS] side logs [messages] .
        Server is 10 hours behind from modem.
        And, server is connected to many modems, this particular modem
        is 619703
        [10.4.39.36].



        *Best Regards*
        *Nitin Agarwal*
        [email protected] |
        Skype: nitin_symstream





        On Tue, Jul 28, 2015 at 8:42 PM, Andreas Steffen <[email protected]> wrote:

             So can you show me the corresponding strongSwan server log?

             Andreas

             On 07/28/2015 02:33 PM, Nitin Agarwal wrote:
             > Hi Andreas
             >
             > On server side, I am using :-
             > Linux strongSwan U4.6.2/
             >
             > And, on modem side :-
             > Linux[Debian, Voyage] strongSwan U4.4.1
             >
             >
              > *Best Regards*
              > *Nitin Agarwal*
              > *Team Leader R&D*
              > *Symstream Technology Group*
              > M +91 9818893018
              > [email protected] |
             > Skype: nitin_symstream
             >
             >
             >
             >
             >
             >
             >
             > On Tue, Jul 28, 2015 at 3:22 PM, Andreas Steffen <[email protected]> wrote:
              >
              >     Hi Nitin,
              >
              >     what VPN product is running on the server, since 1) it produces
              >     notifications in an invalid format and 2) it probably speaks
              >     IKEv1 only, because it replies with INVALID_MAJOR_VERSION to
              >     an IKEv2 request?
              >
              >     Best regards
              >
              >     Andreas
              >
              >     On 28.07.2015 10:40, Nitin Agarwal wrote:
              >
              >         Hi Noel
              >
              >         I have done the changes, but still the tunnels are down for up to 10
              >         minutes, sometimes.
              >         This is what I got from Syslog, and these errors are different at
              >         different times :-
              >
              >         1)
              >         Jul 28 09:28:36 alix6f2-619703 charon: 12[IKE] initiating IKE_SA 52.64.105.113_cnc[2] to 52.74.240.246
              >         Jul 28 09:28:36 alix6f2-619703 charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
              >         Jul 28 09:28:36 alix6f2-619703 charon: 12[NET] sending packet: from 100.116.187.100[500] to 52.74.240.246[500]
              >         Jul 28 09:28:37 alix6f2-619703 charon: 16[NET] received packet: from 52.74.240.246[500] to 100.116.187.100[500]
              >         Jul 28 09:28:37 alix6f2-619703 charon: 16[ENC] invalid notify data length for INVALID_MAJOR_VERSION (20)
              >         Jul 28 09:28:37 alix6f2-619703 charon: 16[ENC] *NOTIFY payload verification failed *
              >         Jul 28 09:28:37 alix6f2-619703 charon: 16[IKE] IKE_SA_INIT response with message ID 0 processing failed
              >         Jul 28 09:28:40 alix6f2-619703 charon: 13[IKE] retransmit 1 of request with message ID 0
              >
              >
              >         2)
              >         Jul 28 09:29:40 alix6f2-619703 charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
              >         Jul 28 09:29:40 alix6f2-619703 charon: 13[NET] sending packet: from 100.116.187.100[500] to 52.74.240.246[500]
              >         Jul 28 09:29:41 alix6f2-619703 charon: 16[NET] received packet: from 52.74.240.246[500] to 100.116.187.100[500]
              >         Jul 28 09:29:41 alix6f2-619703 charon: 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
              >         Jul 28 09:29:41 alix6f2-619703 charon: 16[IKE]*received INVALID_SYNTAX notify error *
              >
              >
              >         can anybody please suggest why this is happening ?
              >
              >
              >
              >
              >         *Best Regards*
              >         *Nitin Agarwal*
              >
              >
              >
              >
              >
              >
              >         On Wed, Jul 22, 2015 at 3:59 PM, Noel Kuntze <[email protected]> wrote:
              >
              >
              > Hello Nitin,
              >
              > You're using IKEv2, which uses a global timeout setting in
              > strongswan.conf, not dpdtimeout.
              > From the man page for ipsec.conf:
              >         dpdtimeout = 150s | <time>
              >                defines the timeout interval, after which all
              >                connections to a peer are deleted in case of inactivity.
              >                This only applies to IKEv1, in IKEv2 the default
              >                retransmission timeout applies, as every exchange is
              >                used to detect dead peers.
              >
              > Look at the "IKEv2 RETRANSMISSION" section of the man page for
              > strongswan.conf.
              >
              > Alternatively, use IKEv1.
              >
              > Mit freundlichen Grüßen/Kind Regards,
              > Noel Kuntze
              >
              > GPG Key ID: 0x63EC6658
              > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
              >
              > On 22.07.2015 at 07:26, Nitin Agarwal wrote:
              >> Hello Guys
              >
              >> I am trying to achieve stable tunnel connectivity between two systems.
              >> My System 1 is a modem having ppp connection. And, System 2 is a server.
              >
              >> On System 1, IP use to change and whenever IP changes,
              >> sometimes system takes up to 20 minutes to form stable tunnel.
              >> Sometimes it is just 50 seconds also. PPP connection takes around 25
              >> seconds to release old IP and acquire new one.
              >
              >> I am attaching the existing configuration.
              >> Please suggest, if I need to modify the configurations or
              >> I am missing something.
              >
              >
              >
              >
              >  > *Best Regards*
              >  > *Nitin Agarwal*
              >
              >
              >
              >
              >
              >
              >
              >
              >  > This message (and any associated files) is intended only for the
              >  > use of the individual or entity to which it is addressed and may
              >  > contain information that is confidential, subject to copyright or
              >  > constitutes a trade secret. If you are not the intended recipient
              >  > you are hereby notified that any dissemination, copying or
              >  > distribution of this message, or files associated with this message,
              >  > is strictly prohibited. If you have received this message in error,
              >  > please notify Symstream Technology Group immediately by replying to
              >  > the message and deleting it from your computer. Messages sent to and
              >  > from us may be monitored. Internet communications cannot be
              >  > guaranteed to be secure or error-free as information could be
              >  > intercepted, corrupted, lost, destroyed, arrive late or incomplete,
              >  > or contain viruses. Therefore, we do not accept responsibility for
              >  > any errors or omissions that are present in this message, or any
              >  > attachment, that have arisen as a result of e-mail transmission. If
              >  > verification is required, please request a hard-copy version. Any
              >  > views or opinions presented are solely those of the author and do
              >  > not necessarily represent those of the company.
              >  > -------------------------
              >
              >
              >  > _______________________________________________
              >  > Users mailing list
              >  > [email protected]
              >  > https://lists.strongswan.org/mailman/listinfo/users
              >
              >
              >
              >
              >
             >
             >
             >     --
             >     ======================================================================
             >     Andreas Steffen                         [email protected]
             >     strongSwan - the Open Source VPN Solution!          www.strongswan.org
             >     Institute for Internet Technologies and Applications
             >     University of Applied Sciences Rapperswil
             >     CH-8640 Rapperswil (Switzerland)
             >     ===========================================================[ITA-HSR]==
             >
             >
             >




--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
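
An added example, not part of the thread and not strongSwan code: it computes the IKEv2 retransmission backoff that the thread points to and checks whether the spacing of the server's "is initiating an IKE_SA" lines quoted above fits it. The values 4.0 / 1.8 / 5 are assumed to be the strongswan.conf defaults for charon.retransmit_timeout, retransmit_base and retransmit_tries; the function names, the 1.5 s tolerance and the year are assumptions of this example.

```python
import re
from datetime import datetime

# Assumed charon.retransmit_* defaults from strongswan.conf; use your own values.
RETRANSMIT_TIMEOUT = 4.0
RETRANSMIT_BASE = 1.8
RETRANSMIT_TRIES = 5

# Server-side lines quoted in the thread (wrapped lines rejoined).
SERVER_LOG = """\
Jul 27 23:28:37 s5-gw-sing charon: 03[IKE] 27.97.11.233 is initiating an IKE_SA
Jul 27 23:28:41 s5-gw-sing charon: 04[IKE] 27.97.11.233 is initiating an IKE_SA
Jul 27 23:28:49 s5-gw-sing charon: 04[IKE] 27.97.11.233 is initiating an IKE_SA
Jul 27 23:29:01 s5-gw-sing charon: 01[IKE] 27.97.11.233 is initiating an IKE_SA
Jul 27 23:29:07 s5-gw-sing charon: 03[JOB] deleting half open IKE_SA after timeout
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (?P<msg>.*)$"
)
INIT_RE = re.compile(r"^(?P<peer>\S+) is initiating an IKE_SA$")


def backoff_schedule(timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE,
                     tries=RETRANSMIT_TRIES):
    """Waits in seconds: before retransmit 1..tries, then before giving up."""
    return [timeout * base ** n for n in range(tries + 1)]


def analyse(log_text, tolerance=1.5, year=2015):
    """Group IKE_SA_INIT arrivals per peer and compare their spacing with the
    backoff schedule. syslog has 1 s resolution, hence the tolerance."""
    schedule = backoff_schedule()
    arrivals, half_open = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # syslog timestamps carry no year; one is supplied to get valid deltas.
        stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        init = INIT_RE.match(m["msg"])
        if init:
            arrivals.setdefault(init["peer"], []).append(stamp)
        elif m["msg"].startswith("deleting half open IKE_SA"):
            half_open += 1
    report = {}
    for peer, stamps in arrivals.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # More gaps than retransmit tries cannot be a single request's retries.
        fits = (0 < len(gaps) <= RETRANSMIT_TRIES and
                all(abs(g - e) <= tolerance for g, e in zip(gaps, schedule)))
        report[peer] = {"gaps": gaps, "fits_backoff": fits}
    return report, half_open


if __name__ == "__main__":
    print("schedule:", [round(s, 1) for s in backoff_schedule()],
          "total:", round(sum(backoff_schedule()), 1))
    print(analyse(SERVER_LOG))
```

Gaps that fit the schedule are consistent with one initiator retransmitting the same IKE_SA_INIT request rather than starting independent attempts.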
