Issue #3638

IKEv2 received INVALID_SYNTAX notify error on initiation with Palo Alto, Azure,..

Added by Andre Valentin 5 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Category:
interoperability
Affected version:
5.9.1
Resolution:
No change required

Description

Hi!

We are using Strongswan 5.9.1 to establish multiple tunnels. I've changed the default to IKEv2 for new tunnels, but I constantly get SYNTAX_ERROR when setting these up.
This happened at least with: Palo Alto v9, Azure, Checkpoint

If Strongswan acts as a responder, all works fine.

Strongswan Config:

palo {
    local_addrs  = XX.14.XX.98
    remote_addrs = XX.14.XX.88

    unique = replace
    send_certreq = false
    mediation = no

    local {
        auth = psk
        id = XX.14.XX.98
    }
    remote {
        auth = psk
        id = XX.14.XX.88
    }
    children {
        palo_sa1 {
            local_ts  = 0.0.0.0/0
            remote_ts = 0.0.0.0/0

            start_action = trap
            life_time = 27000s
            rekey_time = 26500s
            esp_proposals = aes256gcm16-modp2048
            dpd_action = trap
        }
    }
    keyingtries = 0
    dpd_delay = 30
    version = 2
    mobike = no
    rekey_time = 23h
    over_time = 1h
    encap = no
    proposals = aes256-sha256-modp2048
}

If I initiate I get this:

[IKE] initiating IKE_SA palo[6] to XX.14.XX.88
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from XX.14.XX.98[500] to XX.14.XX.88[500] (464 bytes)
[NET] received packet: from XX.14.XX.88[500] to XX.14.XX.98[500] (376 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] authentication of 'XX.14.XX.98' (myself) with pre-shared key
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from XX.14.XX.98[500] to XX.14.XX.88[500] (160 bytes)
[NET] received packet: from XX.14.XX.88[500] to XX.14.XX.98[500] (80 bytes)
[ENC] parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
[IKE] received INVALID_SYNTAX notify error
initiate failed: establishing IKE_SA 'palo' failed

The responder logs this:

2020-11-24 15:15:38.645 +0100  [PNTF]: {    6:     }: ====> IKEv2 IKE SA NEGOTIATION STARTED AS RESPONDER, non-rekey; gateway Strongswan <====
                                                      ====> Initiated SA: XX.14.XX.88[500]-XX.14.XX.98[500] SPI:141a07d3c6d5e968:8a4c18076c5332e8 SN:16897 <====
2020-11-24 15:15:38.645 +0100  [PWRN]: {    6:     }: XX.14.XX.88[500] - XX.14.XX.98[500]:0x10343b30 ignoring unauthenticated notify payload (NAT_DETECTION_SOURCE_IP)
2020-11-24 15:15:38.645 +0100  [PWRN]: {    6:     }: XX.14.XX.88[500] - XX.14.XX.98[500]:0x10343b30 ignoring unauthenticated notify payload (NAT_DETECTION_DESTINATION_IP)
2020-11-24 15:15:38.645 +0100  [PWRN]: {    6:     }: XX.14.XX.88[500] - XX.14.XX.98[500]:0x10343b30 ignoring unauthenticated notify payload (16430)
2020-11-24 15:15:38.645 +0100  [PWRN]: {    6:     }: XX.14.XX.88[500] - XX.14.XX.98[500]:0x10343b30 ignoring unauthenticated notify payload (16431)
2020-11-24 15:15:38.645 +0100  [PWRN]: {    6:     }: XX.14.XX.88[500] - XX.14.XX.98[500]:0x10343b30 ignoring unauthenticated notify payload (16406)
2020-11-24 15:15:38.663 +0100  [INFO]: {    6:     }: XX.14.XX.88[500] - XX.14.XX.98[500]:0xffdf4a7de0 authentication result: success
2020-11-24 15:15:38.663 +0100  [PWRN]: {    6:     }: 16384 is not a child notify type
2020-11-24 15:15:38.663 +0100  [INFO]: {    6:     }: received Notify payload protocol 0 type INITIAL_CONTACT
2020-11-24 15:15:38.663 +0100  [PWRN]: {    6:     }: 16417 is not a child notify type
2020-11-24 15:15:38.663 +0100  [INFO]: {    6:     }: received Notify payload protocol 0 type EAP_ONLY_AUTHENTICATION
2020-11-24 15:15:38.663 +0100  [PWRN]: {    6:     }: 16420 is not a child notify type
2020-11-24 15:15:38.663 +0100  [INFO]: {    6:     }: received Notify payload protocol 0 type 16420
2020-11-24 15:15:38.663 +0100  [PERR]: {    6:     }: XX.14.XX.88[500] - XX.14.XX.98[500]:0xffdf4a7de0 unexpected message format
2020-11-24 15:15:38.663 +0100  [INFO]: {    6:     }: XX.14.XX.88[500] - XX.14.XX.98[500]:(nil) closing IKEv2 SA Strongswan:16897, code 15
2020-11-24 15:15:38.663 +0100  [PNTF]: {    6:     }: ====> IKEv2 IKE SA NEGOTIATION FAILED AS RESPONDER, non-rekey; gateway Strongswan <====

I cannot get logs from Azure, but I think it will be the same problem. I disabled all plugins, which made no difference.
Lifetime, ciphers and dhgroup have been changed to verify it is independent from this.

Do you have a hint where to start, or can you help me?

Kind regards

History

#1 Updated by Tobias Brunner 5 months ago

  • Status changed from New to Feedback
  • Priority changed from High to Normal

It seems you are initiating only an IKE_SA, not a CHILD_SA (the IKE_AUTH request is missing SA and TS payloads etc.). Childless initiation is usually only done if the peer actually supports it. How exactly are you initiating this connection? Did you patch any code?
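
The observation above can be turned into a quick log check. The script below is an added example (not code from this issue or from strongSwan): it reads the initiator's [ENC] lines in the format shown in the report, flags an IKE_AUTH request that carries no SA/TSi/TSr payloads (a childless initiation, RFC 6023), and reports when the peer answered it with N(INVAL_SYN). The sample log lines are constructed from this report; the swanctl option names in the advice string are the standard ones.

```python
import re

# Constructed sample, modelled on the initiator log in this issue (addresses redacted as reported).
CHILDLESS_LOG = """\
[IKE] initiating IKE_SA palo[6] to XX.14.XX.88
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No ]
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[ENC] parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
[IKE] received INVALID_SYNTAX notify error
"""

# Constructed sample of an IKE_AUTH that also negotiates a CHILD_SA (SA, TSi, TSr present).
NORMAL_LOG = """\
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
"""

MSG_RE = re.compile(r"\[ENC\] (generating|parsed) (\w+) (request|response) (\d+) \[ (.*?) \]")
CHILD_PAYLOADS = {"SA", "TSi", "TSr"}   # payloads that carry the CHILD_SA proposal and selectors


def parse_messages(log_text):
    """Yield (kind, exchange, msg_id, payload_names) for every [ENC] generating/parsed line."""
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            _verb, exchange, kind, msg_id, body = m.groups()
            yield kind, exchange, int(msg_id), set(body.split())


def diagnose(log_text):
    """Check whether an IKE_AUTH request went out childless and how the peer answered it."""
    requests, responses = {}, {}
    for kind, exchange, msg_id, plds in parse_messages(log_text):
        if exchange == "IKE_AUTH":
            (requests if kind == "request" else responses)[msg_id] = plds
    findings = {"childless_ike_auth": False, "invalid_syntax": False, "advice": None}
    for msg_id, plds in requests.items():
        if plds.isdisjoint(CHILD_PAYLOADS):          # no SA/TSi/TSr: childless initiation
            findings["childless_ike_auth"] = True
            if "N(INVAL_SYN)" in responses.get(msg_id, set()):
                findings["invalid_syntax"] = True
                findings["advice"] = ("peer rejected a childless IKE_SA; initiate the CHILD_SA "
                                      "(swanctl --initiate --child <name>) rather than only the "
                                      "IKE_SA (swanctl --initiate --ike <name>)")
    return findings


if __name__ == "__main__":
    print(diagnose(CHILDLESS_LOG))
```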

#2 Updated by Andre Valentin 5 months ago

Hello Tobias,

thank you very much. I just initiated the IKE phase, not the child. It all works as expected.

Sorry for the noise!

Please close.

#3 Updated by Tobias Brunner 5 months ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required