Issue #836
invalid HASH_V1 payload length, decryption failed? could not decrypt payloads, message parsing failed, ignore malformed INFORMATIONAL request
Affected version:
5.1.2
Resolution:
No feedback
Description
ipsec.conf
----------
config setup
    plutostart=yes
    nat_traversal=yes

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2
    rightcert=clientCert.pem
    pfs=no
    dpdaction=clear
    auto=add
log
-------
received packet: from 61.17.42.189[500] to 192.168.0.9[500] (668 bytes)
Jan 28 12:00:13 cloud charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Jan 28 12:00:13 cloud charon: 09[IKE] received NAT-T (RFC 3947) vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received XAuth vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received Cisco Unity vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received FRAGMENTATION vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] received DPD vendor ID
Jan 28 12:00:13 cloud charon: 09[IKE] 61.17.42.189 is initiating a Main Mode IKE_SA
Jan 28 12:00:13 cloud charon: 09[ENC] generating ID_PROT response 0 [ SA V V V ]
Jan 28 12:00:13 cloud charon: 09[NET] sending packet: from 192.168.0.9[500] to 61.17.42.189[500] (136 bytes)
Jan 28 12:00:14 cloud charon: 10[NET] received packet: from 61.17.42.189[500] to 192.168.0.9[500] (292 bytes)
Jan 28 12:00:14 cloud charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 28 12:00:14 cloud charon: 10[IKE] local host is behind NAT, sending keep alives
Jan 28 12:00:14 cloud charon: 10[IKE] remote host is behind NAT
Jan 28 12:00:14 cloud charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jan 28 12:00:14 cloud charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jan 28 12:00:14 cloud charon: 10[ENC] generating ID_PROT response 0 [ KE No CERTREQ CERTREQ NAT-D NAT-D ]
Jan 28 12:00:14 cloud charon: 10[NET] sending packet: from 192.168.0.9[500] to 61.17.42.189[500] (443 bytes)
Jan 28 12:00:14 cloud charon: 11[NET] received packet: from 61.17.42.189[4500] to 192.168.0.9[4500] (1180 bytes)
Jan 28 12:00:14 cloud charon: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Jan 28 12:00:14 cloud charon: 11[IKE] ignoring certificate request without data
Jan 28 12:00:14 cloud charon: 11[IKE] received end entity cert "C=CH, O=strongSwan, CN=client"
Jan 28 12:00:14 cloud charon: 11[CFG] looking for XAuthInitRSA peer configs matching 192.168.0.9...61.17.42.189[C=CH, O=strongSwan, CN=client]
Jan 28 12:00:14 cloud charon: 11[CFG] selected peer config "ios"
Jan 28 12:00:14 cloud charon: 11[CFG] using certificate "C=CH, O=strongSwan, CN=client"
Jan 28 12:00:14 cloud charon: 11[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Jan 28 12:00:14 cloud charon: 11[CFG] checking certificate status of "C=CH, O=strongSwan, CN=client"
Jan 28 12:00:14 cloud charon: 11[CFG] certificate status is not available
Jan 28 12:00:14 cloud charon: 11[CFG] reached self-signed root ca with a path length of 0
Jan 28 12:00:14 cloud charon: 11[IKE] authentication of 'C=CH, O=strongSwan, CN=client' with RSA successful
Jan 28 12:00:14 cloud charon: 11[IKE] authentication of 'C=CH, O=strongSwan, CN=bsnl.xminds.in' (myself) successful
Jan 28 12:00:14 cloud charon: 11[IKE] sending end entity cert "C=CH, O=strongSwan, CN=bsnl.xminds.in"
Jan 28 12:00:14 cloud charon: 11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Jan 28 12:00:14 cloud charon: 11[NET] sending packet: from 192.168.0.9[4500] to 61.17.42.189[4500] (1228 bytes)
Jan 28 12:00:14 cloud charon: 11[ENC] generating TRANSACTION request 1448838146 [ HASH CPRQ(X_USER X_PWD) ]
Jan 28 12:00:14 cloud charon: 11[NET] sending packet: from 192.168.0.9[4500] to 61.17.42.189[4500] (76 bytes)
Jan 28 12:00:14 cloud charon: 12[NET] received packet: from 61.17.42.189[4500] to 192.168.0.9[4500] (76 bytes)
Jan 28 12:00:14 cloud charon: 12[ENC] invalid HASH_V1 payload length, decryption failed?
Jan 28 12:00:14 cloud charon: 12[ENC] could not decrypt payloads
Jan 28 12:00:14 cloud charon: 12[IKE] message parsing failed
Jan 28 12:00:14 cloud charon: 12[IKE] ignore malformed INFORMATIONAL request
Jan 28 12:00:14 cloud charon: 12[IKE] INFORMATIONAL_V1 request with message ID 1269831636 processing failed
Jan 28 12:00:18 cloud charon: 13[IKE] sending retransmit 1 of request message ID 1448838146, seq 1
Jan 28 12:00:18 cloud charon: 13[NET] sending packet: from 192.168.0.9[4500] to 61.17.42.189[4500] (76 bytes)
Jan 28 12:00:25 cloud charon: 14[IKE] sending retransmit 2 of request message ID 1448838146, seq 1
Jan 28 12:00:25 cloud charon: 14[NET] sending packet: from 192.168.0.9[4500] to 61.17.42.189[4500] (76 bytes)
Jan 28 12:00:38 cloud charon: 04[IKE] sending retransmit 3 of request message ID 1448838146, seq 1
Jan 28 12:00:38 cloud charon: 04[NET] sending packet: from 192.168.0.9[4500] to 61.17.42.189[4500] (76 bytes)
Jan 28 12:00:43 cloud charon: 05[JOB] deleting half open IKE_SA after timeout
Jan 28 12:01:19 cloud charon: 08[NET] received packet: from 61.17.42.189[500] to 192.168.0.9[500] (668 bytes)
Jan 28 12:01:19 cloud charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Jan 28 12:01:19 cloud charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received XAuth vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received Cisco Unity vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received FRAGMENTATION vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] received DPD vendor ID
Jan 28 12:01:19 cloud charon: 08[IKE] 61.17.42.189 is initiating a Main Mode IKE_SA
Jan 28 12:01:19 cloud charon: 08[ENC] generating ID_PROT response 0 [ SA V V V ]
Jan 28 12:01:19 cloud charon: 08[NET] sending packet: from 192.168.0.9[500] to 61.17.42.189[500] (136 bytes)
Jan 28 12:01:20 cloud charon: 09[NET] received packet: from 61.17.42.189[500] to 192.168.0.9[500] (292 bytes)
Jan 28 12:01:20 cloud charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 28 12:01:20 cloud charon: 09[IKE] local host is behind NAT, sending keep alives
Jan 28 12:01:20 cloud charon: 09[IKE] remote host is behind NAT
Jan 28 12:01:20 cloud charon: 09[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jan 28 12:01:20 cloud charon: 09[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Jan 28 12:01:20 cloud charon: 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ CERTREQ NAT-D NAT-D ]
Jan 28 12:01:20 cloud charon: 09[NET] sending packet: from 192.168.0.9[500] to 61.17.42.189[500] (443 bytes)
Jan 28 12:01:20 cloud charon: 10[NET] received packet: from 61.17.42.189[4500] to 192.168.0.9[4500] (1180 bytes)
Jan 28 12:01:20 cloud charon: 10[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Jan 28 12:01:20 cloud charon: 10[IKE] ignoring certificate request without data
Jan 28 12:01:20 cloud charon: 10[IKE] received end entity cert "C=CH, O=strongSwan, CN=client"
Jan 28 12:01:20 cloud charon: 10[CFG] looking for XAuthInitRSA peer configs matching 192.168.0.9...61.17.42.189[C=CH, O=strongSwan, CN=client]
Jan 28 12:01:20 cloud charon: 10[CFG] selected peer config "ios"
Jan 28 12:01:20 cloud charon: 10[CFG] using certificate "C=CH, O=strongSwan, CN=client"
Jan 28 12:01:20 cloud charon: 10[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
Jan 28 12:01:20 cloud charon: 10[CFG] checking certificate status of "C=CH, O=strongSwan, CN=client"
Jan 28 12:01:20 cloud charon: 10[CFG] certificate status is not available
Jan 28 12:01:20 cloud charon: 10[CFG] reached self-signed root ca with a path length of 0
Jan 28 12:01:20 cloud charon: 10[IKE] authentication of 'C=CH, O=strongSwan, CN=client' with RSA successful
Jan 28 12:01:20 cloud charon: 10[IKE] authentication of 'C=CH, O=strongSwan, CN=bsnl.xminds.in' (myself) successful
Jan 28 12:01:20 cloud charon: 10[IKE] sending end entity cert "C=CH, O=strongSwan, CN=bsnl.xminds.in"
Jan 28 12:01:20 cloud charon: 10[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Jan 28 12:01:20 cloud charon: 10[NET] sending packet: from 192.168.0.9[4500] to 61.17.42.189[4500] (1228 bytes)
Jan 28 12:01:20 cloud charon: 10[ENC] generating TRANSACTION request 1842749079 [ HASH CPRQ(X_USER X_PWD) ]
Jan 28 12:01:20 cloud charon: 10[NET] sending packet: from 192.168.0.9[4500] to 61.17.42.189[4500] (76 bytes)
Jan 28 12:01:21 cloud charon: 11[NET] received packet: from 61.17.42.189[4500] to 192.168.0.9[4500] (76 bytes)
Jan 28 12:01:21 cloud charon: 11[ENC] invalid HASH_V1 payload length, decryption failed?
Jan 28 12:01:21 cloud charon: 11[ENC] could not decrypt payloads
Jan 28 12:01:21 cloud charon: 11[IKE] message parsing failed
Jan 28 12:01:21 cloud charon: 11[IKE] ignore malformed INFORMATIONAL request
Jan 28 12:01:21 cloud charon: 11[IKE] INFORMATIONAL_V1 request with message ID 1855757066 processing failed
Jan 28 12:01:24 cloud charon: 12[IKE] sending retransmit 1 of request message ID 1842749079, seq 1
Jan 28 12:01:24 cloud charon: 12[NET] sending packet: from 192.168.0.9[4500] to 61.17.42.189[4500] (76 bytes)
Jan 28 12:01:31 cloud charon: 13[IKE] sending retransmit 2 of request message ID 1842749079, seq 1
Jan 28 12:01:31 cloud charon: 13[NET] sending packet: from 192.168.0.9[4500] to 61.17.42.189[4500] (76 bytes)
Please help meeee....
Related issues
History
#1 Updated by Tobias Brunner over 10 years ago
- Description updated (diff)
- Status changed from New to Feedback
- Assignee deleted (Andreas Steffen)
- Priority changed from Urgent to Normal
For some reason the client sends an invalid (maybe unencrypted) INFORMATIONAL request after the server requests XAuth authentication. Maybe to delete the SA. Which in turn might be because the client is not configured correctly. What clients are you using? Are they configured for XAuth authentication?
#2 Updated by Tobias Brunner over 10 years ago
- Related to Issue #570: Android native VPN client to Strongswan problem added
#3 Updated by Tobias Brunner about 10 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No feedback
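
The failure sequence in the log above (XAuth TRANSACTION request, an undecryptable INFORMATIONAL from the client, retransmits, half-open IKE_SA timeout) can be picked out of a charon log mechanically. The following is an added example, not part of the original issue or of strongSwan; the function name is hypothetical, the sample lines are a constructed excerpt of the log above, and the "parsed TRANSACTION response" form of a successful reply is an assumption modelled on the "parsed ID_PROT request" lines.

```python
import re

TX = re.compile(r"generating TRANSACTION request (\d+) \[ HASH CPRQ\(X_USER X_PWD\) \]")
# Assumed form of a parsable XAuth reply, modelled on "parsed ID_PROT request 0".
REPLY = re.compile(r"parsed TRANSACTION response (\d+) ")
BAD_INFO = re.compile(r"INFORMATIONAL_V1 request with message ID (\d+) processing failed")
RETX = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
TIMEOUT = "deleting half open IKE_SA after timeout"

def stalled_xauth(lines):
    """One record per XAuth request that never got a parsable reply (one client at a time)."""
    done, cur = [], None
    for line in lines:
        if m := TX.search(line):
            if cur:
                done.append(cur)
            cur = {"xauth_mid": int(m[1]), "bad_informational": [],
                   "retransmits": 0, "timed_out": False}
        elif cur is None:
            continue
        elif (m := REPLY.search(line)) and int(m[1]) == cur["xauth_mid"]:
            cur = None  # client answered the XAuth request
        elif m := BAD_INFO.search(line):
            cur["bad_informational"].append(int(m[1]))  # undecryptable message from peer
        elif (m := RETX.search(line)) and int(m[2]) == cur["xauth_mid"]:
            cur["retransmits"] = max(cur["retransmits"], int(m[1]))
        elif TIMEOUT in line:
            cur["timed_out"] = True
            done.append(cur)
            cur = None
    if cur:
        done.append(cur)
    return done

# Constructed excerpt of the log above (syslog prefix dropped, unrelated lines omitted).
SAMPLE = """\
11[ENC] generating TRANSACTION request 1448838146 [ HASH CPRQ(X_USER X_PWD) ]
12[ENC] invalid HASH_V1 payload length, decryption failed?
12[IKE] INFORMATIONAL_V1 request with message ID 1269831636 processing failed
13[IKE] sending retransmit 1 of request message ID 1448838146, seq 1
14[IKE] sending retransmit 2 of request message ID 1448838146, seq 1
04[IKE] sending retransmit 3 of request message ID 1448838146, seq 1
05[JOB] deleting half open IKE_SA after timeout
10[ENC] generating TRANSACTION request 1842749079 [ HASH CPRQ(X_USER X_PWD) ]
11[IKE] INFORMATIONAL_V1 request with message ID 1855757066 processing failed
12[IKE] sending retransmit 1 of request message ID 1842749079, seq 1
13[IKE] sending retransmit 2 of request message ID 1842749079, seq 1
"""
```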