[strongSwan] reconnect "loop" with: invalid HASH_V1 payload length, decryption failed

2021-08-03 Thread Lorenzo Milesi
I have a tunnel between a Fortigate 50E and a StrongSwan 5.8.2 server. The tunnel 
is normally up and running, but every x minutes the connection is dropped for 
one minute and then comes up again.
I checked the FAQs about that error, so I tried explicitly setting the PSK for the 
IP address (I had %any before); it seems to last longer, but the drop is still 
happening regularly.
Why doesn't rekeying work if the connection does?
thanks


Aug  4 08:04:32 vpn01 charon: 06[ENC] generating QUICK_MODE request 1670801381 [ HASH SA No KE ID ID ]
Aug  4 08:04:32 vpn01 charon: 06[NET] sending packet: from strongswan_ip[4500] to forti_ip[4500] (588 bytes)
Aug  4 08:04:32 vpn01 charon: 07[NET] received packet: from forti_ip[4500] to strongswan_ip[4500] (92 bytes)
Aug  4 08:04:32 vpn01 charon: 07[ENC] parsed INFORMATIONAL_V1 request 2622873796 [ HASH D ]
Aug  4 08:04:32 vpn01 charon: 07[IKE] received DELETE for ESP CHILD_SA with SPI 168c51e3
Aug  4 08:04:32 vpn01 charon: 07[IKE] CHILD_SA not found, ignored
Aug  4 08:04:32 vpn01 charon: 08[NET] received packet: from forti_ip[4500] to strongswan_ip[4500] (92 bytes)
Aug  4 08:04:32 vpn01 charon: 08[ENC] parsed INFORMATIONAL_V1 request 474486553 [ HASH D ]
Aug  4 08:04:32 vpn01 charon: 08[IKE] received DELETE for ESP CHILD_SA with SPI 168c51e1
Aug  4 08:04:32 vpn01 charon: 08[IKE] CHILD_SA not found, ignored
Aug  4 08:04:32 vpn01 charon: 16[NET] received packet: from forti_ip[4500] to strongswan_ip[4500] (92 bytes)
Aug  4 08:04:32 vpn01 charon: 16[ENC] parsed INFORMATIONAL_V1 request 3851758626 [ HASH D ]
Aug  4 08:04:32 vpn01 charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI 168c51e2
Aug  4 08:04:32 vpn01 charon: 16[IKE] CHILD_SA not found, ignored
Aug  4 08:04:32 vpn01 charon: 12[NET] received packet: from forti_ip[4500] to strongswan_ip[4500] (92 bytes)
Aug  4 08:04:32 vpn01 charon: 12[ENC] parsed INFORMATIONAL_V1 request 3352306708 [ HASH D ]
Aug  4 08:04:32 vpn01 charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 168c51e4
Aug  4 08:04:32 vpn01 charon: 12[IKE] CHILD_SA not found, ignored
Aug  4 08:04:32 vpn01 charon: 11[NET] received packet: from forti_ip[4500] to strongswan_ip[4500] (572 bytes)
Aug  4 08:04:32 vpn01 charon: 11[ENC] parsed QUICK_MODE request 2074613372 [ HASH SA No KE ID ID ]
Aug  4 08:04:32 vpn01 charon: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_3072/NO_EXT_SEQ
Aug  4 08:04:32 vpn01 charon: 11[IKE] received 3600s lifetime, configured 86400s
Aug  4 08:04:32 vpn01 charon: 15[IKE] remote host is behind NAT
Aug  4 08:04:32 vpn01 charon: 14[IKE] remote host is behind NAT
Aug  4 08:04:32 vpn01 charon: 11[ENC] generating QUICK_MODE response 2074613372 [ HASH SA No KE ID ID ]
Aug  4 08:04:33 vpn01 charon: 11[NET] sending packet: from strongswan_ip[4500] to forti_ip[4500] (588 bytes)
Aug  4 08:04:33 vpn01 charon: 12[NET] received packet: from forti_ip[4500] to strongswan_ip[4500] (604 bytes)
Aug  4 08:04:33 vpn01 charon: 12[ENC] invalid HASH_V1 payload length, decryption failed?
Aug  4 08:04:33 vpn01 charon: 12[ENC] could not decrypt payloads
Aug  4 08:04:33 vpn01 charon: 12[IKE] message parsing failed
Aug  4 08:04:33 vpn01 charon: 12[ENC] generating INFORMATIONAL_V1 request 2030801044 [ HASH N(PLD_MAL) ]
Aug  4 08:10:03 vpn01 charon: 10[IKE] giving up after 5 retransmits
Aug  4 08:10:03 vpn01 charon: 10[IKE] restarting CHILD_SA remote01-lan
Aug  4 08:10:03 vpn01 charon: 10[IKE] initiating Main Mode IKE_SA remote01-base[151609] to forti_ip
Aug  4 08:10:03 vpn01 charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Aug  4 08:10:03 vpn01 charon: 10[NET] sending packet: from strongswan_ip[500] to forti_ip[500] (240 bytes)
Aug  4 08:10:03 vpn01 charon: 10[IKE] restarting CHILD_SA remote01-wifi
Aug  4 08:10:03 vpn01 charon: 11[NET] received packet: from forti_ip[500] to strongswan_ip[500] (188 bytes)
Aug  4 08:10:03 vpn01 charon: 11[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
Aug  4 08:10:03 vpn01 charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
Aug  4 08:10:03 vpn01 charon: 11[IKE] received DPD vendor ID
Aug  4 08:10:03 vpn01 charon: 11[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Aug  4 08:10:03 vpn01 charon: 11[IKE] received FRAGMENTATION vendor ID
Aug  4 08:10:03 vpn01 charon: 11[IKE] received FRAGMENTATION vendor ID
Aug  4 08:10:03 vpn01 charon: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Aug  4 08:10:03 vpn01 charon: 08[KNL] creating delete job for CHILD_SA ESP/0xc4e0d6cf/strongswan_ip
Aug  4 08:10:03 vpn01 charon: 08[JOB] CHILD_SA ESP/0xc4e0d6cf/strongswan_ip not found for delete
Aug  4 08:10:03 vpn01 charon: 06[KNL] creating delete job for CHILD_SA ESP/0xc0b04a54/strongswan_ip
Aug  4 08:10:03 vpn01 charon: 06[JOB] CHILD_SA ESP/0xc0b04a54/strongswan_ip not found for delete
Aug  4 08:10:03 vpn01 charon: 11[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug  4 08:10:03 vpn01 charon: 11[NET] sendi
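An added example, not from the thread and not strongSwan code: a small Python detector that runs over charon syslog lines in the format pasted above and flags the two things worth noticing in this log, the lifetime mismatch (the peer proposes 3600s while strongSwan is configured for 86400s) and a Quick Mode response that is followed by a decryption failure and a CHILD_SA restart, reporting the retransmit count and how long the tunnel stayed down. The sample lines are a constructed, condensed excerpt in the same format; the syslog layout is the only assumption.

```python
"""Flag IKEv1 rekey failures and lifetime mismatches in a strongSwan charon syslog."""
import re
from datetime import datetime

# Constructed sample: a condensed excerpt in the same syslog format as the thread's log.
SAMPLE_LOG = """\
Aug  4 08:04:32 vpn01 charon: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_3072/NO_EXT_SEQ
Aug  4 08:04:32 vpn01 charon: 11[IKE] received 3600s lifetime, configured 86400s
Aug  4 08:04:32 vpn01 charon: 11[ENC] generating QUICK_MODE response 2074613372 [ HASH SA No KE ID ID ]
Aug  4 08:04:33 vpn01 charon: 12[ENC] invalid HASH_V1 payload length, decryption failed?
Aug  4 08:04:33 vpn01 charon: 12[ENC] could not decrypt payloads
Aug  4 08:04:33 vpn01 charon: 12[IKE] message parsing failed
Aug  4 08:10:03 vpn01 charon: 10[IKE] giving up after 5 retransmits
Aug  4 08:10:03 vpn01 charon: 10[IKE] restarting CHILD_SA remote01-lan
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[(?P<sub>\w+)\] (?P<msg>.*)$")
LIFETIME_RE = re.compile(r"received (\d+)s lifetime, configured (\d+)s")
RETRANS_RE = re.compile(r"giving up after (\d+) retransmits")

def parse(lines):
    """Yield (timestamp, subsystem, message) for each charon line; ignore anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["sub"], m["msg"]

def analyze(text):
    """Return lifetime mismatches and each rekey failure with its retransmits and outage in seconds."""
    findings = {"lifetime_mismatch": [], "rekey_failures": []}
    pending = False  # a QUICK_MODE response went out and the peer's reply has not been seen yet
    failed_at, retransmits = None, None
    for ts, _sub, msg in parse(text.splitlines()):
        lm = LIFETIME_RE.search(msg)
        if lm and lm.group(1) != lm.group(2):
            findings["lifetime_mismatch"].append((int(lm.group(1)), int(lm.group(2))))
        if msg.startswith("generating QUICK_MODE response"):
            pending, failed_at, retransmits = True, None, None
        elif pending and "could not decrypt payloads" in msg:
            failed_at, pending = ts, False  # the peer's reply to our Quick Mode response was unreadable
        elif failed_at and RETRANS_RE.match(msg):
            retransmits = int(RETRANS_RE.match(msg).group(1))
        elif failed_at and msg.startswith("restarting CHILD_SA"):
            findings["rekey_failures"].append({"child_sa": msg.split()[-1], "retransmits": retransmits,
                                               "outage_s": int((ts - failed_at).total_seconds())})
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Feed it the real journal with `analyze(open("/var/log/syslog").read())`; every restart after an undecryptable reply is listed until the next Quick Mode response.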

[strongSwan] Cannot connect from roadwarrior linux client to server with Letsencrypt cert

2021-08-03 Thread Lorenzo Milesi
Hi.
I've set up a roadwarrior server with Strongswan 5.8.2. Windows 10 clients 
connect successfully, while Linux ones don't.
When I try to bring up the connection I get:

received end entity cert "CN=vpn01.server.it"
  using certificate "CN=vpn01.server.it"
  using trusted intermediate ca certificate "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA"
checking certificate status of "CN=vpn01.server.it"
  requesting ocsp status from 'http://zerossl.ocsp.sectigo.com' ...
nonce in ocsp response doesn't match
ocsp check failed, fallback to crl
certificate status is not available
no issuer certificate found for "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA"
  issuer is "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
no trusted RSA public key found for 'vpn01.server.it'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 75.1.1.6[4500] to 95.1.8.6[4500] (65 bytes)
establishing connection 'vpn-vpn01' failed

In /etc/ipsec.d/cacerts I copied the fullchain and ca pem files from the server.
The LE certificate was issued using acme.sh; ZeroSSL comes from that.

I tried downloading the OCSP cert directly from the website but didn't know how to 
do it...

thanks.
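An added example, not from the thread and not part of strongSwan: the client log above fails on "no issuer certificate found" for the ZeroSSL intermediate, whose issuer is the USERTrust root. This Python script reproduces that check offline over a cacerts directory: it splits each PEM file into its certificates, asks the openssl CLI for subject and issuer, and lists every issuer DN that no certificate in the set carries as subject. The sample output is constructed from the DNs in the log, and the `subject=`/`issuer=` line format of OpenSSL 1.1+ is an assumption.

```python
"""Find chain gaps among the certificates strongSwan would load from a cacerts directory."""
import re
import subprocess
import sys
from pathlib import Path

# Constructed sample of `openssl x509 -noout -subject -issuer` output (OpenSSL 1.1+ format
# assumed) for the leaf and the ZeroSSL intermediate named in the thread, with no USERTrust root.
SAMPLE_OUTPUT = """\
subject=CN = vpn01.server.it
issuer=C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
subject=C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def split_pem(text):
    """Return every certificate block in a PEM file (a fullchain.pem holds several)."""
    return PEM_RE.findall(text)

def openssl_dn(pem_block):
    """Return the subject/issuer lines the openssl CLI prints for one PEM certificate."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                         input=pem_block, capture_output=True, text=True, check=True)
    return out.stdout

def parse_subject_issuer(text):
    """Turn concatenated -subject/-issuer output into (subject, issuer) pairs."""
    pairs, subject = [], None
    for line in text.splitlines():
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer=") and subject is not None:
            pairs.append((subject, line[len("issuer="):].strip()))
            subject = None
    return pairs

def missing_issuers(pairs):
    """Issuer DNs that no certificate in the set carries as its subject (self-signed roots excluded)."""
    subjects = {s for s, _ in pairs}
    return sorted({i for s, i in pairs if i != s and i not in subjects})

if __name__ == "__main__":
    # Usage: python3 chaincheck.py [/etc/ipsec.d/cacerts]
    cacerts = Path(sys.argv[1] if len(sys.argv) > 1 else "/etc/ipsec.d/cacerts")
    files = sorted(p for p in cacerts.iterdir() if p.is_file())
    output = "".join(openssl_dn(b) for f in files for b in split_pem(f.read_text()))
    for dn in missing_issuers(parse_subject_issuer(output)):
        print("no issuer certificate found for:", dn)
```

Compare the result with `ipsec listcacerts`, which shows what the daemon actually loaded rather than what is on disk.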



Re: [strongSwan] VPN Suddenly Stopped Forwarding Internet

2021-08-03 Thread Noel Kuntze

Hello Jody,

Please provide the output of `iptables-save`, and the output of `ipsec 
statusall` after you have tried to access the internet, while the client is still 
connected.

Kind regards
Noel

On 02.08.21 at 20:26, Jody Whitesides wrote:

Having trouble trying to understand why the VPN would suddenly stop allowing 
traffic to the internet (despite no changes to the server, and it was working fine 
for months). Devices can connect to the VPN and logs show they connect. 
However, they no longer get traffic to the internet or to the server itself. 
Unfortunately I don't understand the logs enough to know the direct reason, but 
I've included some connection logs after the config. Any help that can lead to 
a fix would be appreciated.

Here’s the config:

config setup
         charondebug     ="dmn 1,mgr 1,ike 1,chd 1,job 1,cfg 1,knl 1,net 1,tls 1,lib 1,enc 1,tnc 1"
         uniqueids       =no

conn %default
#        ike             =aes256-sha1-modp1024,3des-sha1-modp1024!
#        esp             =aes256-sha1,3des-sha1!
         fragmentation   =yes
         auto            =add
         dpdaction       =clear
         dpddelay        =40
         dpdtimeout      =130
         ikelifetime     =1h
         lifetime        =1h
         margintime      =9m
         rekeyfuzz       =100%
#        rekey           =yes
         aggressive      =no
         forceencaps     =yes
         left            =%any
         leftid          =(serverIP)
         leftcert        =(link to cert)
         leftsendcert    =always
         leftsubnet      =0.0.0.0/0,::/0
         right           =%any
         rightid         =%any
#        rightauth       =eap-mschapv2
         rightdns        =45.76.254.23,172.98.193.62,2001:19f0:5401:2a4a:5400:03ff:fe2b:271f
         rightsourceip   =10.10.10.1/24
         rightsubnet     =%dynamic

#conn mac
#       keyexchange     =ikev1
#       authby          =xauthpsk
#       xauth           =server
#       reauth          =yes

conn ios
         ike             =aes256-sha1-modp1024,3des-sha1-modp1024!
         esp             =aes256-sha1,3des-sha1!
         keyexchange     =ikev1
         mobike          =yes
         reauth          =yes
         rekey           =yes
         leftallowany    =yes
         lefthostaccess  =yes
         leftfirewall    =yes
         leftauth        =pubkey
         rightallowany   =yes
         rightauth       =pubkey
         rightauth2      =xauth
         rightfirewall   =yes
         rightcert       =(link to cert)

conn ikev2-vpn
         ike             =chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes128-sha1-modp1024,aes256-sha1-modp1024,3d>
         esp             =chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
         keyexchange     =ikev2
         type            =tunnel
         compress        =no
         rekey           =no
         rightauth       =eap-mschapv2
         rightsendcert   =never
         eap_identity    =%identity

Here’s the Log:
Aug  2 12:13:34 jodywhitesides charon-custom: 06[NET] received packet: from [IP of Device][500] to [IP of Server][500] (848 bytes)
Aug  2 12:13:34 jodywhitesides charon-custom: 06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received NAT-T (RFC 3947) vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received XAuth vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received Cisco Unity vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received FRAGMENTATION vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] received DPD vendor ID
Aug  2 12:13:34 jodywhitesides charon-custom: 06[IKE] [IP of Device] is initiating a Main Mode IKE_SA
Aug  2 12:13:34 jodywhitesides charon-custom: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug  2 12:13:34 jodywhitesides charon-custom: 06[ENC] generating ID_PROT response 0
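An added example, not from the thread: since Noel asks for the `iptables-save` output, this Python checker parses such a dump and reports whether the client pool from the config above (rightsourceip=10.10.10.1/24) is accepted through FORWARD in both directions and masqueraded on the way out, the three rules a road-warrior pool with private addresses normally needs before its clients can reach the internet. The dump is a constructed excerpt; the interface name eth0 and the exact rule shapes are assumptions, not rules posted in the thread.

```python
"""Check an iptables-save dump for the rules a VPN client pool needs to reach the internet."""
import ipaddress
import re

# rightsourceip=10.10.10.1/24 from the thread's config, normalised to the pool network
POOL = ipaddress.ip_network("10.10.10.1/24", strict=False)

# Constructed iptables-save excerpt (assumed), not output posted in the thread.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.10.10.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+) (?P<body>.*)$")

def parse_dump(text):
    """Return {(table, chain): [rule body, ...]} from iptables-save output."""
    rules, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()  # table header such as *nat or *filter
        m = RULE_RE.match(line)
        if m and table:
            rules.setdefault((table, m["chain"]), []).append(m["body"])
    return rules

def covers(body, flag, pool):
    """True if the rule's -s/-d prefix contains the whole client pool."""
    m = re.search(rf"(?:^| ){flag} (\S+)", body)
    return bool(m) and pool.subnet_of(ipaddress.ip_network(m.group(1), strict=False))

def check_pool_egress(text, pool=POOL):
    """Report which of the three rules for routed internet access from the pool are present."""
    rules = parse_dump(text)
    fwd = rules.get(("filter", "FORWARD"), [])
    nat = rules.get(("nat", "POSTROUTING"), [])
    return {
        # client traffic (arriving inside ESP) is allowed through FORWARD
        "forward_from_pool": any(covers(r, "-s", pool) and "-j ACCEPT" in r for r in fwd),
        # return traffic towards the clients is allowed through FORWARD
        "forward_to_pool": any(covers(r, "-d", pool) and "-j ACCEPT" in r for r in fwd),
        # pool addresses are private, so replies only come back if they are NATed on the way out
        "masquerade": any(covers(r, "-s", pool) and "-j MASQUERADE" in r for r in nat),
    }
```

Run it as `check_pool_egress(open("dump.txt").read())` on the saved ruleset; a False entry names the direction to look at first.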