Hi,

I'd be grateful for some help!

Trying to figure out what is going on with my Libre installation.

I keep getting the subject errors and the VPN pauses for several seconds as it renegotiates.

This occurs on 3 different installs that I have. All use the same certs from the same CA built via a template to reduce the chances of me making a mess of it ;-)

Almost certainly a misconfiguration, probably in the certs, but not sure which bit.

B. Rgds

John


Libreswan 4.12 built from github source on CentOS 7

Connecting to a Mikrotik Router with RouterOS 6

Errors:

INFORMATIONAL response has no corresponding IKE SA; message dropped

IKE SA authentication request rejected by peer: INVALID_SYNTAX


conn TestToHomeMain
    type=tunnel
    leftcert="Test_Server"
    rightcert="Mikrotik_Router"
    auto=add
    ikev2=insist
    ike=aes256-sha2;dh16
    esp=aes256-sha2
    encapsulation=no
    keyingtries=%forever
    ikelifetime=3600s
    salifetime=28800s
    dpdaction=restart
    dpddelay=30
    retransmit-timeout=10
    pfs=yes
    left=%defaultroute
    leftid=%fromcert
    leftsourceip=192.168.97.1
    leftsubnet=192.168.97.0/24
    right=my.home.ip.addr
    rightid=%fromcert
    rightsubnet=192.168.10.0/24
    reauth=yes


The Mikrotik just shows this error:

payload missing: SA

Libreswan log:

Feb 19 11:47:50.144703: loading secrets from "/etc/ipsec.secrets"
Feb 19 11:47:50.144781: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Feb 19 11:47:54.203972: "TestToHomeMain" #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP4096 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096[first-match]
Feb 19 11:47:54.210021: "TestToHomeMain" #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP4096}
Feb 19 11:47:58.047830: "TestToHomeMain" #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,CERT,N(INITIAL_CONTACT),SA,TSi,TSr}
Feb 19 11:47:58.053351: "TestToHomeMain" #1: reloaded private key matching left certificate 'Test_Server'
Feb 19 11:47:58.053702: "TestToHomeMain" #1: responder established IKE SA; authenticated peer '4096-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=Mikrotik_Router, E=ead...@mydomain.com' issued by CA 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=CA_Company, E=ad...@mycompany.com'
Feb 19 11:47:58.081239: "TestToHomeMain" #2: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-DISABLED SPI=0d60ffc8 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
Feb 19 11:47:58.128809: "TestToHomeMain" #2: responder established Child SA using #1; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x0d60ffc8 <0xd92d3260 xfrm=AES_CBC_256-HMAC_SHA2_256_128 DPD=active}
Feb 19 11:47:58.129292: netlink_expire got message with length 68 < 232 bytes; ignore message
Feb 19 12:02:58.861473: "TestToHomeMain" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
Feb 19 12:02:59.361763: "TestToHomeMain" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1 seconds for response
Feb 19 12:03:00.362203: "TestToHomeMain" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 2 seconds for response
Feb 19 12:12:17.214206: "TestToHomeMain" #3: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-MODP4096-DISABLED SPI=0981498e chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096;ESN=DISABLED[first-match]
Feb 19 12:12:17.222022: "TestToHomeMain" #3: responder rekeyed Child SA #2 using #1; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x0981498e <0x06caca24 xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP4096 DPD=active}
Feb 19 12:12:29.242019: "TestToHomeMain" #2: ESP traffic information: in=0B out=0B
Feb 19 12:36:39.311720: "TestToHomeMain" #4: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-MODP4096-DISABLED SPI=015d5fdf chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096;ESN=DISABLED[first-match]
Feb 19 12:36:39.319453: "TestToHomeMain" #4: responder rekeyed Child SA #3 using #1; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x015d5fdf <0xd995cc03 xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP4096 DPD=active}
Feb 19 12:36:45.411744: "TestToHomeMain" #3: ESP traffic information: in=0B out=0B
Feb 19 12:47:58.090049: "TestToHomeMain" #1: initiate reauthentication of IKE SA
Feb 19 12:47:58.090269: "TestToHomeMain" #5: initiating IKEv2 connection to replace established IKE SA #1
Feb 19 12:47:58.091242: "TestToHomeMain" #1: IKE SA expired (LATEST!)
Feb 19 12:47:58.091281: "TestToHomeMain" #4: ESP traffic information: in=0B out=0B
Feb 19 12:47:58.102162: "TestToHomeMain" #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 3603.898215s and sending notification
Feb 19 12:47:58.102682: "TestToHomeMain" #5: sent IKE_SA_INIT request to my.home.ip.addr:500
Feb 19 12:47:58.137858: packet from my.home.ip.addr:4500: INFORMATIONAL response has no corresponding IKE SA; message dropped
Feb 19 12:47:58.603416: "TestToHomeMain" #5: STATE_V2_PARENT_I1: retransmission; will wait 0.5 seconds for response
Feb 19 12:47:59.104080: "TestToHomeMain" #5: STATE_V2_PARENT_I1: retransmission; will wait 1 seconds for response
Feb 19 12:48:00.105285: "TestToHomeMain" #5: STATE_V2_PARENT_I1: retransmission; will wait 2 seconds for response
Feb 19 12:48:02.107516: "TestToHomeMain" #5: STATE_V2_PARENT_I1: retransmission; will wait 4 seconds for response
Feb 19 12:48:04.216662: "TestToHomeMain" #5: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 12:48:04.218295: "TestToHomeMain" #5: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 12:48:04.218399: "TestToHomeMain" #5: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 12:48:04.219154: "TestToHomeMain" #5: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 12:48:04.228016: "TestToHomeMain" #5: omitting CHILD SA payloads
Feb 19 12:48:04.228273: "TestToHomeMain" #5: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP4096}
Feb 19 12:48:04.308634: "TestToHomeMain" #5: IKE SA authentication request rejected by peer: INVALID_SYNTAX
Feb 19 12:48:04.308686: "TestToHomeMain" #5: encountered fatal error in state STATE_V2_PARENT_I2
Feb 19 12:48:04.308697: "TestToHomeMain" #5: deleting state (STATE_V2_PARENT_I2) aged 6.218559s and NOT sending notification
Feb 19 12:48:07.662370: "TestToHomeMain" #6: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP4096 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096[first-match]
Feb 19 12:48:07.667879: "TestToHomeMain" #6: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP4096}
Feb 19 12:48:11.654302: "TestToHomeMain" #6: processing decrypted IKE_AUTH request: SK{IDi,AUTH,CERT,N(INITIAL_CONTACT),SA,TSi,TSr}
Feb 19 12:48:11.657299: "TestToHomeMain" #6: responder established IKE SA; authenticated peer '4096-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=Mikrotik_Router, E=ead...@mydomain.com' issued by CA 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=CA_Company, E=ad...@mycompany.com'
Feb 19 12:48:11.674011: "TestToHomeMain" #7: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-DISABLED SPI=08869ac9 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
Feb 19 12:48:11.686870: "TestToHomeMain" #7: responder established Child SA using #6; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x08869ac9 <0x1a9a0654 xfrm=AES_CBC_256-HMAC_SHA2_256_128 DPD=active}
Feb 19 12:59:42.327811: "TestToHomeMain" #6: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
Feb 19 13:03:12.372786: "TestToHomeMain" #6: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
Feb 19 13:03:12.873462: "TestToHomeMain" #6: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1 seconds for response
Feb 19 13:03:13.874602: "TestToHomeMain" #6: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 2 seconds for response
Feb 19 13:12:33.743349: "TestToHomeMain" #8: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-MODP4096-DISABLED SPI=00268b22 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096;ESN=DISABLED[first-match]
Feb 19 13:12:33.751055: "TestToHomeMain" #8: responder rekeyed Child SA #7 using #6; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x00268b22 <0xaf6d25af xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP4096 DPD=active}
Feb 19 13:12:39.743171: "TestToHomeMain" #7: ESP traffic information: in=0B out=0B
Feb 19 13:24:10.455925: "TestToHomeMain" #6: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
Feb 19 13:36:58.743539: "TestToHomeMain" #9: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-MODP4096-DISABLED SPI=0a14e80a chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096;ESN=DISABLED[first-match]
Feb 19 13:36:58.751699: "TestToHomeMain" #9: responder rekeyed Child SA #8 using #6; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x0a14e80a <0x449c4b7f xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP4096 DPD=active}
Feb 19 13:37:01.730555: "TestToHomeMain" #8: ESP traffic information: in=0B out=0B
Feb 19 13:44:34.281255: packet from 162.243.132.48:43105: initial Main Mode message received but no connection has been authorized with authby=PSK and xauth=no
Feb 19 13:48:11.676247: "TestToHomeMain" #6: initiate reauthentication of IKE SA
Feb 19 13:48:11.676354: "TestToHomeMain" #10: initiating IKEv2 connection to replace established IKE SA #6
Feb 19 13:48:11.677214: "TestToHomeMain" #6: IKE SA expired (LATEST!)
Feb 19 13:48:11.677275: "TestToHomeMain" #9: ESP traffic information: in=0B out=0B
Feb 19 13:48:11.687904: "TestToHomeMain" #6: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 3604.02555s and sending notification
Feb 19 13:48:11.688291: "TestToHomeMain" #10: sent IKE_SA_INIT request to my.home.ip.addr:500
Feb 19 13:48:11.723318: packet from my.home.ip.addr:4500: INFORMATIONAL response has no corresponding IKE SA; message dropped
Feb 19 13:48:12.188950: "TestToHomeMain" #10: STATE_V2_PARENT_I1: retransmission; will wait 0.5 seconds for response
Feb 19 13:48:12.689198: "TestToHomeMain" #10: STATE_V2_PARENT_I1: retransmission; will wait 1 seconds for response
Feb 19 13:48:13.690434: "TestToHomeMain" #10: STATE_V2_PARENT_I1: retransmission; will wait 2 seconds for response
Feb 19 13:48:15.692626: "TestToHomeMain" #10: STATE_V2_PARENT_I1: retransmission; will wait 4 seconds for response
Feb 19 13:48:17.588722: "TestToHomeMain" #10: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 13:48:17.590321: "TestToHomeMain" #10: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 13:48:17.590472: "TestToHomeMain" #10: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 13:48:17.591205: "TestToHomeMain" #10: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 13:48:17.602017: "TestToHomeMain" #10: omitting CHILD SA payloads
Feb 19 13:48:17.602256: "TestToHomeMain" #10: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP4096}
Feb 19 13:48:17.682241: "TestToHomeMain" #10: IKE SA authentication request rejected by peer: INVALID_SYNTAX
Feb 19 13:48:17.682280: "TestToHomeMain" #10: encountered fatal error in state STATE_V2_PARENT_I2
Feb 19 13:48:17.682290: "TestToHomeMain" #10: deleting state (STATE_V2_PARENT_I2) aged 6.005973s and NOT sending notification
Feb 19 13:48:21.184062: "TestToHomeMain" #11: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP4096 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096[first-match]
Feb 19 13:48:21.189812: "TestToHomeMain" #11: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP4096}
Feb 19 13:48:25.035144: "TestToHomeMain" #11: processing decrypted IKE_AUTH request: SK{IDi,AUTH,CERT,N(INITIAL_CONTACT),SA,TSi,TSr}
Feb 19 13:48:25.037223: "TestToHomeMain" #11: responder established IKE SA; authenticated peer '4096-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=Mikrotik_Router, E=ead...@mydomain.com' issued by CA 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=CA_Company, E=ad...@mycompany.com'
Feb 19 13:48:25.052800: "TestToHomeMain" #12: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-DISABLED SPI=068ef734 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
Feb 19 13:48:25.066477: "TestToHomeMain" #12: responder established Child SA using #11; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x068ef734 <0xe0388687 xfrm=AES_CBC_256-HMAC_SHA2_256_128 DPD=active}
Feb 19 14:09:25.911176: "TestToHomeMain" #11: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
Feb 19 14:12:37.145710: "TestToHomeMain" #13: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-MODP4096-DISABLED SPI=01dc22ca chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096;ESN=DISABLED[first-match]
Feb 19 14:12:37.153530: "TestToHomeMain" #13: responder rekeyed Child SA #12 using #11; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x01dc22ca <0xde7f60d4 xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP4096 DPD=active}
Feb 19 14:12:49.122665: "TestToHomeMain" #12: ESP traffic information: in=0B out=0B

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
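Added example, not from the post or from Libreswan: a small parser for the Libreswan log format quoted above that isolates each hourly reauthentication window and records the symptoms that appear inside it (the orphaned INFORMATIONAL reply, the "omitting CHILD SA payloads" line that precedes the rejection, the INVALID_SYNTAX notify) together with how long the tunnel was down until the peer rebuilt it. The sample log is a constructed subset of the lines in the post; the syslog year is assumed since the format carries none.

```python
import re
from datetime import datetime

# Libreswan log line: 'Feb 19 12:47:58.090049: "conn" #5: message' (the "conn" #N part is optional)
LOG_RE = re.compile(r'^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d\.\d+): (?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')

def parse(line):
    """Split one log line into timestamp, connection name, SA number and message (None if not a log line)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")  # syslog has no year; dummy year assumed
    return {"ts": ts, "conn": m["conn"], "sa": int(m["sa"]) if m["sa"] else None, "msg": m["msg"]}

def find_reauth_outages(lines):
    """One record per 'initiate reauthentication' event, with the symptoms seen until the tunnel is back."""
    outages, cur = [], None
    for e in filter(None, map(parse, lines)):
        msg = e["msg"]
        if msg == "initiate reauthentication of IKE SA":
            cur = {"old_sa": e["sa"], "start": e["ts"], "orphan_informational": False,
                   "no_child_sa_payload": False, "invalid_syntax": False, "gap_s": None}
            outages.append(cur)
        elif cur is None or cur["gap_s"] is not None:
            continue  # not inside an unfinished reauth window
        elif "INFORMATIONAL response has no corresponding IKE SA" in msg:
            cur["orphan_informational"] = True   # reply to the old SA's delete arrived after it was gone
        elif msg == "omitting CHILD SA payloads":
            cur["no_child_sa_payload"] = True    # the new IKE_AUTH carried no SA/TSi/TSr
        elif msg.endswith("rejected by peer: INVALID_SYNTAX"):
            cur["invalid_syntax"] = True
        elif msg.startswith("responder established Child SA"):
            cur["gap_s"] = (e["ts"] - cur["start"]).total_seconds()  # outage until the peer rebuilt it
    return outages

# Constructed sample: a subset of the lines from the post above, timestamps unchanged.
SAMPLE_LOG = """\
Feb 19 12:47:58.090049: "TestToHomeMain" #1: initiate reauthentication of IKE SA
Feb 19 12:47:58.102162: "TestToHomeMain" #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 3603.898215s and sending notification
Feb 19 12:47:58.137858: packet from my.home.ip.addr:4500: INFORMATIONAL response has no corresponding IKE SA; message dropped
Feb 19 12:48:04.228016: "TestToHomeMain" #5: omitting CHILD SA payloads
Feb 19 12:48:04.308634: "TestToHomeMain" #5: IKE SA authentication request rejected by peer: INVALID_SYNTAX
Feb 19 12:48:11.686870: "TestToHomeMain" #7: responder established Child SA using #6; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0]
""".splitlines()

if __name__ == "__main__":
    for o in find_reauth_outages(SAMPLE_LOG):
        print(o)
```

Run against the full log, it yields one record per reauth cycle, so the "several seconds" pause can be measured rather than guessed.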
