Hi Balaji,

RFC 4739 "Multiple Authentication Exchanges in IKEv2"

  https://tools.ietf.org/html/rfc4739#section-3.1

defines the format of the MULTIPLE_AUTH_SUPPORT Notify Payload as

3.1.  MULTIPLE_AUTH_SUPPORTED Notify Payload

   The MULTIPLE_AUTH_SUPPORTED notification is included in the
   IKE_SA_INIT response or the first IKE_AUTH request to indicate that
   the peer supports this specification.  The Notify Message Type is
   MULTIPLE_AUTH_SUPPORTED (16404).  The Protocol ID and SPI Size fields
   MUST be set to zero, and there is no data associated with this Notify
   type.

So I don't understand why you expect notification data?

Regards

Andreas

On 15.04.2018 04:42, Balaji Thoguluva Bapulal wrote:
Dear users,

I am trying to establish an IKEv2/IPsec tunnel from a security gateway
towards strongswan with strongswan acting as a responder. In response to
IKE_SA_INIT request packet, strongswan sends back IKE_SA_INIT response
with a Notify payload of MULTIPLE_AUTH_SUPPORTED with notification data
missing. I have attached the wireshark. It would be great if someone can
explain this behavior.

[IKEv2]$ ipsec --version
Linux strongSwan U5.3.0/K3.8.13-16.2.1.el6uek.x86_64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

The following is the configuration.

config setup
    charondebug=all

conn %default
    keyingtries=1
    keyexchange=ikev2
    reauth=no

conn psk
    left=172.16.55.62
    leftsourceip=%config%
    leftfirewall=no
    leftauth=psk
    leftsubnet=172.16.0.0/16
    right=172.16.135.192
    rightid=172.16.135.192
    rightsubnet=172.16.0.0/16
    rightauth=psk
    esp=3des-aes-sha1-md5-modp1024
    ike=3des-sha1-md5-modp1024
    auto=add
    type=tunnel

Thanks,

Balaji


--
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
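
The RFC 4739 section 3.1 rule quoted in the reply above can be checked mechanically on a decoded Notify payload. The following is an added example, not part of the original thread and not strongSwan code; the function names are hypothetical, the payload layout is the Notify payload of RFC 7296 section 3.10, and the sample bytes are constructed rather than taken from the attached capture.

```python
import struct

MULTIPLE_AUTH_SUPPORTED = 16404  # Notify Message Type from RFC 4739, section 3.1

def parse_notify(payload: bytes) -> dict:
    """Parse one IKEv2 Notify payload, generic header included (RFC 7296, 3.10)."""
    if len(payload) < 8:
        raise ValueError("Notify payload shorter than its 8 fixed bytes")
    next_payload, flags, length, proto_id, spi_size, msg_type = struct.unpack(
        "!BBHBBH", payload[:8])
    if length < 8 or length > len(payload):
        raise ValueError("Payload Length field inconsistent with buffer")
    if 8 + spi_size > length:
        raise ValueError("SPI Size runs past the end of the payload")
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "protocol_id": proto_id,
        "spi": payload[8:8 + spi_size],
        "type": msg_type,
        "data": payload[8 + spi_size:length],  # empty when length == 8 + spi_size
    }

def check_multiple_auth_supported(payload: bytes) -> list:
    """Return the RFC 4739 section 3.1 violations found (empty list = conformant)."""
    n = parse_notify(payload)
    if n["type"] != MULTIPLE_AUTH_SUPPORTED:
        return ["not a MULTIPLE_AUTH_SUPPORTED notify (type %d)" % n["type"]]
    problems = []
    if n["protocol_id"] != 0:
        problems.append("Protocol ID must be zero")
    if n["spi"]:
        problems.append("SPI Size must be zero")
    if n["data"]:
        problems.append("notification data must be empty")
    return problems

# Constructed sample payloads (not taken from the capture attached to the thread).
# 8 bytes: next payload 0, flags 0, length 8, protocol 0, SPI size 0, type 16404.
CONFORMANT = bytes.fromhex("00000008" "0000" "4014")
# Same notify with two bytes of data appended, which the RFC does not allow.
WITH_DATA = bytes.fromhex("0000000a" "0000" "4014" "beef")

if __name__ == "__main__":
    for name, raw in (("conformant", CONFORMANT), ("with data", WITH_DATA)):
        print(name, check_multiple_auth_supported(raw) or "OK")
```

A conformant MULTIPLE_AUTH_SUPPORTED notify is therefore exactly 8 bytes on the wire, so a dissector showing no notification data for it is the expected result.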
