
strongSwan - Issue #370

length of CONFIGURATION_ATTRIBUTE_V1 substructure list invalid


30.07.2013 15:44 - G S

Status: Closed
Priority: Normal
Assignee: Tobias Brunner
Category: configuration
Affected version: 4.4.1
Resolution: Fixed
Description
I have already spent more than 12h to configure PSK+XAUTH. It worked fine with 4.5.2 version but it is not working with 5.0.4.

Here are the configurations:


server side (v5.0.4):

cat /etc/ipsec.conf

config setup
    # strictcrlpolicy=yes
    # uniqueids = never

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1

# Add connections here.

conn radius
        left=172.31.30.10
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftauth=psk
        right=%any
        rightauth=psk
        rightauth2=xauth
        rightsourceip=10.2.0.0/16
        auto=add

cat /etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file

172.31.30.10 : PSK "12345" 

carol : XAUTH "12345" 

Client side (v4.4.1):


cat /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes

    # cachecrls=yes
    # nat_traversal=yes
    # charonstart=yes
    # plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=xauthpsk
    xauth=client

conn home4.0
    left=%defaultroute
    leftfirewall=yes
    leftsourceip=%modeconfig
    right=172.31.30.11
    rightsubnet=0.0.0.0/0
    xauth_identity=carol
    auto=add
    pfs=no

conn home5.0
        left=%defaultroute
        leftfirewall=yes
        leftsourceip=%modeconfig
        right=172.31.30.10
        rightsubnet=0.0.0.0/0
        xauth_identity=carol
        auto=add
        pfs=no

cat /etc/ipsec.secrets

include /var/lib/strongswan/ipsec.secrets.inc

172.31.30.8 : PSK "12345" 

carol : XAUTH "12345" 

And here is the output from the syslog at the server side:

Jul 30 15:37:39 debian-vpn charon: 00[DMN] signal of type SIGINT received. Shutting down
Jul 30 15:37:42 debian-vpn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-5-amd64, x86_64)
Jul 30 15:37:42 debian-vpn charon: 00[CFG] sql plugin: database URI not set
Jul 30 15:37:42 debian-vpn charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 30 15:37:42 debian-vpn charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 30 15:37:42 debian-vpn charon: 00[CFG]   loaded IKE secret for 172.31.30.10
Jul 30 15:37:42 debian-vpn charon: 00[CFG]   loaded EAP secret for carol
Jul 30 15:37:42 debian-vpn charon: 00[DMN] loaded plugins: charon test-vectors mysql aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap
Jul 30 15:37:42 debian-vpn charon: 00[JOB] spawning 16 worker threads
Jul 30 15:37:42 debian-vpn charon: 09[CFG] received stroke: add connection 'radius'
Jul 30 15:37:42 debian-vpn charon: 09[CFG] adding virtual IP address pool 10.2.0.0/16
Jul 30 15:37:42 debian-vpn charon: 09[CFG] added configuration 'radius'
Jul 30 15:38:22 debian-vpn charon: 10[NET] received packet: from 172.31.30.8[500] to 172.31.30.10[500] (168 bytes)
Jul 30 15:38:22 debian-vpn charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V ]
Jul 30 15:38:22 debian-vpn charon: 10[IKE] received strongSwan vendor ID
Jul 30 15:38:22 debian-vpn charon: 10[IKE] received XAuth vendor ID
Jul 30 15:38:22 debian-vpn charon: 10[IKE] received DPD vendor ID
Jul 30 15:38:22 debian-vpn charon: 10[IKE] 172.31.30.8 is initiating a Main Mode IKE_SA
Jul 30 15:38:22 debian-vpn charon: 10[ENC] generating ID_PROT response 0 [ SA V V ]
Jul 30 15:38:22 debian-vpn charon: 10[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (116 bytes)
Jul 30 15:38:22 debian-vpn charon: 11[NET] received packet: from 172.31.30.8[500] to 172.31.30.10[500] (308 bytes)
Jul 30 15:38:22 debian-vpn charon: 11[ENC] parsed ID_PROT request 0 [ KE No ]
Jul 30 15:38:22 debian-vpn charon: 11[ENC] generating ID_PROT response 0 [ KE No ]
Jul 30 15:38:22 debian-vpn charon: 11[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (324 bytes)
Jul 30 15:38:22 debian-vpn charon: 12[NET] received packet: from 172.31.30.8[500] to 172.31.30.10[500] (76 bytes)
Jul 30 15:38:22 debian-vpn charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jul 30 15:38:22 debian-vpn charon: 12[CFG] looking for XAuthInitPSK peer configs matching 172.31.30.10...172.31.30.8[172.31.30.8]
Jul 30 15:38:22 debian-vpn charon: 12[CFG] selected peer config "radius"
Jul 30 15:38:22 debian-vpn charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
Jul 30 15:38:22 debian-vpn charon: 12[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Jul 30 15:38:22 debian-vpn charon: 12[ENC] generating TRANSACTION request 375591222 [ HASH CP ]
Jul 30 15:38:22 debian-vpn charon: 12[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Jul 30 15:38:22 debian-vpn charon: 13[NET] received packet: from 172.31.30.8[500] to 172.31.30.10[500] (92 bytes)
Jul 30 15:38:22 debian-vpn charon: 13[ENC]   length of CONFIGURATION_ATTRIBUTE_V1 substructure list invalid
Jul 30 15:38:22 debian-vpn charon: 13[ENC] could not decrypt payloads
Jul 30 15:38:22 debian-vpn charon: 13[IKE] message parsing failed
Jul 30 15:38:22 debian-vpn charon: 13[ENC] generating INFORMATIONAL_V1 request 2362884502 [ HASH N(PLD_MAL) ]
Jul 30 15:38:22 debian-vpn charon: 13[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Jul 30 15:38:22 debian-vpn charon: 13[IKE] TRANSACTION response with message ID 375591222 processing failed
Jul 30 15:38:26 debian-vpn charon: 14[IKE] sending retransmit 1 of request message ID 375591222, seq 1
Jul 30 15:38:26 debian-vpn charon: 14[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Jul 30 15:38:32 debian-vpn charon: 15[NET] received packet: from 172.31.30.8[500] to 172.31.30.10[500] (92 bytes)
Jul 30 15:38:32 debian-vpn charon: 15[ENC]   length of CONFIGURATION_ATTRIBUTE_V1 substructure list invalid
Jul 30 15:38:32 debian-vpn charon: 15[ENC] could not decrypt payloads
Jul 30 15:38:32 debian-vpn charon: 15[IKE] message parsing failed
Jul 30 15:38:32 debian-vpn charon: 15[ENC] generating INFORMATIONAL_V1 request 586950680 [ HASH N(PLD_MAL) ]
Jul 30 15:38:32 debian-vpn charon: 15[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)
Jul 30 15:38:32 debian-vpn charon: 15[IKE] TRANSACTION response with message ID 375591222 processing failed
Jul 30 15:38:33 debian-vpn charon: 01[IKE] sending retransmit 2 of request message ID 375591222, seq 1
Jul 30 15:38:33 debian-vpn charon: 01[NET] sending packet: from 172.31.30.10[500] to 172.31.30.8[500] (76 bytes)

Can anyone explain what "length of CONFIGURATION_ATTRIBUTE_V1 substructure list invalid" is?
Is it possible to configure PSK + generic XAUTH (ipsec.secrets) in 5.0.4 version? Can you help?

Thanks in advance,
Gabriel

History
#1 - 30.07.2013 15:51 - G S
And here is the output from the client:

root@debian:/home/debian# ipsec up home5.0
002 "home5.0" #8: initiating Main Mode
104 "home5.0" #8: STATE_MAIN_I1: initiate
003 "home5.0" #8: received Vendor ID payload [XAUTH]
003 "home5.0" #8: received Vendor ID payload [Dead Peer Detection]
106 "home5.0" #8: STATE_MAIN_I2: sent MI2, expecting MR2
108 "home5.0" #8: STATE_MAIN_I3: sent MI3, expecting MR3
002 "home5.0" #8: Peer ID is ID_IPV4_ADDR: '172.31.30.10'
002 "home5.0" #8: ISAKMP SA established
004 "home5.0" #8: STATE_MAIN_I4: ISAKMP SA established
002 "home5.0" #8: parsing XAUTH request
002 "home5.0" #8: sending XAUTH reply
120 "home5.0" #8: STATE_XAUTH_I1: sent XAUTH reply, expecting status
003 "home5.0" #8: byte 2 of ISAKMP Hash Payload must be zero, but is not
003 "home5.0" #8: malformed payload in packet
003 "home5.0" #8: discarding duplicate packet; already STATE_XAUTH_I1
010 "home5.0" #8: STATE_XAUTH_I1: retransmission; will wait 20s for response
003 "home5.0" #8: next payload type of ISAKMP Hash Payload has an unknown value: 182
003 "home5.0" #8: malformed payload in packet
003 "home5.0" #8: discarding duplicate packet; already STATE_XAUTH_I1

#2 - 30.07.2013 17:09 - Tobias Brunner


- Status changed from New to Closed
- Assignee set to Tobias Brunner
- Affected version changed from 5.0.4 to 4.4.1
- Resolution set to Fixed

This is caused by a bug in 4.4.1 that was fixed by 1f2c3283, which was included in 4.5.0.

#3 - 30.07.2013 17:45 - G S
Tobias Brunner wrote:

This is caused by a bug in 4.4.1 that was fixed by 1f2c3283, which was included in 4.5.0.

I have to say that I do not fully understand your answer. I am using v5.0.4 at the server side and yes v4.4.1 at the client side but...
I have a very similar problem while trying to connect from an iPad, here is the output:

Jul 30 17:41:46 debian-vpn charon: 00[DMN] signal of type SIGINT received. Shutting down
Jul 30 17:41:49 debian-vpn charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-5-amd64, x86_64)
Jul 30 17:41:49 debian-vpn charon: 00[CFG] sql plugin: database URI not set
Jul 30 17:41:49 debian-vpn charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 30 17:41:49 debian-vpn charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 30 17:41:49 debian-vpn charon: 00[CFG]   loaded IKE secret for 172.31.30.10
Jul 30 17:41:49 debian-vpn charon: 00[CFG]   loaded EAP secret for carol
Jul 30 17:41:49 debian-vpn charon: 00[DMN] loaded plugins: charon test-vectors mysql aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap
Jul 30 17:41:49 debian-vpn charon: 00[JOB] spawning 16 worker threads
Jul 30 17:41:49 debian-vpn charon: 10[CFG] received stroke: add connection 'radius'
Jul 30 17:41:49 debian-vpn charon: 10[CFG] adding virtual IP address pool 10.2.0.0/16
Jul 30 17:41:49 debian-vpn charon: 10[CFG] added configuration 'radius'
Jul 30 17:42:04 debian-vpn charon: 02[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (572 bytes)
Jul 30 17:42:04 debian-vpn charon: 02[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V ]
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received XAuth vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received Cisco Unity vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] received DPD vendor ID
Jul 30 17:42:04 debian-vpn charon: 02[IKE] 172.31.30.4 is initiating a Main Mode IKE_SA
Jul 30 17:42:04 debian-vpn charon: 02[ENC] generating ID_PROT response 0 [ SA V V V ]
Jul 30 17:42:04 debian-vpn charon: 02[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (136 bytes)
Jul 30 17:42:05 debian-vpn charon: 12[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (228 bytes)
Jul 30 17:42:05 debian-vpn charon: 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 30 17:42:05 debian-vpn charon: 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 30 17:42:05 debian-vpn charon: 12[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (244 bytes)
Jul 30 17:42:05 debian-vpn charon: 13[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (108 bytes)
Jul 30 17:42:05 debian-vpn charon: 13[ENC] invalid ID_V1 payload length, decryption failed?
Jul 30 17:42:05 debian-vpn charon: 13[ENC] could not decrypt payloads
Jul 30 17:42:05 debian-vpn charon: 13[IKE] message parsing failed
Jul 30 17:42:05 debian-vpn charon: 13[ENC] generating INFORMATIONAL_V1 request 3653904164 [ HASH N(PLD_MAL) ]
Jul 30 17:42:05 debian-vpn charon: 13[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (76 bytes)
Jul 30 17:42:05 debian-vpn charon: 13[IKE] ID_PROT request with message ID 0 processing failed
Jul 30 17:42:08 debian-vpn charon: 14[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (108 bytes)
Jul 30 17:42:08 debian-vpn charon: 14[ENC] invalid ID_V1 payload length, decryption failed?
Jul 30 17:42:08 debian-vpn charon: 14[ENC] could not decrypt payloads
Jul 30 17:42:08 debian-vpn charon: 14[IKE] message parsing failed
Jul 30 17:42:08 debian-vpn charon: 14[ENC] generating INFORMATIONAL_V1 request 1086460854 [ HASH N(PLD_MAL) ]
Jul 30 17:42:08 debian-vpn charon: 14[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (76 bytes)
Jul 30 17:42:08 debian-vpn charon: 14[IKE] ID_PROT request with message ID 0 processing failed
Jul 30 17:42:11 debian-vpn charon: 15[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (108 bytes)
Jul 30 17:42:11 debian-vpn charon: 15[ENC] invalid ID_V1 payload length, decryption failed?
Jul 30 17:42:11 debian-vpn charon: 15[ENC] could not decrypt payloads
Jul 30 17:42:11 debian-vpn charon: 15[IKE] message parsing failed
Jul 30 17:42:11 debian-vpn charon: 15[ENC] generating INFORMATIONAL_V1 request 1639472003 [ HASH N(PLD_MAL) ]
Jul 30 17:42:11 debian-vpn charon: 15[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (76 bytes)
Jul 30 17:42:11 debian-vpn charon: 15[IKE] ID_PROT request with message ID 0 processing failed
Jul 30 17:42:14 debian-vpn charon: 16[NET] received packet: from 172.31.30.4[500] to 172.31.30.10[500] (108 bytes)
Jul 30 17:42:14 debian-vpn charon: 16[ENC] invalid ID_V1 payload length, decryption failed?
Jul 30 17:42:14 debian-vpn charon: 16[ENC] could not decrypt payloads
Jul 30 17:42:14 debian-vpn charon: 16[IKE] message parsing failed
Jul 30 17:42:14 debian-vpn charon: 16[ENC] generating INFORMATIONAL_V1 request 1293380206 [ HASH N(PLD_MAL) ]
Jul 30 17:42:14 debian-vpn charon: 16[NET] sending packet: from 172.31.30.10[500] to 172.31.30.4[500] (76 bytes)
Jul 30 17:42:14 debian-vpn charon: 16[IKE] ID_PROT request with message ID 0 processing failed

It worked very well with 4.5.2 version.

Gabriel

#4 - 30.07.2013 17:54 - Tobias Brunner

This is caused by a bug in 4.4.1 that was fixed by 1f2c3283, which was included in 4.5.0.

I have to say that I do not fully understand your answer. I am using v5.0.4 at the server side and yes v4.4.1 at the client side but...

Well, it's the client (4.4.1) that does something wrong here (it sends additional data behind the XAuth secret). So unless you update the client (or use IKEv2, which is recommended for strongSwan<->strongSwan connections anyway) this won't work with newer strongSwan releases. It could be that pluto (the IKEv1 daemon that was used until 5.0.0) handled those invalid payloads a bit more leniently, which might be why it worked with 4.5.2.

I have a very similar problem while trying to connect from an iPad, here is the output:

This is clearly not the same problem. It breaks earlier and from the log message it looks like something with the PSK is wrong (e.g. most likely a typo on the iOS client).
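As an added illustration of what the server-side error in the original report means (example code written for this page; it is not code from the bug report, from pluto or from charon): a small encoder and parser for the IKEv1 Configuration payload that XAuth and Mode Config use. The attribute encoding (AF bit, TV vs TLV attributes) follows RFC 2408 section 3.3 and the XAuth attribute numbers come from draft-beaulieu-ike-xauth; the function names `build_cfg_payload`, `parse_cfg_payload`, `is_accepted` and `xauth_credentials` are mine. The report only says that 4.4.1 "sends additional data behind the XAuth secret", so the single stray NUL byte the example appends is an assumed stand-in for whatever the client really sent, and the `strict=False` branch is an assumed model of the more lenient handling Tobias speculates pluto had, not pluto's actual behaviour. The sample reply carries the user name and password from the posted ipsec.secrets.

```python
"""Strict vs. lenient decoding of an IKEv1 Configuration payload (Mode Config / XAuth).

Layout: generic payload header (next payload, reserved, length) followed by
type, reserved, identifier and a list of RFC 2408 section 3.3 data attributes.
"""
import struct

# Configuration payload message types (draft-ietf-ipsec-isakmp-mode-cfg)
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4

# XAuth attribute types (draft-beaulieu-ike-xauth, section 6.1)
XAUTH_TYPE = 16520
XAUTH_USER_NAME = 16521
XAUTH_USER_PASSWORD = 16522
XAUTH_STATUS = 16527

AF_BIT = 0x8000         # attribute format: 1 = type/value (TV), 0 = type/length/value (TLV)
CFG_HEADER = "!BBHBBH"  # next payload, reserved, payload length, cfg type, reserved, identifier
CFG_HEADER_LEN = struct.calcsize(CFG_HEADER)  # 8 bytes


class MalformedPayload(ValueError):
    """Strict-parser rejection; charon answers such a message with N(PLD_MAL)."""


def build_cfg_payload(cfg_type, identifier, attrs, trailing=b"", next_payload=0):
    """Encode one Configuration payload.

    attrs: list of (type, value); an int value becomes a TV attribute, bytes a TLV
    attribute. `trailing` is appended after the last attribute and counted in the
    payload length: this is how the example reproduces a sender that puts data
    behind the XAuth secret (assumption: the report does not say what 4.4.1 appended).
    """
    body = b""
    for atype, value in attrs:
        if isinstance(value, int):
            body += struct.pack("!HH", AF_BIT | atype, value)
        else:
            body += struct.pack("!HH", atype, len(value)) + value
    body += trailing
    header = struct.pack(CFG_HEADER, next_payload, 0, CFG_HEADER_LEN + len(body),
                         cfg_type, 0, identifier)
    return header + body


def parse_cfg_payload(data, strict=True):
    """Decode a Configuration payload into (cfg_type, identifier, attrs, ignored).

    strict=True: every byte inside the payload length must belong to a complete
    attribute, which is what charon requires. strict=False: a trailer shorter than
    an attribute header is skipped and its size returned in `ignored` (an assumed
    model of the more lenient handling the report attributes to pluto).
    """
    if len(data) < CFG_HEADER_LEN:
        raise MalformedPayload("truncated Configuration payload header")
    _np, _r1, length, cfg_type, _r2, identifier = struct.unpack(CFG_HEADER, data[:CFG_HEADER_LEN])
    if length < CFG_HEADER_LEN or length > len(data):
        raise MalformedPayload("payload length %d does not fit %d bytes" % (length, len(data)))
    attrs, pos, ignored = [], CFG_HEADER_LEN, 0
    while pos < length:
        if length - pos < 4:
            # Fewer bytes left than one attribute header: the attribute list does not
            # add up to the payload length. This is the condition behind charon's
            # "length of CONFIGURATION_ATTRIBUTE_V1 substructure list invalid".
            if strict:
                raise MalformedPayload("length of attribute list invalid: %d stray byte(s)" % (length - pos))
            ignored = length - pos
            break
        af_type, val = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        atype = af_type & 0x7FFF
        if af_type & AF_BIT:
            attrs.append((atype, val))                 # TV: val is the value itself
        else:
            if pos + val > length:                     # TLV value must stay inside the payload
                raise MalformedPayload("attribute %d value runs past payload end" % atype)
            attrs.append((atype, bytes(data[pos:pos + val])))
            pos += val
    return cfg_type, identifier, attrs, ignored


def is_accepted(data, strict=True):
    """True if the parser accepts `data` under the given policy."""
    try:
        parse_cfg_payload(data, strict)
        return True
    except MalformedPayload:
        return False


def xauth_credentials(attrs):
    """Pull user name and password out of the attributes of an XAuth reply."""
    fields = dict(attrs)
    return fields.get(XAUTH_USER_NAME), fields.get(XAUTH_USER_PASSWORD)


# Constructed sample: the XAuth reply a client would send for the credentials in the
# posted ipsec.secrets (user carol, password 12345), once clean and once with a stray
# NUL byte behind the password attribute (assumed stand-in for the 4.4.1 behaviour).
XAUTH_REPLY_ATTRS = [(XAUTH_TYPE, 0), (XAUTH_USER_NAME, b"carol"), (XAUTH_USER_PASSWORD, b"12345")]
CLEAN_REPLY = build_cfg_payload(CFG_REPLY, 1, XAUTH_REPLY_ATTRS)
BUGGY_REPLY = build_cfg_payload(CFG_REPLY, 1, XAUTH_REPLY_ATTRS, trailing=b"\x00")

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN_REPLY), ("buggy", BUGGY_REPLY)):
        print(name, "strict:", is_accepted(pkt), "lenient:", is_accepted(pkt, strict=False))
```

The strict policy is the right one for a parser that feeds decrypted IKE data into authentication logic: a length field that does not account for every byte is the classic sign of either a broken peer or a crafted message, and accepting the remainder silently would hide both. Note what the length check alone cannot catch: a trailer of four or more bytes decodes as a syntactically valid (if meaningless) attribute, so a parser still needs to validate attribute types and lengths against what the exchange allows.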

#5 - 30.07.2013 18:04 - G S
Tobias Brunner wrote:

This is caused by a bug in 4.4.1 that was fixed by 1f2c3283, which was included in 4.5.0.

I have to say that I do not fully understand your answer. I am using v5.0.4 at the server side and yes v4.4.1 at the client side but...

Well, it's the client (4.4.1) that does something wrong here (it sends additional data behind the XAuth secret). So unless you update the client (or use IKEv2, which is recommended for strongSwan<->strongSwan connections anyway) this won't work with newer strongSwan releases. It could be that pluto (the IKEv1 daemon that was used until 5.0.0) handled those invalid payloads a bit more leniently, which might be why it worked with 4.5.2.

I have a very similar problem while trying to connect from an iPad, here is the output:

This is clearly not the same problem. It breaks earlier and from the log message it looks like something with the PSK is wrong (e.g. most likely a typo on the iOS client).

Thanks a lot Tobias for an excellent support.

Regards,
G.S.

29.04.2021 6/6
