How do I resolve “Error 13843: Invalid Payload Received”?


When Windows 8 tries to connect to my strongSwan VPN, I get the following error,

Error 13843: Invalid Payload Received.

I don't know how to fix it or what causes it. My charon log has this,

15[IKE] IKE_SA roadwarrior[2] established between 10.0.10.81[DNREDACTED1]...75.108.226.117[DNREDACTED2]
15[IKE] scheduling reauthentication in 9771s
15[IKE] maximum IKE_SA lifetime 10311s
15[IKE] sending end entity cert "REDACTED GW CERT"
15[IKE] peer requested virtual IP %any
15[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
15[IKE] configuration payload negotiation failed, no CHILD_SA built
15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
15[NET] sending packet: from 10.0.10.81[4500] to 75.108.226.117[4500]
16[NET] received packet: from 75.108.226.117[4500] to 10.0.10.81[4500]
16[ENC] parsed INFORMATIONAL request 2 [ D ]
16[IKE] received DELETE for IKE_SA roadwarrior[2]
16[IKE] deleting IKE_SA roadwarrior[2] between 10.0.10.81[DNREDACTED1]...75.108.226.117[DNREDACTED2]
16[IKE] IKE_SA deleted
16[ENC] generating INFORMATIONAL response 2 [ ]
16[NET] sending packet: from 10.0.10.81[4500] to 75.108.226.117[4500]

ipsec.conf

conn %default
  dpdaction=clear
  dpddelay=300s
  keyexchange=ikev2
  auto=add

conn roadwarrior
  keyexchange=ikev2
  auto=add
  left=%defaultroute
  leftcert=gw-cert.pem
  leftsubnet=10.0.10.0/24
  right=%any
  rightsubnet=192.168.1.1/24

strongswan.conf

charon {
  threads = 16;

    # Two defined file loggers. Each subsection is either a file
    # in the filesystem or one of: stdout, stderr.
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
            # prepend connection name, simplifies grepping
            ike_name = yes
        }
    }
    # And two loggers using syslog. The subsections define the facility to log
    # to, currently one of: daemon, auth.
    syslog {
        # optional identifier used with openlog(3), prepended to each log message
        # by syslog. if not configured, openlog(3) is not called, so the value will
        # depend on system defaults (usually the program name)
        identifier = charon-custom
        # default level to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }

  dns1=4.2.2.1
  dns2=4.2.2.2

}

by Evan Carroll 05.08.2013 / 05:33

1 answer


In your ipsec.conf you have

rightsubnet=192.168.1.1/24

That should be

rightsourceip=192.168.1.1/24

left/rightsubnet is documented as

left|rightsubnet = <ip subnet>[[<proto/port>]][,...]

private subnet behind the left participant, expressed as network/netmask; if omitted, essentially assumed to be left/32|128, signifying that the left|right end of the connection goes to the left|right participant only. The configured subnets of the peers may differ, the protocol narrows it to the greatest common subnet. Since 5.0.0 this is also done for IKEv1, but as this may lead to problems with other implementations, make sure to configure identical subnets in such configurations. IKEv2 supports multiple subnets separated by commas, IKEv1 only interprets the first subnet of such a definition, unless the Cisco Unity extension plugin is enabled (available since 5.0.1).

Since 5.1.0 the optional part after each subnet enclosed in square brackets specifies a protocol/port to restrict the selector for that subnet. Examples: leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] or leftsubnet=fec1::1[udp],10.0.0.0/16[/53]. Instead of omitting either value %any can be used to the same effect, e.g. leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53]

The port value can alternatively take the value %opaque for RFC 4301 OPAQUE selectors, or a numerical range in the form 1024-65535. None of the kernel backends currently supports opaque or port ranges and uses %any for policy installation instead.

Instead of specifying a subnet, %dynamic can be used to replace it with the IKE address, having the same effect as omitting left|rightsubnet completely. Using %dynamic can be used to define multiple dynamic selectors, each having a potentially different protocol/port definition.

Whereas rightsourceip is documented as

rightsourceip = %config | <network>/<netmask> | %poolname

The internal source IP to use in a tunnel for the remote peer. If the value is %config on the responder side, the initiator must propose an address which is then echoed back. Also supported are address pools expressed as <network>/<netmask> or the use of an external IP address pool using %poolname where poolname is the name of the IP address pool used for the lookup (see virtual IP for details). Since 5.0.1 a comma-separated list of IP addresses / pools is accepted, for instance, to define pools of different address families.

05.08.2013 / 06:03
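The sequence in the question's charon log is the whole story: the Windows client sends a configuration payload asking for a virtual IP (`peer requested virtual IP %any`), the responder has no pool to allocate from (`no virtual IP found, sending INTERNAL_ADDRESS_FAILURE`), so no CHILD_SA is built and the client tears the IKE_SA down with a DELETE; Windows surfaces that as error 13843. `rightsubnet` is a traffic selector for what lies behind the peer, not a pool, which is why the answer's `rightsourceip` fixes it. The following helper is an added example, not code from the original post or from the strongSwan project: it parses a small ipsec.conf, flags road-warrior conns (`right=%any`) that have no `rightsourceip` pool, and recognises the INTERNAL_ADDRESS_FAILURE sequence in charon log lines. The broken and fixed conn texts and the log lines are constructed for this example and modelled on the post; the conn name, certificate file and the pool `192.168.1.0/24` are placeholders, and the DNS servers the post sets via `charon.dns1`/`dns2` are left untouched.

```python
"""Added example (not from the original post or the strongSwan project):
lint ipsec.conf road-warrior conns for a missing virtual-IP pool and spot
the matching INTERNAL_ADDRESS_FAILURE sequence in charon logs."""
import re

# Constructed: the post's conn as written, with rightsubnet where a pool belongs.
BROKEN_CONF = """\
conn %default
  dpdaction=clear
  dpddelay=300s
  keyexchange=ikev2
  auto=add

conn roadwarrior
  left=%defaultroute
  leftcert=gw-cert.pem
  leftsubnet=10.0.10.0/24
  right=%any
  rightsubnet=192.168.1.1/24
"""

# Constructed: the same conn with an address pool, as the answer recommends.
# The pool is given as the network address (placeholder value).
FIXED_CONF = """\
conn %default
  dpdaction=clear
  dpddelay=300s
  keyexchange=ikev2
  auto=add

conn roadwarrior
  left=%defaultroute
  leftcert=gw-cert.pem
  leftsubnet=10.0.10.0/24
  right=%any
  rightsourceip=192.168.1.0/24
"""

# Constructed charon log excerpt modelled on the question (client address is a
# documentation-range placeholder).
SAMPLE_LOG = """\
15[IKE] IKE_SA roadwarrior[2] established between 10.0.10.81[gw]...198.51.100.7[client]
15[IKE] peer requested virtual IP %any
15[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
15[IKE] configuration payload negotiation failed, no CHILD_SA built
15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
16[IKE] received DELETE for IKE_SA roadwarrior[2]
""".splitlines()


def parse_ipsec_conf(text):
    """Return {conn name: {key: value}} with 'conn %default' values merged in.
    Only 'conn' sections are collected; 'config setup' and 'ca' are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # section header at column 0
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) == 2 else None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    default = conns.get("%default", {})
    return {name: {**default, **kv} for name, kv in conns.items() if name != "%default"}


def lint_roadwarrior_conns(text):
    """Flag conns with right=%any that cannot hand out a virtual IP.
    A road-warrior conn without a pool is only fine for clients that never
    ask for one; Windows always sends a CFG_REQUEST."""
    findings = []
    for name, kv in parse_ipsec_conf(text).items():
        if kv.get("right") != "%any" or "rightsourceip" in kv:
            continue
        msg = f"conn {name}: right=%any but no rightsourceip pool; "
        if "rightsubnet" in kv:
            msg += (f"rightsubnet={kv['rightsubnet']} is a traffic selector, not a pool, "
                    "so a client requesting a virtual IP gets INTERNAL_ADDRESS_FAILURE")
        else:
            msg += "clients requesting a virtual IP get INTERNAL_ADDRESS_FAILURE"
        findings.append(msg)
    return findings


_REQUESTED = re.compile(r"\[IKE\] peer requested virtual IP (\S+)")
_NO_POOL = re.compile(r"\[IKE\] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE")
_NO_CHILD = re.compile(r"\[IKE\] configuration payload negotiation failed, no CHILD_SA built")


def diagnose_charon_log(lines):
    """Map the request / no-pool / no-CHILD_SA sequence to its cause, else None."""
    requested, no_pool, no_child = None, False, False
    for line in lines:
        m = _REQUESTED.search(line)
        if m:
            requested = m.group(1)
        no_pool = no_pool or bool(_NO_POOL.search(line))
        no_child = no_child or bool(_NO_CHILD.search(line))
    if requested and no_pool and no_child:
        return (f"client requested a virtual IP ({requested}) but the responder has no pool: "
                "add rightsourceip=<network>/<netmask> to the matching conn")
    if no_child:
        return "configuration payload negotiation failed for another reason; check the CP attributes"
    return None


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_roadwarrior_conns(conf) or ["ok"])
    print(diagnose_charon_log(SAMPLE_LOG))
```

Run it and the broken conn is reported while the fixed one passes; feed it `/var/log/charon.log` lines instead of `SAMPLE_LOG` to triage a live gateway. The lint is deliberately narrow: it says nothing about authentication settings, which the post does not show and which Windows clients also need right.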