IPsec INVALID_SYNTAX after upgrade

Hello,
I upgraded 5 MikroTiks from version 6.44.xx to 6.45.5 (and 6.45.6) and got the same error on all MikroTiks in the log: fatal error INVALID_SYNTAX, but IPsec is working well, no problems, connections up, everything is working. Some MikroTiks are connected to strongSwan on the other side, some to a Fortigate. Please could I ask you to look at the attached log and let me know where the mistake could be? On the first start everything is without error, but then I have the error in the log every 30 minutes (the lifetime).

10:46:12 ipsec → ike2 reply, exchange: INFORMATIONAL:17 xxx.xxx.xxx.xxx[4500]
10:46:12 ipsec payload seen: ENC (52 bytes)
10:46:12 ipsec processing payload: ENC
10:46:12 ipsec,debug => iv (size 0x10)
10:46:12 ipsec,debug 63e2eb30 3add09b4 31f3f769 b213e059
10:46:12 ipsec,debug decrypted
10:46:12 ipsec,debug,packet => decrypted packet (size 0x8)
10:46:12 ipsec,debug,packet 00000008 00000007
10:46:12 ipsec payload seen: NOTIFY (8 bytes)
10:46:12 ipsec respond: info
10:46:12 ipsec processing payloads: NOTIFY
10:46:12 ipsec notify: INVALID_SYNTAX
10:46:12 ipsec,error got fatal error: INVALID_SYNTAX
10:46:12 ipsec IPsec-SA killing: xxx.xxx.xxx.xxx[4500]->yyy.yyy.yyy.yyy[4500] spi=0x972f385
10:46:12 ipsec IPsec-SA killing: yyy.yyy.yyy.yyy[4500]->xxx.xxx.xxx.xxx[4500] spi=0xcb3f7794
10:46:12 ipsec,info killing ike2 SA: yyy.yyy.yyy.yyy[4500]-xxx.xxx.xxx.xxx[4500] spi:484344159662aa0f:8fc22211b5095db3

I have the same error when I use a lifetime that is short. I connect to a VPN provider.

I am experiencing the same issue. Also using IKEv2 to a StrongSwan server.

It’s occurring every hour, which is the lifetime of the IPsec profile with proposal check “obey”.

strongSwan IKE lifetime is 12 hours and lifetime is 8 hours.

Logs on the other side should be inspected since it is the one who sends the INVALID_SYNTAX payload and it can mean anything.

OK, here is a part of the log file on the strongSwan side. As I wrote, I have errors on 5 MikroTiks after the firmware upgrade to 6.45.5 (and 6.45.6), no errors before; 2 MikroTiks are connected to strongSwan, 3 to a Fortigate gateway, no configuration changes on strongSwan and Fortigate.

Sep 16 10:46:12 ares charon: 06[NET] received packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500]
Sep 16 10:46:12 ares charon: 06[NET] waiting for data on sockets
Sep 16 10:46:12 ares charon: 14[NET] received packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (576 bytes)
Sep 16 10:46:12 ares charon: 14[ENC] parsed CREATE_CHILD_SA request 16 [ SA KE No ]
Sep 16 10:46:12 ares charon: 14[IKE] yyy.yyy.yyy.yyy is initiating an IKE_SA
Sep 16 10:46:12 ares charon: 14[IKE] IKE_SA ipsec-tunel[1380] state change: CREATED => CONNECTING
Sep 16 10:46:12 ares charon: 14[CFG] selecting proposal:
Sep 16 10:46:12 ares charon: 14[CFG] proposal matches
Sep 16 10:46:12 ares charon: 14[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 16 10:46:12 ares charon: 14[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 16 10:46:12 ares charon: 14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Sep 16 10:46:12 ares charon: 14[LIB] size of DH secret exponent: 2047 bits
Sep 16 10:46:12 ares charon: 14[IKE] IKE_SA ipsec-tunel[1375] state change: ESTABLISHED => REKEYING
Sep 16 10:46:12 ares charon: 14[ENC] generating CREATE_CHILD_SA response 16 [ SA No KE ]
Sep 16 10:46:12 ares charon: 14[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (432 bytes)
Sep 16 10:46:12 ares charon: 02[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500]
Sep 16 10:46:12 ares charon: 06[NET] received packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500]
Sep 16 10:46:12 ares charon: 06[NET] waiting for data on sockets
Sep 16 10:46:12 ares charon: 05[NET] received packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (112 bytes)
Sep 16 10:46:12 ares charon: 05[ENC] DELETE verification failed
Sep 16 10:46:12 ares charon: 05[ENC] could not decrypt payloads
Sep 16 10:46:12 ares charon: 05[IKE] message verification failed
Sep 16 10:46:12 ares charon: 05[ENC] generating INFORMATIONAL response 17 [ N(INVAL_SYN) ]
Sep 16 10:46:12 ares charon: 05[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (80 bytes)
Sep 16 10:46:12 ares charon: 05[IKE] INFORMATIONAL request with message ID 17 processing failed
Sep 16 10:46:12 ares charon: 02[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500]
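The charon excerpt above shows the shape of the failure: the MikroTik sends a CREATE_CHILD_SA (an IKE_SA rekey, payloads SA/KE/No without TSi/TSr), strongSwan answers it, and the very next request (message ID 17, one after the rekey's 16) fails verification and is answered with N(INVAL_SYN). The script below is an added example, not code from the original posters or from strongSwan; it parses charon log lines and flags exactly that sequence, so a responder-side log can be checked for the pattern without reading it by hand. The sample log is constructed here, modelled on the lines quoted in the thread, with placeholder host and connection names.

```python
"""Spot IKEv2 rekeys that are immediately followed by INVALID_SYNTAX in strongSwan (charon) logs."""
import re

# Constructed sample log, modelled on the charon lines quoted in the thread
# (host names, connection names and message IDs are placeholders).
SAMPLE_LOG = """\
Sep 16 10:46:12 ares charon: 14[ENC] parsed CREATE_CHILD_SA request 16 [ SA KE No ]
Sep 16 10:46:12 ares charon: 14[IKE] IKE_SA ipsec-tunel[1375] state change: ESTABLISHED => REKEYING
Sep 16 10:46:12 ares charon: 14[ENC] generating CREATE_CHILD_SA response 16 [ SA No KE ]
Sep 16 10:46:12 ares charon: 05[ENC] DELETE verification failed
Sep 16 10:46:12 ares charon: 05[ENC] could not decrypt payloads
Sep 16 10:46:12 ares charon: 05[IKE] message verification failed
Sep 16 10:46:12 ares charon: 05[ENC] generating INFORMATIONAL response 17 [ N(INVAL_SYN) ]
Sep 17 05:43:41 vpn charon: 16[ENC] parsed INFORMATIONAL request 34 [ ]
Sep 17 05:43:41 vpn charon: 16[ENC] generating INFORMATIONAL response 34 [ ]
Sep 17 05:43:43 vpn charon: 09[ENC] parsed CREATE_CHILD_SA request 35 [ SA KE No ]
Sep 17 05:43:43 vpn charon: 09[IKE] IKE_SA home[467] state change: ESTABLISHED => REKEYED
Sep 17 05:43:43 vpn charon: 09[ENC] generating CREATE_CHILD_SA response 35 [ SA No KE ]
Sep 17 05:48:40 vpn charon: 11[ENC] parsed CREATE_CHILD_SA request 36 [ N(REKEY_SA) SA No KE TSi TSr ]
Sep 17 05:48:40 vpn charon: 11[ENC] generating CREATE_CHILD_SA response 36 [ SA No KE TSi TSr ]
"""

# "Sep 16 10:46:12 ares charon: 14[ENC] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
CREATE_RE = re.compile(r"parsed CREATE_CHILD_SA request (?P<mid>\d+) \[ (?P<payloads>[^\]]*)\]")
INVAL_RE = re.compile(r"generating INFORMATIONAL response (?P<mid>\d+) \[ N\(INVAL_SYN\) \]")
VERIFY_FAIL = "message verification failed"


def parse_charon(text):
    """Yield (timestamp, log group, message) for every well-formed charon line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("group"), m.group("msg")


def classify_create_child(payloads):
    """An IKE_SA rekey carries only SA/KE/Nonce; a CHILD_SA rekey also carries TSi/TSr."""
    names = payloads.split()
    return "child_sa" if ("TSi" in names or "TSr" in names) else "ike_sa"


def count_rekeys(text):
    """Count CREATE_CHILD_SA requests by kind, so benign rekeys are visible next to failed ones."""
    counts = {"ike_sa": 0, "child_sa": 0}
    for _, _, msg in parse_charon(text):
        m = CREATE_RE.search(msg)
        if m:
            counts[classify_create_child(m.group("payloads"))] += 1
    return counts


def find_rekey_invalid_syntax(text):
    """Return one finding per INVALID_SYNTAX response that follows a CREATE_CHILD_SA request.

    Each finding records the rekey's message ID, the failed request's ID, whether the failed
    request is the one immediately after the rekey (the signature seen in the thread), and
    whether charon logged a verification failure in between.
    """
    findings = []
    last_rekey = None       # (ts, message id, kind) of the most recent CREATE_CHILD_SA request
    verify_failed = False   # 'message verification failed' seen since that rekey
    for ts, _, msg in parse_charon(text):
        m = CREATE_RE.search(msg)
        if m:
            last_rekey = (ts, int(m.group("mid")), classify_create_child(m.group("payloads")))
            verify_failed = False
            continue
        if msg == VERIFY_FAIL:
            verify_failed = True
            continue
        m = INVAL_RE.search(msg)
        if m and last_rekey is not None:
            rekey_ts, rekey_mid, kind = last_rekey
            failed_mid = int(m.group("mid"))
            findings.append({
                "rekey_time": rekey_ts,
                "rekey_mid": rekey_mid,
                "rekey_kind": kind,
                "failed_mid": failed_mid,
                "next_message": failed_mid == rekey_mid + 1,
                "verification_failed": verify_failed,
            })
            last_rekey = None
    return findings


if __name__ == "__main__":
    print("rekeys seen:", count_rekeys(SAMPLE_LOG))
    for finding in find_rekey_invalid_syntax(SAMPLE_LOG):
        print("rekey followed by INVALID_SYNTAX:", finding)
```

Run against a real `/var/log/daemon.log` (or `journalctl -u strongswan`) by replacing `SAMPLE_LOG` with the file contents. A finding with `next_message` and `verification_failed` both true, repeating at the initiator's IKE lifetime, is the pattern from this thread; an INVALID_SYNTAX that is not adjacent to a rekey points somewhere else and the surrounding lines need reading on their own.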

Please post your ‘/ip ipsec export hide-sensitive’ command output. Make sure you have pfs-group set to none under IPsec Proposals for this specific peer.

I have set PFS to modp_2048; it is not working with NONE.

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=30m name="ipsec-profile" nat-traversal=no
/ip ipsec peer
add address=xxx.xxx.xxx.xxx/32 exchange-mode=ike2 local-address=yyy.yyy.yyy.yyy name=ipsec-peer profile="ipsec profile"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=ipsec-prop pfs-group=modp2048
/ip ipsec identity
add peer=ipsec-peer
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.3.0/24 peer=ipsec-peer proposal=ipsec-prop sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=yyy.yyy.yyy.yyy src-address=192.168.13.0/24 tunnel=yes

Same here with connections to NordVPN. My lifetime is set to 30 minutes, but error message pops up every 24 hours only.

Having a lifetime of 30 minutes in the IPsec proposal should not be a problem. If you set the lifetime in the IPsec profile to 30 minutes, then you can get this error. NordVPN is offering 24 hours. Obey would enforce the 24 hours (NordVPN), but maybe RouterOS is still trying to renew. You could try strict as the proposal check.

https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Profiles



/ip ipsec policy group
add name=VPN
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256 name=profile_1
add dh-group=ecp256,ecp384,ecp521 dpd-interval=10s dpd-maximum-failures=4 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=7h59m name=\
    profile_2
/ip ipsec peer
add address=XXX.XXX.XXX.XXX/32 comment=VPN exchange-mode=ike2 name=VPN profile=profile_2
add local-address=11.0.0.1 name=peer2 passive=yes profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm lifetime=15m name=VPN pfs-group=none
/ip ipsec identity
add generate-policy=port-override peer=peer2 remote-id=ignore
add auth-method=digital-signature certificate=home.pem_0 mode-config=request-only my-id=fqdn:home notrack-chain=prerouting peer=\
    VPN policy-template-group=VPN remote-certificate=server.pem_0 remote-id=ignore
/ip ipsec policy
add dst-address=0.0.0.0/0 proposal=VPN sa-dst-address=XXX.XXX.XXX.XXX sa-src-address=0.0.0.0 src-address=10.10.10.3/32 tunnel=yes

Configuration was done pre-EAP and uses implicit routing between sites.

I dropped the lifetime to 5 minutes to catch the strongSwan logs during the rekey where the INVALID_SYNTAX occurs.

Sep 17 05:43:41 VPN charon: 16[NET] received packet: from YYY.YYY.YYY.YYY[4500] to XXX.XXX.XXX.XXX[4500] (144 bytes)
Sep 17 05:43:41 VPN charon: 16[ENC] parsed INFORMATIONAL request 34 [ ]
Sep 17 05:43:41 VPN charon: 16[ENC] generating INFORMATIONAL response 34 [ ]
Sep 17 05:43:41 VPN charon: 16[NET] sending packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500] (80 bytes)
Sep 17 05:43:42 VPN charon: 06[KNL] querying policy 10.10.10.2/32 === 0.0.0.0/0 in
Sep 17 05:43:42 VPN charon: 06[KNL] querying policy 10.10.10.2/32 === 0.0.0.0/0 fwd
Sep 17 05:43:42 VPN charon: 06[IKE] sending DPD request
Sep 17 05:43:42 VPN charon: 06[IKE] queueing IKE_DPD task
Sep 17 05:43:42 VPN charon: 06[IKE] activating new tasks
Sep 17 05:43:42 VPN charon: 06[IKE]   activating IKE_DPD task
Sep 17 05:43:42 VPN charon: 06[ENC] generating INFORMATIONAL request 83 [ ]
Sep 17 05:43:42 VPN charon: 06[NET] sending packet: from XXX.XXX.XXX.XXX[4500] to ZZZ.ZZZ.ZZZ.ZZZ[4500] (80 bytes)
Sep 17 05:43:42 VPN charon: 08[NET] received packet: from ZZZ.ZZZ.ZZZ.ZZZ[4500] to XXX.XXX.XXX.XXX[4500] (96 bytes)
Sep 17 05:43:42 VPN charon: 08[ENC] parsed INFORMATIONAL request 572 [ ]
Sep 17 05:43:42 VPN charon: 08[ENC] generating INFORMATIONAL response 572 [ ]
Sep 17 05:43:42 VPN charon: 08[NET] sending packet: from XXX.XXX.XXX.XXX[4500] to ZZZ.ZZZ.ZZZ.ZZZ[4500] (80 bytes)
Sep 17 05:43:42 VPN charon: 15[NET] received packet: from ZZZ.ZZZ.ZZZ.ZZZ[4500] to XXX.XXX.XXX.XXX[4500] (96 bytes)
Sep 17 05:43:42 VPN charon: 15[ENC] parsed INFORMATIONAL response 83 [ ]
Sep 17 05:43:42 VPN charon: 15[IKE] activating new tasks
Sep 17 05:43:42 VPN charon: 15[IKE] nothing to initiate
Sep 17 05:43:42 VPN charon: 14[KNL] querying policy 10.10.10.3/32 === 0.0.0.0/0 in
Sep 17 05:43:42 VPN charon: 14[KNL] querying policy 10.10.10.3/32 === 0.0.0.0/0 fwd
Sep 17 05:43:43 VPN charon: 09[NET] received packet: from YYY.YYY.YYY.YYY[4500] to XXX.XXX.XXX.XXX[4500] (320 bytes)
Sep 17 05:43:43 VPN charon: 09[ENC] parsed CREATE_CHILD_SA request 35 [ SA KE No ]
Sep 17 05:43:43 VPN charon: 09[IKE] YYY.YYY.YYY.YYY is initiating an IKE_SA
Sep 17 05:43:43 VPN charon: 09[IKE] IKE_SA ikve2-vpn-cert-home-ipv4[468] state change: CREATED => CONNECTING
Sep 17 05:43:43 VPN charon: 09[CFG] selecting proposal:
Sep 17 05:43:43 VPN charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Sep 17 05:43:43 VPN charon: 09[CFG] selecting proposal:
Sep 17 05:43:43 VPN charon: 09[CFG]   proposal matches
Sep 17 05:43:43 VPN charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Sep 17 05:43:43 VPN charon: 09[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Sep 17 05:43:43 VPN charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Sep 17 05:43:43 VPN charon: 09[IKE] IKE_SA ikve2-vpn-cert-home-ipv4[468] state change: CONNECTING => ESTABLISHED
Sep 17 05:43:43 VPN charon: 09[IKE] scheduling rekeying in 42165s
Sep 17 05:43:43 VPN charon: 09[IKE] maximum IKE_SA lifetime 42705s
Sep 17 05:43:43 VPN charon: 09[IKE] IKE_SA ikve2-vpn-cert-home-ipv4[468] rekeyed between XXX.XXX.XXX.XXX[CN=server]...YYY.YYY.YYY.YYY[home]
Sep 17 05:43:43 VPN charon: 09[IKE] IKE_SA ikve2-vpn-cert-home-ipv4[467] state change: ESTABLISHED => REKEYED
Sep 17 05:43:43 VPN charon: 09[ENC] generating CREATE_CHILD_SA response 35 [ SA No KE ]
Sep 17 05:43:43 VPN charon: 09[NET] sending packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500] (272 bytes)

The issue that OP reported will be fixed in the next beta. It was introduced by the phase 1 rekeying support for IKEv2 in 6.45.

As far as I know, proposal-check will only work for IKEv1. With IKEv2, both sides act independently and will rekey and reauthenticate based on their own configured values.

Currently as a workaround, you can try setting the lifetime value under IPsec Profile to zero (0) to disable rekeying.

Thanks, support!