[Swan-commit] Changes to ref refs/heads/main
Antony Antony
antony at vault.libreswan.fi
Fri Oct 16 14:36:20 UTC 2020
New commits:
commit f9fada7234b69d069d00d22163229bfe071ef70e
Author: Antony Antony <antony at phenome.org>
Date: Fri Oct 16 14:21:43 2020 +0200
ikev2: allow Protocol ID IKE in Notify
Cisco sends Protocol ID IKE(1) in notifications in IKEv2 IKE_INIT.
Commit 14e07ddcf2f5 would not allow "1" and would drop the message.
RFC7296 #section-3.10 is a bit vague.
"If the SPI field is empty, this field MUST be sent as zero and
MUST be ignored on receipt."
In this case SPI is empty. Maybe Cisco should not send "1"?
For now let's allow "1".
Pluto log message
| ***parse IKEv2 Vendor ID Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
Protocol ID of IKEv2 Notify Payload has an unknown value: 1 (0x1)
"westnet-eastnet-ipv4-psk-ikev2" #1: malformed payload in packet
| processing: STOP state #0 (in process_md() at demux.c:275)
Wireshark dissection.
Payload: Vendor ID (43) : Cisco Copyright
Next payload: Notify (41)
Payload: Notify (41) - NAT_DETECTION_SOURCE_IP
Next payload: Notify (41)
0... .... = Critical Bit: Not Critical
.000 0000 = Reserved: 0x00
Payload length: 28
Protocol ID: IKE (1)
->>> above is what pluto refused
SPI Size: 0
Notify Message Type: NAT_DETECTION_SOURCE_IP (16388)
Notification DATA: 158a0910b35701b6831b2f3ff90993cd57b993ff
Payload: Notify (41) - NAT_DETECTION_DESTINATION_IP
Fixes: 14e07ddcf2f5 ("constants: organize Security Protocol ID name tables inline with IETF")
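As an added example, not part of the commit or of pluto's code, the following parser reads one IKEv2 Notify payload and applies the RFC 7296 section 3.10 rule quoted above (empty SPI: Protocol ID is ignored on receipt), with a strict mode that reproduces the rejection in the pluto log. It goes slightly beyond the commit by ignoring any Protocol ID value when the SPI is empty, rather than only additionally accepting "1". The sample bytes are constructed to match the Wireshark dissection (length 28, Protocol ID IKE, SPI size 0, NAT_DETECTION_SOURCE_IP); the notification data is made up.

```python
import struct

ISAKMP_NEXT_v2N = 41                 # Notify payload type (0x29)
PROTO_AH, PROTO_ESP = 2, 3           # Child SA protocols that carry an SPI
NAT_DETECTION_SOURCE_IP = 16388

class MalformedPayload(ValueError):
    """Raised where pluto would log 'malformed payload in packet'."""

def parse_ikev2_notify(buf: bytes, strict_protocol_id: bool = False) -> dict:
    """Parse one IKEv2 Notify payload: generic header plus notify fields.

    RFC 7296 section 3.10: if the SPI field is empty, Protocol ID MUST be
    sent as zero and MUST be ignored on receipt. strict_protocol_id=True
    instead rejects a non-zero Protocol ID with an empty SPI, which is the
    behaviour that dropped the Cisco IKE_INIT message in the commit above.
    """
    if len(buf) < 8:
        raise MalformedPayload("truncated Notify payload")
    next_payload, flags, length, proto, spi_size, ntype = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 + spi_size or length > len(buf):
        raise MalformedPayload(f"bad payload length {length}")
    if spi_size == 0:
        if strict_protocol_id and proto != 0:
            raise MalformedPayload(f"Protocol ID has an unknown value: {proto}")
        proto = None                  # empty SPI: Protocol ID is ignored
    elif proto not in (PROTO_AH, PROTO_ESP) or spi_size != 4:
        # A non-empty SPI is only valid for Child SA notifications (AH/ESP, 4-byte SPI).
        raise MalformedPayload(f"Protocol ID {proto} with SPI size {spi_size}")
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "protocol_id": proto,
        "spi": buf[8:8 + spi_size],
        "notify_type": ntype,
        "data": buf[8 + spi_size:length],
    }

# Constructed sample modelled on the Wireshark dissection in the commit:
# next payload Notify (41), not critical, length 28, Protocol ID IKE (1),
# SPI size 0, NAT_DETECTION_SOURCE_IP, 20 bytes of made-up notification data.
CISCO_STYLE_NOTIFY = struct.pack("!BBHBBH", ISAKMP_NEXT_v2N, 0, 28, 1, 0,
                                 NAT_DETECTION_SOURCE_IP) + bytes(range(20))

if __name__ == "__main__":
    print(parse_ikev2_notify(CISCO_STYLE_NOTIFY)["notify_type"])   # 16388
    try:
        parse_ikev2_notify(CISCO_STYLE_NOTIFY, strict_protocol_id=True)
    except MalformedPayload as e:
        print("strict parser:", e)
```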
commit 19607eeac96c229cefb80dc0cb5f8566f1f49b60
Author: Antony Antony <antony at phenome.org>
Date: Wed Oct 14 17:36:27 2020 +0000
testing: swan-prep use addconn configsetup to detect paths
also a few minor fixes
wipe_old now recursively umounts inside namespace
commit 2598174daadecbf41035a2bd6cba8e64b24d21a5
Author: Antony Antony <antony at phenome.org>
Date: Thu Oct 15 05:49:55 2020 +0000
testing: ipv6-addresspool-05-dual-stack add final.sh
commit 6336fb57a863780b59cf0eadfc418d05abcfe76b
Author: Antony Antony <antony at phenome.org>
Date: Thu Sep 24 15:36:08 2020 +0000
unbound: remove a misleading comment, never supported AF_UNSPEC
The comment misleads about an unsupported feature. The comment has been perpetuated
through several changes. There is no evidence of actual support of AF_UNSPEC.
Commit histories:
Fixes: 2158b617be43 ("ttoaddr, tnatoaddr, ttosubnet can discover")
Fixes: 7868b07e1f1a ("Use bool where appropriate in unbound.c")
Fixes: 38a689528e3b ("* Had forgotten to add lib/liblibreswan/unboud.c")
commit 3bc66a806457547ed53df499cba2130bec7cfa99
Author: Antony Antony <antony at phenome.org>
Date: Wed Sep 23 15:37:47 2020 +0000
addconn: fix address selection when there is A and AAAA
when left=%defaultroute and right=dns name
the dns name has A and AAAA records, IPv4 and IPv6 address.
addconn first resolves A even when hostaddrfamily=ipv6.
Now that the IPv4 destination address is found, addconn does not
attempt AAAA resolution. With IPv4 destination address and
hostaddrfamily=ipv6 %defaultroute resolution will fail.
Instead of trying A/IPv4 first then AAAA/IPv6, only resolve the
name using hostaddrfamily, when using unbound_resolve() or ttoaddr().
commit f335fc5eac856206abe43b9645e0f036a96afd33
Author: Antony Antony <antony at phenome.org>
Date: Mon Oct 12 21:27:00 2020 +0000
readwriteconf: tidy up ipsec.conf file
commit 5466829d292c8c08e9c989bdb046b70b48073550
Author: Antony Antony <antony at phenome.org>
Date: Wed Oct 14 20:59:50 2020 +0000
libswan: add white space in log line
/usr/local/libexec/ipsec/plutoadjusting nssdir to /var/lib/ipsec/nss