[Swan-commit] Changes to ref refs/heads/main

Antony Antony antony at vault.libreswan.fi
Fri Oct 16 14:36:20 UTC 2020

New commits:
commit f9fada7234b69d069d00d22163229bfe071ef70e
Author: Antony Antony <antony at phenome.org>
Date:   Fri Oct 16 14:21:43 2020 +0200

    ikev2: allow Protocol ID IKE in Notify
    Cisco sends Protocol ID IKE(1) in notifications in IKEv2 IKE_INIT.
    Commit 14e07ddcf2f5 would not allow "1" and drop the message.
    RFC7296 #section-3.10 is a bit vague.
    "If the SPI field is empty, this field MUST be sent as zero and
     MUST be ignored on receipt."
    In this case SPI is empty. Maybe Cisco should not send "1"?
    For now let's allow "1".
    Pluto log message:
    | ***parse IKEv2 Vendor ID Payload:
    |    next payload type: ISAKMP_NEXT_v2N (0x29)
    | Now let's proceed with payload (ISAKMP_NEXT_v2N)
    Protocol ID of IKEv2 Notify Payload has an unknown value: 1 (0x1)
    "westnet-eastnet-ipv4-psk-ikev2" #1: malformed payload in packet
    | processing: STOP state #0 (in process_md() at demux.c:275)
    Wireshark dissect:
       Payload: Vendor ID (43) : Cisco Copyright
            Next payload: Notify (41)
        Payload: Notify (41) - NAT_DETECTION_SOURCE_IP
            Next payload: Notify (41)
            0... .... = Critical Bit: Not Critical
            .000 0000 = Reserved: 0x00
            Payload length: 28
            Protocol ID: IKE (1)
    ->>> above is what pluto refused
            SPI Size: 0
            Notify Message Type: NAT_DETECTION_SOURCE_IP (16388)
            Notification DATA: 158a0910b35701b6831b2f3ff90993cd57b993ff
        Payload: Notify (41) - NAT_DETECTION_DESTINATION_IP
    Fixes: 14e07ddcf2f5 ("constants: organize Security Protocol ID name tables inline with IETF")
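To make the check discussed in this commit concrete, here is an added example of parsing the RFC 7296 section 3.10 Notify header and applying the same Protocol ID policy; it is illustration code written for this page, not libreswan's own parser, and the byte buffer is a constructed reassembly of the NAT_DETECTION_SOURCE_IP payload from the Wireshark dissection above. With an empty SPI it accepts Protocol ID 0 (what the RFC says to send) and 1 (what the Cisco peer sends); with an SPI present it requires AH or ESP with a 4-byte SPI, as the RFC states for Child SA notifications. A stricter reading of "MUST be ignored on receipt" would accept any value when the SPI is empty; the narrower allowance here mirrors the commit.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IKEv2 Notify payload, RFC 7296 section 3.10: an 8-byte fixed header
 * followed by an optional SPI and the notification data. */
#define IKEV2_NOTIFY_HDR_LEN 8
#define ISAKMP_NEXT_v2N 41

/* IKEv2 Security Protocol Identifiers; 0 is sent when the SPI is empty. */
enum ikev2_proto { PROTO_NONE = 0, PROTO_IKE = 1, PROTO_AH = 2, PROTO_ESP = 3 };

enum notify_status {
    NOTIFY_OK = 0,
    NOTIFY_TRUNCATED,       /* buffer shorter than the fixed header */
    NOTIFY_BAD_LENGTH,      /* Payload Length inconsistent with the buffer */
    NOTIFY_BAD_PROTOCOL_ID, /* Protocol ID not acceptable for this SPI Size */
    NOTIFY_BAD_SPI_SIZE,    /* SPI Size inconsistent with Protocol ID or length */
};

struct ikev2_notify {
    uint8_t next_payload;
    bool critical;
    uint16_t length;
    uint8_t protocol_id;
    uint8_t spi_size;
    uint16_t message_type;
    const uint8_t *spi;     /* NULL when spi_size == 0 */
    const uint8_t *data;
    size_t data_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one Notify payload from buf; all length checks happen before any
 * field is trusted. Protocol ID policy mirrors the commit: empty SPI accepts
 * 0 or 1 (IKE); a present SPI must be AH/ESP with a 4-byte SPI. */
enum notify_status parse_ikev2_notify(const uint8_t *buf, size_t buflen,
                                      struct ikev2_notify *n)
{
    if (buflen < IKEV2_NOTIFY_HDR_LEN)
        return NOTIFY_TRUNCATED;

    uint16_t length = be16(buf + 2);
    if (length < IKEV2_NOTIFY_HDR_LEN || length > buflen)
        return NOTIFY_BAD_LENGTH;

    uint8_t protocol_id = buf[4];
    uint8_t spi_size = buf[5];
    if (spi_size == 0) {
        if (protocol_id != PROTO_NONE && protocol_id != PROTO_IKE)
            return NOTIFY_BAD_PROTOCOL_ID;
    } else {
        if (protocol_id != PROTO_AH && protocol_id != PROTO_ESP)
            return NOTIFY_BAD_PROTOCOL_ID;
        if (spi_size != 4)
            return NOTIFY_BAD_SPI_SIZE;
    }
    if ((size_t)IKEV2_NOTIFY_HDR_LEN + spi_size > length)
        return NOTIFY_BAD_SPI_SIZE;

    n->next_payload = buf[0];
    n->critical = (buf[1] & 0x80) != 0;
    n->length = length;
    n->protocol_id = protocol_id;
    n->spi_size = spi_size;
    n->message_type = be16(buf + 6);
    n->spi = spi_size ? buf + IKEV2_NOTIFY_HDR_LEN : NULL;
    n->data = buf + IKEV2_NOTIFY_HDR_LEN + spi_size;
    n->data_len = (size_t)length - IKEV2_NOTIFY_HDR_LEN - spi_size;
    return NOTIFY_OK;
}

/* Constructed sample: the NAT_DETECTION_SOURCE_IP Notify from the Wireshark
 * dissection, reassembled by hand. Next Payload 41, flags 0, length 28,
 * Protocol ID 1 (IKE), SPI Size 0, type 16388 (0x4004), 20 data bytes. */
const uint8_t cisco_nat_d_src_notify[28] = {
    0x29, 0x00, 0x00, 0x1c, 0x01, 0x00, 0x40, 0x04,
    0x15, 0x8a, 0x09, 0x10, 0xb3, 0x57, 0x01, 0xb6, 0x83, 0x1b,
    0x2f, 0x3f, 0xf9, 0x09, 0x93, 0xcd, 0x57, 0xb9, 0x93, 0xff,
};

int main(void)
{
    struct ikev2_notify n;
    enum notify_status st = parse_ikev2_notify(cisco_nat_d_src_notify,
                                               sizeof cisco_nat_d_src_notify, &n);
    printf("status=%d proto=%u spi_size=%u type=%u data_len=%zu\n",
           (int)st, n.protocol_id, n.spi_size, n.message_type, n.data_len);
    return st == NOTIFY_OK ? 0 : 1;
}
```

Under the pre-commit rule (Protocol ID 0 only), the sample buffer would be rejected at the Protocol ID check and the whole IKE_SA_INIT dropped as "malformed payload", which is exactly the log line shown above; the length checks ahead of it are what keep a short or over-long Payload Length from being used to index the buffer.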

commit 19607eeac96c229cefb80dc0cb5f8566f1f49b60
Author: Antony Antony <antony at phenome.org>
Date:   Wed Oct 14 17:36:27 2020 +0000

    testing: swan-prep uses addconn configsetup to detect paths
    also a few minor fixes
    wipe_old now recursively umounts inside namespace

commit 2598174daadecbf41035a2bd6cba8e64b24d21a5
Author: Antony Antony <antony at phenome.org>
Date:   Thu Oct 15 05:49:55 2020 +0000

    testing: ipv6-addresspool-05-dual-stack add final.sh

commit 6336fb57a863780b59cf0eadfc418d05abcfe76b
Author: Antony Antony <antony at phenome.org>
Date:   Thu Sep 24 15:36:08 2020 +0000

    unbound: remove a misleading comment, never supported AF_UNSPEC
    The comment is misleading about an unsupported feature. The comment has perpetuated
    through several changes.  There is no evidence of actual support of AF_UNSPEC.
    Commit histories
    Fixes: 2158b617be43 ("ttoaddr, tnatoaddr, ttosubnet can discover")
    Fixes: 7868b07e1f1a ("Use bool where appropriate in unbound.c")
    Fixes: 38a689528e3b ("* Had forgotten to add lib/liblibreswan/unboud.c")

commit 3bc66a806457547ed53df499cba2130bec7cfa99
Author: Antony Antony <antony at phenome.org>
Date:   Wed Sep 23 15:37:47 2020 +0000

    addconn: fix address selection when there is A and AAAA
    when left=%defaultroute and right=dns name
    the dns name has A and AAAA records, IPv4 and IPv6 address.
    addconn first resolves A even when hostaddrfamily=ipv6.
    Now that the IPv4 destination address is found, addconn does not
    attempt AAAA resolution. With IPv4 destination address and
    hostaddrfamily=ipv6, %defaultroute resolution will fail.
    Instead of trying A/IPv4 first then AAAA/IPv6, only resolve the
    name using hostaddrfamily, when using unbound_resolve() or ttoaddr()

commit f335fc5eac856206abe43b9645e0f036a96afd33
Author: Antony Antony <antony at phenome.org>
Date:   Mon Oct 12 21:27:00 2020 +0000

    readwriteconf: tidy up ipsec.conf file

commit 5466829d292c8c08e9c989bdb046b70b48073550
Author: Antony Antony <antony at phenome.org>
Date:   Wed Oct 14 20:59:50 2020 +0000

    libswan: add white space in log line
    /usr/local/libexec/ipsec/plutoadjusting nssdir to /var/lib/ipsec/nss
