[Swan-dev] pluto replying with both v2N_INVALID_KE_PAYLOAD then v2N_NO_PROPOSAL_CHOSEN?

Paul Wouters paul at nohats.ca
Sat Jul 8 11:28:27 UTC 2017


On Fri, 7 Jul 2017, Andrew Cagney wrote:

> +parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> +received NO_PROPOSAL_CHOSEN notify error
> +establishing connection 'road-eastnet-ikev2' failed

> | sending 40 bytes for v2 notify through eth1:500 to 192.1.2.254:500 (using #0)
> |   13 87 4a 1b  56 bd 74 ad  00 00 00 00  00 00 00 00
> |   29 20 22 20  00 00 00 00  00 00 00 28  00 00 00 0a
> |   00 00 00 11  00 0e 00 00
> | #0 complete v2 state transition from STATE_UNDEFINED with
> v2N_NO_PROPOSAL_CHOSEN
> | sending a notification reply
> packet from 192.1.2.254:500: sending unencrypted notification
> v2N_NO_PROPOSAL_CHOSEN to 192.1.2.254:500

It should go through the state with STF_DROP, since it
already sent a reply with INVALID_KE. I'll see if I can find
out what's happening here.

> it seems to be related to c4c2c62a

It does, looking at the diff:

-                       return STF_FAIL;
-               }
+       if (ike2_match_ke_group_and_prop(md, accepted_oakley) ==
STF_FAIL) {
+               free_ikev2_proposal(&accepted_ike_proposal);
+               return STF_FAIL + v2N_NO_PROPOSAL_CHOSEN;
         }
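Review bot: the new return in the `ike2_match_ke_group_and_prop(md, accepted_oakley) == STF_FAIL` branch attaches v2N_NO_PROPOSAL_CHOSEN to every failure of that helper, where the removed line returned a bare STF_FAIL. If the helper has already answered the peer itself (the thread reports an INVALID_KE reply going out first), the caller now triggers a second, contradictory unencrypted notify for the same IKE_SA_INIT request. Suggest returning the helper's own result, or a no-reply status such as the STF_DROP mentioned in this thread, once a notify has been sent, and adding a comment on which failures of the helper are meant to map to NO_PROPOSAL_CHOSEN.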

It went from STF_FAIL to STF_FAIL + v2N_NO_PROPOSAL_CHOSEN.

Paul

> Andrew
>
> PS: the log http://testing.libreswan.org/results/v3.20-709-g8de1339-master/interop-ikev2-strongswan-11-nat-initiator/OUTPUT/east.pluto.log.bz2
> shows the behaviour; look for INVALID_KE
>
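Added example, not part of the original thread or libreswan's code: a minimal decoder for the 40-byte dump quoted above. It shows that the first reply on the wire is an INVALID_KE_PAYLOAD notify (type 17, data `00 0e`, i.e. DH group 14), which the log then follows with NO_PROPOSAL_CHOSEN. The numeric constants are from RFC 7296; the function name `parse_notify_reply` is hypothetical.

```python
import struct

# Bytes copied from the "sending 40 bytes for v2 notify" dump quoted above.
DUMP = bytes.fromhex(
    "13874a1b56bd74ad" "0000000000000000"
    "29202220" "00000000" "00000028" "0000000a"
    "00000011" "000e0000"
)

# Values from RFC 7296; only the ones this thread mentions are listed.
PAYLOAD_NOTIFY = 41
EXCHANGES = {34: "IKE_SA_INIT"}
NOTIFIES = {14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD"}


def parse_notify_reply(pkt):
    """Decode the IKEv2 header and walk the payload chain, returning notifies."""
    if len(pkt) < 28:
        raise ValueError("shorter than an IKE header")
    spi_i, spi_r, next_pl, version, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("header length %d != datagram %d" % (length, len(pkt)))
    notifies, off = [], 28
    while next_pl != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        following, _crit, pl_len = struct.unpack("!BBH", pkt[off:off + 4])
        if pl_len < 4 or off + pl_len > len(pkt):
            raise ValueError("bad payload length %d" % pl_len)
        body = pkt[off + 4:off + pl_len]
        if next_pl == PAYLOAD_NOTIFY:
            if len(body) < 4 or 4 + body[1] > len(body):
                raise ValueError("truncated notify payload")
            proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            data = body[4 + spi_size:]  # notification data follows the SPI
            notifies.append((NOTIFIES.get(ntype, str(ntype)), data))
        next_pl, off = following, off + pl_len
    return {
        "exchange": EXCHANGES.get(exch, str(exch)),
        "response": bool(flags & 0x20),   # R bit in the flags octet
        "msgid": msgid,
        "notifies": notifies,
        "trailing": len(pkt) - off,       # bytes after the last payload
    }


if __name__ == "__main__":
    print(parse_notify_reply(DUMP))
```

Running the same decoder over both replies in a packet capture is a quick way to confirm that one IKE_SA_INIT request drew two different notifies.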

