[Swan-dev] CentOS libreswan vs Fedora libreswan

D. Hugh Redelmeier hugh at mimosa.com
Sun Jun 30 16:10:27 UTC 2019


I'm trying to build a tunnel between a Fedora and a CentOS system, both 
running libreswan-3.29-1 packages.

I don't specify any cryptosuites -- I just let them default.

Much to my surprise, the CentOS Responder refuses the Fedora Initiator's 
negotiation:

  initiator guessed wrong keying material group (ECP_256); responding with INVALID_KE_PAYLOAD requesting MODP2048
  responding to IKE_SA_INIT (34) message (Message ID 0) from 99.241.4.30:500 with unencrypted notification INVALID_KE_PAYLOAD

This response is fairly useless since the Initiator ought to ignore 
unencrypted notifications.  This is surely a limitation of the protocol 
standard.

It also seems pretty dumb to not have defaulted cryptosuites be
compatible.  I'm sure that there are excuses.  What are they?

ipsec auto --up prints progress information, but does not report this 
notification, making debugging harder than it should be.

- why would 3.29 default to something 3.29 doesn't accept?

- what is the minimal addition that I can make to the conn to allow 
  interop?  I don't wish to specify any part of the cryptosuites but I 
  certainly don't want to provide a complete and detailed specification.

Editorial comment: This sure seems like the kind of problem to drive 
people away from ipsec.  This should be fixed!
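The INVALID_KE_PAYLOAD round trip from the log above, modelled as an added example that is not libreswan code: the initiator lists its DH groups in the SA payload but can only send key material for one guessed group in the KE payload, and a responder whose first choice differs answers with a two-octet group number (RFC 7296, section 2.7) that the initiator must use for a second IKE_SA_INIT. The group lists, the responder's "first acceptable group in my own order" policy and the two-round limit are assumptions for the simulation, not libreswan's actual defaults.

```python
import struct
from dataclasses import dataclass

# IANA IKEv2 Transform Type 4 (Diffie-Hellman group) identifiers.
MODP2048 = 14
ECP_256 = 19
# IKEv2 Notify Message Types (RFC 7296, section 3.10.1).
NO_PROPOSAL_CHOSEN = 14
INVALID_KE_PAYLOAD = 17

@dataclass
class IkeSaInit:
    offered: list   # DH groups listed in the SA payload, in the initiator's preference order
    ke_group: int   # group of the KE payload actually sent: the initiator's guess

@dataclass
class Notify:
    msg_type: int
    data: bytes = b""

def encode_invalid_ke(group: int) -> Notify:
    # INVALID_KE_PAYLOAD data is a two-octet big-endian DH group number (RFC 7296, section 2.7).
    return Notify(INVALID_KE_PAYLOAD, struct.pack("!H", group))

def decode_invalid_ke(n: Notify) -> int:
    if n.msg_type != INVALID_KE_PAYLOAD or len(n.data) != 2:
        raise ValueError("malformed INVALID_KE_PAYLOAD")
    return struct.unpack("!H", n.data)[0]

def responder(accepted: list, msg: IkeSaInit):
    """Assumed policy: pick the first group in the responder's own list that the initiator offered."""
    chosen = next((g for g in accepted if g in msg.offered), None)
    if chosen is None:
        return Notify(NO_PROPOSAL_CHOSEN)
    if chosen != msg.ke_group:
        return encode_invalid_ke(chosen)  # wrong guess: ask for a retry with this group
    return chosen  # IKE_SA_INIT accepted with this group

def negotiate(initiator_groups: list, responder_groups: list, max_rounds: int = 2):
    """Drive the exchange; return (agreed group or None, IKE_SA_INIT round trips used)."""
    guess = initiator_groups[0]
    for rounds in range(1, max_rounds + 1):
        reply = responder(responder_groups, IkeSaInit(initiator_groups, guess))
        if isinstance(reply, int):
            return reply, rounds
        if reply.msg_type != INVALID_KE_PAYLOAD:
            return None, rounds
        guess = decode_invalid_ke(reply)
        if guess not in initiator_groups:  # RFC 7296, section 2.7: only honour a group we proposed
            return None, rounds
    return None, max_rounds
```

With an initiator list of [ECP_256, MODP2048] and a responder that only accepts MODP2048, the tunnel needs two IKE_SA_INIT round trips; when the responder accepts neither offered group it answers NO_PROPOSAL_CHOSEN instead and no retry is attempted.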
