[Swan-dev] CentOS libreswan vs Fedora libreswan
D. Hugh Redelmeier
hugh at mimosa.com
Sun Jun 30 17:08:05 UTC 2019
Still figuring this out, but I'm wrong. Libreswan does pay attention
to the unencrypted (and unauthenticated) notification.
On Sun, 30 Jun 2019, D. Hugh Redelmeier wrote:
| From: D. Hugh Redelmeier <hugh at mimosa.com>
| To: Libreswan Development List <swan-dev at lists.libreswan.org>
| Date: Sun, 30 Jun 2019 12:10:27 -0400 (EDT)
| Subject: [Swan-dev] CentOS libreswan vs Fedora libreswan
| I'm trying to build a tunnel between a Fedora and a CentOS system, both
| running libreswan-3.29-1 packages.
| I don't specify any cryptosuites -- I just let them default.
| Much to my surprise, the CentOS Responder refuses the Fedora Initiator's
| initiator guessed wrong keying material group (ECP_256); responding with INVALID_KE_PAYLOAD requesting MODP2048
| responding to IKE_SA_INIT (34) message (Message ID 0) from 220.127.116.11:500 with unencrypted notification INVALID_KE_PAYLOAD
| This response is fairly useless since the Initiator ought ignore
| unencrypted notifications. This is surely a limitation of the protocol
| It's also seems pretty dumb to not have defaulted cryptosuites be
| compatable. I'm sure that there are excuses. What are they?
| ipsec auto --up prints progress information, but does not report this
| notification, making debugging harder than it should be.
| - why would 3.29 default to something 3.29 doesn't accept?
| - what is the minimal adition that I can make to the conn to allow
| interop? I don't wish to specify any part of the cryptosuites but I
| certainly don't want to provide a complete and detailed specification.
| Editorial comment: This sure seems like the kind of problem to drive
| people away from ipsec. This should be fixed!
| Swan-dev mailing list
| Swan-dev at lists.libreswan.org
More information about the Swan-dev