[Swan-dev] _parse_pam_auth_rsp: AUTH FAILURE

Paul Wouters paul at nohats.ca
Thu Dec 10 03:51:37 UTC 2020


On Wed, 9 Dec 2020, Balaji Thoguluva wrote:

> With the 3.32 version, we tested IPsec Rekey functionality. But we are not able to see the expected behavior of rekey. We tried establishing a tunnel
> between the 2 Libreswan. What we noticed is when one of the Libreswan sends CREATE_CHILD_SA request to the other end, the other end sends ICMP 550
> destination unreachable (Communication administratively prevented) error message.
> 
> Attached is a zip of wireshark, initiator and responder pluto logs.
> 
> Dec  9 12:14:26.800597: |   02 00 01 f4  0a c4 ff 4b  00 00 00 00  00 00 00 00
> Dec  9 12:14:26.800617: "taccert" #1: ERROR: asynchronous network error report on ens32 (10.196.253.12:500) for message to 10.196.255.75 port 500,
> complainant 10.196.255.75: No route to host [errno 113, origin ICMP type 3 code 13 (not authenticated)]
> Dec  9 12:14:26.800630: | spent 0.181 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
> 
> If you can shed some light on this, that would be great.

That's weird. Your endpoint sends a No route to host?
That looks like something strange is happening in your network. It is
not related to libreswan, but possibly to routing table or firewall
changes?

Paul

