[Swan-dev] IPsec rekey from Libreswan not initiated
Balaji Thoguluva
tbbalaji at gmail.com
Tue Nov 24 20:50:17 UTC 2020
Hi Folks,
I am using the below configuration with an intent to do IPsec rekey
initiated from Libreswan.
conn radcert
ikev2=yes
left=10.196.175.174
leftsubnet=10.196.175.174/32
leftprotoport=17/1812
right=10.196.176.11
rightsubnet=10.196.176.11/32
rightprotoport=17/1812
auto=ondemand
ike=aes256-sha256;dh14
phase2=esp
phase2alg=aes256-sha1;modp2048
pfs=yes
authby=secret
type=tunnel
esn=no
rekey=yes
salifetime=300s
ikelifetime=3600s
dpddelay=0s
dpdtimeout=0s
dpdaction=hold
After the tunnel is established successfully, when it is about to rekey,
Libreswan sends an INFORMATIONAL message to the peer to delete the tunnel
instead of sending a CREATE_CHILD_SA request to rekey the IPsec SAs.
The pluto logs show the following:
2020-11-24T20:02:20.197308+00:00 [localhost] pluto[3151]: initiate on
demand from 10.196.176.11:1812 to 10.196.175.174:1812 proto=17 because:
acquire
2020-11-24T20:02:20.197513+00:00 [localhost] pluto[3151]: "radcert" #1:
initiating v2 parent SA
2020-11-24T20:02:20.197589+00:00 [localhost] pluto[3151]: "radcert" #1:
local IKE proposals for radcert (IKE SA initiator selecting KE):
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
2020-11-24T20:02:20.200075+00:00 [localhost] pluto[3151]: "radcert" #1:
STATE_PARENT_I1: sent v2I1, expected v2R1
2020-11-24T20:02:20.217844+00:00 [localhost] pluto[3151]: "radcert" #1:
WARNING: connection radcert PSK length of 6 bytes is too short for sha2_256
PRF in FIPS mode (16 bytes required)
2020-11-24T20:02:20.217937+00:00 [localhost] pluto[3151]: "radcert" #1:
local ESP/AH proposals for radcert (IKE SA initiator emitting ESP/AH
proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
2020-11-24T20:02:20.217971+00:00 [localhost] pluto[3151]: "radcert" #2:
STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256
integ=sha256_128 prf=sha2_256 group=MODP2048}
2020-11-24T20:02:20.238937+00:00 [localhost] pluto[3151]: "radcert" #2:
IKEv2 mode peer ID is ID_IPV4_ADDR: '10.196.175.174'
2020-11-24T20:02:20.238972+00:00 [localhost] pluto[3151]: "radcert" #2:
WARNING: connection radcert PSK length of 6 bytes is too short for sha2_256
PRF in FIPS mode (16 bytes required)
2020-11-24T20:02:20.239022+00:00 [localhost] pluto[3151]: "radcert" #2:
Authenticated using authby=secret
2020-11-24T20:02:20.248968+00:00 [localhost] pluto[3151]: "radcert" #2:
negotiated connection [10.196.176.11-10.196.176.11:1812-1812 17] ->
[10.196.175.174-10.196.175.174:1812-1812 17]
2020-11-24T20:02:20.248978+00:00 [localhost] pluto[3151]: "radcert" #2:
STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xcf9c50b2
<0x822e195c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
2020-11-24T20:02:25.233008+00:00 [localhost] sshd[3560]:
pam_authp(sshd:auth): _parse_pam_auth_rsp: parsing message
......
......
2020-11-24T20:02:25.377763+00:00 [localhost] sshd[3570]:
pam_checkuser(sshd:setcred): _check_user: check for root
2020-11-24T20:02:25.377769+00:00 [localhost] sshd[3570]:
pam_authp(sshd:setcred): pam_sm_setcred: started
2020-11-24T20:02:53.240186+00:00 [localhost] pluto[3151]: "radcert" #2:
Neither IKEv1 nor IKEv2 allowed: ENCRYPT+TUNNEL
2020-11-24T20:03:48.858151+00:00 [localhost] sshd[3605]: PAM unable to
resolve symbol: pam_sm_authenticate
2020-11-24T20:03:48.858196+00:00 [localhost] sshd[3605]: PAM unable to
resolve symbol: pam_sm_setcred
......
......
2020-11-24T20:04:04.743314+00:00 [localhost] sshd[3605]:
pam_authp(sshd:setcred): pam_sm_setcred: started
2020-11-24T20:07:20.240403+00:00 [localhost] pluto[3151]: "radcert" #2:
deleting state (STATE_V2_IPSEC_I) and sending notification
2020-11-24T20:07:20.240451+00:00 [localhost] pluto[3151]: "radcert" #2: ESP
traffic information: in=73B out=96B
2020-11-24T20:07:20.245347+00:00 [localhost] pluto[3151]: expire unused
parent SA #1 "radcert"
2020-11-24T20:07:20.245375+00:00 [localhost] pluto[3151]: "radcert" #1:
ISAKMP SA expired (LATEST!)
2020-11-24T20:07:20.245379+00:00 [localhost] pluto[3151]: "radcert" #1:
deleting state (STATE_PARENT_I3) and sending notification
2020-11-24T20:07:20.251512+00:00 [localhost] pluto[3151]: packet from
10.196.175.174:500: ISAKMP_v2_INFORMATIONAL message response has no
matching IKE SA
2020-11-24T20:07:20.251772+00:00 [localhost] pluto[3151]: packet from
10.196.175.174:500: ISAKMP_v2_INFORMATIONAL message response has no
matching IKE SA
2020-11-24T20:08:49.349189+00:00 [localhost] sshd[3680]: PAM unable to
resolve symbol: pam_sm_authenticate
.....
Am I missing anything in the configuration? Any idea why it is not working
as intended?
Thanks,
Balaji
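One way to check a pluto log for exactly the symptom described in this post, as an added example that is not part of the original message or of Libreswan itself: the script below parses the `"conn" #N:` log lines, records when each child SA was established and deleted, looks for any rekey attempt in between, and flags SAs that were torn down at roughly the configured salifetime without one. The log format and the sample lines come from the post above (sshd/PAM noise omitted); the "rekey"/"CREATE_CHILD_SA" substring match and the second, healthy sample's rekey wording are assumptions made for illustration, not verbatim Libreswan messages.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Matches the pluto lines of the form:
#   <ISO timestamp> [host] pluto[pid]: "<conn>" #<state>: <message>
# Lines without a connection/state prefix (sshd, PAM, "packet from ...")
# are skipped, which is what we want for an SA-lifecycle audit.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \[\S+\] pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)

# Constructed sample: the relevant lines from the post, with the exact
# timestamps and state numbers shown there.
SAMPLE_LOG = """\
2020-11-24T20:02:20.197513+00:00 [localhost] pluto[3151]: "radcert" #1: initiating v2 parent SA
2020-11-24T20:02:20.248978+00:00 [localhost] pluto[3151]: "radcert" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xcf9c50b2 <0x822e195c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
2020-11-24T20:02:53.240186+00:00 [localhost] pluto[3151]: "radcert" #2: Neither IKEv1 nor IKEv2 allowed: ENCRYPT+TUNNEL
2020-11-24T20:07:20.240403+00:00 [localhost] pluto[3151]: "radcert" #2: deleting state (STATE_V2_IPSEC_I) and sending notification
2020-11-24T20:07:20.245375+00:00 [localhost] pluto[3151]: "radcert" #1: ISAKMP SA expired (LATEST!)
"""

# Constructed "healthy" sample for contrast. The rekey line's wording is a
# placeholder chosen for this example, NOT a verbatim Libreswan message.
HEALTHY_LOG = """\
2020-11-24T21:00:00.000000+00:00 [localhost] pluto[3151]: "radcert" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x01 <0x02}
2020-11-24T21:04:30.000000+00:00 [localhost] pluto[3151]: "radcert" #2: initiating rekey of Child SA (placeholder wording)
2020-11-24T21:05:00.000000+00:00 [localhost] pluto[3151]: "radcert" #2: deleting state (STATE_V2_IPSEC_I) and sending notification
"""


@dataclass
class ChildSA:
    conn: str
    state: int
    established: Optional[datetime] = None
    deleted: Optional[datetime] = None
    rekey_seen: bool = False          # any rekey-related line between establish and delete
    notes: List[str] = field(default_factory=list)  # warnings worth surfacing


def parse_pluto(log_text: str) -> Dict[Tuple[str, int], ChildSA]:
    """Group pluto log lines by (connection, state number) and track the SA lifecycle."""
    sas: Dict[Tuple[str, int], ChildSA] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])  # handles the +00:00 offset and microseconds
        key = (m["conn"], int(m["state"]))
        sa = sas.setdefault(key, ChildSA(*key))
        msg = m["msg"]
        if "IPsec SA established" in msg:
            sa.established = ts
        elif msg.startswith("deleting state"):
            sa.deleted = ts
        elif "rekey" in msg.lower() or "CREATE_CHILD_SA" in msg:
            # Assumption: any line mentioning a rekey counts as an attempt.
            sa.rekey_seen = True
        if msg.startswith("WARNING:") or "Neither IKEv1 nor IKEv2 allowed" in msg:
            sa.notes.append(msg)
    return sas


def audit(log_text: str, salifetime_s: int, tolerance_s: int = 5) -> List[dict]:
    """Flag child SAs deleted at about salifetime with no rekey attempt logged."""
    findings = []
    for sa in parse_pluto(log_text).values():
        if sa.established is None or sa.deleted is None:
            continue  # parent SAs and SAs still alive are not child-SA lifecycle findings
        elapsed = (sa.deleted - sa.established).total_seconds()
        findings.append({
            "conn": sa.conn,
            "state": sa.state,
            "elapsed_s": round(elapsed),
            "rekey_seen": sa.rekey_seen,
            "expired_without_rekey": (not sa.rekey_seen)
                                     and abs(elapsed - salifetime_s) <= tolerance_s,
            "notes": sa.notes,
        })
    return findings


if __name__ == "__main__":
    for name, log in (("post", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        for f in audit(log, salifetime_s=300):
            print(name, f)
```

Run against the post's lines with `salifetime_s=300`, the audit reports state #2 deleted 300 seconds after establishment with no rekey line in between, and carries the "Neither IKEv1 nor IKEv2 allowed: ENCRYPT+TUNNEL" warning alongside it, which is the line to bring to the list or to `ipsec status` output when asking why the SA was replaced by a delete rather than a CREATE_CHILD_SA.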