[Swan-dev] IPsec rekey from Libreswan not initiated

Balaji Thoguluva tbbalaji at gmail.com
Tue Nov 24 20:50:17 UTC 2020


Hi Folks,

I am using the configuration below with the intent of having the IPsec rekey
initiated from Libreswan.

conn radcert
        ikev2=yes
        left=10.196.175.174
        leftsubnet=10.196.175.174/32
        leftprotoport=17/1812
        right=10.196.176.11
        rightsubnet=10.196.176.11/32
        rightprotoport=17/1812
        auto=ondemand
        ike=aes256-sha256;dh14
        phase2=esp
        phase2alg=aes256-sha1;modp2048
        pfs=yes
        authby=secret
        type=tunnel
        esn=no
        rekey=yes
        salifetime=300s
        ikelifetime=3600s
        dpddelay=0s
        dpdtimeout=0s
        dpdaction=hold

After the tunnel is established successfully, when it is about to rekey,
Libreswan sends an INFORMATIONAL message to the peer to delete the tunnel
instead of sending a CREATE_CHILD_SA request to rekey the IPsec SAs.

The pluto logs show the following:

2020-11-24T20:02:20.197308+00:00 [localhost] pluto[3151]: initiate on
demand from 10.196.176.11:1812 to 10.196.175.174:1812 proto=17 because:
acquire
2020-11-24T20:02:20.197513+00:00 [localhost] pluto[3151]: "radcert" #1:
initiating v2 parent SA
2020-11-24T20:02:20.197589+00:00 [localhost] pluto[3151]: "radcert" #1:
local IKE proposals for radcert (IKE SA initiator selecting KE):
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
2020-11-24T20:02:20.200075+00:00 [localhost] pluto[3151]: "radcert" #1:
STATE_PARENT_I1: sent v2I1, expected v2R1
2020-11-24T20:02:20.217844+00:00 [localhost] pluto[3151]: "radcert" #1:
WARNING: connection radcert PSK length of 6 bytes is too short for sha2_256
PRF in FIPS mode (16 bytes required)
2020-11-24T20:02:20.217937+00:00 [localhost] pluto[3151]: "radcert" #1:
local ESP/AH proposals for radcert (IKE SA initiator emitting ESP/AH
proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED
2020-11-24T20:02:20.217971+00:00 [localhost] pluto[3151]: "radcert" #2:
STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256
integ=sha256_128 prf=sha2_256 group=MODP2048}
2020-11-24T20:02:20.238937+00:00 [localhost] pluto[3151]: "radcert" #2:
IKEv2 mode peer ID is ID_IPV4_ADDR: '10.196.175.174'
2020-11-24T20:02:20.238972+00:00 [localhost] pluto[3151]: "radcert" #2:
WARNING: connection radcert PSK length of 6 bytes is too short for sha2_256
PRF in FIPS mode (16 bytes required)
2020-11-24T20:02:20.239022+00:00 [localhost] pluto[3151]: "radcert" #2:
Authenticated using authby=secret
2020-11-24T20:02:20.248968+00:00 [localhost] pluto[3151]: "radcert" #2:
negotiated connection [10.196.176.11-10.196.176.11:1812-1812 17] ->
[10.196.175.174-10.196.175.174:1812-1812 17]
2020-11-24T20:02:20.248978+00:00 [localhost] pluto[3151]: "radcert" #2:
STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xcf9c50b2
<0x822e195c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
2020-11-24T20:02:25.233008+00:00 [localhost] sshd[3560]:
pam_authp(sshd:auth): _parse_pam_auth_rsp: parsing message
......
......
2020-11-24T20:02:25.377763+00:00 [localhost] sshd[3570]:
pam_checkuser(sshd:setcred): _check_user: check for root
2020-11-24T20:02:25.377769+00:00 [localhost] sshd[3570]:
pam_authp(sshd:setcred): pam_sm_setcred: started
2020-11-24T20:02:53.240186+00:00 [localhost] pluto[3151]: "radcert" #2:
Neither IKEv1 nor IKEv2 allowed: ENCRYPT+TUNNEL
2020-11-24T20:03:48.858151+00:00 [localhost] sshd[3605]: PAM unable to
resolve symbol: pam_sm_authenticate
2020-11-24T20:03:48.858196+00:00 [localhost] sshd[3605]: PAM unable to
resolve symbol: pam_sm_setcred
......
......
2020-11-24T20:04:04.743314+00:00 [localhost] sshd[3605]:
pam_authp(sshd:setcred): pam_sm_setcred: started
2020-11-24T20:07:20.240403+00:00 [localhost] pluto[3151]: "radcert" #2:
deleting state (STATE_V2_IPSEC_I) and sending notification
2020-11-24T20:07:20.240451+00:00 [localhost] pluto[3151]: "radcert" #2: ESP
traffic information: in=73B out=96B
2020-11-24T20:07:20.245347+00:00 [localhost] pluto[3151]: expire unused
parent SA #1 "radcert"
2020-11-24T20:07:20.245375+00:00 [localhost] pluto[3151]: "radcert" #1:
ISAKMP SA expired (LATEST!)
2020-11-24T20:07:20.245379+00:00 [localhost] pluto[3151]: "radcert" #1:
deleting state (STATE_PARENT_I3) and sending notification
2020-11-24T20:07:20.251512+00:00 [localhost] pluto[3151]: packet from
10.196.175.174:500: ISAKMP_v2_INFORMATIONAL message response has no
matching IKE SA
2020-11-24T20:07:20.251772+00:00 [localhost] pluto[3151]: packet from
10.196.175.174:500: ISAKMP_v2_INFORMATIONAL message response has no
matching IKE SA
2020-11-24T20:08:49.349189+00:00 [localhost] sshd[3680]: PAM unable to
resolve symbol: pam_sm_authenticate
.....

Am I missing anything in the configuration? Any idea why it is not working
as intended?

Thanks,
Balaji
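A small log-triage helper, added here as an example (it is not part of the post or of Libreswan): it parses pluto lines of the kind quoted above, pairs each Child SA's "IPsec SA established" line with its "deleting state (STATE_V2_IPSEC_I)" line, and flags an SA that lived out its full salifetime with no replacement SA coming up in between, which is the symptom described in the post. The log excerpt is copied from the post; the one-second tolerance and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed excerpt: four pluto lines copied from the log quoted in the post.
PLUTO_LOG = """\
2020-11-24T20:02:20.248978+00:00 [localhost] pluto[3151]: "radcert" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xcf9c50b2 <0x822e195c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
2020-11-24T20:02:53.240186+00:00 [localhost] pluto[3151]: "radcert" #2: Neither IKEv1 nor IKEv2 allowed: ENCRYPT+TUNNEL
2020-11-24T20:07:20.240403+00:00 [localhost] pluto[3151]: "radcert" #2: deleting state (STATE_V2_IPSEC_I) and sending notification
2020-11-24T20:07:20.245379+00:00 [localhost] pluto[3151]: "radcert" #1: deleting state (STATE_PARENT_I3) and sending notification
"""

# syslog prefix, then pluto's '"conn" #N: message' form as it appears in the post
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


def parse_pluto(text):
    """Yield (timestamp, conn, state_number, message) for lines tagged with a state."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["conn"], int(m["sa"]), m["msg"]


def audit_child_sas(text, salifetime_s, tolerance_s=1.0):
    """Pair each Child SA's establishment with its deletion and report whether it was
    replaced while alive (a rekey) or simply ran to salifetime and was torn down.
    tolerance_s (assumed) absorbs the millisecond skew between the two log lines."""
    events, established = {}, []
    for ts, conn, sa, msg in parse_pluto(text):
        ev = events.setdefault((conn, sa), {"up": None, "down": None, "policy_errors": []})
        if "IPsec SA established" in msg:
            ev["up"] = ts
            established.append((conn, ts))
        elif msg.startswith("deleting state (STATE_V2_IPSEC_I)"):
            ev["down"] = ts
        elif "Neither IKEv1 nor IKEv2 allowed" in msg:
            ev["policy_errors"].append(msg)
    findings = []
    for (conn, sa), ev in events.items():
        if ev["up"] is None or ev["down"] is None:
            continue  # IKE SA, or a Child SA still alive at the end of the log
        lifetime = (ev["down"] - ev["up"]).total_seconds()
        replaced = any(c == conn and ev["up"] < t < ev["down"] for c, t in established)
        findings.append({
            "conn": conn, "sa": sa, "lifetime_s": lifetime, "replaced": replaced,
            "policy_errors": ev["policy_errors"],
            "expired_without_rekey": not replaced and abs(lifetime - salifetime_s) <= tolerance_s,
        })
    return findings
```

Run `audit_child_sas(PLUTO_LOG, salifetime_s=300)` against the excerpt: SA #2 lives almost exactly 300 s, no other Child SA appears, and the policy error is recorded on the same state.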