[Swan-dev] What does "missing v2CP reply" mean?
Brady Johnson
bradyjoh at redhat.com
Thu Feb 15 13:37:25 EET 2024
Hello,
We are trying to create a host-to-subnet tunnel and are getting an error
message that we do not understand.
The high-level overview is as follows:
- The server is the subnet side of the host-to-subnet
- The server subnet is 172.16.110.0/24
- The server IP is 10.1.98.208
- The client is the host side of the host-to-subnet
- The client IP is 10.1.98.152
Here are the configs (notice that the client is configured with nmstate (YAML)):
Server config:
conn server01.cnf.com
    # "right" is client
    right=10.1.98.152
    rightid=%fromcert
    rightrsasigkey=%cert
    # "left" is server
    left=10.1.98.208
    leftid=%fromcert
    leftrsasigkey=%cert
    leftcert=server01.cnf.com
    leftsubnet=172.16.110.0/24
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist
    auto=start
    dpddelay=5
    dpdtimeout=30
    dpdaction=clear
Client config:
interfaces:
- name: hosta_conn
  type: ipsec
  ipv4:
    enabled: true
    dhcp: true
  libreswan:
    # "right" is the server config
    right: 10.1.98.208
    rightid: '%fromcert'
    rightrsasigkey: '%cert'
    rightsubnet: 172.16.110.0/24
    # "left" is the client config
    left: 10.1.98.152
    leftid: '%fromcert'
    leftrsasigkey: '%cert'
    leftcert: client01.cnf.com
    ike: aes_gcm256-sha2_256
    esp: aes_gcm256
    ikev2: insist
    dpddelay: 5
    dpdtimeout: 30
    dpdaction: clear
The version on both the client and the server is the same:
[cloud-user at saledortvm2 ipsec]$ ipsec version
Libreswan 4.12
[cloud-user at saledortvm ipsec]$ ipsec version
Libreswan 4.12
Here is the server-side log:
Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": IKE SA proposals (connection add):
Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": Child SA proposals (connection add):
Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": 1:ESP=AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": loaded private key matching left certificate 'server01.cnf.com'
Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": added IKEv2 connection
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match]
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,CP,SA,TSi,TSr}
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: responder established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=client01.cnf.com, O=CNF' issued by CA 'CN=cnfca.cnf.com, O=CNF'
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: proposal 1:ESP=AES_GCM_C_256-ENABLED SPI=a359e685 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=ENABLED;ESN=DISABLED[first-match]
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: responder established Child SA using #2; IPsec tunnel [172.16.110.0-172.16.110.255:0-65535 0] -> [10.1.98.152-10.1.98.152:0-65535 0] {ESP/ESN=>0xa359e685 <0x95b3f5ee xfrm=AES_GCM_16_256-NONE DPD=active}
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: ESP traffic information: in=0B out=0B
Feb 15 06:16:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 60.000795s and NOT sending notification
Here is the client-side log:
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": IKE SA proposals (connection add):
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": Child SA proposals (connection add):
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": 1:ESP=AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": loaded private key matching left certificate 'client01.cnf.com'
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": added IKEv2 connection
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: initiating IKEv2 connection
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: sent IKE_SA_INIT request to 10.1.98.208:500
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=server01.cnf.com, O=CNF' issued by CA 'CN=cnfca.cnf.com, O=CNF'
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: missing v2CP reply, not attempting to setup child SA
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: IKE SA established but initiator rejected Child SA response
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: deleting larval Child SA using IKE SA #1
Feb 15 06:15:48 saledortvm pluto[112986]: ERROR: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: netlink response for Del SA esp.95b3f5ee at 10.1.98.208: No such process (errno 3)
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: received delete request for IKEv2_SEC_PROTO_ESP SA(0x95b3f5ee) but corresponding state not found
What do these 2 error messages on the client mean?
#2: missing v2CP reply, not attempting to setup child SA
#1: IKE SA established but initiator rejected Child SA response
Regards,
Brady Johnson
Principal Software Engineer
Telco Solutions & Enablement
brady.johnson at redhat.com
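As an added illustration (not part of the post and not Libreswan project code), the following Python script parses pluto log lines in the layout quoted above and summarises, per connection, which side the host played, whether the IKE SA and the Child SA came up, and which messages explain a Child SA that did not. The sample input is the client- and server-side lines from the post, re-joined onto one line each; the message fragments it matches ("established IKE SA", "missing v2CP reply", "rejected Child SA response", and so on) are those that appear in the post, and the line layout regex is an assumption based on those lines, not a reference to the pluto source.

```python
import re
from collections import defaultdict

# Layout of a Libreswan 4.x pluto syslog line, as quoted in the post (assumed):
#   <Mon DD HH:MM:SS> <host> pluto[<pid>]: [ERROR: ]"<conn>"[ #<state>]: <message>
PLUTO_LINE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'pluto\[(?P<pid>\d+)\]: (?P<error>ERROR: )?'
    r'"(?P<conn>[^"]+)"(?: #(?P<state>\d+))?: (?P<msg>.*)$'
)

# Message fragments (taken from the post) that mark IKEv2 milestones.
IKE_SA_UP = "established IKE SA"
CHILD_SA_UP = "established Child SA"
IKE_SA_DELETED = "deleting state (STATE_V2_ESTABLISHED_IKE_SA)"
CHILD_FAILURE_MARKERS = (
    "missing v2CP reply",
    "rejected Child SA response",
    "deleting larval Child SA",
)


def parse_pluto_lines(lines):
    """Turn pluto log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = PLUTO_LINE.match(line.strip())
        if m is None:
            continue
        event = m.groupdict()
        event["error"] = event["error"] is not None
        event["state"] = int(event["state"]) if event["state"] is not None else None
        events.append(event)
    return events


def diagnose(events):
    """Summarise each connection: role, whether the IKE SA and Child SA came up,
    whether the IKE SA was later deleted, and the messages explaining a failed
    Child SA or a kernel-side error."""
    by_conn = defaultdict(list)
    for event in events:
        by_conn[event["conn"]].append(event)

    report = {}
    for conn, conn_events in by_conn.items():
        role = None
        ike_up = child_up = ike_deleted = False
        reasons, errors = [], []
        for event in conn_events:
            msg = event["msg"]
            if event["error"]:
                errors.append(f"#{event['state']}: {msg}")
            elif IKE_SA_UP in msg:
                ike_up = True
                role = "initiator" if msg.startswith("initiator") else "responder"
            elif CHILD_SA_UP in msg:
                child_up = True
            elif IKE_SA_DELETED in msg:
                ike_deleted = True
            elif any(marker in msg for marker in CHILD_FAILURE_MARKERS):
                reasons.append(f"#{event['state']}: {msg}")
        if ike_up and child_up:
            status = "tunnel up"
        elif ike_up:
            status = "IKE SA up, Child SA failed"
        else:
            status = "no IKE SA"
        report[conn] = {"role": role, "status": status,
                        "ike_sa_deleted": ike_deleted,
                        "reasons": reasons, "errors": errors}
    return report


# Sample input: lines from the post, re-joined onto one line each.
CLIENT_CONN = "da0c29c1-b9cf-45ba-b928-2278fd5fa278"
CLIENT_LOG = [
    f'Feb 15 06:15:48 saledortvm pluto[112986]: "{CLIENT_CONN}" #1: sent IKE_AUTH request {{cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}}',
    f'Feb 15 06:15:48 saledortvm pluto[112986]: "{CLIENT_CONN}" #1: initiator established IKE SA; authenticated peer \'4096-bit RSASSA-PSS with SHA2_512\' digital signature using peer certificate \'CN=server01.cnf.com, O=CNF\' issued by CA \'CN=cnfca.cnf.com, O=CNF\'',
    f'Feb 15 06:15:48 saledortvm pluto[112986]: "{CLIENT_CONN}" #2: missing v2CP reply, not attempting to setup child SA',
    f'Feb 15 06:15:48 saledortvm pluto[112986]: "{CLIENT_CONN}" #1: IKE SA established but initiator rejected Child SA response',
    f'Feb 15 06:15:48 saledortvm pluto[112986]: "{CLIENT_CONN}" #2: deleting larval Child SA using IKE SA #1',
    f'Feb 15 06:15:48 saledortvm pluto[112986]: ERROR: "{CLIENT_CONN}" #2: netlink response for Del SA esp.95b3f5ee at 10.1.98.208: No such process (errno 3)',
]
SERVER_LOG = [
    'Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": added IKEv2 connection',
    'Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: responder established IKE SA; authenticated peer \'4096-bit RSASSA-PSS with SHA2_512\' digital signature using peer certificate \'CN=client01.cnf.com, O=CNF\' issued by CA \'CN=cnfca.cnf.com, O=CNF\'',
    'Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: responder established Child SA using #2; IPsec tunnel [172.16.110.0-172.16.110.255:0-65535 0] -> [10.1.98.152-10.1.98.152:0-65535 0] {ESP/ESN=>0xa359e685 <0x95b3f5ee xfrm=AES_GCM_16_256-NONE DPD=active}',
    'Feb 15 06:16:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 60.000795s and NOT sending notification',
]

if __name__ == "__main__":
    for label, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        for conn, summary in diagnose(parse_pluto_lines(log)).items():
            print(f"{label} {conn}: {summary['role']} / {summary['status']}"
                  f" / IKE SA deleted later: {summary['ike_sa_deleted']}")
            for line in summary["reasons"] + summary["errors"]:
                print("   ", line)
```

Run against the two logs, the script reports the asymmetry visible in the post: the initiator side ends with the IKE SA up but the Child SA failed (first reason: the "missing v2CP reply" message), while the responder side reports the Child SA as established and then deletes the IKE SA a minute later without sending a notification. Feeding a daemon's full journal through it is a quick way to spot connections that authenticate but never carry traffic.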