[Swan-dev] What does "missing v2CP reply" mean?

Brady Johnson bradyjoh at redhat.com
Thu Feb 15 13:37:25 EET 2024


Hello,

We are trying to create a host-to-subnet tunnel and are getting an error
message that we do not understand.

The high-level overview is as follows:

- The server is the subnet side of the host-to-subnet
- The server subnet is 172.16.110.0/24
- The server IP is 10.1.98.208

- The client is the host side of the host-to-subnet
- The client IP is 10.1.98.152


Here are the configs (Notice the client is configured with nmstate (yaml)):

Server config:

conn server01.cnf.com
    # "right" is client
    right=10.1.98.152
    rightid=%fromcert
    rightrsasigkey=%cert

    # "left" is server
    left=10.1.98.208
    leftid=%fromcert
    leftrsasigkey=%cert
    leftcert=server01.cnf.com
    leftsubnet=172.16.110.0/24

    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist
    auto=start

    # ipsec.conf uses key=value, not the "key: value" form of the nmstate YAML below
    dpddelay=5
    dpdtimeout=30
    dpdaction=clear


Client config:

interfaces:
- name: hosta_conn
  type: ipsec
  ipv4:
    enabled: true
    dhcp: true
  libreswan:
    # "right" is the server config
    right: 10.1.98.208
    rightid: '%fromcert'
    rightrsasigkey: '%cert'
    rightsubnet: 172.16.110.0/24
    # "left" is the client config
    left: 10.1.98.152
    leftid: '%fromcert'
    leftrsasigkey: '%cert'
    leftcert: client01.cnf.com
    ike: aes_gcm256-sha2_256
    esp: aes_gcm256
    ikev2: insist

    dpddelay: 5
    dpdtimeout: 30
    dpdaction: clear


The version on both the client and the server is the same:

[cloud-user at saledortvm2 ipsec]$ ipsec version
Libreswan 4.12

[cloud-user at saledortvm ipsec]$ ipsec version
Libreswan 4.12


Here is the server-side log:

Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": IKE SA proposals (connection add):
Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": Child SA proposals (connection add):
Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": 1:ESP=AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": loaded private key matching left certificate 'server01.cnf.com'
Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": added IKEv2 connection
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match]
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,CP,SA,TSi,TSr}
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: responder established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=client01.cnf.com, O=CNF' issued by CA 'CN=cnfca.cnf.com, O=CNF'
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: proposal 1:ESP=AES_GCM_C_256-ENABLED SPI=a359e685 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=ENABLED;ESN=DISABLED[first-match]
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: responder established Child SA using #2; IPsec tunnel [172.16.110.0-172.16.110.255:0-65535 0] -> [10.1.98.152-10.1.98.152:0-65535 0] {ESP/ESN=>0xa359e685 <0x95b3f5ee xfrm=AES_GCM_16_256-NONE DPD=active}
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: ESP traffic information: in=0B out=0B
Feb 15 06:16:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 60.000795s and NOT sending notification


Here is the client-side log:

Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": IKE SA proposals (connection add):
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": Child SA proposals (connection add):
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": 1:ESP=AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": loaded private key matching left certificate 'client01.cnf.com'
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": added IKEv2 connection
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: initiating IKEv2 connection
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: sent IKE_SA_INIT request to 10.1.98.208:500
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=server01.cnf.com, O=CNF' issued by CA 'CN=cnfca.cnf.com, O=CNF'
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: missing v2CP reply, not attempting to setup child SA
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: IKE SA established but initiator rejected Child SA response
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: deleting larval Child SA using IKE SA #1
Feb 15 06:15:48 saledortvm pluto[112986]: ERROR: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: netlink response for Del SA esp.95b3f5ee at 10.1.98.208: No such process (errno 3)
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: received delete request for IKEv2_SEC_PROTO_ESP SA(0x95b3f5ee) but corresponding state not found


What do these 2 error messages on the client mean?

#2: missing v2CP reply, not attempting to setup child SA
#1: IKE SA established but initiator rejected Child SA response

Regards,

Brady Johnson
Principal Software Engineer
Telco Solutions & Enablement
brady.johnson at redhat.com
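The following is an added triage helper, not part of Brady's message and not libreswan code. It parses pluto log lines of the shape quoted above (the sample lines are copied from the post, with the mail-wrapped lines joined back together) and correlates the two facts that explain the client-side messages: the server's log shows the decrypted IKE_AUTH request carried a CP (configuration payload), i.e. the initiator asked the responder for client configuration, and the initiator then logged "missing v2CP reply", which is pluto's way of saying the IKE_AUTH response contained no CP payload even though this connection expected one. The helper's verdict text, and the hint that nmstate's `ipv4: dhcp: true` on an ipsec interface corresponds to libreswan's modecfg-client behaviour, are assumptions of this example and should be checked against the libreswan and nmstate documentation.

```python
"""Correlate pluto (libreswan) server and client logs around a 'missing v2CP reply'."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample lines copied from the mailing-list post above (wrapped lines joined).
SERVER_LOG = """\
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,CP,SA,TSi,TSr}
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: responder established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=client01.cnf.com, O=CNF' issued by CA 'CN=cnfca.cnf.com, O=CNF'
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: responder established Child SA using #2; IPsec tunnel [172.16.110.0-172.16.110.255:0-65535 0] -> [10.1.98.152-10.1.98.152:0-65535 0] {ESP/ESN=>0xa359e685 <0x95b3f5ee xfrm=AES_GCM_16_256-NONE DPD=active}
Feb 15 06:16:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 60.000795s and NOT sending notification
"""

CLIENT_LOG = """\
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=server01.cnf.com, O=CNF' issued by CA 'CN=cnfca.cnf.com, O=CNF'
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: missing v2CP reply, not attempting to setup child SA
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: IKE SA established but initiator rejected Child SA response
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: deleting larval Child SA using IKE SA #1
Feb 15 06:15:48 saledortvm pluto[112986]: ERROR: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: netlink response for Del SA esp.95b3f5ee at 10.1.98.208: No such process (errno 3)
"""

# syslog prefix, optional "ERROR: ", quoted connection name, optional " #<sa>", then the message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?P<err>ERROR: )?"(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
# payload list pluto prints for a decrypted IKE_AUTH message, e.g. SK{IDi,CERT,AUTH,CP,SA,TSi,TSr}
PAYLOADS_RE = re.compile(r'IKE_AUTH (?P<kind>request|response): SK\{(?P<payloads>[^}]*)\}')


@dataclass
class Event:
    host: str
    conn: str
    sa: int | None  # pluto state number after '#', None for connection-level lines
    msg: str
    error: bool


def parse_pluto_log(text: str) -> list[Event]:
    """Turn per-connection pluto lines into Event records; other lines are skipped."""
    events: list[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sa = int(m["sa"]) if m["sa"] else None
        events.append(Event(m["host"], m["conn"], sa, m["msg"], m["err"] is not None))
    return events


def ike_auth_payloads(events: list[Event], kind: str = "request") -> set[str]:
    """Payload names pluto logged for the decrypted IKE_AUTH request/response, if any."""
    for ev in events:
        m = PAYLOADS_RE.search(ev.msg)
        if m and m["kind"] == kind:
            return set(m["payloads"].split(","))
    return set()


def diagnose(server_log: str, client_log: str) -> dict:
    """Cross-check both sides and name the mismatch behind 'missing v2CP reply'."""
    server = parse_pluto_log(server_log)
    client = parse_pluto_log(client_log)
    findings = {
        "cp_requested": "CP" in ike_auth_payloads(server, "request"),
        "cp_reply_missing": any("missing v2CP reply" in e.msg for e in client),
        "server_child_sa_up": any("established Child SA" in e.msg for e in server),
        "client_rejected_child": any("rejected Child SA response" in e.msg for e in client),
    }
    if findings["cp_requested"] and findings["cp_reply_missing"]:
        # Assumption of this example: the initiator only sends CP when it is configured
        # as a modecfg client (for nmstate, 'ipv4: dhcp: true' on the ipsec interface).
        findings["verdict"] = (
            "initiator requested a configuration payload (CP) in IKE_AUTH but the "
            "responder answered without one; the responder still installed its Child SA, "
            "so the initiator tore the half-built SA down. Either the client should not "
            "request CP, or the server must be configured to hand out client configuration."
        )
    else:
        findings["verdict"] = "no CP request/reply mismatch found in these logs"
    return findings


if __name__ == "__main__":
    for key, value in diagnose(SERVER_LOG, CLIENT_LOG).items():
        print(f"{key}: {value}")
```

The server's "ESP traffic information: in=0B out=0B" and the later state deletion fit the same picture: the responder believed the tunnel was up while the initiator never installed its side, which is why the client's netlink delete fails with "No such process".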