[Swan-dev] 5.0 RC1 connection not found

Bill Atwood williamatwood41 at gmail.com
Sat Jan 13 22:18:33 EET 2024


I have two hosts: Ritchie and Tarjan.  Tarjan is running Libreswan 4.12, 
so that I can test "mixed" environments.

For Ritchie, I have downloaded 5.0 RC1, installed all of the 
dependencies, and built the software.  I have created and installed the 
necessary certificates.  I have assigned the necessary addresses (IPv6 
ULA) to the interfaces.

Tarjan                      Ritchie
ens7                        enp4s0
fd51:20d9:5ad2:b::1 <-----> fd51:20d9:5ad2:b::2
Libreswan 4.12              Libreswan 5.0 RC1

The certificates are in place:

dev@Ritchie:~$ sudo certutil -L -d /var/lib/ipsec/nss

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

RIcert                                                       u,u,u
HSPLCA                                                       CT,,


Then, I start ipsec, and attempt to add the connection (using the new 
syntax in 5.0 RC1):

dev@Ritchie:~$ sudo ipsec setup start
[sudo] password for dev:
Redirecting to: systemctl start ipsec.service
dev@Ritchie:~$ sudo ipsec add RITA6c
conn 'RITA6c': not found (tried aliases)

Here are the contents of file RITA6C, and the listing of the IPv6 
addresses on Ritchie:

root@Ritchie:/etc/ipsec.d# cat RITA6C
conn RITA6c
    left=fd51:20d9:5ad2:b::2
    leftid="CN=Ritchie Certificate"
    leftrsasigkey=%cert
    leftcert=RIcert
    right=fd51:20d9:5ad2:b::1
    rightid="CN=Tarjan Certificate"
    rightrsasigkey=%cert
    auto=add

root@Ritchie:/etc/ipsec.d# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
     inet6 fd51:20d9:5ad2:b::2/64 scope global
        valid_lft forever preferred_lft forever
     inet6 fe80::21a:a0ff:fe15:62b8/64 scope link
        valid_lft forever preferred_lft forever
3: enp5s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
     inet6 fe80::20e:cff:fea9:b90f/64 scope link
        valid_lft forever preferred_lft forever
4: enp5s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
     inet6 fe80::20e:cff:fea9:b937/64 scope link
        valid_lft forever preferred_lft forever
root@Ritchie:/etc/ipsec.d#

Does anyone have suggestions for finding the source of this error?  I 
don't see any debugging options on the ipsec command.

Any help will be appreciated.

   Bill

P.S. The above configuration works between two hosts running 4.12 (with 
"auto --add" rather than "add").

