<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi Folks,</div><div><br></div><div>I am using the configuration below with the intent of doing an IPsec rekey initiated from Libreswan.</div><div><br></div><div>conn radcert<br>
        ikev2=yes<br>
        left=10.196.175.174<br>
        leftsubnet=<a href="http://10.196.175.174/32">10.196.175.174/32</a><br>
        leftprotoport=17/1812<br>
        right=10.196.176.11<br>
        rightsubnet=<a href="http://10.196.176.11/32">10.196.176.11/32</a><br>
        rightprotoport=17/1812<br>
        auto=ondemand<br>
        ike=aes256-sha256;dh14<br>
        phase2=esp<br>
        phase2alg=aes256-sha1;modp2048<br>
        pfs=yes<br>
        authby=secret<br>
        type=tunnel<br>
        esn=no<br>
        rekey=yes<br>
        salifetime=300s<br>
        ikelifetime=3600s<br>
        dpddelay=0s<br>
        dpdtimeout=0s<br>
        dpdaction=hold<br><br></div><div>After the tunnel is established successfully, when it is about to rekey, Libreswan sends an INFORMATIONAL message to the peer to delete the tunnel instead of sending a CREATE_CHILD_SA request to rekey the IPsec SAs.</div><div><br></div><div>The pluto logs show the following:</div><div><br></div><div>2020-11-24T20:02:20.197308+00:00 [localhost] pluto[3151]: initiate on demand from <a href="http://10.196.176.11:1812">10.196.176.11:1812</a> to <a href="http://10.196.175.174:1812">10.196.175.174:1812</a> proto=17 because: acquire<br>
2020-11-24T20:02:20.197513+00:00 [localhost] pluto[3151]: "radcert" #1: initiating v2 parent SA<br>
2020-11-24T20:02:20.197589+00:00 [localhost] pluto[3151]: "radcert" #1: local IKE proposals for radcert (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048<br>
2020-11-24T20:02:20.200075+00:00 [localhost] pluto[3151]: "radcert" #1: STATE_PARENT_I1: sent v2I1, expected v2R1<br>
2020-11-24T20:02:20.217844+00:00 [localhost] pluto[3151]: "radcert" #1: WARNING: connection radcert PSK length of 6 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)<br>
2020-11-24T20:02:20.217937+00:00 [localhost] pluto[3151]: "radcert" #1: local ESP/AH proposals for radcert (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;DH=NONE;ESN=DISABLED<br>
2020-11-24T20:02:20.217971+00:00 [localhost] pluto[3151]: "radcert" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha256_128 prf=sha2_256 group=MODP2048}<br>
2020-11-24T20:02:20.238937+00:00 [localhost] pluto[3151]: "radcert" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '10.196.175.174'<br>
2020-11-24T20:02:20.238972+00:00 [localhost] pluto[3151]: "radcert" #2: WARNING: connection radcert PSK length of 6 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)<br>
2020-11-24T20:02:20.239022+00:00 [localhost] pluto[3151]: "radcert" #2: Authenticated using authby=secret<br>
2020-11-24T20:02:20.248968+00:00 [localhost] pluto[3151]: "radcert" #2: negotiated connection [10.196.176.11-10.196.176.11:1812-1812 17] -> [10.196.175.174-10.196.175.174:1812-1812 17]<br>
2020-11-24T20:02:20.248978+00:00 [localhost] pluto[3151]: "radcert" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xcf9c50b2 <0x822e195c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}<br>
2020-11-24T20:02:25.233008+00:00 [localhost] sshd[3560]: pam_authp(sshd:auth): _parse_pam_auth_rsp: parsing message<br>
......</div><div>......</div><div>2020-11-24T20:02:25.377763+00:00 [localhost] sshd[3570]: pam_checkuser(sshd:setcred): _check_user: check for root<br>
2020-11-24T20:02:25.377769+00:00 [localhost] sshd[3570]: pam_authp(sshd:setcred): pam_sm_setcred: started<br>
2020-11-24T20:02:53.240186+00:00 [localhost] pluto[3151]: "radcert" #2: Neither IKEv1 nor IKEv2 allowed: ENCRYPT+TUNNEL<br>
2020-11-24T20:03:48.858151+00:00 [localhost] sshd[3605]: PAM unable to resolve symbol: pam_sm_authenticate<br>
2020-11-24T20:03:48.858196+00:00 [localhost] sshd[3605]: PAM unable to resolve symbol: pam_sm_setcred<br>
......</div><div>......</div><div>2020-11-24T20:04:04.743314+00:00 [localhost] sshd[3605]: pam_authp(sshd:setcred): pam_sm_setcred: started<br>
2020-11-24T20:07:20.240403+00:00 [localhost] pluto[3151]: "radcert" #2: deleting state (STATE_V2_IPSEC_I) and sending notification<br>
2020-11-24T20:07:20.240451+00:00 [localhost] pluto[3151]: "radcert" #2: ESP traffic information: in=73B out=96B<br>
2020-11-24T20:07:20.245347+00:00 [localhost] pluto[3151]: expire unused parent SA #1 "radcert"<br>
2020-11-24T20:07:20.245375+00:00 [localhost] pluto[3151]: "radcert" #1: ISAKMP SA expired (LATEST!)<br>
2020-11-24T20:07:20.245379+00:00 [localhost] pluto[3151]: "radcert" #1: deleting state (STATE_PARENT_I3) and sending notification<br>
2020-11-24T20:07:20.251512+00:00 [localhost] pluto[3151]: packet from <a href="http://10.196.175.174:500">10.196.175.174:500</a>: ISAKMP_v2_INFORMATIONAL message response has no matching IKE SA<br>
2020-11-24T20:07:20.251772+00:00 [localhost] pluto[3151]: packet from <a href="http://10.196.175.174:500">10.196.175.174:500</a>: ISAKMP_v2_INFORMATIONAL message response has no matching IKE SA<br>
2020-11-24T20:08:49.349189+00:00 [localhost] sshd[3680]: PAM unable to resolve symbol: pam_sm_authenticate<br>
.....</div><div><br></div><div>Am I missing anything in the configuration? Any idea why it is not working as intended?</div><div><br></div><div>Thanks,</div><div>Balaji</div><div><br></div><div><br></div></div></div></div></div></div>
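Added example (editor's code, not part of the post above and not Libreswan's own tooling): a small triage script that reads the posted `conn` block and the posted pluto log lines together, measures how long each Child SA lived between its "IPsec SA established" and "deleting state" lines, and flags an SA that was torn down at roughly `salifetime` with no rekey logged in between. The sample log is assembled from the lines quoted in the post (sshd noise and the "......" gaps dropped, wrapped lines re-joined); the conn block is abbreviated to the keys the script reads. The rule for recognising a rekey (any later line for the same SA number mentioning `CREATE_CHILD_SA` or "rekey") is an assumption about pluto's wording, not something the post shows, so treat a "no rekey logged" finding as a prompt to read the full log, not as proof.

```python
import re
from datetime import datetime

# Abbreviated copy of the conn block from the post (sample input, constructed from the post).
SAMPLE_CONN = """\
conn radcert
        ikev2=yes
        auto=ondemand
        rekey=yes
        salifetime=300s
        ikelifetime=3600s
        dpdaction=hold
"""

# Pluto lines quoted in the post, sshd lines and gaps omitted (sample input, constructed from the post).
SAMPLE_LOG = """\
2020-11-24T20:02:20.197308+00:00 [localhost] pluto[3151]: initiate on demand from 10.196.176.11:1812 to 10.196.175.174:1812 proto=17 because: acquire
2020-11-24T20:02:20.197513+00:00 [localhost] pluto[3151]: "radcert" #1: initiating v2 parent SA
2020-11-24T20:02:20.217844+00:00 [localhost] pluto[3151]: "radcert" #1: WARNING: connection radcert PSK length of 6 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
2020-11-24T20:02:20.238972+00:00 [localhost] pluto[3151]: "radcert" #2: WARNING: connection radcert PSK length of 6 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
2020-11-24T20:02:20.248978+00:00 [localhost] pluto[3151]: "radcert" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xcf9c50b2 <0x822e195c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
2020-11-24T20:02:53.240186+00:00 [localhost] pluto[3151]: "radcert" #2: Neither IKEv1 nor IKEv2 allowed: ENCRYPT+TUNNEL
2020-11-24T20:07:20.240403+00:00 [localhost] pluto[3151]: "radcert" #2: deleting state (STATE_V2_IPSEC_I) and sending notification
2020-11-24T20:07:20.245379+00:00 [localhost] pluto[3151]: "radcert" #1: deleting state (STATE_PARENT_I3) and sending notification
2020-11-24T20:07:20.251512+00:00 [localhost] pluto[3151]: packet from 10.196.175.174:500: ISAKMP_v2_INFORMATIONAL message response has no matching IKE SA
"""

# timestamp [host] pluto[pid]: ["conn" #sa: ]message
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \[\S+\] pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$'
)


def parse_conn(conf_text):
    """Minimal key=value reader for a single 'conn' block of ipsec.conf."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("conn ") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def seconds(value):
    """Convert an ipsec.conf time value ('300s', '60m', '1h', '2d', '1w', or bare seconds) to int seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    if value and value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def parse_pluto(text):
    """Return (timestamp, conn, sa_number or None, message) for every pluto line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])  # ISO-8601 with microseconds and +00:00 offset
        events.append((ts, m["conn"], int(m["sa"]) if m["sa"] else None, m["msg"]))
    return events


def audit_child_sas(events, salifetime_s, tolerance_s=2.0):
    """Per Child SA (an SA number with an 'IPsec SA established' line): lifetime, and whether a rekey was seen.

    Rekey detection is a heuristic (assumption): a later line for the same SA number containing
    'CREATE_CHILD_SA' or 'rekey'. Returns (per-SA dict, list of finding strings)."""
    sas = {}
    for ts, conn, sa, msg in events:
        if sa is None:
            continue
        if "IPsec SA established" in msg:
            sas[sa] = {"conn": conn, "established": ts, "rekeyed": False, "lifetime_s": None}
        elif sa in sas:
            if "CREATE_CHILD_SA" in msg or "rekey" in msg.lower():
                sas[sa]["rekeyed"] = True
            elif msg.startswith("deleting state"):
                sas[sa]["lifetime_s"] = (ts - sas[sa]["established"]).total_seconds()
    findings = []
    for sa, info in sorted(sas.items()):
        life = info["lifetime_s"]
        if life is not None and not info["rekeyed"] and abs(life - salifetime_s) <= tolerance_s:
            findings.append(f'#{sa} ({info["conn"]}): deleted after {life:.1f}s, '
                            f'at salifetime={salifetime_s}s, with no rekey logged')
    return sas, findings


def collect_warnings(events):
    """Distinct pluto messages worth surfacing first: explicit WARNINGs and policy rejections ('... allowed')."""
    seen = []
    for _, _, _, msg in events:
        if ("WARNING" in msg or "allowed" in msg) and msg not in seen:
            seen.append(msg)
    return seen


if __name__ == "__main__":
    opts = parse_conn(SAMPLE_CONN)
    events = parse_pluto(SAMPLE_LOG)
    for w in collect_warnings(events):
        print("warning:", w)
    _, findings = audit_child_sas(events, seconds(opts["salifetime"]))
    for f in findings:
        print("finding:", f)
```

On the posted log this prints the FIPS PSK-length warning and the "Neither IKEv1 nor IKEv2 allowed" line once each, then one finding for Child SA #2, which lived just under 300 seconds, exactly the configured `salifetime`, before the "deleting state" line, with no rekey line for it in between. That matches what the post describes and gives a reproducible check to run against the complete log rather than reading the timestamps by hand.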