<div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi Folks,</div><div><br></div>
<div>I am using Linux Libreswan 3.25 (netkey) on 4.14.35.</div><div><br></div>
<div>I have this configuration:</div><div><br></div>
<div>conn tacacspsk<br>        ikev2=yes<br>        left=10.196.175.174<br>        leftsubnet=10.196.175.174/32<br>        leftprotoport=17/1812<br>        right=10.196.176.11<br>        rightsubnet=10.196.176.11/32<br>        rightprotoport=17/1812<br>        auto=ondemand<br>        ike=aes256-sha256;dh14<br>        phase2=esp<br>        phase2alg=aes256-sha1;modp2048<br>        pfs=yes<br>        authby=secret<br>        type=tunnel<br>        esn=no<br>        rekey=yes<br>        salifetime=300s<br>        ikelifetime=3600s<br>        dpddelay=30s<br>        dpdtimeout=60s<br>        dpdaction=restart<br><br></div>
<div>The very first time, the IKEv2/IPsec tunnel gets established correctly. I establish the tunnel by triggering a RADIUS packet matching the above parameters, and this packet triggers the tunnel from Libreswan to the other end.</div><div><br></div>
<div>Now I tear down the tunnel from the other end, and I verified there is no tunnel/SA in Libreswan. Now if I again attempt to establish the same tunnel by triggering the RADIUS packet, the tunnel attempt from Libreswan fails. No IKE packets are sent out from Libreswan.</div><div><br></div>
<div>Please see the attached full logs of pluto.</div><div><br></div>
<div>I see an authentication failure in the PAM module.
I am not sure whether it is the cause of the problem.</div><div><br></div><div>2020-11-29T21:29:28.984406+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): pam_sm_authenticate: started<br>2020-11-29T21:29:28.984415+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): pam_sm_authenticate: username is [balaji]<br>2020-11-29T21:29:28.984420+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): pam_sm_authenticate: proxy path is: /tmp/authd-proxy<br>2020-11-29T21:29:28.984445+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _init_auth_data: PAM_RHOST is: 10.196.0.95:37094<br>2020-11-29T21:29:28.984458+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _init_auth_data: extracted remote_ip: 10.196.0.95<br>2020-11-29T21:29:28.984468+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _init_auth_data: extracted remote_port: 37094<br>2020-11-29T21:29:28.984473+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): pam_sm_authenticate: sending AUTHP_PAM_START_REQ to fd{7}<br>2020-11-29T21:29:28.984482+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _send_pam_start_req: sent message to fd{7}<br>2020-11-29T21:29:28.984780+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_start_rsp: parsing message<br>2020-11-29T21:29:28.984791+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_start_rsp: extracted status: SUCCESS<br>2020-11-29T21:29:28.984796+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_start_rsp: matched user: balaji<br>2020-11-29T21:29:28.984801+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_start_rsp: matched ip: 10.196.0.95<br>2020-11-29T21:29:28.984806+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_start_rsp: matched port: 37094<br>2020-11-29T21:29:28.984811+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_start_rsp: extracted auth-type: 2 for user: balaji<br>2020-11-29T21:29:28.984817+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): 
_parse_pam_start_rsp: extracted login-mode: 1 for user: balaji<br>2020-11-29T21:29:28.984822+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_start_rsp: extracted jitc-mode: NONE for user: balaji<br>2020-11-29T21:29:31.375130+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _get_user_input: conversation complete<br>2020-11-29T21:29:31.375148+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _send_pam_auth_req: sent message to fd{7}<br>2020-11-29T21:29:47.387081+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_auth_rsp: parsing message<br>2020-11-29T21:29:47.387092+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_auth_rsp: AUTH FAILURE<br>2020-11-29T21:29:47.387095+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_auth_rsp: matched user: balaji<br>2020-11-29T21:29:47.387098+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_auth_rsp: matched ip: 10.196.0.95<br>2020-11-29T21:29:47.387102+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_auth_rsp: matched port: 37094<br>2020-11-29T21:29:47.387105+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_auth_rsp: extracted action: 2<br>2020-11-29T21:29:47.387108+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): _parse_pam_auth_rsp: extracted errcode: 0<br>2020-11-29T21:29:47.387110+00:00 [localhost] sshd[3391]: pam_authp(sshd:auth): pam_sm_authenticate: AUTHENTICATION FAILED</div><div><br></div><div>Any idea on what is going wrong?<br><br></div><div>Thanks,</div><div>Balaji</div></div></div></div>
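<div><br></div><div>For the situation described in the message above (an auto=ondemand connection that stops triggering IKE after the remote side tears the tunnel down), here is an added check that is not part of the original post or of Libreswan itself: it classifies what the kernel still holds for the tacacspsk selectors from `ip xfrm policy` and `ip xfrm state` output. It assumes the standard iproute2 output format; every sample below is constructed, not captured from the poster's host.</div>

```shell
#!/bin/sh
# Added example, not from the original post: classify what the kernel holds for the
# tacacspsk connection. With auto=ondemand pluto installs an xfrm policy without an SA
# (a "trap"); a packet matching it makes the kernel send an ACQUIRE, which is what starts
# IKE. If the policy itself is gone, no packet can start IKE: nothing goes on the wire.
# Assumes standard iproute2 `ip xfrm policy` / `ip xfrm state` output; all sample text
# below is constructed, not captured from the poster's host.

# Constructed `ip xfrm policy` output: the udp/1812 policies are still installed.
SAMPLE_POLICY='src 10.196.175.174/32 dst 10.196.176.11/32 proto udp sport 1812 dport 1812
    dir out priority 1042407 ptype main
    tmpl src 10.196.175.174 dst 10.196.176.11
        proto esp reqid 16389 mode tunnel
src 10.196.176.11/32 dst 10.196.175.174/32 proto udp sport 1812 dport 1812
    dir in priority 1042407 ptype main
    tmpl src 10.196.176.11 dst 10.196.175.174
        proto esp reqid 16389 mode tunnel'

# Constructed `ip xfrm state` output after the remote teardown: no SAs at all.
SAMPLE_STATE_DOWN=''

# Constructed `ip xfrm state` output with the outbound ESP SA up (SPI/keys are placeholders).
SAMPLE_STATE_UP='src 10.196.175.174 dst 10.196.176.11
    proto esp spi 0x00000000 reqid 16389 mode tunnel
    auth-trunc hmac(sha1) 0xPLACEHOLDER 96
    enc cbc(aes) 0xPLACEHOLDER'

# policy_present POLICY_TEXT LEFT RIGHT PORT: true if an outbound udp/PORT policy LEFT->RIGHT exists
policy_present() {
    printf '%s\n' "$1" | awk -v l="$2" -v r="$3" -v p="$4" '
        $1=="src" && $2==l"/32" && $4==r"/32" && $6=="udp" && $8==p && $10==p { hdr=1; next }
        hdr { if ($1=="dir" && $2=="out") found=1; hdr=0 }
        END { exit found ? 0 : 1 }'
}

# sa_present STATE_TEXT LEFT RIGHT: true if an ESP SA LEFT->RIGHT exists
sa_present() {
    printf '%s\n' "$1" | awk -v l="$2" -v r="$3" '
        $1=="src" && $2==l && $3=="dst" && $4==r { found=1 }
        END { exit found ? 0 : 1 }'
}

# tunnel_state POLICY_TEXT STATE_TEXT LEFT RIGHT PORT prints established (policy + SA),
# trap (policy, no SA: the next matching packet should start IKE) or missing (no policy).
tunnel_state() {
    if ! policy_present "$1" "$3" "$4" "$5"; then echo missing; return 0; fi
    if sa_present "$2" "$3" "$4"; then echo established; else echo trap; fi
}
```

<div>On the live host the same classification is <code>tunnel_state "$(ip xfrm policy)" "$(ip xfrm state)" 10.196.175.174 10.196.176.11 1812</code>; a result of <code>missing</code> right after the remote teardown means the ondemand trap policy was not re-installed, which is consistent with no IKE packets leaving the box, and narrows what to look for in the pluto log.</div>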