[Swan] Can't get failureshunt & negotiationshunt to work in passthrough mode
Evan Wheeler
emwdev at gmail.com
Wed Jun 14 00:18:43 UTC 2017
I've been trying to get the "failureshunt" and "negotiationshunt" options
to work with Redhat Linux 7.3 and 7.4 Beta 1 with seemingly no success in
a host-to-host PSK configuration. To simulate a simple failure I made the
PSK values different on each host so that the IKE negotiation would fail
and added "failureshunt=passthrough" and "negotiationshunt=passthrough" to
my "conn" section.
My understanding is that the "negotiationshunt=passthrough" option would
allow traffic to pass in the clear between two hosts while the hosts are
negotiating during Phase 1, and "negotiationshunt=passthrough" would allow
packets to pass in the clear after negotiations had failed due to the
differing PSK values on each host, but a simple ping test between the hosts
shows no ICMP packets passing in either direction according to Wireshark.
All I see are ISAKMP packets. Here are the contents of my ipsec.conf file
for both hosts:
config setup
    protostack=netkey

conn mytunnel
    left=192.168.1.2
    right=192.168.1.3
    authby=secret
    auto=start
    failureshunt=passthrough
    negotiationshunt=passthrough
    keyingtries=1
    retransmit-timeout=3s
Am I missing something? Should failureshunt and negotiationshunt work in
this configuration?
Regards,
Evan
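As an added example (not part of the original post and not Libreswan's own code), here is a small checker that parses an ipsec.conf-style file into its sections and reports the negotiationshunt/failureshunt values that each conn ends up with, including anything inherited from a "conn %default" section. It assumes the layout documented in ipsec.conf(5): "config setup" and "conn NAME" headers at column 0, with indented key=value parameter lines, so an unindented parameter line (as the config above appears when pasted without its indentation) is flagged as malformed. The sample configuration embedded in the script is a constructed re-indented copy of the conn from the post.

```python
"""Parse ipsec.conf sections and report the shunt settings of each conn.

Added example for this thread; not Libreswan code. Assumes the
ipsec.conf(5) layout: section headers at column 0, parameter lines indented.
"""
from __future__ import annotations

# Constructed sample: the conn from the post, indented as ipsec.conf requires.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn mytunnel
    left=192.168.1.2
    right=192.168.1.3
    authby=secret
    auto=start
    failureshunt=passthrough
    negotiationshunt=passthrough
    keyingtries=1
    retransmit-timeout=3s
"""

# The two options under discussion in the thread.
SHUNT_KEYS = ("negotiationshunt", "failureshunt")


def parse_ipsec_conf(text: str) -> dict[str, dict[str, str]]:
    """Return {"config setup" | "conn NAME": {key: value}} from ipsec.conf text.

    Raises ValueError for an unindented key=value line (Libreswan would read it
    as a section header) or a parameter that appears before any section.
    """
    sections: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if raw[0] not in " \t":  # column 0: must be a section header
            parts = line.split()
            if len(parts) != 2 or parts[0] not in ("config", "conn"):
                raise ValueError(f"line {lineno}: unindented parameter or bad header: {line!r}")
            current = sections.setdefault(f"{parts[0]} {parts[1]}", {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: parameter before any section header")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        current[key.strip()] = value.strip()
    return sections


def is_well_formed(text: str) -> bool:
    """True if the text parses under the indentation rules above."""
    try:
        parse_ipsec_conf(text)
    except ValueError:
        return False
    return True


def shunt_report(text: str) -> dict[str, dict[str, str]]:
    """Map each conn to its effective shunt options ("unset" when absent).

    Values set in "conn %default" apply to every conn that does not override them.
    """
    sections = parse_ipsec_conf(text)
    defaults = sections.get("conn %default", {})
    report: dict[str, dict[str, str]] = {}
    for section, params in sections.items():
        kind, _, name = section.partition(" ")
        if kind != "conn" or name == "%default":
            continue
        report[name] = {k: params.get(k, defaults.get(k, "unset")) for k in SHUNT_KEYS}
    return report


if __name__ == "__main__":
    for conn, shunts in shunt_report(SAMPLE_CONF).items():
        print(conn, shunts)
```

Run it against your real /etc/ipsec.conf (or an include file) by passing its contents to shunt_report(); a ValueError from the parser points at a line Libreswan itself would not accept, which is worth ruling out before looking for a problem in the shunt logic.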