[Swan] Problems with tunnel selection since upgrading to libreswan-3.20-3.el7.x86_64

Nathan Coulson ncoulson-ml at ncoulson.com
Tue Sep 26 17:10:44 UTC 2017


On 2017-09-25 05:12 PM, Paul Wouters wrote:
> On Mon, 25 Sep 2017, Nathan Coulson wrote:
>
>> We upgraded from libreswan-3.15-5.el7_1.x86_64 to 
>> libreswan-3.20-3.el7.x86_64, and since then have been having issues 
>> with libreswan selecting the wrong tunnel.
>>
>> We use this for 2 setups, a ScreenOS (Juniper SSGv5), and a 
>> roadwarrior strongSwan setup.
>
> The setup looks fine (although I personally tend to use leftid=@foo /
> rightid=@bar strings for dedicated static tunnels)
>
>> Now, we are receiving
>>
>> Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: 
>> STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 
>> integ=sha1_96 prf=sha group=MODP1024}
>> Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: 
>> EXPECTATION FAILED: r != NULL (in ikev2_decode_peer_id_and_certs at 
>> ikev2.c:1390)
>> Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: Peer 
>> attempted PSK authentication but we want rsasig
>> Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: 
>> sending unencrypted notification v2N_AUTHENTICATION_FAILED to 
>> 2.3.4.5:500
>> Sep 25 16:36:11 tunnel1 pluto[19585]: | ikev2_parent_inI2outR2_tail 
>> returned STF_FATAL
>
> There were some refine_host() connection changes in 3.21. Is it possible
> to try that one and see if your issue is resolved? You can find rpms at:
>
> https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.21-2.el7.centos.x86_64.rpm 
>
>
> If you still see this problem, could you run ipsec whack --debug-all
> and then attempt to connect, and mail me (offlist) the logs?
>
> Paul
>
Thanks Paul.


Short answer is, still not working:

Sep 26 09:45:39 tunnel1 pluto[4872]: "rwarrior"[1] 2.3.4.5 #1: Peer 
mismatch on first found connection and no better connection found


I'll follow up with you on the logs.


