[Swan] Connection not auto started (EXPECTATION FAILED: c->host_pair != NULL)

Christoffer Ahlbin christoffer.ahlbin at gmail.com
Thu Mar 29 23:43:35 UTC 2018 

The connection is successfully established if I use `auto=add` combined
with manually start it using `ipsec auto --start my-conn`. Though when
attempting to use `auto=start` in the connection section in the the config
file, it fails, and the pluto log contains the following:

pluto[25524]: "my-conn": We cannot identify ourselves with either end of
this connection.  1.2.3.4 or 0.0.0.0 are not usable
pluto[25524]: "my-conn": We cannot identify ourselves with either end of
this connection.  1.2.3.4 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334
pluto[25524]: EXPECTATION FAILED: c->host_pair != NULL (in
connection_check_ddns1() at initiate.c:1125)

(NOTE: I've substituted the actual public IPs with a with dummy values in
the log above, i.e. 1.2.3.4 as shown above is an actual public IPv4
address, same for the IPv6 address)


Environment:

Linux Libreswan 3.23 (netkey) on 3.10.0-693.21.1.el7.x86_64
unbound-libs-1.6.4-3.el.centos.x86_64 (from libreswan yum repo)
CentOS 7.4 (1708)

The DNS name used for `right` has one A record and one AAAA record (thus
the IPv6 address in the logs).


Connection configuration:

conn my-conn
    type=tunnel
    authby=rsasig
    ike=aes_gcm256-sha2_256;dh14
    ikev2=insist
    compress=no
    keyingtries=%forever
    phase2=esp
    phase2alg=aes_gcm_c-256-null
    pfs=yes
    ikelifetime=1h
    salifetime=2h
    failureshunt=reject
    left=%defaultroute
    leftrsasigkey=%cert
    leftid=%fromcert
    leftcert="my certificate id"
    right="ipsec0.my-domain.org"
    rightid="@ipsec0.my-domain.org"
    rightca=%same
    rightrsasigkey=%cert
    encapsulation=no
    fragmentation=force
    dpdaction=restart
    dpddelay=30
    dpdtimeout=60
    auto=start
    leftsubnet=192.168.0.0/24
    leftsourceip=192.168.0.1
    rightsubnet=192.168.101.0/24


Any hints on what might be causing this issue / difference in behaviour in
the two start scenarios are much appreciated.


Thanks

Christoffer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20180329/71db0ded/attachment-0001.html>

More information about the Swan mailing list