[Swan] Connection not auto started (EXPECTATION FAILED: c->host_pair != NULL)

Paul Wouters paul at nohats.ca
Sat Mar 31 10:43:55 UTC 2018


On Thu, 29 Mar 2018, Christoffer Ahlbin wrote:

> The connection is successfully established if I use `auto=add` combined with manually starting it using `ipsec auto --start my-conn`. Though when attempting to use `auto=start` in the
> connection section in the config file, it fails, and the pluto log contains the following:
> 
> pluto[25524]: "my-conn": We cannot identify ourselves with either end of this connection.  1.2.3.4 or 0.0.0.0 are not usable
> pluto[25524]: "my-conn": We cannot identify ourselves with either end of this connection.  1.2.3.4 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334
> pluto[25524]: EXPECTATION FAILED: c->host_pair != NULL (in connection_check_ddns1() at initiate.c:1125)

Can you try the 3.24 release candidate? We did fix an issue for
auto=route and auto=start options to better handle these cases:

 	* addconn: Fix auto=route and auto=start processing [Paul]

See download.libreswan.org/development/

Paul

> (NOTE: I've substituted the actual public IPs with dummy values in the log above, i.e. 1.2.3.4 as shown above is an actual public IPv4 address, same for the IPv6 address)
> 
> 
> Environment:
> 
> Linux Libreswan 3.23 (netkey) on 3.10.0-693.21.1.el7.x86_64
> unbound-libs-1.6.4-3.el.centos.x86_64 (from libreswan yum repo)
> CentOS 7.4 (1708)
> 
> The DNS name used for `right` has one A record and one AAAA record (thus the IPv6 address in the logs).
> 
> 
> Connection configuration:
> 
> conn my-conn
>     type=tunnel
>     authby=rsasig
>     ike=aes_gcm256-sha2_256;dh14
>     ikev2=insist
>     compress=no
>     keyingtries=%forever
>     phase2=esp
>     phase2alg=aes_gcm_c-256-null
>     pfs=yes
>     ikelifetime=1h
>     salifetime=2h
>     failureshunt=reject
>     left=%defaultroute
>     leftrsasigkey=%cert
>     leftid=%fromcert
>     leftcert="my certificate id"
>     right="ipsec0.my-domain.org"
>     rightid="@ipsec0.my-domain.org"
>     rightca=%same
>     rightrsasigkey=%cert
>     encapsulation=no
>     fragmentation=force
>     dpdaction=restart
>     dpddelay=30
>     dpdtimeout=60
>     auto=start
>     leftsubnet=192.168.0.0/24
>     leftsourceip=192.168.0.1
>     rightsubnet=192.168.101.0/24
> 
> 
> Any hints on what might be causing this issue / difference in behaviour in the two start scenarios are much appreciated. 
> 
> 
> Thanks
> 
> Christoffer
> 
> 
>

