[Swan] Cisco IOS IPv6 Transport with IKEv2 to Libreswan
Reuben Farrelly
reuben-libreswan at reub.net
Tue Jun 5 13:30:03 UTC 2018
Hi,
I've got a working Cisco IOS 4G router acting as an IPv4 client with
IKEv2 to Libreswan 3.22 (actually tracking -git at the moment) and I've
been experimenting - so far unsuccessfully - to move the underlying
transport over from IPv4 to IPv6. This is on a Gentoo Linux VM head end.
I want to move the transport across from IPv4 to IPv6 because my
carriage provider only provides me with an IPv4 NATted address, which
appears to have NAT timeouts that frequently cause teardowns of the
IPSec sessions. They do however provision native IPv6 as well which has
no NAT, and the client router has a valid dynamic IPv6 subnet. The head
end with Libreswan has a static IPv6 address.
I only need to transport IPv4 across the IPv6 IPSec tunnel, but bonus
marks all around if I can optionally have an IPv4 and IPv6 address on
the VTI at the same time.
I had thought this might be a fairly straightforward change to make,
because the underlying IKEv2/IPSec over VTI is already there and already
works. But it seems it isn't quite as easy as I had imagined.
Here's my working config:
conn router-2.reub.net
left=139.162.51.249
leftid=@lightning.reub.net
leftsubnet=0.0.0.0/0
right=%any
rightid=router-2@reub.net
rightsubnet=0.0.0.0/0
authby=secret
ikev2=insist
ikelifetime=86400s
salifetime=3600s
ike=aes256-sha1;modp1536
#phase2alg=aes128-sha1;modp1536
dpddelay=15
dpdtimeout=45
dpdaction=clear
auto=add
mark=12/0xffffff
vti-interface=vti-1
leftvti=192.168.6.1/30
vti-routing=no
On the Cisco side:
interface Tunnel1
 description Libreswan site-to-site IKEv2 VPN
 bandwidth 256
 ip address 192.168.6.2 255.255.255.252
 ip mtu 1294
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1378
 tunnel source Cellular0
 tunnel mode ipsec ipv6 v4-overlay
 tunnel destination 2400:8901::F03C:91FF:FE6E:9DC
 tunnel path-mtu-discovery
 tunnel protection ipsec profile reub-ipsec-profile
 service-policy output outbound-tunnel-qos
end
The only changes from the working IPv4 config are the tunnel mode and
tunnel destination IP addresses.
The problems I have run into, and on which I would appreciate any advice, are as follows:
1. The libreswan conn section for each peer requires a left= statement.
This works as either an IPv4 address, or an IPv6 address, but only one
can be defined. And %any doesn't work either (trying this results in an
error "connection router-2.reub.net must specify host IP address for our
side")
This is a major obstacle if I have both IPv4-only and IPv6-preferred
clients connecting in, especially if I am migrating between the two
transports as I am here, because it appears I have to use one or the
other, but cannot support both address families at once.
2. If I change the left= side to be the IPv6 address, then it starts but
I get a proposal error:
Jun 5 20:54:16.161950: packet from
2001:8004:1400:20c9:1863:feff:fea4:d208:500: initial parent SA message
received on 2400:8901::f03c:91ff:fe6e:9dc:500 but no suitable connection
found with IKEv2 policy
Jun 5 20:54:16.162013: packet from
2001:8004:1400:20c9:1863:feff:fea4:d208:500: responding to SA_INIT
message (ID 0) from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 with
unencrypted notification NO_PROPOSAL_CHOSEN
with debugging enabled:
Jun 5 20:59:41.669231: | kernel_process_msg_cb process netlink message
Jun 5 20:59:41.669311: | netlink_get: XFRM_MSG_DELPOLICY message
Jun 5 20:59:41.669323: | xfrm netlink address change RTM_NEWADDR msg len 72
Jun 5 20:59:42.081301: | *received 550 bytes from
2001:8004:1400:20c9:1863:feff:fea4:d208:500 on eth0 (port=500)
Jun 5 20:59:42.081372: | 2e 41 0a 6f c4 6a 1d 4c 00 00 00 00 00 00
00 00
Jun 5 20:59:42.081380: | 21 20 22 08 00 00 00 00 00 00 02 26 22 00
00 90
Jun 5 20:59:42.081385: | 00 00 00 8c 01 01 00 0f 03 00 00 0c 01 00
00 0c
Jun 5 20:59:42.081389: | 80 0e 01 00 03 00 00 0c 01 00 00 0c 80 0e
00 c0
Jun 5 20:59:42.081393: | 03 00 00 0c 01 00 00 0c 80 0e 00 80 03 00
00 08
Jun 5 20:59:42.081398: | 02 00 00 07 03 00 00 08 02 00 00 06 03 00
00 08
Jun 5 20:59:42.081402: | 02 00 00 05 03 00 00 08 02 00 00 02 03 00
00 08
Jun 5 20:59:42.081407: | 02 00 00 01 03 00 00 08 03 00 00 0e 03 00
00 08
Jun 5 20:59:42.081411: | 03 00 00 0d 03 00 00 08 03 00 00 0c 03 00
00 08
Jun 5 20:59:42.081416: | 03 00 00 02 03 00 00 08 03 00 00 01 03 00
00 08
Jun 5 20:59:42.081420: | 04 00 00 05 00 00 00 08 04 00 00 02 28 00
00 c8
Jun 5 20:59:42.081424: | 00 05 00 00 35 de 2e bf 7d 5c 41 d0 e0 d8
d9 d1
Jun 5 20:59:42.081429: | 78 ae 5e d9 a6 63 bb 94 49 29 d7 47 28 70
25 da
Jun 5 20:59:42.081433: | f0 d0 65 0f 75 b4 1c f1 c6 e3 cf 2e bd b1
30 b2
Jun 5 20:59:42.081438: | 64 11 e1 b8 4f 1c ec 93 71 6b 01 66 7b 39
3f 31
Jun 5 20:59:42.081442: | a9 8c 06 fc 1a d7 13 8e aa 5f 6d 06 82 48
57 f4
Jun 5 20:59:42.081447: | 31 67 43 5a b3 3d 59 1f 58 88 c4 56 0e 89
43 db
Jun 5 20:59:42.081451: | 8c fc 52 54 65 86 24 7b 9f 1d ed de 09 b4
ea 2d
Jun 5 20:59:42.081455: | c5 d5 71 aa a8 bb 33 69 7f 50 37 f7 d9 93
0d 73
Jun 5 20:59:42.081460: | 05 6c 98 96 03 02 8a e9 44 f7 10 7e ea e6
f2 b0
Jun 5 20:59:42.081464: | 53 a8 fc f2 24 be f4 4f ec 0d 0a d1 28 78
c6 2c
Jun 5 20:59:42.081468: | 2c 40 0f 56 3b 66 e7 3d 4c f9 48 4b 14 26
e3 da
Jun 5 20:59:42.081473: | 52 8f cf 5f a1 c8 43 d9 aa ce 2f 78 d0 10
de ee
Jun 5 20:59:42.081477: | c7 5e a3 b9 2b 00 00 24 f4 fa 3e 81 99 80
19 94
Jun 5 20:59:42.081481: | eb 1e 88 1c 1f 2d 63 9e 87 23 9f 70 8b b3
9b 7f
Jun 5 20:59:42.081485: | c9 77 91 fe d9 5e 90 01 2b 00 00 17 43 49
53 43
Jun 5 20:59:42.081489: | 4f 2d 44 45 4c 45 54 45 2d 52 45 41 53 4f
4e 2b
Jun 5 20:59:42.081494: | 00 00 13 43 49 53 43 4f 56 50 4e 2d 52 45
56 2d
Jun 5 20:59:42.081498: | 30 32 2b 00 00 17 43 49 53 43 4f 2d 44 59
4e 41
Jun 5 20:59:42.081502: | 4d 49 43 2d 52 4f 55 54 45 29 00 00 15 46
4c 45
Jun 5 20:59:42.081507: | 58 56 50 4e 2d 53 55 50 50 4f 52 54 45 44
29 00
Jun 5 20:59:42.081511: | 00 1c 00 00 40 04 8b 5a ca b3 f4 3c 71 50
12 0c
Jun 5 20:59:42.081515: | 5f 41 47 1d c3 b0 f6 38 55 db 00 00 00 1c
00 00
Jun 5 20:59:42.081520: | 40 05 cd 94 40 45 b8 9a ad 12 22 b3 72 82
1a 04
Jun 5 20:59:42.081547: | 30 0b 56 3b fc 65
Jun 5 20:59:42.081560: | processing: start from
2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in process_md() at demux.c:391)
Jun 5 20:59:42.081571: | **parse ISAKMP Message:
Jun 5 20:59:42.081584: | initiator cookie:
Jun 5 20:59:42.081589: | 2e 41 0a 6f c4 6a 1d 4c
Jun 5 20:59:42.081593: | responder cookie:
Jun 5 20:59:42.081597: | 00 00 00 00 00 00 00 00
Jun 5 20:59:42.081602: | next payload type: ISAKMP_NEXT_v2SA (0x21)
Jun 5 20:59:42.081608: | ISAKMP version: IKEv2 version 2.0
(rfc4306/rfc5996) (0x20)
Jun 5 20:59:42.081612: | exchange type: ISAKMP_v2_SA_INIT (0x22)
Jun 5 20:59:42.081617: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
Jun 5 20:59:42.081622: | message ID: 00 00 00 00
Jun 5 20:59:42.081627: | length: 550 (0x226)
Jun 5 20:59:42.081632: | processing version=2.0 packet with exchange
type=ISAKMP_v2_SA_INIT (34)
Jun 5 20:59:42.081639: | I am receiving an IKEv2 Request ISAKMP_v2_SA_INIT
Jun 5 20:59:42.081643: | I am the IKE SA Original Responder
Jun 5 20:59:42.081654: | icookie table: hash icookie 2e 41 0a 6f c4 6a
1d 4c to 2903444377556821889 slot 0x55c9d93967e0
Jun 5 20:59:42.081659: | parent_init v2 state object not found
Jun 5 20:59:42.081665: | #null state always idle
Jun 5 20:59:42.081671: | #0 in state PARENT_R0: processing SA_INIT request
Jun 5 20:59:42.081678: | Unpacking clear payload for svm: Respond to
IKE_SA_INIT
Jun 5 20:59:42.081683: | Now let's proceed with payload (ISAKMP_NEXT_v2SA)
Jun 5 20:59:42.081688: | ***parse IKEv2 Security Association Payload:
Jun 5 20:59:42.081693: | next payload type: ISAKMP_NEXT_v2KE (0x22)
Jun 5 20:59:42.081697: | flags: none (0x0)
Jun 5 20:59:42.081702: | length: 144 (0x90)
Jun 5 20:59:42.081706: | processing payload: ISAKMP_NEXT_v2SA (len=144)
Jun 5 20:59:42.081710: | Now let's proceed with payload (ISAKMP_NEXT_v2KE)
Jun 5 20:59:42.081716: | ***parse IKEv2 Key Exchange Payload:
Jun 5 20:59:42.081721: | next payload type: ISAKMP_NEXT_v2Ni (0x28)
Jun 5 20:59:42.081725: | flags: none (0x0)
Jun 5 20:59:42.081729: | length: 200 (0xc8)
Jun 5 20:59:42.081733: | DH group: OAKLEY_GROUP_MODP1536 (0x5)
Jun 5 20:59:42.081738: | processing payload: ISAKMP_NEXT_v2KE (len=200)
Jun 5 20:59:42.081742: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
Jun 5 20:59:42.081747: | ***parse IKEv2 Nonce Payload:
Jun 5 20:59:42.081752: | next payload type: ISAKMP_NEXT_v2V (0x2b)
Jun 5 20:59:42.081756: | flags: none (0x0)
Jun 5 20:59:42.081760: | length: 36 (0x24)
Jun 5 20:59:42.081764: | processing payload: ISAKMP_NEXT_v2Ni (len=36)
Jun 5 20:59:42.081769: | Now let's proceed with payload (ISAKMP_NEXT_v2V)
Jun 5 20:59:42.081774: | ***parse IKEv2 Vendor ID Payload:
Jun 5 20:59:42.081778: | next payload type: ISAKMP_NEXT_v2V (0x2b)
Jun 5 20:59:42.081782: | flags: none (0x0)
Jun 5 20:59:42.081786: | length: 23 (0x17)
Jun 5 20:59:42.081790: | processing payload: ISAKMP_NEXT_v2V (len=23)
Jun 5 20:59:42.081794: | Now let's proceed with payload (ISAKMP_NEXT_v2V)
Jun 5 20:59:42.081799: | ***parse IKEv2 Vendor ID Payload:
Jun 5 20:59:42.081803: | next payload type: ISAKMP_NEXT_v2V (0x2b)
Jun 5 20:59:42.081807: | flags: none (0x0)
Jun 5 20:59:42.081811: | length: 19 (0x13)
Jun 5 20:59:42.081815: | processing payload: ISAKMP_NEXT_v2V (len=19)
Jun 5 20:59:42.081820: | Now let's proceed with payload (ISAKMP_NEXT_v2V)
Jun 5 20:59:42.081824: | ***parse IKEv2 Vendor ID Payload:
Jun 5 20:59:42.081828: | next payload type: ISAKMP_NEXT_v2V (0x2b)
Jun 5 20:59:42.081833: | flags: none (0x0)
Jun 5 20:59:42.081837: | length: 23 (0x17)
Jun 5 20:59:42.081841: | processing payload: ISAKMP_NEXT_v2V (len=23)
Jun 5 20:59:42.081845: | Now let's proceed with payload (ISAKMP_NEXT_v2V)
Jun 5 20:59:42.081850: | ***parse IKEv2 Vendor ID Payload:
Jun 5 20:59:42.081855: | next payload type: ISAKMP_NEXT_v2N (0x29)
Jun 5 20:59:42.081859: | flags: none (0x0)
Jun 5 20:59:42.081863: | length: 21 (0x15)
Jun 5 20:59:42.081879: | processing payload: ISAKMP_NEXT_v2V (len=21)
Jun 5 20:59:42.081883: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jun 5 20:59:42.081888: | ***parse IKEv2 Notify Payload:
Jun 5 20:59:42.081893: | next payload type: ISAKMP_NEXT_v2N (0x29)
Jun 5 20:59:42.081897: | flags: none (0x0)
Jun 5 20:59:42.081900: | length: 28 (0x1c)
Jun 5 20:59:42.081905: | Protocol ID: PROTO_v2_RESERVED (0x0)
Jun 5 20:59:42.081910: | SPI size: 0 (0x0)
Jun 5 20:59:42.081915: | Notify Message Type:
v2N_NAT_DETECTION_SOURCE_IP (0x4004)
Jun 5 20:59:42.081919: | processing payload: ISAKMP_NEXT_v2N (len=28)
Jun 5 20:59:42.081924: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jun 5 20:59:42.081928: | ***parse IKEv2 Notify Payload:
Jun 5 20:59:42.081933: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jun 5 20:59:42.081937: | flags: none (0x0)
Jun 5 20:59:42.081941: | length: 28 (0x1c)
Jun 5 20:59:42.081945: | Protocol ID: PROTO_v2_RESERVED (0x0)
Jun 5 20:59:42.081949: | SPI size: 0 (0x0)
Jun 5 20:59:42.081954: | Notify Message Type:
v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
Jun 5 20:59:42.081958: | processing payload: ISAKMP_NEXT_v2N (len=28)
Jun 5 20:59:42.081963: | selected state microcode Respond to IKE_SA_INIT
Jun 5 20:59:42.081968: | Now lets proceed with state specific processing
Jun 5 20:59:42.081972: | calling processor Respond to IKE_SA_INIT
Jun 5 20:59:42.081977: | anti-DDoS cookies not required (and no cookie
received)
Jun 5 20:59:42.081988: | find_host_connection
me=2400:8901::f03c:91ff:fe6e:9dc:500
him=2001:8004:1400:20c9:1863:feff:fea4:d208:500 policy=RSASIG+IKEV2_ALLOW
Jun 5 20:59:42.082005: | find_host_pair: comparing
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun 5 20:59:42.082013: | find_next_host_connection
policy=RSASIG+IKEV2_ALLOW
Jun 5 20:59:42.082018: | find_next_host_connection returns empty
Jun 5 20:59:42.082024: | find_host_connection
me=2400:8901::f03c:91ff:fe6e:9dc:500 him=%any:500 policy=RSASIG+IKEV2_ALLOW
Jun 5 20:59:42.082030: | find_host_pair: comparing
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun 5 20:59:42.082035: | find_next_host_connection
policy=RSASIG+IKEV2_ALLOW
Jun 5 20:59:42.082039: | find_next_host_connection returns empty
Jun 5 20:59:42.082045: | initial parent SA message received on
2400:8901::f03c:91ff:fe6e:9dc:500 but no connection has been authorized
with policy RSASIG+IKEV2_ALLOW
Jun 5 20:59:42.082052: | find_host_connection
me=2400:8901::f03c:91ff:fe6e:9dc:500
him=2001:8004:1400:20c9:1863:feff:fea4:d208:500 policy=PSK+IKEV2_ALLOW
Jun 5 20:59:42.082057: | find_host_pair: comparing
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun 5 20:59:42.082062: | find_next_host_connection policy=PSK+IKEV2_ALLOW
Jun 5 20:59:42.082066: | find_next_host_connection returns empty
Jun 5 20:59:42.082071: | find_host_connection
me=2400:8901::f03c:91ff:fe6e:9dc:500 him=%any:500 policy=PSK+IKEV2_ALLOW
Jun 5 20:59:42.082076: | find_host_pair: comparing
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun 5 20:59:42.082081: | find_next_host_connection policy=PSK+IKEV2_ALLOW
Jun 5 20:59:42.082086: | find_next_host_connection returns empty
Jun 5 20:59:42.082091: | initial parent SA message received on
2400:8901::f03c:91ff:fe6e:9dc:500 but no connection has been authorized
with policy PSK+IKEV2_ALLOW
Jun 5 20:59:42.082098: | find_host_connection
me=2400:8901::f03c:91ff:fe6e:9dc:500
him=2001:8004:1400:20c9:1863:feff:fea4:d208:500 policy=AUTHNULL+IKEV2_ALLOW
Jun 5 20:59:42.082103: | find_host_pair: comparing
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun 5 20:59:42.082108: | find_next_host_connection
policy=AUTHNULL+IKEV2_ALLOW
Jun 5 20:59:42.082112: | find_next_host_connection returns empty
Jun 5 20:59:42.082118: | find_host_connection
me=2400:8901::f03c:91ff:fe6e:9dc:500 him=%any:500
policy=AUTHNULL+IKEV2_ALLOW
Jun 5 20:59:42.082123: | find_host_pair: comparing
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun 5 20:59:42.082127: | find_next_host_connection
policy=AUTHNULL+IKEV2_ALLOW
Jun 5 20:59:42.082139: | find_next_host_connection returns empty
Jun 5 20:59:42.082145: | initial parent SA message received on
2400:8901::f03c:91ff:fe6e:9dc:500 but no connection has been authorized
with policy AUTHNULL+IKEV2_ALLOW
Jun 5 20:59:42.082153: packet from
2001:8004:1400:20c9:1863:feff:fea4:d208:500: initial parent SA message
received on 2400:8901::f03c:91ff:fe6e:9dc:500 but no suitable connection
found with IKEv2 policy
Jun 5 20:59:42.082161: | skip start processing: state #0 (in
complete_v2_state_transition() at ikev2.c:2787)
Jun 5 20:59:42.082167: | #0 complete v2 state transition from
STATE_UNDEFINED with v2N_NO_PROPOSAL_CHOSEN
Jun 5 20:59:42.082172: | sending a notification reply
Jun 5 20:59:42.082182: packet from
2001:8004:1400:20c9:1863:feff:fea4:d208:500: responding to SA_INIT
message (ID 0) from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 with
unencrypted notification NO_PROPOSAL_CHOSEN
Jun 5 20:59:42.082187: | Opening output PBS unencrypted notification
Jun 5 20:59:42.082193: | **emit ISAKMP Message:
Jun 5 20:59:42.082197: | initiator cookie:
Jun 5 20:59:42.082201: | 2e 41 0a 6f c4 6a 1d 4c
Jun 5 20:59:42.082206: | responder cookie:
Jun 5 20:59:42.082210: | 00 00 00 00 00 00 00 00
Jun 5 20:59:42.082214: | next payload type: ISAKMP_NEXT_NONE (0x0)
Jun 5 20:59:42.082219: | ISAKMP version: IKEv2 version 2.0
(rfc4306/rfc5996) (0x20)
Jun 5 20:59:42.082224: | exchange type: ISAKMP_v2_SA_INIT (0x22)
Jun 5 20:59:42.082228: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Jun 5 20:59:42.082233: | message ID: 00 00 00 00
Jun 5 20:59:42.082239: | next payload type: saving message location
'ISAKMP Message' 'next payload type'
Jun 5 20:59:42.082245: | Adding a v2N Payload
Jun 5 20:59:42.082249: | ***emit IKEv2 Notify Payload:
Jun 5 20:59:42.082254: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jun 5 20:59:42.082258: | flags: none (0x0)
Jun 5 20:59:42.082262: | Protocol ID: PROTO_v2_RESERVED (0x0)
Jun 5 20:59:42.082266: | SPI size: 0 (0x0)
Jun 5 20:59:42.082271: | Notify Message Type: v2N_NO_PROPOSAL_CHOSEN
(0xe)
Jun 5 20:59:42.082276: | next payload type: setting 'ISAKMP Message'
'next payload type' to IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
Jun 5 20:59:42.082281: | next payload type: saving payload location
'IKEv2 Notify Payload' 'next payload type'
Jun 5 20:59:42.082286: | emitting length of IKEv2 Notify Payload: 8
Jun 5 20:59:42.082291: | emitting length of ISAKMP Message: 36
Jun 5 20:59:42.082312: | sending 36 bytes for v2 notify through
eth0:500 to 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (using #0)
Jun 5 20:59:42.082317: | 2e 41 0a 6f c4 6a 1d 4c 00 00 00 00 00 00
00 00
Jun 5 20:59:42.082321: | 29 20 22 20 00 00 00 00 00 00 00 24 00 00
00 08
Jun 5 20:59:42.082325: | 00 00 00 0e
Jun 5 20:59:42.082445: | state transition function for STATE_UNDEFINED
failed: v2N_NO_PROPOSAL_CHOSEN
Jun 5 20:59:42.082461: | processing: stop from
2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in process_md() at demux.c:393)
Jun 5 20:59:42.082469: | processing: STOP state #0 (in process_md() at
demux.c:395)
Jun 5 20:59:42.082475: | serialno table: hash serialno #0 to head
0x55c9d9396980
Jun 5 20:59:42.082480: | serialno table: hash serialno #0 to head
0x55c9d9396980
Jun 5 20:59:42.082485: | processing: STOP connection NULL (in
process_md() at demux.c:396)
Jun 5 20:59:46.675368: | kernel_process_msg_cb process netlink message
Jun 5 20:59:46.675566: | netlink_get: XFRM_MSG_DELPOLICY message
Jun 5 20:59:46.679931: | xfrm netlink address change RTM_NEWADDR msg len 72
Jun 5 20:59:47.922682: | timer_event_cb: processing event at 0x55c9d9964f20
Jun 5 20:59:47.922758: | handling event EVENT_SHUNT_SCAN
Jun 5 20:59:47.922769: | expiring aged bare shunts from shunt table
Jun 5 20:59:47.922781: | event_schedule: new
EVENT_SHUNT_SCAN-pe at 0x55c9d9975390
Jun 5 20:59:47.922792: | inserting event EVENT_SHUNT_SCAN, timeout in
20.000 seconds
Jun 5 20:59:47.922816: | free_event_entry: release
EVENT_SHUNT_SCAN-pe at 0x55c9d9964f20
^C
lightning /etc/ipsec.d #
From the Cisco:
Jun 5 22:58:20: IKEv2:% Getting preshared key from profile keyring
reub-keyring
Jun 5 22:58:20: IKEv2:% Matched peer block 'lightning.reub.net-ipv6'
Jun 5 22:58:20: IKEv2:Searching Policy with fvrf 0, local address
2001:8004:1400:20C9:1863:FEFF:FEA4:D208
Jun 5 22:58:20: IKEv2:Using the Default Policy for Proposal
Jun 5 22:58:20: IKEv2:Found Policy 'default'
Jun 5 22:58:20: IKEv2:(SESSION ID = 43,SA ID = 1):[IKEv2 -> Crypto
Engine] Computing DH public key, DH Group 5
Jun 5 22:58:20: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key
Computation PASSED
Jun 5 22:58:20: IKEv2:(SESSION ID = 43,SA ID = 1):Request queued for
computation of DH key
Jun 5 22:58:20: IKEv2:IKEv2 initiator - no config data to send in
IKE_SA_INIT exch
Jun 5 22:58:20: IKEv2:(SESSION ID = 43,SA ID = 1):Generating
IKE_SA_INIT message
Jun 5 22:58:20: IKEv2:(SESSION ID = 43,SA ID = 1):IKE Proposal: 1, SPI
size: 0 (initial negotiation),
Num. transforms: 15
AES-CBC AES-CBC AES-CBC SHA512 SHA384 SHA256 SHA1 MD5
SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5
DH_GROUP_1024_MODP/Group 2
Jun 5 22:58:20: IKEv2:(SESSION ID = 43,SA ID = 1):Sending Packet [To
2400:8901::F03C:91FF:FE6E:9DC:500/From
2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0]
Initiator SPI : B2230DB35BD333B9 - Responder SPI : 0000000000000000
Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP)
NOTIFY(NAT_DETECTION_DESTINATION_IP)
Jun 5 22:58:20: IKEv2:(SESSION ID = 43,SA ID = 1):Insert SA
Jun 5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Received Packet [From
2400:8901::F03C:91FF:FE6E:9DC:500/To
2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0]
Initiator SPI : B2230DB35BD333B9 - Responder SPI : 0000000000000000
Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN)
Jun 5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Processing
IKE_SA_INIT message
Jun 5 22:58:21: IKEv2-ERROR:(SESSION ID = 43,SA ID = 1):: Received no
proposal chosen notify
Jun 5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Failed SA init exchange
Jun 5 22:58:21: IKEv2-ERROR:(SESSION ID = 43,SA ID = 1):Initial
exchange failed: Initial exchange failed
Jun 5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Abort exchange
Jun 5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Deleting SA
I don't understand why I'd start getting a proposal error if I haven't
changed any of the proposals on either side.
It would also make things easier if everyone enclosed their IPv6
addresses in square [brackets] ;-)
There are some odd things with comparisons to 0.0.0.0 above, which to me
makes no sense in an IPv6 only connection. Is libreswan trying to match
the client connection address against IPv4 0.0.0.0/0 and then failing on
account of no match/incorrect family?
3. In my config I have this:
ike=aes256-sha1;modp1536
This is not IPv6 specific: if I don't have this specified, the Cisco
and Libreswan cannot agree on IKE and the connection doesn't come up
(either IPv4 or IPv6).
The Cisco IKEv2 default proposals if none are explicitly specified are:
router-2#show crypto ikev2 proposal
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
router-2#
I had thought the default values might have been sufficient for a
negotiation to occur successfully, but this seems not to be the case. Is
it by design that the above ike= statement is required? (How do I see,
for a given code version, what proposals the libreswan side offers?)
Thanks,
Reuben
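Added example (not part of the post, and not Libreswan or Cisco code): a small Python decoder for the IKE_SA_INIT request that appears byte-for-byte in the debug dump above. In that dump the NO_PROPOSAL_CHOSEN reply is sent directly after find_next_host_connection returns empty for every policy, and no proposal comparison is logged at all; decoding the packet is a way to confirm that the Cisco's proposal does carry every algorithm named in ike=aes256-sha1;modp1536 (that Libreswan notation means AES-CBC-256, HMAC-SHA1-96 integrity, HMAC-SHA1 PRF and MODP1536), so the transforms themselves are not what is being rejected. Function names (parse_packet, parse_sa, offers, matches_ike_line) are my own; the algorithm name tables are the IANA IKEv2 code points for the values that occur in this packet.

```python
"""Decode the IKE_SA_INIT request from the Libreswan debug dump in the post.
Added example, not Libreswan or Cisco code; the only input is the 550-byte packet
from the '| xx xx ...' lines. Layouts follow RFC 7296; tables cover codes seen here."""
import struct

PAYLOAD_NAMES = {33: "SA", 34: "KE", 40: "Ni", 41: "N", 43: "V"}
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
TRANSFORM_IDS = {
    "ENCR": {12: "AES-CBC"}, "DH": {2: "MODP1024", 5: "MODP1536"},
    "PRF": {1: "HMAC-MD5", 2: "HMAC-SHA1", 5: "HMAC-SHA2-256",
            6: "HMAC-SHA2-384", 7: "HMAC-SHA2-512"},
    "INTEG": {1: "HMAC-MD5-96", 2: "HMAC-SHA1-96", 12: "HMAC-SHA2-256-128",
              13: "HMAC-SHA2-384-192", 14: "HMAC-SHA2-512-256"},
}
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN", 16388: "NAT_DETECTION_SOURCE_IP",
                16389: "NAT_DETECTION_DESTINATION_IP"}

# The packet exactly as logged in the post, 32 bytes per row.
PACKET = bytes.fromhex("""
2e410a6fc46a1d4c000000000000000021202208000000000000022622000090
0000008c0101000f0300000c0100000c800e01000300000c0100000c800e00c0
0300000c0100000c800e00800300000802000007030000080200000603000008
0200000503000008020000020300000802000001030000080300000e03000008
0300000d030000080300000c0300000803000002030000080300000103000008
040000050000000804000002280000c80005000035de2ebf7d5c41d0e0d8d9d1
78ae5ed9a663bb944929d747287025daf0d0650f75b41cf1c6e3cf2ebdb130b2
6411e1b84f1cec93716b01667b393f31a98c06fc1ad7138eaa5f6d06824857f4
3167435ab33d591f5888c4560e8943db8cfc52546586247b9f1dedde09b4ea2d
c5d571aaa8bb33697f5037f7d9930d73056c989603028ae944f7107eeae6f2b0
53a8fcf224bef44fec0d0ad12878c62c2c400f563b66e73d4cf9484b1426e3da
528fcf5fa1c843d9aace2f78d010deeec75ea3b92b000024f4fa3e8199801994
eb1e881c1f2d639e87239f708bb39b7fc97791fed95e90012b00001743495343
4f2d44454c4554452d524541534f4e2b000013434953434f56504e2d5245562d
30322b000017434953434f2d44594e414d49432d524f55544529000015464c45
5856504e2d535550504f525445442900001c000040048b5acab3f43c7150120c
5f41471dc3b0f63855db0000001c00004005cd944045b89aad1222b372821a04
300b563bfc65
""")

def parse_sa(body):
    """SA payload body -> proposals, each with (type, name, keylen) transforms."""
    proposals, off = [], 0
    while off < len(body):
        _, _, plen, pnum, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            keylen, aoff = None, toff + 8
            while aoff < toff + tlen:      # attributes; only KEY_LENGTH (14) is decoded
                af_type, value = struct.unpack("!HH", body[aoff:aoff + 4])
                if af_type & 0x8000:       # TV format: 'value' is the attribute value
                    keylen = value if af_type & 0x7fff == 14 else keylen
                    aoff += 4
                else:                      # TLV format: 'value' is the data length
                    aoff += 4 + value
            tname = TRANSFORM_TYPES.get(ttype, ttype)
            transforms.append((tname, TRANSFORM_IDS.get(tname, {}).get(tid, tid), keylen))
            toff += tlen
        proposals.append({"number": pnum, "protocol": proto, "transforms": transforms})
        off += plen
    return proposals

def parse_packet(pkt):
    """Return (header dict, decoded payload list) for one IKEv2 message."""
    spi_i, spi_r, np, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("header says %d bytes, got %d" % (length, len(pkt)))
    hdr = {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "version": (ver >> 4, ver & 0xf),
           "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length}
    payloads, off = [], 28
    while np != 0:                         # generic payload header: next, flags, length
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        body, entry = pkt[off + 4:off + plen], {"type": PAYLOAD_NAMES.get(np, np)}
        if np == 33:
            entry["proposals"] = parse_sa(body)
        elif np == 34:
            entry["dh_group"] = struct.unpack("!H", body[:2])[0]
        elif np == 41:
            ntype = struct.unpack("!BBH", body[:4])[2]
            entry["notify"] = NOTIFY_TYPES.get(ntype, ntype)
        elif np == 43:
            entry["vendor_id"] = body.decode("ascii", "replace")
        payloads.append(entry)
        np, off = nxt, off + plen
    return hdr, payloads

def offers(proposals, ttype, name, keylen=None):
    """True if any proposal carries the given transform, e.g. ("ENCR", "AES-CBC", 256)."""
    return any((ttype, name, keylen) in p["transforms"] for p in proposals)

def matches_ike_line(proposals):
    """Does the peer offer every algorithm in the post's ike=aes256-sha1;modp1536?"""
    wanted = [("ENCR", "AES-CBC", 256), ("INTEG", "HMAC-SHA1-96", None),
              ("PRF", "HMAC-SHA1", None), ("DH", "MODP1536", None)]
    return all(offers(proposals, *w) for w in wanted)

if __name__ == "__main__":
    hdr, payloads = parse_packet(PACKET)
    print("exchange", hdr["exchange"], "payloads:", " ".join(str(p["type"]) for p in payloads))
    print("covers ike=aes256-sha1;modp1536:", matches_ike_line(payloads[0]["proposals"]))
```

Running it prints the payload chain SA KE Ni V V V V N N, which matches the Cisco's own "Payload contents" line, and decodes the single proposal into the 15 transforms the Cisco listed (three AES-CBC key sizes, five PRFs, five integrity algorithms, MODP1536 and MODP1024). The four vendor ID payloads are the plain-text strings visible at the end of the hex dump, and the two notifies are the NAT detection hashes. The same decoder can be pointed at any IKE_SA_INIT captured from a peer to answer the "what is actually being proposed" half of question 3 without relying on either side's logging.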