[Swan] 3.15 OE problem - Can not opportunistically initiate... DNS query problem
Matthew Johnson
matthew.f.j at gmail.com
Thu Jun 7 17:00:52 UTC 2018
Hi
I'm trying to use opportunistic encryption with 3.15 (available in the CentOS 6
repos), but I'm running into the following error (at least I think this is my
error):
Jun 7 09:29:35: | initiate on demand using RSASIG from 10.1.156.25 to 10.1.156.27 new state: fos_start
Jun 7 09:29:35: Can not opportunistically initiate for 10.1.156.25 to 10.1.156.27: can only query DNS for key for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR
Jun 7 09:29:35: | cannot_oppo() detected packet triggered shunt from bundle
Jun 7 09:29:35: | fiddle_bare_shunt called
Jun 7 09:29:35: | fiddle_bare_shunt with transport_proto 17
Jun 7 09:29:35: | replacing specific host-to-host bare shunt
Jun 7 09:29:35: | can only query DNS for key for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR eroute 10.1.156.25/32:43404 --17-> 10.1.156.27/32:1025 => %hold>%drop (raw_eroute)
I'm only working with "private" connections currently. My configuration
stanza is:
conn private
    # IPsec mandatory
    right=%opportunisticgroup
    rightid=%fromcert
    rightrsasigkey=%cert
    rightca=%same
    #rightauth=rsasig
    left=%defaultroute
    #leftid=%fromcert
    leftrsasigkey=%cert
    leftcert=test-west1
    #leftcert=/etc/ipsec.d/test-west1.pem
    narrowing=yes
    type=tunnel
    ikev2=insist
    auto=route
    # tune remaining options to taste - fail fast to prevent packet
    # loss to the app
    negotiationshunt=hold
    failureshunt=drop
    # 0 means infinite tries
    keyingtries=0
    retransmit-timeout=3s
My ipsec.conf file is right out of the box.
My secrets file contains:

    : RSA "test-west1"

My policies/private file contains:

    10.1.156.27
For my certificate, and initial setup, I followed the instructions here:
https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec
As far as I know, my configuration should eliminate the need to query DNS
for a key. I've been fiddling with the configuration since, but to no
avail. Both hosts are configured similarly, but the connection fails before
any packets are sent to the remote host, so my issue must be local.
I'm hoping someone here can help me get pointed in the right direction.
Thanks
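The log line quoted in the post states which ID types Libreswan can look up a key for in DNS (FQDN, IPV4_ADDR, IPV6_ADDR). The following is an added example, not code from the post or from the Libreswan project: a small Python checker that parses a "conn" stanza in ipsec.conf syntax, classifies each side's ID value into those type names, and reports whether a DNS key lookup is even possible for that ID type. The stanza embedded below is a copy of the one in the post; the classification of "%"-prefixed tokens and of "@name" values as non-literal or FQDN-style IDs is this example's own assumption.

```python
import ipaddress
import re

# Constructed copy of the "conn private" stanza quoted in the post.
SAMPLE_CONF = """\
conn private
    # IPsec mandatory
    right=%opportunisticgroup
    rightid=%fromcert
    rightrsasigkey=%cert
    rightca=%same
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=test-west1
    narrowing=yes
    type=tunnel
    ikev2=insist
    auto=route
    negotiationshunt=hold
    failureshunt=drop
    keyingtries=0
    retransmit-timeout=3s
"""

# ID types for which the log message in the post says a DNS key query is possible.
DNS_QUERYABLE = {"FQDN", "IPV4_ADDR", "IPV6_ADDR"}

# RFC 1123-style hostname: labels of 1-63 chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def parse_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Blank lines and '#' comment lines are skipped; everything after the
    first '=' is the value, so values containing '=' survive intact.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def classify_id(value):
    """Map an ID value to the type names used in the log message."""
    if value is None:
        return "UNSET"          # Libreswan derives the ID elsewhere (e.g. from the address)
    if value.startswith("%"):
        return "MAGIC"          # %fromcert, %any, ...: resolved at runtime, not a literal ID (assumption)
    try:
        addr = ipaddress.ip_address(value)
        return "IPV4_ADDR" if addr.version == 4 else "IPV6_ADDR"
    except ValueError:
        pass
    bare = value[1:] if value.startswith("@") else value  # assumption: @name is FQDN-style
    if HOSTNAME_RE.match(bare):
        return "FQDN"
    return "OTHER"


def check_ids(conns):
    """For each conn and side, report the ID type and whether a DNS key lookup is possible.

    dns_key_lookup is None when the ID is unset, since its effective type
    cannot be decided from the stanza alone.
    """
    findings = []
    for name, opts in conns.items():
        for side in ("left", "right"):
            id_value = opts.get(side + "id")
            id_type = classify_id(id_value)
            possible = None if id_type == "UNSET" else id_type in DNS_QUERYABLE
            findings.append({
                "conn": name, "side": side, "id": id_value, "id_type": id_type,
                "rsasigkey": opts.get(side + "rsasigkey"), "dns_key_lookup": possible,
            })
    return findings


if __name__ == "__main__":
    for f in check_ids(parse_conf(SAMPLE_CONF)):
        print(f"{f['conn']}: {f['side']}id={f['id']!r} type={f['id_type']} "
              f"rsasigkey={f['rsasigkey']!r} dns_key_lookup_possible={f['dns_key_lookup']}")
```

Run against the stanza above it reports rightid as a "%" token (no DNS key lookup possible for that ID type according to the log message) and leftid as unset; it does not attempt to say what Libreswan will substitute for an unset ID, which is exactly the point a reader would check in the Libreswan documentation next.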