[Swan] 3.15 OE problem - Can not opportunistically initiate... DNS query problem

Matthew Johnson matthew.f.j at gmail.com
Thu Jun 7 17:00:52 UTC 2018


Hi

I'm trying to use opportunistic encryption with 3.15 (available in CentOS 6
repos), but running into the following error (at least I think this is my
error):

Jun  7 09:29:35: | initiate on demand using RSASIG from 10.1.156.25 to
10.1.156.27 new state: fos_start
Jun  7 09:29:35: Can not opportunistically initiate for 10.1.156.25 to
10.1.156.27: can only query DNS for key for ID that is a FQDN, IPV4_ADDR,
or IPV6_ADDR
Jun  7 09:29:35: | cannot_oppo() detected packet triggered shunt from bundle
Jun  7 09:29:35: | fiddle_bare_shunt called
Jun  7 09:29:35: | fiddle_bare_shunt with transport_proto 17
Jun  7 09:29:35: | replacing specific host-to-host bare shunt
Jun  7 09:29:35: | can only query DNS for key for ID that is a FQDN,
IPV4_ADDR, or IPV6_ADDR eroute 10.1.156.25/32:43404 --17->
10.1.156.27/32:1025 => %hold>%drop (raw_eroute)

I'm only working with "private" connections currently. My configuration
stanza is:

conn private
        # IPsec mandatory
        right=%opportunisticgroup
        rightid=%fromcert
        rightrsasigkey=%cert
        rightca=%same
        #rightauth=rsasig
        left=%defaultroute
        #leftid=%fromcert
        leftrsasigkey=%cert
        leftcert=test-west1
        #leftcert=/etc/ipsec.d/test-west1.pem
        narrowing=yes
        type=tunnel
        ikev2=insist
        auto=route
        # tune remaining options to taste - fail fast to prevent packet loss to the app
        negotiationshunt=hold
        failureshunt=drop
        # 0 means infinite tries
        keyingtries=0
        retransmit-timeout=3s

My ipsec.conf file is right out of the box.

My secrets file contains:

: RSA "test-west1"

My policies/private file contains:

10.1.156.27

For my certificate, and initial setup, I followed the instructions here:

https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec

As far as I know, my configuration should eliminate the need to query DNS
for a key. I've been fiddling with the configuration since, but to no
avail. Both hosts are configured similarly, but the connection fails before
any packets are sent to the remote host, so my issue must be local.

I'm hoping someone here can help me get pointed in the right direction.

Thanks
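The log excerpt above shows the two events an operator needs to catch when OE is configured with failureshunt=drop: pluto refusing to initiate (the "Can not opportunistically initiate" line) and the resulting bare shunt change from %hold to %drop, after which the application's packets are silently discarded. The following is an added example, not code from the post or from libreswan: a small Python parser that extracts both events from pluto log text so they can be alerted on. The sample log is constructed from the lines quoted above (rejoined to one line each, plus one unrelated debug line); the regexes are written against that exact wording and are an assumption about pluto's message format, not a documented interface.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

# Constructed sample input: the pluto log lines quoted in the post above,
# rejoined to one line each, plus one unrelated debug line the parser must skip.
SAMPLE_LOG = """\
Jun  7 09:29:35: | initiate on demand using RSASIG from 10.1.156.25 to 10.1.156.27 new state: fos_start
Jun  7 09:29:35: Can not opportunistically initiate for 10.1.156.25 to 10.1.156.27: can only query DNS for key for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR
Jun  7 09:29:35: | cannot_oppo() detected packet triggered shunt from bundle
Jun  7 09:29:35: | fiddle_bare_shunt called
Jun  7 09:29:35: | fiddle_bare_shunt with transport_proto 17
Jun  7 09:29:35: | replacing specific host-to-host bare shunt
Jun  7 09:29:35: | can only query DNS for key for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR eroute 10.1.156.25/32:43404 --17-> 10.1.156.27/32:1025 => %hold>%drop (raw_eroute)
Jun  7 09:29:36: | some unrelated debug line
"""

# Assumed message shapes, taken from the post's excerpt rather than from libreswan docs.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): (?:\| )?(?P<msg>.*)$")
OPPO_FAIL_RE = re.compile(
    r"Can not opportunistically initiate for (?P<src>\S+) to (?P<dst>\S+): (?P<reason>.+)$"
)
EROUTE_RE = re.compile(
    r"eroute (?P<src>[^\s:]+):(?P<sport>\d+) --(?P<proto>\d+)-> "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+) => (?P<old>%\w+)>(?P<new>%\w+)"
)


@dataclass
class OppoFailure:
    ts: str
    src: str
    dst: str
    reason: str


@dataclass
class ShuntChange:
    ts: str
    src: str
    sport: int
    proto: int   # IP protocol number; 17 is UDP
    dst: str
    dport: int
    old: str     # shunt before the change, e.g. %hold
    new: str     # shunt after the change, e.g. %drop


Event = Union[OppoFailure, ShuntChange]


def parse_pluto_log(text: str) -> List[Event]:
    """Extract OE initiation failures and bare-shunt changes from pluto log text."""
    events: List[Event] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        f = OPPO_FAIL_RE.search(msg)
        if f:
            events.append(OppoFailure(ts, f.group("src"), f.group("dst"), f.group("reason")))
            continue
        e = EROUTE_RE.search(msg)
        if e:
            events.append(ShuntChange(
                ts, e.group("src"), int(e.group("sport")), int(e.group("proto")),
                e.group("dst"), int(e.group("dport")), e.group("old"), e.group("new"),
            ))
    return events


Flow = Tuple[str, int, int, str, int]


def blackholed_flows(text: str) -> List[Flow]:
    """Return (src, sport, proto, dst, dport) for every flow whose shunt became %drop.

    With failureshunt=drop these are application packets now being discarded
    rather than sent in the clear, which is the event to alert on.
    """
    return [
        (e.src, e.sport, e.proto, e.dst, e.dport)
        for e in parse_pluto_log(text)
        if isinstance(e, ShuntChange) and e.new == "%drop"
    ]


def failure_reasons(text: str) -> List[str]:
    """Distinct reasons pluto gave for refusing to initiate OE, in order of first appearance."""
    seen: List[str] = []
    for e in parse_pluto_log(text):
        if isinstance(e, OppoFailure) and e.reason not in seen:
            seen.append(e.reason)
    return seen


if __name__ == "__main__":
    for reason in failure_reasons(SAMPLE_LOG):
        print("OE refused:", reason)
    for flow in blackholed_flows(SAMPLE_LOG):
        print("dropped flow:", flow)
```

Run against the excerpt it reports one refusal (the DNS key lookup for an unsupported ID type) and one dropped flow, UDP 10.1.156.25:43404 to 10.1.156.27:1025. Feeding it a live pluto log (with debug logging enabled, since the eroute line is a debug message) gives a quick count of how much traffic a misconfigured OE policy is black-holing before the "must be local" diagnosis in the post is confirmed.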