[Swan] Cisco IOS IPv6 Transport with IKEv2 to Libreswan

Reuben Farrelly reuben-libreswan at reub.net
Sat Jun 9 05:41:19 UTC 2018



On 9/06/2018 6:31 AM, Paul Wouters wrote:
> On Tue, 5 Jun 2018, Reuben Farrelly wrote:
> 
>> I only need to transport IPv4 across the IPv6 IPSec tunnel, but bonus 
>> marks all around if I can optionally have an IPv4 and IPv6 address on 
>> the VTI at the same time.
> 
>> Problems I have run into and would appreciate any advice are as 
>> follows...
>>
>> 1. The libreswan conn section for each peer requires a left= 
>> statement. This works as either an IPv4 address, or an IPv6 address, 
>> but only one can be defined.  And %any doesn't work either (trying 
>> this results in an error "connection router-2.reub.net must specify 
>> host IP address for our side")
>>
>> This is a major obstacle if I have both IPv4 only and IPv6 preferred 
>> clients connecting in, especially if I am migrating between the two 
>> transports as I am here, because it appears I have to use one or the 
>> other, but cannot support both address families at once.
>>
>> 2. If I change the left= side to be the IPv6 address, then it starts 
>> but I get a proposal error:
> 
> Please retry the current git master. It no longer uses the
> connaddrfamily= keyword. You should not need any keyword to do 6in4 or
> 4in6. But if you want to force the address family of the gateways, you
> can use hostaddrfamily= and if you want to force the address family of
> the subnets, you can use clientaddrfamily=

I didn't have any keyword configured previously but I've updated to the 
latest -git anyway (Linux Libreswan 
v3.22-1573-g28f6eabac-dirty-28f6eabac88aa6d2645671a7bfd4500d194f5630 
(netkey) on 4.15.18-x86_64-linode107)

>> Jun  5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Processing 
>> IKE_SA_INIT message
>> Jun  5 22:58:21: IKEv2-ERROR:(SESSION ID = 43,SA ID = 1):: Received no 
>> proposal chosen notify
>> Jun  5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Failed SA init 
>> exchange
>> Jun  5 22:58:21: IKEv2-ERROR:(SESSION ID = 43,SA ID = 1):Initial 
>> exchange failed: Initial exchange failed
>> Jun  5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Abort exchange
>> Jun  5 22:58:21: IKEv2:(SESSION ID = 43,SA ID = 1):Deleting SA
>>
>> I don't understand why I'd start getting a proposal error if I haven't 
>> changed any of the proposals on either side.
> 
> Most likely, your connection showed up as "unoriented" and therefore
> fails in IKE_INIT to be found at all (we can only look at oriented
> connections to match an exchange to)

What I don't understand is why this would suddenly become a problem just 
by changing the transport.  The right-hand side IP address is %any and 
the left-hand side is one of the IPv6 addresses on the Libreswan side, 
so it should match on the configuration (it does with IPv4).

Even after the update it still results in the same errors and a failure 
to connect, as previously.

Here's the status output:

lightning /etc/ipsec.d # ipsec --status
000 using kernel interface: netkey
000 interface eth0/eth0 2400:8901:e001:3a::22 at 500
000 interface eth0/eth0 2400:8901:e001:3a::21 at 500
000 interface eth0/eth0 2400:8901:e001:3a::20 at 500
000 interface eth0/eth0 2400:8901::f03c:91ff:fe6e:9dc at 500
000 interface eth0/eth0 2400:8901:e001:3a::23 at 500
000 interface lo/lo ::1 at 500
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface eth0/eth0 139.162.51.249 at 4500
000 interface eth0/eth0 139.162.51.249 at 500
000 interface vti-1/vti-1 192.168.6.1 at 4500
000 interface vti-1/vti-1 192.168.6.1 at 500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, 
secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 
pluto_version=v3.22-1573-g28f6eabac-dirty-28f6eabac88aa6d2645671a7bfd4500d194f5630, 
pluto_vendorid=OE-Libreswan-v3.22-1573
000 nhelpers=-1, uniqueids=yes, dnssec-enable=no, perpeerlog=no, 
logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, 
crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, 
ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=<unsupported>
000 debug: 
raw+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+xauth+retransmits+oppoinfo
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 
25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, 
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, 
keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, 
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, 
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, 
keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, 
keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, 
keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, 
keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, 
keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, 
keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, 
v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, 
v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, 
v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, 
v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, 
v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, 
v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, 
v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, 
v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, 
v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, 
v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} 
trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "router-2.reub.net": 
0.0.0.0/0===2400:8901::f03c:91ff:fe6e:9dc<2400:8901::f03c:91ff:fe6e:09dc>[@lightning.reub.net]...%any[router-2 at reub.net]===0.0.0.0/0; 
unrouted; eroute owner: #0
000 "router-2.reub.net":     oriented; my_ip=unset; their_ip=unset; 
my_updown=ipsec _updown;
000 "router-2.reub.net":   xauth us:none, xauth them:none, 
my_username=[any]; their_username=[any]
000 "router-2.reub.net":   our auth:secret, their auth:secret
000 "router-2.reub.net":   modecfg info: us:none, them:none, modecfg 
policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "router-2.reub.net":   labeled_ipsec:no;
000 "router-2.reub.net":   policy_label:unset;
000 "router-2.reub.net":   ike_life: 86400s; ipsec_life: 3600s; 
replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "router-2.reub.net":   retransmit-interval: 500ms; 
retransmit-timeout: 60s;
000 "router-2.reub.net":   initial-contact:no; cisco-unity:no; 
fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "router-2.reub.net":   policy: 
PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "router-2.reub.net":   conn_prio: 0,0; interface: eth0; metric: 0; 
mtu: unset; sa_prio:auto; sa_tfc:none;
000 "router-2.reub.net":   nflog-group: unset; mark: 12/0xffffff, 
12/0xffffff; vti-iface:vti-1; vti-routing:no; vti-shared:no; 
nic-offload:auto;
000 "router-2.reub.net":   our idtype: ID_FQDN; our 
id=@lightning.reub.net; their idtype: ID_USER_FQDN; their 
id=router-2 at reub.net
000 "router-2.reub.net":   dpd: action:clear; delay:15; timeout:45; 
nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "router-2.reub.net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "router-2.reub.net":   IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1536
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE 
connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 Bare Shunt list:
000
lightning /etc/ipsec.d #



The debug log from libreswan:

Jun  9 13:32:23.105603: | *received 550 bytes from 
2001:8004:1400:20c9:1863:feff:fea4:d208:500 on eth0 (port=500)
Jun  9 13:32:23.105679: |   89 59 89 23  21 96 85 77  00 00 00 00  00 00 
00 00
Jun  9 13:32:23.105685: |   21 20 22 08  00 00 00 00  00 00 02 26  22 00 
00 90
Jun  9 13:32:23.105690: |   00 00 00 8c  01 01 00 0f  03 00 00 0c  01 00 
00 0c
Jun  9 13:32:23.105694: |   80 0e 01 00  03 00 00 0c  01 00 00 0c  80 0e 
00 c0
Jun  9 13:32:23.105698: |   03 00 00 0c  01 00 00 0c  80 0e 00 80  03 00 
00 08
Jun  9 13:32:23.105702: |   02 00 00 07  03 00 00 08  02 00 00 06  03 00 
00 08
Jun  9 13:32:23.105706: |   02 00 00 05  03 00 00 08  02 00 00 02  03 00 
00 08
Jun  9 13:32:23.105710: |   02 00 00 01  03 00 00 08  03 00 00 0e  03 00 
00 08
Jun  9 13:32:23.105715: |   03 00 00 0d  03 00 00 08  03 00 00 0c  03 00 
00 08
Jun  9 13:32:23.105719: |   03 00 00 02  03 00 00 08  03 00 00 01  03 00 
00 08
Jun  9 13:32:23.105723: |   04 00 00 05  00 00 00 08  04 00 00 02  28 00 
00 c8
Jun  9 13:32:23.105727: |   00 05 00 00  5f 5e 99 2b  dd 57 cf 5d  7d 42 
aa 5e
Jun  9 13:32:23.105731: |   52 f7 e6 d1  38 d7 df 75  8c f4 0f ec  c8 6a 
a2 e5
Jun  9 13:32:23.105742: |   c8 70 9c 62  f7 b3 dc 86  08 7c bd e4  17 12 
2f 34
Jun  9 13:32:23.105747: |   6a a7 13 50  7c a4 4d 03  01 09 50 a7  f5 ad 
b0 c1
Jun  9 13:32:23.105751: |   48 33 eb 8b  ac e7 a7 b1  9d bc 7a c4  0a a0 
f8 01
Jun  9 13:32:23.105755: |   34 6b 39 e7  b5 6f 6d 59  eb e2 28 3e  48 ac 
84 68
Jun  9 13:32:23.105759: |   9c 04 09 15  dd 79 1b c4  6d f3 c9 25  cc 9e 
fb a7
Jun  9 13:32:23.105764: |   9b ee 6a 65  f0 19 3a a0  2b 8c 0c b0  4c 07 
d0 1f
Jun  9 13:32:23.105820: |   5b 9b d9 46  90 58 b1 16  7b 2e 41 19  35 fe 
e7 de
Jun  9 13:32:23.105826: |   70 8c 8e 6e  67 c4 6f 8a  11 e2 a5 4b  72 17 
64 fc
Jun  9 13:32:23.105830: |   3f 09 8b fe  89 46 2c e1  d1 b3 39 c6  50 fa 
ce 73
Jun  9 13:32:23.105834: |   92 c6 d3 f2  d1 1a 19 c0  86 5d b9 e1  35 71 
40 b2
Jun  9 13:32:23.105839: |   15 4b 6e 49  2b 00 00 24  77 42 fc 65  24 d5 
f3 4c
Jun  9 13:32:23.105843: |   d1 58 ac 9f  87 0a 28 e6  06 ac 43 8a  42 db 
c9 e7
Jun  9 13:32:23.105847: |   0c 77 f2 58  d5 1f 59 dc  2b 00 00 17  43 49 
53 43
Jun  9 13:32:23.105851: |   4f 2d 44 45  4c 45 54 45  2d 52 45 41  53 4f 
4e 2b
Jun  9 13:32:23.105855: |   00 00 13 43  49 53 43 4f  56 50 4e 2d  52 45 
56 2d
Jun  9 13:32:23.105859: |   30 32 2b 00  00 17 43 49  53 43 4f 2d  44 59 
4e 41
Jun  9 13:32:23.105863: |   4d 49 43 2d  52 4f 55 54  45 29 00 00  15 46 
4c 45
Jun  9 13:32:23.105867: |   58 56 50 4e  2d 53 55 50  50 4f 52 54  45 44 
29 00
Jun  9 13:32:23.105872: |   00 1c 00 00  40 04 12 f1  51 85 d0 16  30 2a 
15 33
Jun  9 13:32:23.105876: |   fe 42 b4 9f  7a 0f dd b2  d2 72 00 00  00 1c 
00 00
Jun  9 13:32:23.105880: |   40 05 5c a7  ef 2c 65 69  9d c5 19 d7  09 30 
32 a7
Jun  9 13:32:23.105911: |   af b1 64 35  9c 4f
Jun  9 13:32:23.105926: | processing: start from 
2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in process_md() at demux.c:391)
Jun  9 13:32:23.105936: | **parse ISAKMP Message:
Jun  9 13:32:23.105942: |    initiator cookie:
Jun  9 13:32:23.105946: |   89 59 89 23  21 96 85 77
Jun  9 13:32:23.105949: |    responder cookie:
Jun  9 13:32:23.105953: |   00 00 00 00  00 00 00 00
Jun  9 13:32:23.105959: |    next payload type: ISAKMP_NEXT_v2SA (0x21)
Jun  9 13:32:23.105964: |    ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20)
Jun  9 13:32:23.105968: |    exchange type: ISAKMP_v2_SA_INIT (0x22)
Jun  9 13:32:23.105973: |    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
Jun  9 13:32:23.105977: |    message ID:  00 00 00 00
Jun  9 13:32:23.105981: |    length: 550 (0x226)
Jun  9 13:32:23.105987: |  processing version=2.0 packet with exchange 
type=ISAKMP_v2_SA_INIT (34)
Jun  9 13:32:23.105993: | I am receiving an IKEv2 Request ISAKMP_v2_SA_INIT
Jun  9 13:32:23.105996: | I am the IKE SA Original Responder
Jun  9 13:32:23.106006: | icookie table: hash icookie 89 59 89 23  21 96 
85 77 to 8621167510034525833 slot 0x561a3ad4a5c0
Jun  9 13:32:23.106011: | parent_init v2 state object not found
Jun  9 13:32:23.106017: | #null state always idle
Jun  9 13:32:23.106023: | #0 in state PARENT_R0: processing SA_INIT request
Jun  9 13:32:23.106028: | Unpacking clear payload for svm: Respond to 
IKE_SA_INIT
Jun  9 13:32:23.106033: | Now let's proceed with payload (ISAKMP_NEXT_v2SA)
Jun  9 13:32:23.106038: | ***parse IKEv2 Security Association Payload:
Jun  9 13:32:23.106042: |    next payload type: ISAKMP_NEXT_v2KE (0x22)
Jun  9 13:32:23.106046: |    flags: none (0x0)
Jun  9 13:32:23.106050: |    length: 144 (0x90)
Jun  9 13:32:23.106055: | processing payload: ISAKMP_NEXT_v2SA (len=144)
Jun  9 13:32:23.106058: | Now let's proceed with payload (ISAKMP_NEXT_v2KE)
Jun  9 13:32:23.106063: | ***parse IKEv2 Key Exchange Payload:
Jun  9 13:32:23.106067: |    next payload type: ISAKMP_NEXT_v2Ni (0x28)
Jun  9 13:32:23.106071: |    flags: none (0x0)
Jun  9 13:32:23.106075: |    length: 200 (0xc8)
Jun  9 13:32:23.106079: |    DH group: OAKLEY_GROUP_MODP1536 (0x5)
Jun  9 13:32:23.106083: | processing payload: ISAKMP_NEXT_v2KE (len=200)
Jun  9 13:32:23.106087: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
Jun  9 13:32:23.106092: | ***parse IKEv2 Nonce Payload:
Jun  9 13:32:23.106096: |    next payload type: ISAKMP_NEXT_v2V (0x2b)
Jun  9 13:32:23.106099: |    flags: none (0x0)
Jun  9 13:32:23.106103: |    length: 36 (0x24)
Jun  9 13:32:23.106108: | processing payload: ISAKMP_NEXT_v2Ni (len=36)
Jun  9 13:32:23.106112: | Now let's proceed with payload (ISAKMP_NEXT_v2V)
Jun  9 13:32:23.106116: | ***parse IKEv2 Vendor ID Payload:
Jun  9 13:32:23.106120: |    next payload type: ISAKMP_NEXT_v2V (0x2b)
Jun  9 13:32:23.106124: |    flags: none (0x0)
Jun  9 13:32:23.106127: |    length: 23 (0x17)
Jun  9 13:32:23.106131: | processing payload: ISAKMP_NEXT_v2V (len=23)
Jun  9 13:32:23.106135: | Now let's proceed with payload (ISAKMP_NEXT_v2V)
Jun  9 13:32:23.106139: | ***parse IKEv2 Vendor ID Payload:
Jun  9 13:32:23.106143: |    next payload type: ISAKMP_NEXT_v2V (0x2b)
Jun  9 13:32:23.106147: |    flags: none (0x0)
Jun  9 13:32:23.106151: |    length: 19 (0x13)
Jun  9 13:32:23.106155: | processing payload: ISAKMP_NEXT_v2V (len=19)
Jun  9 13:32:23.106159: | Now let's proceed with payload (ISAKMP_NEXT_v2V)
Jun  9 13:32:23.106163: | ***parse IKEv2 Vendor ID Payload:
Jun  9 13:32:23.106166: |    next payload type: ISAKMP_NEXT_v2V (0x2b)
Jun  9 13:32:23.106171: |    flags: none (0x0)
Jun  9 13:32:23.106174: |    length: 23 (0x17)
Jun  9 13:32:23.106178: | processing payload: ISAKMP_NEXT_v2V (len=23)
Jun  9 13:32:23.106182: | Now let's proceed with payload (ISAKMP_NEXT_v2V)
Jun  9 13:32:23.106186: | ***parse IKEv2 Vendor ID Payload:
Jun  9 13:32:23.106190: |    next payload type: ISAKMP_NEXT_v2N (0x29)
Jun  9 13:32:23.106194: |    flags: none (0x0)
Jun  9 13:32:23.106198: |    length: 21 (0x15)
Jun  9 13:32:23.106202: | processing payload: ISAKMP_NEXT_v2V (len=21)
Jun  9 13:32:23.106783: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jun  9 13:32:23.106803: | ***parse IKEv2 Notify Payload:
Jun  9 13:32:23.106808: |    next payload type: ISAKMP_NEXT_v2N (0x29)
Jun  9 13:32:23.106812: |    flags: none (0x0)
Jun  9 13:32:23.106816: |    length: 28 (0x1c)
Jun  9 13:32:23.106820: |    Protocol ID: PROTO_v2_RESERVED (0x0)
Jun  9 13:32:23.106824: |    SPI size: 0 (0x0)
Jun  9 13:32:23.106829: |    Notify Message Type: 
v2N_NAT_DETECTION_SOURCE_IP (0x4004)
Jun  9 13:32:23.106833: | processing payload: ISAKMP_NEXT_v2N (len=28)
Jun  9 13:32:23.106837: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Jun  9 13:32:23.106841: | ***parse IKEv2 Notify Payload:
Jun  9 13:32:23.106845: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jun  9 13:32:23.106849: |    flags: none (0x0)
Jun  9 13:32:23.106853: |    length: 28 (0x1c)
Jun  9 13:32:23.106857: |    Protocol ID: PROTO_v2_RESERVED (0x0)
Jun  9 13:32:23.106861: |    SPI size: 0 (0x0)
Jun  9 13:32:23.106865: |    Notify Message Type: 
v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
Jun  9 13:32:23.106869: | processing payload: ISAKMP_NEXT_v2N (len=28)
Jun  9 13:32:23.106875: | selected state microcode Respond to IKE_SA_INIT
Jun  9 13:32:23.106879: | Now lets proceed with state specific processing
Jun  9 13:32:23.106883: | calling processor Respond to IKE_SA_INIT
Jun  9 13:32:23.106888: | anti-DDoS cookies not required (and no cookie 
received)
Jun  9 13:32:23.106900: | find_host_connection 
me=2400:8901::f03c:91ff:fe6e:9dc:500 
him=2001:8004:1400:20c9:1863:feff:fea4:d208:500 policy=RSASIG+IKEV2_ALLOW
Jun  9 13:32:23.106908: | find_host_pair: comparing 
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun  9 13:32:23.106921: | find_next_host_connection 
policy=RSASIG+IKEV2_ALLOW
Jun  9 13:32:23.106926: | find_next_host_connection returns empty
Jun  9 13:32:23.106932: | find_host_connection 
me=2400:8901::f03c:91ff:fe6e:9dc:500 him=%any:500 policy=RSASIG+IKEV2_ALLOW
Jun  9 13:32:23.106937: | find_host_pair: comparing 
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun  9 13:32:23.106942: | find_next_host_connection 
policy=RSASIG+IKEV2_ALLOW
Jun  9 13:32:23.106946: | find_next_host_connection returns empty
Jun  9 13:32:23.106952: | initial parent SA message received on 
2400:8901::f03c:91ff:fe6e:9dc:500 but no connection has been authorized 
with policy RSASIG+IKEV2_ALLOW
Jun  9 13:32:23.106959: | find_host_connection 
me=2400:8901::f03c:91ff:fe6e:9dc:500 
him=2001:8004:1400:20c9:1863:feff:fea4:d208:500 policy=PSK+IKEV2_ALLOW
Jun  9 13:32:23.106964: | find_host_pair: comparing 
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun  9 13:32:23.106968: | find_next_host_connection policy=PSK+IKEV2_ALLOW
Jun  9 13:32:23.106972: | find_next_host_connection returns empty
Jun  9 13:32:23.106977: | find_host_connection 
me=2400:8901::f03c:91ff:fe6e:9dc:500 him=%any:500 policy=PSK+IKEV2_ALLOW
Jun  9 13:32:23.106983: | find_host_pair: comparing 
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun  9 13:32:23.106987: | find_next_host_connection policy=PSK+IKEV2_ALLOW
Jun  9 13:32:23.106990: | find_next_host_connection returns empty
Jun  9 13:32:23.106996: | initial parent SA message received on 
2400:8901::f03c:91ff:fe6e:9dc:500 but no connection has been authorized 
with policy PSK+IKEV2_ALLOW
Jun  9 13:32:23.107003: | find_host_connection 
me=2400:8901::f03c:91ff:fe6e:9dc:500 
him=2001:8004:1400:20c9:1863:feff:fea4:d208:500 policy=AUTHNULL+IKEV2_ALLOW
Jun  9 13:32:23.107008: | find_host_pair: comparing 
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun  9 13:32:23.107012: | find_next_host_connection 
policy=AUTHNULL+IKEV2_ALLOW
Jun  9 13:32:23.107016: | find_next_host_connection returns empty
Jun  9 13:32:23.107021: | find_host_connection 
me=2400:8901::f03c:91ff:fe6e:9dc:500 him=%any:500 
policy=AUTHNULL+IKEV2_ALLOW
Jun  9 13:32:23.107026: | find_host_pair: comparing 
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500
Jun  9 13:32:23.107031: | find_next_host_connection 
policy=AUTHNULL+IKEV2_ALLOW
Jun  9 13:32:23.107034: | find_next_host_connection returns empty
Jun  9 13:32:23.107053: | initial parent SA message received on 
2400:8901::f03c:91ff:fe6e:9dc:500 but no connection has been authorized 
with policy AUTHNULL+IKEV2_ALLOW
Jun  9 13:32:23.107060: packet from 
2001:8004:1400:20c9:1863:feff:fea4:d208:500: initial parent SA message 
received on 2400:8901::f03c:91ff:fe6e:9dc:500 but no suitable connection 
found with IKEv2 policy
Jun  9 13:32:23.107068: | skip start processing: state #0 (in 
complete_v2_state_transition() at ikev2.c:2787)
Jun  9 13:32:23.107074: | #0 complete v2 state transition from 
STATE_UNDEFINED with v2N_NO_PROPOSAL_CHOSEN
Jun  9 13:32:23.107078: | sending a notification reply
Jun  9 13:32:23.107090: packet from 
2001:8004:1400:20c9:1863:feff:fea4:d208:500: responding to SA_INIT 
message (ID 0) from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 with 
unencrypted notification NO_PROPOSAL_CHOSEN
Jun  9 13:32:23.107103: | Opening output PBS unencrypted notification
Jun  9 13:32:23.107110: | **emit ISAKMP Message:
Jun  9 13:32:23.107115: |    initiator cookie:
Jun  9 13:32:23.107119: |   89 59 89 23  21 96 85 77
Jun  9 13:32:23.107123: |    responder cookie:
Jun  9 13:32:23.107126: |   00 00 00 00  00 00 00 00
Jun  9 13:32:23.107131: |    next payload type: ISAKMP_NEXT_NONE (0x0)
Jun  9 13:32:23.107136: |    ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20)
Jun  9 13:32:23.107141: |    exchange type: ISAKMP_v2_SA_INIT (0x22)
Jun  9 13:32:23.107145: |    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Jun  9 13:32:23.107149: |    message ID:  00 00 00 00
Jun  9 13:32:23.107157: | next payload type: saving message location 
'ISAKMP Message' 'next payload type'
Jun  9 13:32:23.107162: | Adding a v2N Payload
Jun  9 13:32:23.107166: | ***emit IKEv2 Notify Payload:
Jun  9 13:32:23.107171: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jun  9 13:32:23.107174: |    flags: none (0x0)
Jun  9 13:32:23.107178: |    Protocol ID: PROTO_v2_RESERVED (0x0)
Jun  9 13:32:23.107182: |    SPI size: 0 (0x0)
Jun  9 13:32:23.107186: |    Notify Message Type: v2N_NO_PROPOSAL_CHOSEN 
(0xe)
Jun  9 13:32:23.107192: | next payload type: setting 'ISAKMP Message' 
'next payload type' to IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
Jun  9 13:32:23.107196: | next payload type: saving payload location 
'IKEv2 Notify Payload' 'next payload type'
Jun  9 13:32:23.107201: | emitting length of IKEv2 Notify Payload: 8
Jun  9 13:32:23.107205: | emitting length of ISAKMP Message: 36
Jun  9 13:32:23.107214: | sending 36 bytes for v2 notify through 
eth0:500 to 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (using #0)
Jun  9 13:32:23.107219: |   89 59 89 23  21 96 85 77  00 00 00 00  00 00 
00 00
Jun  9 13:32:23.107223: |   29 20 22 20  00 00 00 00  00 00 00 24  00 00 
00 08
Jun  9 13:32:23.107227: |   00 00 00 0e
Jun  9 13:32:23.107902: | state transition function for STATE_UNDEFINED 
failed: v2N_NO_PROPOSAL_CHOSEN
Jun  9 13:32:23.107926: | processing: stop from 
2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in process_md() at demux.c:393)
Jun  9 13:32:23.107935: | processing: STOP state #0 (in process_md() at 
demux.c:395)
Jun  9 13:32:23.107940: | serialno table: hash serialno #0 to head 
0x561a3ad4c980
Jun  9 13:32:23.107945: | serialno table: hash serialno #0 to head 
0x561a3ad4c980
Jun  9 13:32:23.107949: | processing: STOP connection NULL (in 
process_md() at demux.c:396)
Jun  9 13:32:26.708044: |  kernel_process_msg_cb process netlink message
Jun  9 13:32:26.708269: | netlink_get: XFRM_MSG_DELPOLICY message
Jun  9 13:32:26.710032: | xfrm netlink address change RTM_NEWADDR msg len 72
Jun  9 13:32:31.693030: | timer_event_cb: processing event at 0x561a3b06a210
Jun  9 13:32:31.693101: | handling event EVENT_SHUNT_SCAN
Jun  9 13:32:31.693112: | expiring aged bare shunts from shunt table
Jun  9 13:32:31.693119: | event_schedule: new 
EVENT_SHUNT_SCAN-pe at 0x561a3b06ee40
Jun  9 13:32:31.693129: | inserting event EVENT_SHUNT_SCAN, timeout in 
20.000 seconds
Jun  9 13:32:31.693141: | free_event_entry: release 
EVENT_SHUNT_SCAN-pe at 0x561a3b06a210
Jun  9 13:32:31.722080: |  kernel_process_msg_cb process netlink message
Jun  9 13:32:31.727500: | netlink_get: XFRM_MSG_DELPOLICY message
Jun  9 13:32:31.727548: | xfrm netlink address change RTM_NEWADDR msg len 72
Jun  9 13:32:36.717878: |  kernel_process_msg_cb process netlink message
Jun  9 13:32:36.717973: | netlink_get: XFRM_MSG_DELPOLICY message
Jun  9 13:32:36.717983: | xfrm netlink address change RTM_NEWADDR msg len 72
Jun  9 13:32:41.728195: |  kernel_process_msg_cb process netlink message
Jun  9 13:32:41.728293: | netlink_get: XFRM_MSG_DELPOLICY message
Jun  9 13:32:41.728305: | xfrm netlink address change RTM_NEWADDR msg len 72
lightning /etc/ipsec.d #


From the router debugs I see very little:

Jun  9 15:31:52: IKEv2:(SESSION ID = 43,SA ID = 1):Sending Packet [To 
2400:8901::F03C:91FF:FE6E:9DC:500/From 
2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0]
Initiator SPI : C90C3A47CE5F843A - Responder SPI : 0000000000000000 
Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
  SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) 
NOTIFY(NAT_DETECTION_DESTINATION_IP)

Jun  9 15:31:52: IKEv2:(SESSION ID = 43,SA ID = 1):Insert SA

Jun  9 15:31:53: IKEv2:(SESSION ID = 43,SA ID = 1):Received Packet [From 
2400:8901::F03C:91FF:FE6E:9DC:500/To 
2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0]
Initiator SPI : C90C3A47CE5F843A - Responder SPI : 0000000000000000 
Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
  NOTIFY(NO_PROPOSAL_CHOSEN)

Jun  9 15:31:53: IKEv2:(SESSION ID = 43,SA ID = 1):Processing 
IKE_SA_INIT message
Jun  9 15:31:53: IKEv2-ERROR:(SESSION ID = 43,SA ID = 1):: Received no 
proposal chosen notify
Jun  9 15:31:53: IKEv2:(SESSION ID = 43,SA ID = 1):Failed SA init exchange
Jun  9 15:31:53: IKEv2-ERROR:(SESSION ID = 43,SA ID = 1):Initial 
exchange failed: Initial exchange failed
Jun  9 15:31:53: IKEv2:(SESSION ID = 43,SA ID = 1):Abort exchange
Jun  9 15:31:53: IKEv2:(SESSION ID = 43,SA ID = 1):Deleting SA


I'm highly suspicious of this line in the libreswan debug:

Jun  9 13:32:23.106908: | find_host_pair: comparing 
2400:8901::f03c:91ff:fe6e:9dc:500 to 0.0.0.0:500

It looks to me like there is an attempted comparison between an IPv6 
address and an IPv4 one, which will of course never work and always 
result in a failure to match.

Reuben
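[Added example; not part of Reuben's message and not libreswan or Cisco
code.] The two packets in the libreswan debug log above can be decoded
with a short Python script. The one below carries the 550-byte
IKE_SA_INIT request and the 36-byte reply transcribed from the hex dumps
in the log, walks the IKEv2 fixed header and generic payload chain as laid
out in RFC 7296, and breaks the SA payload down into its proposals and
transforms. Payload, transform and notify names are the IANA IKEv2
registry values; offer_covers() is a helper of this example only, not a
libreswan function. Two things it makes visible. First, the router offers
AES_CBC with 256/192/128-bit keys, HMAC-SHA1, HMAC-MD5 and the SHA2
family for PRF and integrity, and DH groups MODP1536 and MODP1024, so the
suite "ipsec status" lists for the connection
(AES_CBC_256-HMAC_SHA1-MODP1536) is in the offer. Second, libreswan's
reply is an unencrypted, unauthenticated IKE_SA_INIT response with a zero
responder SPI and nothing but a NO_PROPOSAL_CHOSEN notify. Read together
with the debug lines "no suitable connection found with IKEv2 policy"
followed directly by "complete v2 state transition from STATE_UNDEFINED
with v2N_NO_PROPOSAL_CHOSEN", this shows the notify came out of the
connection lookup before any transform was compared, which is why the
router's "Received no proposal chosen notify" is not by itself evidence
of an algorithm mismatch.

```python
"""Decode the IKE_SA_INIT request and NO_PROPOSAL_CHOSEN reply logged above.
Added example, not libreswan or Cisco code; names are RFC 7296 / IANA values."""
import struct

PAYLOAD = {33: "SA", 34: "KE", 40: "Ni/Nr", 41: "N", 43: "V"}
TRANSFORM = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
NOTIFY = {14: "NO_PROPOSAL_CHOSEN", 16388: "NAT_DETECTION_SOURCE_IP",
          16389: "NAT_DETECTION_DESTINATION_IP"}

# Transcribed from the "*received 550 bytes from ...:500 on eth0" hex dump.
IKE_SA_INIT_REQUEST = bytes.fromhex(
    "8959892321968577000000000000000021202208000000000000022622000090"
    "0000008c0101000f0300000c0100000c800e01000300000c0100000c800e00c0"
    "0300000c0100000c800e00800300000802000007030000080200000603000008"
    "0200000503000008020000020300000802000001030000080300000e03000008"
    "0300000d030000080300000c0300000803000002030000080300000103000008"
    "040000050000000804000002280000c8000500005f5e992bdd57cf5d7d42aa5e"
    "52f7e6d138d7df758cf40fecc86aa2e5c8709c62f7b3dc86087cbde417122f34"
    "6aa713507ca44d03010950a7f5adb0c14833eb8bace7a7b19dbc7ac40aa0f801"
    "346b39e7b56f6d59ebe2283e48ac84689c040915dd791bc46df3c925cc9efba7"
    "9bee6a65f0193aa02b8c0cb04c07d01f5b9bd9469058b1167b2e411935fee7de"
    "708c8e6e67c46f8a11e2a54b721764fc3f098bfe89462ce1d1b339c650face73"
    "92c6d3f2d11a19c0865db9e1357140b2154b6e492b0000247742fc6524d5f34c"
    "d158ac9f870a28e606ac438a42dbc9e70c77f258d51f59dc2b00001743495343"
    "4f2d44454c4554452d524541534f4e2b000013434953434f56504e2d5245562d"
    "30322b000017434953434f2d44594e414d49432d524f55544529000015464c45"
    "5856504e2d535550504f525445442900001c0000400412f15185d016302a1533"
    "fe42b49f7a0fddb2d2720000001c000040055ca7ef2c65699dc519d7093032a7"
    "afb164359c4f")
# Transcribed from the "sending 36 bytes for v2 notify" hex dump.
NO_PROPOSAL_CHOSEN_REPLY = bytes.fromhex(
    "89598923219685770000000000000000292022200000000000000024000000080000000e")

def parse_header(data):
    """Fixed 28-byte IKEv2 header (RFC 7296 section 3.1)."""
    spi_i, spi_r, nxt, ver, xchg, flags, msg_id, length = struct.unpack(">8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError("header says %d bytes, got %d" % (length, len(data)))
    return {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "next": nxt,
            "version": (ver >> 4, ver & 0xF), "exchange": xchg,
            "flags": flags, "msg_id": msg_id, "length": length}

def parse_payloads(data, first_type):
    """Walk the generic payload chain; each header is next/flags/length."""
    out, off, ptype = [], 28, first_type
    while ptype != 0:
        nxt, _, plen = struct.unpack(">BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        out.append((ptype, data[off + 4:off + plen]))
        off, ptype = off + plen, nxt
    if off != len(data):
        raise ValueError("%d trailing bytes after last payload" % (len(data) - off))
    return out

def parse_sa(body):
    """SA payload -> list of (proposal#, transform type, id, key length or None)."""
    out, off = [], 0
    while off < len(body):
        _, _, plen, num, _, spi_size, ntrans = struct.unpack(">BBHBBBB", body[off:off + 8])
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack(">BBHBBH", body[toff:toff + 8])
            keylen, aoff = None, toff + 8
            while aoff < toff + tlen:                    # transform attributes
                atype, val = struct.unpack(">HH", body[aoff:aoff + 4])
                if atype == 0x800E:                      # TV-format key length
                    keylen = val
                aoff += 4 if atype & 0x8000 else 4 + val
            out.append((num, TRANSFORM.get(ttype, ttype), tid, keylen))
            toff += tlen
        off += plen
    return out

def decode(data):
    """Header plus a readable summary of every payload in the chain."""
    msg = parse_header(data)
    msg["payloads"] = []
    for ptype, body in parse_payloads(data, msg["next"]):
        if ptype == 33:
            info = parse_sa(body)
        elif ptype == 34:                                # KE: DH group, reserved, key
            info = struct.unpack(">H", body[:2])[0]
        elif ptype == 41:                                # N: proto, SPI size, type
            info = NOTIFY.get(struct.unpack(">H", body[2:4])[0])
        elif ptype == 43:                                # V: vendor string
            info = body.decode("ascii", "replace")
        else:
            info = len(body)
        msg["payloads"].append((PAYLOAD.get(ptype, ptype), info))
    return msg

def offer_covers(sa, *wanted):
    """True if every (type, id, keylen) in wanted appears in the SA offer."""
    return all(any(t[1:] == w for t in sa) for w in wanted)
```

Call decode(IKE_SA_INIT_REQUEST)["payloads"] and the request comes back
as SA, KE, Ni/Nr, V, V, V, V, N, N, the same order the router printed in
its own debug, with the four vendor strings (CISCO-DELETE-REASON,
CISCOVPN-REV-02, CISCO-DYNAMIC-ROUTE, FLEXVPN-SUPPORTED) and the two
NAT-detection notifies readable; decode(NO_PROPOSAL_CHOSEN_REPLY) gives a
single N payload. The length checks in parse_header() and
parse_payloads() are the ones any tool that reads IKE from an untrusted
peer needs: a payload length that runs past the datagram, or bytes left
over after the last payload, is rejected instead of being read.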
