[Swan] Problem connecting with shrew vpnclient with version 3.24

antonio asilva at wirelessmundi.com
Wed Jun 27 11:23:00 UTC 2018


Hi Paul,

I tried git master directly and also version 3.24 (git checkout v3.24), but 
I can't compile; it gives me the error:

In file included from 
/usr/src/libreswan/programs/pluto/linux-copy/linux/xfrm.h:5:0,
                  from 
/usr/src/libreswan/programs/pluto/kernel_netlink.c:56:
/usr/include/netinet/in.h:99:5: error: expected identifier before 
numeric constant
      IPPROTO_HOPOPTS = 0,   /* IPv6 Hop-by-Hop options.  */


More in:

https://pastebin.com/8B7zKDSE

I'm trying to compile it on Debian Jessie.


As for the configuration of Shrew, I use most of the default values; I 
only set:

- general -> remote hostname
- authentication -> authentication method: mutual psk+xauth
- authentication -> credentials -> pre shared key

I've been trying to force different phase 1 and phase 2 parameter 
combinations to make it work, without success.



I did a git bisect between versions 3.20 and 3.21; the result:

5bd36a6ff9420652a563a30662be8b550ccf04d2 is the first bad commit
commit 5bd36a6ff9420652a563a30662be8b550ccf04d2
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri May 19 15:54:54 2017 -0400

     IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads

     - Fixup CERT / CERTREQ handling
     - Don't give "weak warning" for aggrissive mode with RSA (only for PSK)
     - Cleanups (eg use c instead of st->st_connection)

:040000 040000 23c6b5650f9fc7891edaad633c4565df06ff20da 
03d13f11b6d9211ffdaab401eb73a01bc6c9d61a M    programs



To make sure, on every step I did:

make clean; make programs; make install; systemctl restart ipsec


My tunnel configuration:
conn xauth-aggr
     aggrmode=yes
     also=xauth

conn xauth
     pfs=no
     type=tunnel
     auto=add
     phase2=esp
     sha2-truncbug=yes
     authby=secret
     keyingtries=3
     ikelifetime=8h
     salifetime=1h
     left=192.168.1.137
     leftsubnet=0.0.0.0/0
     leftid=192.168.1.137
     right=%any
     rightid=%any
     rightaddresspool=192.168.20.2-192.168.20.10
     dpddelay=10
     dpdtimeout=30
     dpdaction=clear
     leftxauthserver=yes
     rightxauthclient=yes
     leftmodecfgserver=yes
     rightmodecfgclient=yes
     modecfgpull=yes
     ike-frag=yes
     #xauthby=pam
     xauthby=alwaysok


Secrets:
192.168.1.137 : PSK "1234"


On 06/08/2018 08:03 PM, Paul Wouters wrote:
> On Fri, 8 Jun 2018, antonio wrote:
>
>> cannot connect with shrew soft vpnclient to libreswan 3.24 (last 
>> version that worked was in version 3.20)  with psk+xauth:
>
> (this was 3.23 as explained)
>
>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>> #3: STATE_AGGR_R1: sent AR1, expecting AI2
>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>> #3: Peer ID is ID_IPV4_ADDR: '192.168.10.170'
>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>> #3: received Hash Payload does not match computed value
>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>> #3: sending encrypted notification INVALID_HASH_INFORMATION to
>> 192.168.10.170:33388
>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>> #3: next payload type of ISAKMP Hash Payload has an unknown
>> value: 218 (0xda)
>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>> #3: malformed payload in packet
>
>> The log when connecting with version 3.20:
>
>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>> #3: STATE_AGGR_R1: sent AR1, expecting AI2
>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>> #3: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>> #3: new NAT mapping for #3, was 192.168.10.170:33388, now
>> 192.168.10.170:40182
>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>> #3: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY
>> cipher=aes_256 integ=md5 group=MODP1024}
>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>> #3: ignoring informational payload IPSEC_INITIAL_CONTACT,
>> msgid=00000000, length=28
>> Jun 08 15:24:34 sol pluto[12290]: | ISAKMP Notification Payload
>> Jun 08 15:24:34 sol pluto[12290]: |   00 00 00 1c  00 00 00 01 01 10 
>> 60 02
>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>> #3: received and ignored informational message
>> Jun 08 15:24:34 sol pluto[12290]: | event EVENT_v1_SEND_XAUTH #3 
>> STATE_AGGR_R2
>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>> #3: XAUTH: Sending Username/Password request (XAUTH_R0)
>
> Would you be able to test 3.21 / 3.22 or maybe do a git bisect to help?
> Or alternatively, if you can give me a shrew client config and the
> libreswan server config, then I can try and run a git bisect to find
> the issue.
>
> Although perhaps first you can try and use a 3.24rcX candidate from
> download.libreswan.org/development/ and see if the problem got fixed
> already?
>
> Paul

-- 
Saludos / Regards / Cumprimentos
António Silva
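As an added example (not code from the post or from the libreswan project), here is a small parser for the pluto log lines quoted above. It groups messages per IKEv1 state (#3 in both logs), records whether the aggressive-mode exchange reached "ISAKMP SA established" or died with the hash/payload errors seen on 3.24, and flags the negotiated parameters a defender would want to review. The sample log lines are the ones quoted in the thread, with the e-mail line wraps rejoined; the function names, the dataclass and the list of failure markers are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Log lines from the post (3.24 failing, 3.20 working), rejoined after e-mail wrapping.
FAILED_3_24 = """\
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: STATE_AGGR_R1: sent AR1, expecting AI2
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: Peer ID is ID_IPV4_ADDR: '192.168.10.170'
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: received Hash Payload does not match computed value
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: sending encrypted notification INVALID_HASH_INFORMATION to 192.168.10.170:33388
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: next payload type of ISAKMP Hash Payload has an unknown value: 218 (0xda)
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: malformed payload in packet
"""

WORKED_3_20 = """\
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: STATE_AGGR_R1: sent AR1, expecting AI2
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: new NAT mapping for #3, was 192.168.10.170:33388, now 192.168.10.170:40182
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=md5 group=MODP1024}
Jun 08 15:24:34 sol pluto[12290]: | ISAKMP Notification Payload
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: XAUTH: Sending Username/Password request (XAUTH_R0)
"""

# Matches the per-connection pluto lines: '"conn"[instance] peer #state: message'.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[0-9.]+) #(?P<state>\d+): (?P<msg>.*)$'
)
SA_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')

# Messages that mean the phase 1 exchange was rejected (assumed list, taken from the post).
FAILURE_MARKERS = (
    "received Hash Payload does not match computed value",
    "INVALID_HASH_INFORMATION",
    "has an unknown value",
    "malformed payload",
)


@dataclass
class Phase1:
    conn: str
    instance: int
    peer: str
    state: int
    aggressive: bool = False
    established: bool = False
    sa_params: dict = field(default_factory=dict)
    failures: list = field(default_factory=list)


def parse_line(line):
    """Return the fields of a per-state pluto line, or None for debug ('| ...') lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("pid", "inst", "state"):
        d[k] = int(d[k])
    return d


def summarize(text):
    """Fold a pluto log into one Phase1 record per (conn, instance, peer, state)."""
    out = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["conn"], rec["inst"], rec["peer"], rec["state"])
        p = out.setdefault(key, Phase1(*key))
        msg = rec["msg"]
        if msg.startswith("STATE_AGGR_"):
            p.aggressive = True          # aggrmode=yes exchange
        sa = SA_RE.search(msg)
        if sa:
            p.established = True
            for kv in sa.group("params").split():
                k, _, v = kv.partition("=")
                p.sa_params[k] = v
        if any(marker in msg for marker in FAILURE_MARKERS):
            p.failures.append(msg)
    return out


def policy_warnings(p):
    """Review points for an established SA (the same concerns as pluto's 'weak warning')."""
    w = []
    if p.aggressive and p.sa_params.get("auth") == "PRESHARED_KEY":
        w.append("aggressive mode with PSK: the responder's auth hash travels in the clear, "
                 "so a short PSK is exposed to offline guessing; prefer main mode or certs")
    if p.sa_params.get("integ") == "md5":
        w.append("integ=md5 negotiated; prefer sha2")
    if p.sa_params.get("group") == "MODP1024":
        w.append("group=MODP1024 (1024-bit DH) negotiated; prefer modp2048 or larger")
    return w


if __name__ == "__main__":
    for label, text in (("3.24", FAILED_3_24), ("3.20", WORKED_3_20)):
        for key, p in summarize(text).items():
            print(label, key, "established" if p.established else "FAILED", p.failures)
            for warning in policy_warnings(p):
                print("   review:", warning)
```

Run against the two excerpts, the 3.24 log yields one state with four failure messages and no SA, while the 3.20 log yields an established SA whose parameters (PSK in aggressive mode, MD5 integrity, 1024-bit DH) all trip a review warning; the second set is worth reading even after the regression itself is fixed.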
