[Swan] Problem connecting with shrew vpnclient with version 3.24

antonio asilva at wirelessmundi.com
Wed Jun 27 16:02:35 UTC 2018


Hi,

After discussing on IRC, thanks to bleve and LetoTo:

3:50:13 PM - bleve: […] bad combination of glibc and kernel headers.
3:51:01 PM - bleve: https://libreswan.org/wiki/3.21_on_Debian_Wheezy
3:51:20 PM - bleve: https://libreswan.org/wiki/3.21_on_Debian_Wheezy#Workaround_:_enable_header_files_workaround

So to compile on Debian Jessie, in my case I just did:

cd libreswan

echo USE_GLIBC_KERN_FLIP_HEADERS=true >> Makefile.inc.local

make programs

make install

...


Master branch works if I set "main mode" instead of "aggressive mode" in the 
shrew client.

Forcing 'aggressive mode' in shrew, it looks to be a bug in the shrew 
implementation, from the log line:

xauth-aggr"[1] 192.168.1.138 #1: length of ISAKMP Hash Payload is larger than can fit


Full log can be checked in: https://pastebin.com/4cNSuHAh


In version 3.25 shrew can be used by setting "main mode".
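The "length of ISAKMP Hash Payload is larger than can fit" and "next payload type ... has an unknown value: 218 (0xda)" lines above come from pluto's bounds checks while walking the IKEv1 payload chain. The following is an added example (not libreswan or shrew code) that walks that chain over constructed messages and reports the same two failure modes; the helper `build_isakmp`, the sample payload bodies and the SPI values are all made up for the demonstration.

```python
import struct

ISAKMP_HDR_LEN = 28   # fixed ISAKMP header (RFC 2408 section 3.1)
GENERIC_HDR_LEN = 4   # generic payload header: next payload, reserved, length
# IKEv1 payload types this walker knows; anything else is "unknown" to pluto too
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D",
                 13: "VID", 14: "ATTR", 20: "NAT-D", 21: "NAT-OA"}

def walk_payloads(pkt):
    """Walk the payload chain of a cleartext ISAKMP message.
    Returns (payloads, errors): payloads is a list of (name, length) tuples,
    errors mirrors pluto's 'larger than can fit' / 'unknown value' complaints."""
    payloads, errors = [], []
    if len(pkt) < ISAKMP_HDR_LEN:
        return payloads, ["packet shorter than ISAKMP header"]
    next_type = pkt[16]                                  # header: next payload
    total_len = struct.unpack("!I", pkt[24:28])[0]       # header: message length
    if total_len > len(pkt):
        return payloads, ["ISAKMP header length is larger than the packet"]
    off = ISAKMP_HDR_LEN
    while next_type != 0:
        if next_type not in PAYLOAD_NAMES:
            errors.append("next payload type has an unknown value: %d (0x%02x)"
                          % (next_type, next_type))
            break
        name = PAYLOAD_NAMES[next_type]
        if off + GENERIC_HDR_LEN > total_len:
            errors.append("ISAKMP %s Payload header is truncated" % name)
            break
        np, _, plen = struct.unpack("!BBH", pkt[off:off + GENERIC_HDR_LEN])
        # the length field includes the 4-byte header and must stay inside the message
        if plen < GENERIC_HDR_LEN or off + plen > total_len:
            errors.append("length of ISAKMP %s Payload is larger than can fit" % name)
            break
        payloads.append((name, plen))
        next_type, off = np, off + plen
    return payloads, errors

def build_isakmp(chain, exchange_type=4):
    """Constructed test helper: build a message from [(type, body, fake_len)];
    fake_len, when not None, deliberately lies about that payload's length."""
    body = b""
    for i, (ptype, data, fake_len) in enumerate(chain):
        np = chain[i + 1][0] if i + 1 < len(chain) else 0
        plen = fake_len if fake_len is not None else GENERIC_HDR_LEN + len(data)
        body += struct.pack("!BBH", np, 0, plen) + data
    first = chain[0][0] if chain else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10,
                      exchange_type, 0, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body

# constructed samples: a well-formed chain, an oversized HASH, and an unknown next type
GOOD = build_isakmp([(5, b"\x01" * 8, None), (8, b"\xaa" * 16, None), (10, b"\xbb" * 16, None)])
OVERSIZED_HASH = build_isakmp([(5, b"\x01" * 8, None), (8, b"\xaa" * 16, 200)])
UNKNOWN_NEXT = build_isakmp([(8, b"\xaa" * 16, None), (218, b"", None)])
```

Running `walk_payloads` on `OVERSIZED_HASH` and `UNKNOWN_NEXT` reproduces the two complaints seen in the pluto log; a responder that stops at the first such error, as pluto does, never reaches the hash comparison at all.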


On 06/27/2018 01:23 PM, antonio wrote:
>
> Hi Paul,
>
> I tried git master directly and also version 3.24 (git checkout v3.24) 
> but I can't compile; it gives me the error:
>
> In file included from 
> /usr/src/libreswan/programs/pluto/linux-copy/linux/xfrm.h:5:0,
>                  from 
> /usr/src/libreswan/programs/pluto/kernel_netlink.c:56:
> /usr/include/netinet/in.h:99:5: error: expected identifier before 
> numeric constant
>      IPPROTO_HOPOPTS = 0,   /* IPv6 Hop-by-Hop options.  */
>
>
> More in:
>
> https://pastebin.com/8B7zKDSE
>
> I'm trying to compile it on debian jessie.
>
>
> As for the configuration of shrew I use most of the default values; I 
> only set:
>
> - general -> remote hostname
>
> - authentication -> authentication method: mutual psk+xauth
>
> - authentication -> credentials -> pre shared key
>
> I've been trying to force different phase 1 and phase 2 parameter 
> combinations to make it work, without success.
>
>
>
> I did a git bisect between version 3.20 and 3.21, result:
>
> 5bd36a6ff9420652a563a30662be8b550ccf04d2 is the first bad commit
> commit 5bd36a6ff9420652a563a30662be8b550ccf04d2
> Author: Paul Wouters <pwouters at redhat.com>
> Date:   Fri May 19 15:54:54 2017 -0400
>
>     IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads
>
>     - Fixup CERT / CERTREQ handling
>     - Don't give "weak warning" for aggrissive mode with RSA (only for 
> PSK)
>     - Cleanups (eg use c instead of st->st_connection)
>
> :040000 040000 23c6b5650f9fc7891edaad633c4565df06ff20da 
> 03d13f11b6d9211ffdaab401eb73a01bc6c9d61a M    programs
>
>
>
> To make sure, on every step I did:
>
> make clean; make programs; make install; systemctl restart ipsec
>
>
> My tunnel configuration:
> conn xauth-aggr
>     aggrmode=yes
>     also=xauth
>
> conn xauth
>     pfs=no
>     type=tunnel
>     auto=add
>     phase2=esp
>     sha2-truncbug=yes
>     authby=secret
>     keyingtries=3
>     ikelifetime=8h
>     salifetime=1h
>     left=192.168.1.137
>     leftsubnet=0.0.0.0/0
>     leftid=192.168.1.137
>     right=%any
>     rightid=%any
>     rightaddresspool=192.168.20.2-192.168.20.10
>     dpddelay=10
>     dpdtimeout=30
>     dpdaction=clear
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     ike-frag=yes
>     #xauthby=pam
>     xauthby=alwaysok
>
>
> Secrets:
> 192.168.1.137 : PSK "1234"
>
>
> On 06/08/2018 08:03 PM, Paul Wouters wrote:
>> On Fri, 8 Jun 2018, antonio wrote:
>>
>>> cannot connect with shrew soft vpnclient to libreswan 3.24 (last 
>>> version that worked was version 3.20) with psk+xauth:
>>
>> (this was 3.23 as explained)
>>
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>>> #3: STATE_AGGR_R1: sent AR1, expecting AI2
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>>> #3: Peer ID is ID_IPV4_ADDR: '192.168.10.170'
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>>> #3: received Hash Payload does not match computed value
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>>> #3: sending encrypted notification INVALID_HASH_INFORMATION to
>>> 192.168.10.170:33388
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>>> #3: next payload type of ISAKMP Hash Payload has an unknown
>>> value: 218 (0xda)
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 
>>> #3: malformed payload in packet
>>
>>> The log when connecting with version 3.20:
>>
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>>> #3: STATE_AGGR_R1: sent AR1, expecting AI2
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>>> #3: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>>> #3: new NAT mapping for #3, was 192.168.10.170:33388, now
>>> 192.168.10.170:40182
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>>> #3: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY
>>> cipher=aes_256 integ=md5 group=MODP1024}
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>>> #3: ignoring informational payload IPSEC_INITIAL_CONTACT,
>>> msgid=00000000, length=28
>>> Jun 08 15:24:34 sol pluto[12290]: | ISAKMP Notification Payload
>>> Jun 08 15:24:34 sol pluto[12290]: |   00 00 00 1c  00 00 00 01  01 
>>> 10 60 02
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>>> #3: received and ignored informational message
>>> Jun 08 15:24:34 sol pluto[12290]: | event EVENT_v1_SEND_XAUTH #3 
>>> STATE_AGGR_R2
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 
>>> #3: XAUTH: Sending Username/Password request (XAUTH_R0)
>>
>> Would you be able to test 3.21 / 3.22 or maybe do a git bisect to help?
>> Or alternatively, if you can give me a shrew client config and the
>> libreswan server config, then I can try and run a git bisect to find
>> the issue.
>>
>> Although perhaps first you can try and use a 3.24rcX candidate from
>> download.libreswan.org/development/ and see if the problem got fixed
>> already?
>>
>> Paul
>
> -- 
> Saludos / Regards / Cumprimentos
> Anónio Silva
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

-- 
Saludos / Regards / Cumprimentos
Anónio Silva
