[Swan] Problem connecting with shrew vpnclient with version 3.24
antonio
asilva at wirelessmundi.com
Wed Jun 27 16:02:35 UTC 2018
Hi,
after discussing on irc, thanks to blieve and LetoTo:
3:50:13 PM - bleve: […] bad combination of glibc and kernel headers.
3:51:01 PM - bleve: https://libreswan.org/wiki/3.21_on_Debian_Wheezy
3:51:20 PM - bleve:
https://libreswan.org/wiki/3.21_on_Debian_Wheezy#Workaround_:_enable_header_files_workaround
So to compile in debian jessie in my case i just did:
cd libreswan
echo USE_GLIBC_KERN_FLIP_HEADERS=true >> Makefile.inc.local
make programs
make install
...
Master branch works if i set "main mode" instead of "aggresive mode" in
shrew client.
forcing 'aggressive mode' in shrew it looks to be a bug on shrew
implementation from the log line:
xauth-aggr"[1] 192.168.1.138 #1: length of ISAKMP Hash Payload is larger
than can fit
Full log can be checked in: https://pastebin.com/4cNSuHAh
In version 3.25 shrew can be use by setting "main mode"..
On 06/27/2018 01:23 PM, antonio wrote:
>
> Hi Paul,
>
> I try directly git master and also version 3.24 (git checkout v3.24)
> but i can't compile, it gives me the error:
>
> In file included from
> /usr/src/libreswan/programs/pluto/linux-copy/linux/xfrm.h:5:0,
> from
> /usr/src/libreswan/programs/pluto/kernel_netlink.c:56:
> /usr/include/netinet/in.h:99:5: error: expected identifier before
> numeric constant
> IPPROTO_HOPOPTS = 0, /* IPv6 Hop-by-Hop options. */
>
>
> More in:
>
> https://pastebin.com/8B7zKDSE
>
> I'm trying to compile it on debian jessie.
>
>
> As for the configuration of shrew i use most of the default values, i
> only set:
>
> - general -> remote hostname
>
> - authentication -> authentitacion method: mutual psk+xauth
>
> - authentication -> credentials -> pre shared key
>
> I've trying to force phase 1 and phase 2 different parameters
> combination to make it work without success.
>
>
>
> I did a git bisect between version 3.20 and 3.21, result:
>
> 5bd36a6ff9420652a563a30662be8b550ccf04d2 is the first bad commit
> commit 5bd36a6ff9420652a563a30662be8b550ccf04d2
> Author: Paul Wouters <pwouters at redhat.com>
> Date: Fri May 19 15:54:54 2017 -0400
>
> IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads
>
> - Fixup CERT / CERTREQ handling
> - Don't give "weak warning" for aggrissive mode with RSA (only for
> PSK)
> - Cleanups (eg use c instead of st->st_connection)
>
> :040000 040000 23c6b5650f9fc7891edaad633c4565df06ff20da
> 03d13f11b6d9211ffdaab401eb73a01bc6c9d61a M programs
>
>
>
> To make sure on every step i did:
>
> make clean; make programs; make install; systemctl restart ipsec
>
>
> My tunnel configuration:
> conn xauth-aggr
> aggrmode=yes
> also=xauth
>
> conn xauth
> pfs=no
> type=tunnel
> auto=add
> phase2=esp
> sha2-truncbug=yes
> authby=secret
> keyingtries=3
> ikelifetime=8h
> salifetime=1h
> left=192.168.1.137
> leftsubnet=0.0.0.0/0
> leftid=192.168.1.137
> right=%any
> rightid=%any
> rightaddresspool=192.168.20.2-192.168.20.10
> dpddelay=10
> dpdtimeout=30
> dpdaction=clear
> leftxauthserver=yes
> rightxauthclient=yes
> leftmodecfgserver=yes
> rightmodecfgclient=yes
> modecfgpull=yes
> ike-frag=yes
> #xauthby=pam
> xauthby=alwaysok
>
>
> Secrets:
> 192.168.1.137 : PSK "1234"
>
>
> On 06/08/2018 08:03 PM, Paul Wouters wrote:
>> On Fri, 8 Jun 2018, antonio wrote:
>>
>>> cannot connect with shrew soft vpnclient to libreswan 3.24 (last
>>> version that worked was in version 3.20) with psk+xauth:
>>
>> (this was 3.23 as explained)
>>
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170
>>> #3: STATE_AGGR_R1: sent AR1, expecting AI2
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170
>>> #3: Peer ID is ID_IPV4_ADDR: '192.168.10.170'
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170
>>> #3: received Hash Payload does not match computed value
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170
>>> #3: sending encrypted notification INVALID_HASH_INFORMATION to
>>> 192.168.10.170:33388
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170
>>> #3: next payload type of ISAKMP Hash Payload has an unknown
>>> value: 218 (0xda)
>>> Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170
>>> #3: malformed payload in packet
>>
>>> The log when connecting with version 3.20:
>>
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170
>>> #3: STATE_AGGR_R1: sent AR1, expecting AI2
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170
>>> #3: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170
>>> #3: new NAT mapping for #3, was 192.168.10.170:33388, now
>>> 192.168.10.170:40182
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170
>>> #3: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY
>>> cipher=aes_256 integ=md5 group=MODP1024}
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170
>>> #3: ignoring informational payload IPSEC_INITIAL_CONTACT,
>>> msgid=00000000, length=28
>>> Jun 08 15:24:34 sol pluto[12290]: | ISAKMP Notification Payload
>>> Jun 08 15:24:34 sol pluto[12290]: | 00 00 00 1c 00 00 00 01 01
>>> 10 60 02
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170
>>> #3: received and ignored informational message
>>> Jun 08 15:24:34 sol pluto[12290]: | event EVENT_v1_SEND_XAUTH #3
>>> STATE_AGGR_R2
>>> Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170
>>> #3: XAUTH: Sending Username/Password request (XAUTH_R0)
>>
>> Would you be able to test 3.21 / 3.22 or maybe do a git bisect to help?
>> Or alternatively, if you can give me a shrew client config and the
>> libreswan server cofig, then I can try and run a git bisect to find
>> the issue.
>>
>> Although perhaps first you can try and use a 3.24rcX candicate from
>> download.libreswan.org/development/ and see if the problem got fixed
>> already?
>>
>> Paul
>
> --
> Saludos / Regards / Cumprimentos
> Anónio Silva
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
--
Saludos / Regards / Cumprimentos
Anónio Silva
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20180627/c920dfd6/attachment-0001.html>
More information about the Swan
mailing list