[Swan] Cisco IOS XE Interoperability with Libreswan

Reuben Farrelly reuben-libreswan at reub.net
Fri Aug 17 14:49:26 UTC 2018


Hi again,

On 17/08/2018 7:06 am, Paul Wouters wrote:
> On Thu, 16 Aug 2018, Reuben Farrelly wrote:
> 
>> We're getting a little further now, but still not succeeding.
> 
> I think the libreswan part is happy, but the Cisco does not seem to like
> your IKE_AUTH message. It then restarts with IKE_INIT and instead of
> answering it, seems stuck in resending it saying "already in negotiation,
> hence not negotiating again"

Taking a step back now, as I might have made an interesting discovery.

I'm now testing with another router running classic IOS (not-XE) and it 
is also seeing some problems establishing an IPSec session.  This router 
is running the latest released version of classic IOS (15.8(3)M).

I have this set up in a slightly more controlled fashion in that I am
controlling the NAT from end to end (i.e. not relying on 4G Carrier Grade
NAT) and I'm also using a different Internet connection this time than
previously.

The issue I am seeing in this scenario with this router is that it is
able to easily connect to libreswan-3.22 but it is unable to connect to
libreswan-3.23 and libreswan-3.25, both being release versions.

The IOS XE router won't connect to any versions at all.

I've posted the debugs for both classic IOS sessions up online for 
comparison:

http://www.reub.net/files/libreswan/Libreswan-3.22-working.txt
and
http://www.reub.net/files/libreswan/Libreswan-3.25-NOT-working.txt

Note: no config changes to the router took place between test runs.

Now I know that while this isn't the subject of the original problem, I 
think we should get to the bottom of this first, just in case the root 
causes happen to be related.  The debugs look a little similar in all 
cases where things go wrong in that we have retransmits that don't seem 
to make much sense.

Thanks,
Reuben