[Swan] Cisco IOS XE Interoperability with Libreswan
Reuben Farrelly
reuben-libreswan at reub.net
Fri Aug 17 14:49:26 UTC 2018
Hi again,
On 17/08/2018 7:06 am, Paul Wouters wrote:
> On Thu, 16 Aug 2018, Reuben Farrelly wrote:
>
>> We're getting a little further now, but still not succeeding.
>
> I think the libreswan part is happy, but the Cisco does not seem to like
> your IKE_AUTH message. It then restarts with IKE_INIT and, instead of
> answering it, seems stuck resending it, saying "already in negotiation,
> hence not negotiating again".
Taking a step back now, as I might have made an interesting discovery.
I'm now testing with another router running classic IOS (not XE), and it
is also seeing some problems establishing an IPsec session. This router
is running the latest released version of classic IOS (15.8(3)M).
I have this set up in a slightly more controlled fashion, in that I am
controlling the NAT from end to end (i.e. not relying on 4G Carrier Grade
NAT), and I'm also using a different Internet connection this time than
previously.
The issue I am seeing in this scenario with this router is that it is
able to easily connect to libreswan-3.22, but it is unable to connect to
libreswan-3.23 and libreswan-3.25, both of which are release versions.
The IOS XE router won't connect to any versions at all.
I've posted the debugs for both classic IOS sessions up online for
comparison:
http://www.reub.net/files/libreswan/Libreswan-3.22-working.txt
and
http://www.reub.net/files/libreswan/Libreswan-3.25-NOT-working.txt
Note: no config changes to the router took place between test runs.
Now I know that while this isn't the subject of the original problem, I
think we should get to the bottom of this first, just in case the root
causes happen to be related. The debugs look a little similar in all
cases where things go wrong in that we have retransmits that don't seem
to make much sense.
Thanks,
Reuben