[Swan] Azure + LibreSwan

Paul Wouters paul at nohats.ca
Fri Sep 28 16:04:42 UTC 2018


On Fri, 28 Sep 2018, Madden, Joe wrote:

> Is there a keyword or something I can search the logs for?
>
> I'll go back to the logs and see if I can find it!

It would look like:

Sep 28 12:03:19.079624: "west" #19: initiate rekey of IKEv2 CREATE_CHILD_SA IKE Rekey
Sep 28 12:03:19.089626: "west" #20: local IKE proposals for west (IKE SA initiating rekey): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 (default)
Sep 28 12:03:19.107468: "west" #20: STATE_V2_REKEY_IKE_I: STATE_V2_REKEY_IKE_I
Sep 28 12:03:19.170311: "west" #20: rekeyed #19 STATE_V2_REKEY_IKE_I and expire it remaining life 4s
Sep 28 12:03:19.173091: "west" #20: STATE_PARENT_I3: PARENT SA established

Paul

> Thanks
>
> Joe.
> -----Original Message-----
> From: Paul Wouters <paul at nohats.ca>
> Sent: 27 September 2018 18:15
> To: Madden, Joe <Joe.Madden at mottmac.com>
> Cc: swan at lists.libreswan.org
> Subject: RE: [Swan] Azure + LibreSwan
>
> On Thu, 27 Sep 2018, Madden, Joe wrote:
>
>> I've run through the output from debug but I'm not sure how to read it in order to find the Azure proposal.
>>
>> https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpas
>> tebin.com%2Fraw%2FQdns0p5q&data=01%7C01%7CJoe.Madden%40mottmac.com
>> %7Cd10bd736bbff486be3ff08d6249cc60a%7Ca2bed0c459574f73b0c2a811407590fb
>> %7C0&sdata=pEzC%2BsAmiGmPiJ2C16CTQifAuDjrLgKAR%2BUVXBaN8Jg%3D&
>> reserved=0
>>
>> Am I being dense - How do you tell the proposal from this log output?
>
> That log is only of a single informational exchange for DPD. It is not actually a rekey exchange or a response/initiator for an initial connection.
>
> Paul
>
>> -----Original Message-----
>> From: Paul Wouters <paul at nohats.ca>
>> Sent: 26 September 2018 14:45
>> To: Madden, Joe <Joe.Madden at mottmac.com>
>> Cc: swan at lists.libreswan.org
>> Subject: Re: [Swan] Azure + LibreSwan
>>
>> On Wed, 26 Sep 2018, Madden, Joe wrote:
>>
>>> Sep 26 10:33:24 gw pluto[788]: packet from #####:500: initial parent
>>> SA message received on 87.85.199.82:500 but no connection has been
>>> authorized with policy RSASIG+IKEV2_ALLOW
>>>
>>> The above line I suspect is the issue (because we are not using RSK to authenticate).
>>
>> That error can be a bit misleading as it could be other things that are not matching. You can try running with plutodebug=all which should log all the proposals at the time and hopefully that will show something.
>>
>> I thought later versions of libreswan also logged the proposals in non-debug mode, so perhaps you are running an older version.
>>
>> Paul
>
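
As an added example (not part of the original thread and not libreswan code): a small Python filter that picks the IKEv2 rekey lines out of a pluto log in the format Paul shows and breaks the proposal line into its transforms. The regular expressions, function names and event labels are assumptions derived only from the five sample lines in the message above.

```python
import re

# Line shape taken from the sample lines in the message above (pluto's own
# log file, not syslog): Sep 28 12:03:19.079624: "west" #19: <message>
LINE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:.]+): "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PROPOSAL = re.compile(r'(\d+):IKE:(\S+)')
REKEYED = re.compile(r'rekeyed #(\d+)')

def parse_proposals(msg):
    """Split '1:IKE:ENCR=..;PRF=..' entries into {number: {transform: [values]}}."""
    out = {}
    for num, body in PROPOSAL.findall(msg):
        fields = (f.split("=", 1) for f in body.split(";"))
        out[int(num)] = {k: v.split(",") for k, v in fields}
    return out

def rekey_events(lines):
    """Return (timestamp, conn, state_no, kind, detail) for IKE rekey activity."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # other formats (e.g. syslog-prefixed lines) are skipped
        ts, conn, sa, msg = m["ts"], m["conn"], int(m["sa"]), m["msg"]
        if "initiate rekey of IKEv2 CREATE_CHILD_SA IKE Rekey" in msg:
            events.append((ts, conn, sa, "rekey-start", None))
        elif "IKE proposals for" in msg:
            events.append((ts, conn, sa, "proposals", parse_proposals(msg)))
        elif (r := REKEYED.search(msg)):
            events.append((ts, conn, sa, "rekeyed", int(r.group(1))))
        elif "PARENT SA established" in msg:
            events.append((ts, conn, sa, "established", None))
    return events

# The five sample lines from the message above, verbatim.
SAMPLE = [
    'Sep 28 12:03:19.079624: "west" #19: initiate rekey of IKEv2 CREATE_CHILD_SA IKE Rekey',
    'Sep 28 12:03:19.089626: "west" #20: local IKE proposals for west (IKE SA initiating rekey): '
    '1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 '
    '2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 '
    '3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 '
    '4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 (default)',
    'Sep 28 12:03:19.107468: "west" #20: STATE_V2_REKEY_IKE_I: STATE_V2_REKEY_IKE_I',
    'Sep 28 12:03:19.170311: "west" #20: rekeyed #19 STATE_V2_REKEY_IKE_I and expire it remaining life 4s',
    'Sep 28 12:03:19.173091: "west" #20: STATE_PARENT_I3: PARENT SA established',
]
if __name__ == "__main__":
    for ev in rekey_events(SAMPLE):
        print(*ev[:4])
```

Feeding it the lines of a real pluto log file gives a per-connection timeline of rekeys, with the offered proposals available as a dictionary for comparison against what the peer accepts.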

