[Swan] not able to establish tunnel with multiple subnets and IKEv2

Paul Wouters paul at nohats.ca
Wed Jun 5 13:30:00 UTC 2019


On Wed, 5 Jun 2019, optimas primat wrote:

> pluto[27863]: "siteB_ipsec/1x1" #2: IKEv2 mode peer ID is ID_FQDN: '@abcd1'
> pluto[27863]: "siteB_ipsec/1x1" #2: Authenticated using authby=secret
> pluto[27863]: "siteB_ipsec/1x1" #2: negotiated connection
> [172.16.56.0-172.16.56.255:0-65535 0] ->
> [172.16.55.0-172.16.55.255:0-65535 0]
> pluto[27863]: "siteB_ipsec/1x1" #2: STATE_V2_IPSEC_I: IPsec SA
> established tunnel mode {ESP=>0xc26dbe6f <0x0f9f825a
> xfrm=3DES_CBC-HMAC_MD5_96 NATOA=none NATD=none DPD=passive}

So the first tunnel comes up.

> pluto[27863]: "siteB_ipsec/1x2": constructed local ESP/AH proposals
> for siteB_ipsec/1x2 (ESP/AH initiator emitting proposals):
> 1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
> pluto[27863]: "siteB_ipsec/2x1": constructed local ESP/AH proposals
> for siteB_ipsec/2x1 (ESP/AH initiator emitting proposals):
> 1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
> pluto[27863]: "siteB_ipsec/2x2": constructed local ESP/AH proposals
> for siteB_ipsec/2x2 (ESP/AH initiator emitting proposals):
> 1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
> pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: sent IPsec
> Child req wait response

The second one is attempted.

> pluto[27863]: "siteB_ipsec/2x1" #4: message id deadlock? wait sending,
> add to send next list using parent #1 unacknowledged 1 next message
> id=3 ike exchange window 1

The others are queued up and waiting...

> pluto[27863]: "siteB_ipsec/1x2" #3: no useful state microcode entry
> found for incoming packet
> pluto[27863]: "siteB_ipsec/1x2" #3: dropping unexpected
> CREATE_CHILD_SA message containing TS_UNACCEPTABLE pluto[27863]:

Seems it mismatched the subnets?

> 1:ESP:SPI=a0b9b411;ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
> chosen from remote proposals
> 1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED[first-match]
> pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #3: responding to
> CREATE_CHILD_SA message (ID 2) from 172.16.88.2:500 with encrypted
> notification TS_UNACCEPTABLE

It seemed to have picked the already established connection, then
decided to not switch?

Which version of libreswan is this?

Paul
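The triage walked through above (first Child SA up, the next one pending, the rest queued behind the IKE message window, then TS_UNACCEPTABLE) can be automated over pluto logs. This is an added example, not part of the thread or of libreswan; the sample lines are constructed, condensed from those quoted in the message, and the status labels are this script's own.

```python
import re
from collections import OrderedDict

# Constructed sample, condensed from the pluto lines quoted in the thread.
SAMPLE_LOG = """\
pluto[27863]: "siteB_ipsec/1x1" #2: negotiated connection [172.16.56.0-172.16.56.255:0-65535 0] -> [172.16.55.0-172.16.55.255:0-65535 0]
pluto[27863]: "siteB_ipsec/1x1" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xc26dbe6f <0x0f9f825a xfrm=3DES_CBC-HMAC_MD5_96 NATOA=none NATD=none DPD=passive}
pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: sent IPsec Child req wait response
pluto[27863]: "siteB_ipsec/2x1" #4: message id deadlock? wait sending, add to send next list using parent #1 unacknowledged 1 next message id=3 ike exchange window 1
pluto[27863]: "siteB_ipsec/1x2" #3: dropping unexpected CREATE_CHILD_SA message containing TS_UNACCEPTABLE
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #3: responding to CREATE_CHILD_SA message (ID 2) from 172.16.88.2:500 with encrypted notification TS_UNACCEPTABLE
"""

# Connection instance name, optional "[n] peer" suffix on the responder, and state number.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #(?P<sa>\d+): (?P<msg>.*)')
# Traffic selector pair as pluto prints it: [net-net:ports proto] -> [net-net:ports proto]
TS_RE = re.compile(r'\[([\d.]+)-([\d.]+):\d+-\d+ \d+\] -> \[([\d.]+)-([\d.]+):\d+-\d+ \d+\]')


def triage(log_text):
    """Return {conn_instance: {"sa": state_no, "status": label, "ts": (local, remote) or None}}."""
    state = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # proposal construction and other lines without a state number
        conn, sa, msg = m.group("conn"), int(m.group("sa")), m.group("msg")
        entry = state.setdefault(conn, {"sa": sa, "status": "unknown", "ts": None})
        ts = TS_RE.search(msg)
        if ts:
            entry["ts"] = (f"{ts.group(1)}-{ts.group(2)}", f"{ts.group(3)}-{ts.group(4)}")
        if "IPsec SA established" in msg:
            entry["status"] = "established"
        elif "TS_UNACCEPTABLE" in msg and "responding to" in msg:
            entry["status"] = "responder_sent:TS_UNACCEPTABLE"  # peer rejected our selectors
        elif "TS_UNACCEPTABLE" in msg:
            entry["status"] = "initiator_received:TS_UNACCEPTABLE"
        elif "message id deadlock" in msg:
            entry["status"] = "queued"  # waiting for the IKE exchange window
        elif "STATE_V2_CREATE_I" in msg and entry["status"] == "unknown":
            entry["status"] = "pending"
    return state


if __name__ == "__main__":
    for conn, info in triage(SAMPLE_LOG).items():
        print(f"{conn:18} #{info['sa']} {info['status']:36} ts={info['ts']}")
```

Run against a full pluto log, the instances left in "pending" or "queued" with no later "established" line are the subnet pairs to compare against the peer's configured selectors.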

