[Swan] microcode entry

Computerisms Corporation bob at computerisms.ca
Thu Aug 15 03:54:03 UTC 2019


Hi Paul,

I haven't tested any Windows roadwarriors on any of the systems I have 
upgraded yet; so far all the tunnels that were affected were simple 
net-to-net libreswan-to-libreswan setups with no specified algorithms.

On the IKEv2 conns for Windows, I do have the lower ciphers for Win7 to 
work, so I guess Libreswan has to have them loaded.  But to check, I just 
commented out the IKEv2 conn and connected to a machine that has no IKEv2 
conn, and it still didn't connect.  Also, today I tried compiling 3.29 on 
Debian Stretch and it didn't work until after I upgraded to Buster, so I'm 
getting pretty convinced 3.29 has a dependency that requires Buster or 
newer.

On 2019-08-12 9:38 a.m., Paul Wouters wrote:
> Could be configuration options which are no longer part of the default ike or esp options. If your connections depended on sha1 or modp1536 in IKEv2, you might need to update your configuration.
> 
> Sent from mobile device
> 
>> On Aug 12, 2019, at 12:32, Computerisms Corporation <bob at computerisms.ca> wrote:
>>
>> You are a genius and a gentleman, thank you.  I must have checked that a dozen times last night, but this morning I did find a subnet mismatch.  Problem solved.
>>
>> Upgrading to .29 definitely broke a bunch of my connections, though. The newest one I have investigated so far that broke is a .25 install on Debian Stretch.  I suspect the issue is less the libreswan software and more an outdated debian package, but I haven't confirmed yet.  Seems all the systems running Buster are good, but those also all have .28 installed.
>>
>>> On 2019-08-12 6:08 a.m., Paul Wouters wrote:
>>> TS_UNACCEPTABLE means the traffic selectors are not matching. Check left/rightsubnet and left/rightprotoports.
>>> Sent from mobile device
>>>> On Aug 12, 2019, at 04:03, Computerisms Corporation <bob at computerisms.ca> wrote:
>>>>
>>>> Hi Paul,
>>>>
>>>> You are correct, the NO_PROPOSAL_CHOSEN message did show up immediately after the algorithms are listed in the log.  In the past when I have seen that it is because the security parameters are not correct, but I haven't seen it between two versions of libreswan before, I don't think.  The local side was running .22, so I upgraded that to .29 as well.
>>>>
>>>> That fixed the proposal error and broke connections with all the older builds, but something is still not right.  Enough for tonight; I will tackle it again in the morning.  But here are the remote logs:
>>>>
>>>> Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc": constructed local IKE proposals for computerisms2rrdc (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 (default)
>>>> Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
>>>> Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc": constructed local ESP/AH proposals for computerisms2rrdc (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
>>>> Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
>>>>
>>>> Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #2: IKE_AUTH response contained the error notification TS_UNACCEPTABLE
>>>>
>>>>> On 2019-08-11 7:44 p.m., Paul Wouters wrote:
>>>>> Seems a misconfiguration. The Notify you receive should contain an indicator, e.g. NO PROPOSAL CHOSEN or AUTH FAILED.
>>>>> Sent from mobile device
>>>>>> On Aug 11, 2019, at 21:45, Computerisms Corporation <bob at computerisms.ca> wrote:
>>>>>>
>>>>>> Quick follow-up: I didn't notice that .29 was available; I just tried upgrading to it, but am getting the same error.
>>>>>>
>>>>>>> On 2019-08-11 6:09 p.m., Computerisms Corporation wrote:
>>>>>>> Hi,
>>>>>>> I set up a net-to-net tunnel, following the procedure I normally follow (at least presuming I didn't make a mistake that I can't find), using 3.28.  I have patched the code as per
>>>>>>> https://github.com/libreswan/libreswan/commit/716f4b712724c6698469563e531dea3667507ceb, which so far has worked in at least 3 other places without issue (that said, the barf.in part needs to be done manually; the patch does not apply cleanly to that file).
>>>>>>> I am getting this in the logs:
>>>>>>> Aug 11 17:59:37 rrwall pluto[26346]: "computerisms2rrdc" #1: no useful state microcode entry found for incoming packet
>>>>>>> Aug 11 17:59:37 rrwall pluto[26346]: "computerisms2rrdc" #1: dropping unexpected IKE_AUTH message containing INVALID_IKE_SPI notification; message payloads: N; missing payloads: SK
>>>>>>> Apart from the GitHub page with the code that uses this text, I get no hits on Google.  I have read the comment in the code and understand that something is messed up, but I am not really clear what this is indicating.  Is it a configuration issue?  A portion of the code not properly compiled?  A certificate problem?  The remote end is a very slow DSL connection; maybe that is part of the problem?  I've been going through my regular list of things to try, but am not meeting any success yet.
>>>>>>> Any clues on a direction for me to go with this?
>>>>>> _______________________________________________
>>>>>> Swan mailing list
>>>>>> Swan at lists.libreswan.org
>>>>>> https://lists.libreswan.org/mailman/listinfo/swan
> 

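The two errors that drove this thread, NO_PROPOSAL_CHOSEN (the peers share no IKE/ESP algorithm, which is what happens when a 3.29 default proposal set meets an older peer that still expects sha1 or modp1536) and TS_UNACCEPTABLE (the left/rightsubnet values do not line up), can both be reproduced offline from the pluto log lines before touching a live tunnel. The script below is an added example and is not libreswan's code. It parses the "constructed local IKE proposals" line quoted above (copied verbatim as a sample), compares it against two constructed, hypothetical peer proposal sets, and checks traffic selectors the way a responder would. Assumptions: the legacy and updated peer proposals and the subnets are made up for illustration; the exact-match rule models libreswan's default narrowing=no and the narrowing branch models narrowing=yes, and the function ignores protocol/port ranges, which real TS negotiation also covers.

```python
"""Added example (not libreswan's code): reproduce offline, from pluto log lines, the
two failures seen in the thread: NO_PROPOSAL_CHOSEN (no IKE/ESP algorithm common to
both peers' proposals) and TS_UNACCEPTABLE (traffic selectors that do not match)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Proposal = Dict[str, set]  # transform type (ENCR, PRF, INTEG, DH, ESN) -> algorithms offered

# Constructed sample: the IKE proposal line quoted in the thread, exactly as pluto logs it.
LOCAL_IKE_LOG = (
    'Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc": constructed local IKE '
    'proposals for computerisms2rrdc (IKE SA initiator selecting KE): '
    '1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;'
    'DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 '
    '2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;'
    'DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 '
    '3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;'
    'INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;'
    'DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 '
    '4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;'
    'INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;'
    'DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 (default)'
)
# Constructed (hypothetical) peer proposals: an old build that still relies on SHA1 and
# MODP1536, and the same peer after a modern proposal is added to its configuration.
LEGACY_PEER_IKE = "1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1536"
UPDATED_PEER_IKE = (LEGACY_PEER_IKE +
    " 2:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048")

PROPOSAL_RE = re.compile(r"(\d+):(IKE|ESP|AH):(\S+)")


def parse_proposals(line: str) -> List[Proposal]:
    """Split a pluto 'constructed local ... proposals' line into one dict per proposal."""
    proposals: List[Proposal] = []
    for _num, _proto, body in PROPOSAL_RE.findall(line):
        transforms: Proposal = {}
        for part in body.split(";"):
            ttype, _, algs = part.partition("=")
            transforms[ttype] = set(algs.split(","))
        proposals.append(transforms)
    return proposals


def common_proposal(local: List[Proposal], peer: List[Proposal]) -> Optional[Tuple[int, int]]:
    """1-based (local, peer) numbers of the first pair agreeing on every transform type,
    the way IKEv2 picks the first acceptable proposal; None is the NO_PROPOSAL_CHOSEN case.
    A type missing on one side (no INTEG with an AEAD cipher) is treated as NONE."""
    for i, lp in enumerate(local, start=1):
        for j, pp in enumerate(peer, start=1):
            if all(lp.get(t, {"NONE"}) & pp.get(t, {"NONE"}) for t in set(lp) | set(pp)):
                return i, j
    return None


def _narrow(proposed, allowed):
    """Shrink a proposed selector to what the conn allows; None if neither contains the other."""
    if proposed.subnet_of(allowed):
        return proposed
    if allowed.subnet_of(proposed):
        return allowed
    return None


def select_traffic_selectors(tsi, tsr, remote_subnet, local_subnet, narrowing=False):
    """Responder-side TS check.  tsi/tsr: subnets the initiator proposes (its side, then
    ours); remote_subnet/local_subnet: this responder's own rightsubnet/leftsubnet.
    Assumed model: narrowing=False is libreswan's default exact match, narrowing=True
    lets the responder shrink to the overlap.  None means TS_UNACCEPTABLE."""
    tsi, tsr, remote_subnet, local_subnet = (
        ipaddress.ip_network(n) for n in (tsi, tsr, remote_subnet, local_subnet))
    if tsi == remote_subnet and tsr == local_subnet:
        return tsi, tsr
    if narrowing:
        ni, nr = _narrow(tsi, remote_subnet), _narrow(tsr, local_subnet)
        if ni is not None and nr is not None:
            return ni, nr
    return None


if __name__ == "__main__":
    local = parse_proposals(LOCAL_IKE_LOG)
    print("legacy peer  ->", common_proposal(local, parse_proposals(LEGACY_PEER_IKE)))
    print("updated peer ->", common_proposal(local, parse_proposals(UPDATED_PEER_IKE)))
    # Constructed subnets: one side says /23 where the other side's conn says /24.
    args = ("192.168.10.0/24", "10.20.0.0/24", "192.168.10.0/24", "10.20.0.0/23")
    print("exact match  ->", select_traffic_selectors(*args))
    print("narrowing    ->", select_traffic_selectors(*args, narrowing=True))
```

Run against the thread's own log line, the legacy peer gets no common proposal (every local proposal insists on a SHA2 PRF and a DH group of at least MODP2048), while the updated peer matches local proposal 3. On the libreswan side, the configuration change Paul describes is an explicit `ike=`/`esp=` line on the conn that still lists the legacy proposal (for instance `ike=aes256-sha2_256;modp2048,aes256-sha1;modp1536`) instead of relying on the new default. The subnet check shows why the /23-versus-/24 slip in the thread fails with the default exact match but would be silently narrowed if narrowing were enabled, which is exactly why such a mismatch can hide on one pair of hosts and surface on another.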
