[Swan] Bringing up strongSwan+Libreswan transport connection

Pavel Volkov sailor at lists.xtsubasa.org
Sun Sep 29 21:19:35 UTC 2019 

Please help me debug my connection problem.

I have:

1. strongSwan with public IP, acting as a server/responder.
2. Libreswan 3.29 behind NAT for a client.

I wish to establish a transport-mode connection between the two.
I use X.509 certificates for auth.

The process seems to proceed well on the strongSwan side.
Strange stuff happens with Libreswan, that's why I chose this list to 
report to :)

strongSwan's ipsec.conf config:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no
include /var/lib/strongswan/ipsec.conf.inc
conn %default
    dpdaction=clear
    dpddelay=35s
    fragmentation=yes
    rekey=no
    
ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    
esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    keyexchange=ikev2
conn client-transport
    auto=add
    type=transport
    forceencaps=no
    left=%any
    leftauth=pubkey
    leftid=server.example.com
    leftcert=server.example.com.crt
    leftsendcert=always
    right=xxx.xxx.94.200
    rightauth=pubkey
    rightid="CN=client.example.com"
conn vpn
    <skipped>

Libreswan's config:

conn server
        ike=aes256-sha256
        esp=aes256-sha256
        dpdaction=restart
        dpddelay=35
        dpdtimeout=300
        fragmentation=yes
        rekey=yes
        auto=start
        type=transport
        encapsulation=auto
        ikev2=insist
        left=server.example.com
        leftid=@server.example.com
        leftrsasigkey=%cert
        right=%defaultroute
        rightcert=client.example.com
        rightid=%fromcert
        rightrsasigkey=%cert

After I start the service (systemctl start ipsec) SAs seem to be 
well-formed on the strongSwan side and it verifies both certificates:

$ sudo ip xfrm state
src xxx.xxx.149.202 dst xxx.xxx.94.200
        proto esp spi 0x897dcd9f reqid 1 mode transport
        replay-window 0 
        auth-trunc hmac(sha256) 
0x0f3c8733623e0c36514a6da5c3900d0eafe7299592221c64e54728f7bcb9642f 128
        enc cbc(aes) 
0xc86902e16750e7b66d7298edf1de9c7382e8e5225e05fae3c5bd9a85daebb5fa
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src xxx.xxx.149.202/32 dst xxx.xxx.94.200/32 
src xxx.xxx.94.200 dst xxx.xxx.149.202
        proto esp spi 0xcbaa7ca4 reqid 1 mode transport
        replay-window 32 
        auth-trunc hmac(sha256) 
0x4102de8f68467e88051b1a67d11b0d368646757188356fef35bc10046b03cf1e 128
        enc cbc(aes) 
0xc0b4a9297acdb33808ef6fe4ae48909cb5e16290c5a6c9db06f3fa6b2f7ca017
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src xxx.xxx.94.200/32 dst xxx.xxx.149.202/32


However, Libreswan isn't able to finish the process:

pluto[26303]: "server" #1: initiating v2 parent SA
pluto[26303]: "server": constructed local IKE proposals for server (IKE SA 
initiator selecting KE): 
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
pluto[26303]: "server" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
pluto[26303]: "server": constructed local ESP/AH proposals for server (IKE 
SA initiator emitting ESP/AH proposals): 
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
pluto[26303]: "server" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 
{auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 
group=MODP2048}
pluto[26303]: "server" #2: loading root certificate cache
pluto[26303]: "server" #2: certificate verified OK: CN=server.example.com
pluto[26303]: "server" #2: IKEv2 mode peer ID is ID_FQDN: 
'@server.example.com'
pluto[26303]: "server" #2: Authenticated using RSA
pluto[26303]: "server" #2: STATE_PARENT_I2: retransmission; will wait 0.5 
seconds for response
pluto[26303]: "server" #2: EXPECTATION FAILED: st->st_remote_certs.verified 
== NULL (in decode_certs() at x509.c:696)
pluto[26303]: "server" #2: EXPECTATION FAILED: 
ike->sa.st_remote_certs.verified == NULL (in ikev2_parent_inR2() at 
ikev2_parent.c:3684)
pluto[26303]: "server" #2: X509: CERT payload bogus or revoked
pluto[26303]: "server" #2: STATE_PARENT_I2: retransmission; will wait 1 
seconds for response
pluto[26303]: "server" #2: EXPECTATION FAILED: st->st_remote_certs.verified 
== NULL (in decode_certs() at x509.c:696)
pluto[26303]: "server" #2: EXPECTATION FAILED: 
ike->sa.st_remote_certs.verified == NULL (in ikev2_parent_inR2() at 
ikev2_parent.c:3684)
pluto[26303]: "server" #2: X509: CERT payload bogus or revoked
pluto[26303]: "server" #2: STATE_PARENT_I2: retransmission; will wait 2 
seconds for response
pluto[26303]: "server" #2: EXPECTATION FAILED: st->st_remote_certs.verified 
== NULL (in decode_certs() at x509.c:696)
pluto[26303]: "server" #2: EXPECTATION FAILED: 
ike->sa.st_remote_certs.verified == NULL (in ikev2_parent_inR2() at 
ikev2_parent.c:3684)
pluto[26303]: "server" #2: X509: CERT payload bogus or revoked

Security associations creation is also unfinished:

$ sudo ip xfrm state show
src xxx.xxx.149.202 dst 192.168.1.2
        proto esp spi 0x9d338af9 reqid 16389 mode tunnel
        replay-window 0 
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src xxx.xxx.149.202/32 dst 192.168.1.2/32

Since I use Gentoo here on Libreswan side, maybe I miss something in my 
kernel?

More information about the Swan mailing list