[Swan] IKEv2 causing netlink errors

Peter Rofner profner at richmondnursery.com
Wed Dec 11 11:35:26 UTC 2019

On 12/10/19 5:44 PM, Paul Wouters wrote:
> On Tue, 10 Dec 2019, Peter Rofner wrote:
> Your first log shows you sent IKE_SA_INIT request, got reply. Send
> IKE_AUTH request and got a reply with AUTHENTICATION_FAILED
> The second log shows it is not responder to anything, but initiating
> its own IKE_SA_INIT request, and a firewall or gateway fails it or
> the remote IP is not the right one.

Yes, I think the firewall initially blocks some requests when I restart 
IPSec. Maybe something to do with connection tracking? It seems to 
resolve and allow traffic in a couple of seconds, so I don't think it's the 
source of the issues.

> There might be two things going on at the same time, but then you didn't
> match up the attempts when you looked up the logs.

You're right. I was comparing time-stamps, but that wasn't right. The 
peer has three IPSec connections - two static with PSK and one 
roadwarrior with RSA. When looking at the logs, I was only looking at 
the entries for the one static connection in question. It seems when 
IKEv2 is enabled, it sometimes tries to authenticate against the 
roadwarrior connection (though not consistently):

Dec 11 05:35:25 [pluto] "roadwarrior-rsa"[1] x.x.x.x #5: Peer ID 
'x.x.x.x' mismatched on first found connection and no better connection 
Dec 11 05:35:25 [pluto] "roadwarrior-rsa"[1] x.x.x.x #5: responding to 
IKE_AUTH message (ID 1) from x.x.x.x:500 with encrypted notification 

Again, that doesn't seem to be the cause of the netkey error. I'm going 
to dig through kernel modules relating to encryption and see if anything 
else pops out at me. It still seems to point to a missing crypto routine 
to me.

Peter Rofner
Richmond Nursery Inc.

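The mistake described above (comparing timestamps across connections instead of following one IKE SA through the log) is easy to avoid by grouping pluto lines by their state number (the `#N` token) rather than by time. The script below is an added example written for this page, not code from the thread or from libreswan: it parses lines in the shape pasted above (syslog timestamp, `[pluto]`, quoted connection name, optional instance and peer, `#state:`, message), groups them per state, and flags the two symptoms Paul and Peter mention. The sample log is constructed for the example; only the two `roadwarrior-rsa` lines are taken from the thread, and the connection name `site-b-psk` and the other message texts are illustrative, not pluto's exact wording.

```python
import re
from collections import defaultdict

# Matches the line shape seen in the thread, e.g.
#   Dec 11 05:35:25 [pluto] "roadwarrior-rsa"[1] x.x.x.x #5: Peer ID ...
# Instance ("[1]") and peer address are optional: static connections log
# as '"name" #4: ...' with neither. Logs that carry a hostname or a
# "pluto[pid]:" prefix would need the prefix adjusted.
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\[pluto\]\s+'
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])?\s+'
    r'(?:(?P<peer>\S+)\s+)?'
    r'#(?P<state>\d+):\s+(?P<msg>.*)$'
)

# Constructed sample log. The two "roadwarrior-rsa" lines are quoted from
# the thread; the "site-b-psk" lines are illustrative (hypothetical name
# and wording) to show one initiator attempt interleaved with a responder
# instance that picked the wrong connection.
SAMPLE_LOG = """\
Dec 11 05:35:24 [pluto] "site-b-psk" #4: initiating IKEv2 connection
Dec 11 05:35:24 [pluto] "site-b-psk" #4: sent IKE_SA_INIT request
Dec 11 05:35:25 [pluto] "roadwarrior-rsa"[1] x.x.x.x #5: Peer ID 'x.x.x.x' mismatched on first found connection and no better connection
Dec 11 05:35:25 [pluto] "roadwarrior-rsa"[1] x.x.x.x #5: responding to IKE_AUTH message (ID 1) from x.x.x.x:500 with encrypted notification
Dec 11 05:35:25 [pluto] "site-b-psk" #4: IKE_AUTH response contained the error notification AUTHENTICATION_FAILED
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Substrings that indicate the two symptoms discussed in the thread.
SUSPECT = ("mismatched on first found connection", "AUTHENTICATION_FAILED")


def parse_line(line):
    """Return a dict of fields for a pluto state line, or None if it is not one."""
    m = PLUTO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["state"] = int(rec["state"])
    return rec


def group_by_state(lines):
    """{state_number: [record, ...]} in log order, so one IKE SA's
    IKE_SA_INIT and IKE_AUTH steps can be read together."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[rec["state"]].append(rec)
    return dict(groups)


def connections_per_state(lines):
    """Which connection name(s) each state number was logged under."""
    return {state: sorted({r["conn"] for r in recs})
            for state, recs in group_by_state(lines).items()}


def auth_problems(lines):
    """(state, connection, message) for lines showing a connection-selection
    or authentication failure, ordered by state number."""
    found = []
    for state, recs in sorted(group_by_state(lines).items()):
        for rec in recs:
            if any(s in rec["msg"] for s in SUSPECT):
                found.append((state, rec["conn"], rec["msg"]))
    return found


if __name__ == "__main__":
    for state, recs in sorted(group_by_state(SAMPLE_LINES).items()):
        print(f"#{state}:")
        for r in recs:
            peer = f" {r['peer']}" if r["peer"] else ""
            print(f"  {r['ts']} \"{r['conn']}\"{peer}: {r['msg']}")
    print("problems:")
    for state, conn, msg in auth_problems(SAMPLE_LINES):
        print(f"  #{state} {conn}: {msg}")
```

Reading the output per state makes the pattern in the thread visible at once: one state number belongs to the static connection's own initiator attempt, a different state number belongs to a responder instance that pluto attached to the roadwarrior connection, and neither tells you anything about the netkey/kernel error, which is logged without a state number and would not match this regex at all.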