[Swan] IKEv2 causing netlink errors
Peter Rofner
profner at richmondnursery.com
Wed Dec 11 11:35:26 UTC 2019
On 12/10/19 5:44 PM, Paul Wouters wrote:
> On Tue, 10 Dec 2019, Peter Rofner wrote:
> Your first log shows you sent IKE_SA_INIT request, got reply. Send
> IKE_AUTH request and got a reply with AUTHENTICATION_FAILED
>
> The second log shows it is not responder to anything, but initiating
> its own IKE_SA_INIT request, and a firewall or gateway fails it or
> the remote IP is not the right one.
Yes, I think the firewall initially blocks some requests when I restart
IPSec. Maybe something to do with connection tracking? It seems to
resolve and allow traffic in a couple seconds so I don't think it's the
source of the issues.
> There might be two things going on at the same time, but then you didnt
> match up the attempts when you looked up the logs.
You're right. I was comparing time-stamps, but that wasn't right. The
peer has three IPSec connections - two static with PSK and one
roadwarrior with RSA. When looking at the logs, I was only looking at
the entries for the one static connection in question. It seems when
IKEv2 is enabled, it sometimes tries to authenticate against the
roadwarrior connection (though not consistently):
----
Dec 11 05:35:25 [pluto] "roadwarrior-rsa"[1] x.x.x.x #5: Peer ID
'x.x.x.x' mismatched on first found connection and no better connection
found
Dec 11 05:35:25 [pluto] "roadwarrior-rsa"[1] x.x.x.x #5: responding to
IKE_AUTH message (ID 1) from x.x.x.x:500 with encrypted notification
AUTHENTICATION_FAILED
----
Again, that doesn't seem to be the cause of the netkey error. I'm going
to dig though kernel modules relating to encryption and see if anything
else pops out at me. It still seems to point to a missing crypto routine
to me.
--
Peter Rofner
Richmond Nursery Inc.
http://www.richmondnursery.com
More information about the Swan
mailing list