[Swan] Connection stops after STATE_PARENT_R1

John Crisp jcrisp at safeandsoundit.co.uk
Sun Feb 9 12:28:29 UTC 2020


Hi all,

Stuck... :-(

All working perfectly and then suddenly it doesn't, and I don't get why.

My ipsec configs are 'templated' so barring the cert name, right IP, and
subnet, the settings are all identical. Saves mistakes.... !

Two connections from two Endian boxes (using strongswan, I think) to one
Libreswan 3.29 server, identical except for the incoming (right) IP address,
rightsubnet and cert.

One Endian works, one doesn't (it did). Tried restarting server,
restarting router etc etc and nothing!

I had been messing about with some L2TPD stuff, but have disabled all
that and gone back to the start, but still stuck.

The one that has stopped working gets this far on the Libre end, and
then Libre just stops:

 STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2
cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}

It never seems to get this which is the next part in a working connection:

  processing IKE_SA_INIT request: SA,KE,Ni,N,N,N (message arrived 0
seconds ago)

The Endian box seems to think it is sending one:

  generating IKE_AUTH request 1

I did think it was because I was messing with xl2tpd on this connection,
but I have a couple of other outgoing Endian > Libre connections, almost
identical (barring the right ip and subnet), to different almost
identical and untouched boxes that fail as well, and two more almost
identical ones that work.

It's not logical!

I have experienced similar before and it usually automagically resolves
itself after rebooting Endian or turning ipsec off and back on. Not this
time.

Libre connection

conn TestToHomeVoip
    type=tunnel
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert="TestServerHomeClient"
    rightcert="endian.ip"
    auto=add
    ikev2=insist
    ike=aes256-sha2;dh14
    phase2alg=aes256-sha2;dh14
    encapsulation=no
    keyingtries=%forever
    ikelifetime=3600s
    salifetime=28800s
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    pfs=yes
    left=%defaultroute
    leftid=%fromcert
    leftsourceip=192.168.97.1
    leftsubnet=192.168.97.0/24
    right=endian.ip
    rightid=%fromcert
    rightsubnet=192.168.10.0/24
    reauth=yes



Libre/pluto log

Feb  8 17:53:16.693806: "TestToHomeVoip" #9: processing IKE_SA_INIT
request: SA,KE,Ni,N,N,N (message arrived 0 seconds ago)
Feb  8 17:53:16.693848: "TestToHomeVoip": constructed local IKE
proposals for TestToHomeVoip (IKE SA responder matching remote
proposals):
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
Feb  8 17:53:16.693870: "TestToHomeVoip" #9: proposal
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
chosen from remote proposals
1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
2:IKE:ENCR=AES_CBC_128;ENCR=AES_CBC_192;ENCR=AES_CBC_256;ENCR=3DES;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;INTEG=HMAC_SHA1_96;INTEG=HMAC_MD5_96;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_512_256;PRF=AES128_XCBC;PRF=AES128_CMAC;PRF=HMAC_SHA1;PRF=HMAC_MD5;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;DH=MODP2048;DH=DH23;DH=DH24;DH=MODP1536;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=MODP1024;DH=DH22
Feb  8 17:53:16.693897: "TestToHomeVoip" #9: Received and ignored hash
algorithm 1
Feb  8 17:53:16.697419: "TestToHomeVoip" #9: STATE_PARENT_R1: received
v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128
prf=HMAC_SHA2_256 group=MODP2048}
Feb  8 17:56:01.936284: "TestToHomeVoip" #9: received duplicate
IKE_SA_INIT message request (Message ID 0); retransmitting response
Feb  8 17:56:36.698821: "TestToHomeVoip" #9: deleting incomplete state
after 200.000 seconds
Feb  8 17:56:36.698864: "TestToHomeVoip" #9: deleting state
(STATE_PARENT_R1) aged 200.005s and NOT sending notification

Endian log

Feb  8 17:53:16 efw ipsec: 14[ENC] generating IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Feb  8 17:53:16 efw ipsec: 14[NET] sending packet: from endian.ip[500]
to libre.ip[500] (684 bytes)
Feb  8 17:53:16 efw ipsec: 07[NET] received packet: from libre.ip[500]
to endian.ip[500] (465 bytes)
Feb  8 17:53:16 efw ipsec: 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE
No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Feb  8 17:53:16 efw ipsec: 07[IKE] received 1 cert requests for an
unknown ca
Feb  8 17:53:16 efw ipsec: 07[IKE] sending cert request for "C=UK,
ST=State, L=Town, O=Company, OU=Certificate Authority, CN=Certificate
Authority, E=admin at company.com"
Feb  8 17:53:16 efw ipsec: 07[IKE] sending cert request for "C=IT,
O=efw, CN=efw CA"
Feb  8 17:53:16 efw ipsec: 07[IKE] authentication of 'C=IT, O=efw,
CN=endian.ip' (myself) with RSA signature successful
Feb  8 17:53:16 efw ipsec: 07[IKE] sending end entity cert "C=IT, O=efw,
CN=endian.ip"
Feb  8 17:53:16 efw ipsec: 07[IKE] establishing CHILD_SA MainToTest
Feb  8 17:53:16 efw ipsec: 07[ENC] generating IKE_AUTH request 1 [ IDi
CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Feb  8 17:53:16 efw ipsec: 07[NET] sending packet: from endian.ip[4500]
to libre.ip[4500] (1504 bytes)
Feb  8 17:53:20 efw ipsec: 09[IKE] retransmit 1 of request with message ID 1
Feb  8 17:53:20 efw ipsec: 09[NET] sending packet: from endian.ip[4500]
to libre.ip[4500] (1504 bytes)
Feb  8 17:53:27 efw ipsec: 13[IKE] retransmit 2 of request with message ID 1
Feb  8 17:53:27 efw ipsec: 13[NET] sending packet: from endian.ip[4500]
to libre.ip[4500] (1504 bytes)
Feb  8 17:53:40 efw ipsec: 07[IKE] retransmit 3 of request with message ID 1
Feb  8 17:53:40 efw ipsec: 07[NET] sending packet: from endian.ip[4500]
to libre.ip[4500] (1504 bytes)
Feb  8 17:54:04 efw ipsec: 15[IKE] retransmit 4 of request with message ID 1
Feb  8 17:54:04 efw ipsec: 15[NET] sending packet: from endian.ip[4500]
to libre.ip[4500] (1504 bytes)


I did wonder if it was an MTU issue? Or possibly iptables on 4500
somehow - odd because the Libre box is working with other incoming
connections....

18:43:49.451604 IP (tos 0x20, ttl 53, id 10512, offset 0, flags [+],
proto UDP (17), length 1492)
    endian.ip.4500 > libre.ip.4500: NONESP-encap: isakmp 2.0 msgid
00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1504/ip
1460)

Any suggestions on why it might be failing here appreciated.

B. Rgds

John
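As an added example (not from the post, Libreswan or strongswan), a small Python triage script run over constructed excerpts of the three captures quoted above: it checks whether pluto ever processed an IKE_AUTH request after STATE_PARENT_R1, how many times charon retransmitted message ID 1, and whether the tcpdump line shows the IKE_AUTH packet arriving IP-fragmented. The log line formats are taken from the post; the function names and findings wording are my own.

```python
import re

# Constructed excerpts of the three captures quoted in the post (pluto, charon, tcpdump).
PLUTO_LOG = """\
Feb  8 17:53:16.693806: "TestToHomeVoip" #9: processing IKE_SA_INIT request: SA,KE,Ni,N,N,N (message arrived 0 seconds ago)
Feb  8 17:53:16.697419: "TestToHomeVoip" #9: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Feb  8 17:56:01.936284: "TestToHomeVoip" #9: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Feb  8 17:56:36.698821: "TestToHomeVoip" #9: deleting incomplete state after 200.000 seconds
"""
CHARON_LOG = """\
Feb  8 17:53:16 efw ipsec: 07[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr ]
Feb  8 17:53:16 efw ipsec: 07[NET] sending packet: from endian.ip[4500] to libre.ip[4500] (1504 bytes)
Feb  8 17:53:20 efw ipsec: 09[IKE] retransmit 1 of request with message ID 1
Feb  8 17:53:27 efw ipsec: 13[IKE] retransmit 2 of request with message ID 1
Feb  8 17:53:40 efw ipsec: 07[IKE] retransmit 3 of request with message ID 1
Feb  8 17:54:04 efw ipsec: 15[IKE] retransmit 4 of request with message ID 1
"""
TCPDUMP_LINE = ("18:43:49.451604 IP (tos 0x20, ttl 53, id 10512, offset 0, flags [+], proto UDP (17), "
                "length 1492) endian.ip.4500 > libre.ip.4500: NONESP-encap: isakmp 2.0 msgid 00000001: "
                "child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1504/ip 1460)")

def responder_stalled_after_init(pluto_log):
    """True if pluto answered IKE_SA_INIT (STATE_PARENT_R1) but never logged an IKE_AUTH request."""
    reached_r1 = "STATE_PARENT_R1: received v2I1, sent v2R1" in pluto_log
    return reached_r1 and "processing IKE_AUTH request" not in pluto_log

def initiator_retransmits(charon_log, msg_id=1):
    """Count charon retransmits of the request with this message ID (ID 1 is IKE_AUTH here)."""
    return len(re.findall(rf"retransmit \d+ of request with message ID {msg_id}\b", charon_log))

def ip_fragment_info(tcpdump_line):
    """Return (isakmp_len, ip_payload_len) when tcpdump shows a first IP fragment (flags [+])
    carrying a truncated IKE message, else None."""
    m = re.search(r"flags \[\+\].*len mismatch: isakmp (\d+)/ip (\d+)", tcpdump_line)
    return (int(m.group(1)), int(m.group(2))) if m else None

def diagnose(pluto_log, charon_log, tcpdump_line):
    """First-pass triage of the three captures: a list of findings, empty if nothing is wrong."""
    findings = []
    if responder_stalled_after_init(pluto_log):
        findings.append("responder never processed an IKE_AUTH request")
    n = initiator_retransmits(charon_log)
    if n:
        findings.append(f"initiator retransmitted IKE_AUTH {n} times without a reply")
    frag = ip_fragment_info(tcpdump_line)
    if frag:
        findings.append(f"IKE_AUTH ({frag[0]} bytes) arrives IP-fragmented, first fragment carries "
                        f"{frag[1]} bytes: check MTU and fragment handling on the path and on UDP 4500")
    return findings
```

Run `diagnose(PLUTO_LOG, CHARON_LOG, TCPDUMP_LINE)` to get the three findings for the captures above; point the same functions at your own log files to compare a working and a failing peer.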

