[Swan] AWS: INVALID_HASH_INFORMATION

Ryszard Styczynski rstyczynski at gmail.com
Mon Oct 12 12:51:32 UTC 2020


Hello,

I've found the error. My error. 

     left=10.196.3.53
     leftid=140.238.80.46
     leftsubnet=10.106.0.0/16

It should be:

     left=10.196.3.53
     leftid=140.238.80.46
     leftsubnet=10.196.0.0/16

After fixing above, all is good:

Oct 12 12:49:17.268926: "XXX_tunnel2" #11: initiating Main Mode
Oct 12 12:49:17.280441: "XXX_tunnel2" #11: STATE_MAIN_I2: sent MI2, expecting MR2
Oct 12 12:49:17.292445: "XXX_tunnel2" #11: STATE_MAIN_I3: sent MI3, expecting MR3
Oct 12 12:49:17.303169: "XXX_tunnel2" #11: Peer ID is ID_IPV4_ADDR: '52.214.70.211'
Oct 12 12:49:17.303556: "XXX_tunnel2" #11: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}
Oct 12 12:49:17.303667: "XXX_tunnel2" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#11 msgid:dfe9b6dd proposal=AES_CBC_128-HMAC_SHA1_96-MODP1024 pfsgroup=MODP1024}
Oct 12 12:49:17.316170: "XXX_tunnel2" #12: our client subnet returned doesn't match my proposal - us:10.196.0.0/16 vs them:10.196.3.0/24
Oct 12 12:49:17.316218: "XXX_tunnel2" #12: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
Oct 12 12:49:17.345910: "XXX_tunnel2" #12: up-client output: vti interface "vti202" already exists with conflicting setting (perhaps need vti-sharing=yes ?
XXXXXXXXXXXXXXXXXXXXXXXXOct 12 12:49:17.346969: "XXX_tunnel2" #12: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xc29c90e2 <0x2113ec70 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=52.214.70.211:4500 DPD=active}XXX


Regards,
Ryszard


> On 12 Oct 2020, at 14:28, Ryszard Styczynski <rstyczynski at gmail.com> wrote:
> 
> Hello,
> 
> I'm trying to connect Linux to an AWS VPN Connection using Libreswan 3.25. On the same host an IPsec connection has already worked for a long time. Now I'm adding another one, and I'm stuck on the problem below:
> 
> Oct 12 11:54:08.149392: "XXX_tunnel2" #41: initiating Main Mode
> Oct 12 11:54:08.161867: "XXX_tunnel2" #41: STATE_MAIN_I2: sent MI2, expecting MR2
> Oct 12 11:54:08.174565: "XXX_tunnel2" #41: STATE_MAIN_I3: sent MI3, expecting MR3
> Oct 12 11:54:08.185652: "XXX_tunnel2" #41: Peer ID is ID_IPV4_ADDR: '52.214.70.211'
> Oct 12 11:54:08.186215: "XXX_tunnel2" #41: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}
> Oct 12 11:54:08.186295: "XXX_tunnel2" #42: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#41 msgid:f741420f proposal=AES_CBC_128-HMAC_SHA1_96-MODP1024 pfsgroup=MODP1024}
> Oct 12 11:54:08.198059: "XXX_tunnel2" #41: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=16
> Oct 12 11:54:08.198091: | ISAKMP Notification Payload
> Oct 12 11:54:08.198103: |   00 00 00 10  00 00 00 01  03 04 00 12
> Oct 12 11:54:08.198112: "XXX_tunnel2" #41: received and ignored informational message
> Oct 12 11:54:08.687396: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
> Oct 12 11:54:09.188146: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
> Oct 12 11:54:10.189374: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
> Oct 12 11:54:12.190339: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
> Oct 12 11:54:16.194522: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
> Oct 12 11:54:24.197845: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 16 seconds for response
> Oct 12 11:54:24.209230: "XXX_tunnel2" #41: ignoring informational payload INVALID_HASH_INFORMATION, msgid=00000000, length=12
> Oct 12 11:54:24.209266: | ISAKMP Notification Payload
> Oct 12 11:54:24.209272: |   00 00 00 0c  00 00 00 01  01 00 00 17
> Oct 12 11:54:24.209276: "XXX_tunnel2" #41: received and ignored informational message
> 
> Configuration is quite fundamental, as proposed by the regular AWS setup. I'm using exactly the same for the other working VPN Connection.
> 
> conn XXX_tunnel2
>      mark=202/0xffffffff
>      vti-interface=vti202
>      vti-routing=no
> 
>      left=10.196.3.53
>      leftid=140.238.80.46
>      leftsubnet=10.106.0.0/16
> 
>      rightsubnet=0.0.0.0/0
>      right=52.214.70.211
> 
>      type=tunnel
> 
>      authby=secret
>      auto=start
> 
>      dpddelay=10
>      dpdtimeout=30
>      dpdaction=restart_by_peer
> 
>      ikelifetime=8h
>      keylife=1h
>      phase2alg=aes128-sha1;modp1024
>      ike=aes128-sha1;modp1024
>      keyingtries=%forever
>      keyexchange=ike
> 
> I'd appreciate any advice on where the trick is. What is wrong? How can I debug further?
> 
> Regards,
> Ryszard
> 
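The two things this thread turns on are the ISAKMP Notification payloads that pluto dumped in hex (INVALID_ID_INFORMATION, then INVALID_HASH_INFORMATION) and a `leftsubnet` that did not cover the host's own `left` address. The following Python is an added example, not code from the thread or from the Libreswan project: it decodes a notification payload header per the RFC 2408 layout (next payload, reserved, length, DOI, protocol ID, SPI size, notify type) and runs a simple sanity check over an ipsec.conf `conn` block. The notify-type and protocol-ID tables are the RFC 2408 / RFC 2407 values (a subset, written with underscores the way pluto prints them), and the "left should sit inside leftsubnet" rule is a heuristic that matches the mistake in this thread, not a general Libreswan requirement; the sample config and hex dumps are taken from the messages above.

```python
import ipaddress
import re

# RFC 2408 section 3.14.1 notify message types (subset); names as pluto logs them.
NOTIFY_TYPES = {
    1: "INVALID_PAYLOAD_TYPE", 4: "INVALID_COOKIE", 9: "INVALID_MESSAGE_ID",
    10: "INVALID_PROTOCOL_ID", 11: "INVALID_SPI", 14: "NO_PROPOSAL_CHOSEN",
    16: "PAYLOAD_MALFORMED", 17: "INVALID_KEY_INFORMATION",
    18: "INVALID_ID_INFORMATION", 23: "INVALID_HASH_INFORMATION",
    24: "AUTHENTICATION_FAILED",
}
# RFC 2407 section 4.4.1 IPsec DOI protocol identifiers.
PROTOCOL_IDS = {1: "PROTO_ISAKMP", 2: "PROTO_IPSEC_AH",
                3: "PROTO_IPSEC_ESP", 4: "PROTO_IPCOMP"}


def decode_notify(hex_dump: str) -> dict:
    """Decode the 12-byte ISAKMP Notification payload header pluto dumps.

    Layout (RFC 2408 3.14): next(1) reserved(1) length(2) DOI(4)
    protocol-id(1) SPI-size(1) notify-type(2) [SPI] [data].
    """
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(data) < 12:
        raise ValueError("notification payload header needs 12 bytes")
    length = int.from_bytes(data[2:4], "big")
    doi = int.from_bytes(data[4:8], "big")
    proto_id, spi_size = data[8], data[9]
    ntype = int.from_bytes(data[10:12], "big")
    return {
        "length": length,
        "doi": doi,
        "protocol": PROTOCOL_IDS.get(proto_id, f"UNKNOWN({proto_id})"),
        "spi_size": spi_size,
        "type": ntype,
        "name": NOTIFY_TYPES.get(ntype, f"UNKNOWN({ntype})"),
    }


def parse_conns(text: str) -> dict:
    """Minimal ipsec.conf reader: returns {conn_name: {key: value}}.

    Tolerates the '> ' quoting prefix of a mailed config; ignores comments.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def check_conn(opts: dict) -> list:
    """Heuristic checks that would have flagged the thread's misconfiguration."""
    problems = []
    left, leftsubnet = opts.get("left"), opts.get("leftsubnet")
    if left and leftsubnet and leftsubnet != "0.0.0.0/0":
        try:
            inside = ipaddress.ip_address(left) in ipaddress.ip_network(leftsubnet, strict=False)
        except ValueError as exc:
            problems.append(f"unparseable address/subnet: {exc}")
        else:
            if not inside:  # heuristic: in this VTI/AWS setup, left lives in leftsubnet
                problems.append(f"left={left} is not inside leftsubnet={leftsubnet}")
    if opts.get("vti-interface") and opts.get("vti-routing") not in ("yes", "no"):
        problems.append("vti-interface set but vti-routing is not yes/no")
    return problems


# Constructed sample: the broken conn block from the thread, with the typo'd subnet.
SAMPLE_CONF = """
conn XXX_tunnel2
     mark=202/0xffffffff
     vti-interface=vti202
     vti-routing=no
     left=10.196.3.53
     leftid=140.238.80.46
     leftsubnet=10.106.0.0/16
     rightsubnet=0.0.0.0/0
     right=52.214.70.211
"""

if __name__ == "__main__":
    for dump in ("00 00 00 10  00 00 00 01  03 04 00 12",
                 "00 00 00 0c  00 00 00 01  01 00 00 17"):
        print(decode_notify(dump))
    for name, opts in parse_conns(SAMPLE_CONF).items():
        print(name, check_conn(opts) or "ok")
```

Running the check over the original block reports the `left` / `leftsubnet` mismatch; after changing `leftsubnet` to `10.196.0.0/16` it reports nothing. The decoder shows the first notification was sent for the ESP proposal (protocol 3, 4-byte SPI) and the second for the ISAKMP SA itself (protocol 1, no SPI), which is the order in which the quoted log shows them.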
