[Swan] Problem with libreswan Linux Libreswan 4.1-1 (netkey) on 5.8.0-38-generic
Bo Osmann Erichsen
boe at mentor-it.dk
Mon Feb 1 11:24:34 UTC 2021
Hi list,
I have an issue with Linux Libreswan 4.1-1 (netkey) on 5.8.0-38-generic (Ubuntu 20.04) with a tunnel whose remote end is a Fortigate 1500:
The tunnel (certificate-based IKEv2 with xfrm/ipsec interface) is established fine and traffic flows as expected.
After salifetime is reached, the connection goes down and will not get re-established (no IPsec SA renegotiation or IKE SA renegotiation). I suspect this state might give some input on the problem:
"fgcon1" #5: encountered fatal error in state STATE_V2_REKEY_CHILD_I1
I've tried setting ikelifetime and salifetime to be the same on the peer, but with no success.
If you need more details or logs, don't hesitate to ask, but I did not want to spam the list.
Log in the timeline:
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | newref struct msg_digest at 0x5586b5d16738(0->1) (in read_message() at demux.c:106)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | newref alloc logger at 0x5586b5d37168(0->1) (in read_message() at demux.c:106)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | *received 80 bytes from x.x.x.x:4500 on ens4 12.12.12.2:4500 using UDP
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | b9 0b c0 c3 bc f2 db 02 8c ae 39 e8 5d 8e 2a 68
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | 2e 20 24 20 00 00 00 00 00 00 00 50 29 00 00 34
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | 54 de 6a 91 44 6e 35 4d cf 99 6f 73 2d d4 6c 7a
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | 14 fe b2 3c 53 df ef ff 94 2d b6 29 8a a4 ba eb
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | 18 a6 28 47 91 bf 3c 0f d2 34 61 bd 99 b6 b6 44
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | **parse ISAKMP Message:
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | initiator SPI: b9 0b c0 c3 bc f2 db 02
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | responder SPI: 8c ae 39 e8 5d 8e 2a 68
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | next payload type: ISAKMP_NEXT_v2SK (0x2e)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | Message ID: 0 (00 00 00 00)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | length: 80 (00 00 00 50)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | I am the IKE SA Original Initiator receiving an IKEv2 CREATE_CHILD_SA response
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | State DB: found IKEv2 state #4 in ESTABLISHED_IKE_SA (find_v2_ike_sa)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | State DB: found IKEv2 state #5 in V2_REKEY_CHILD_I1 (find_v2_sa_by_initiator_wip)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | #5 is idle
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | #5 idle
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | unpacking clear payload
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | Now let's proceed with payload (ISAKMP_NEXT_v2SK)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | ***parse IKEv2 Encryption Payload:
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | next payload type: ISAKMP_NEXT_v2N (0x29)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | flags: none (0x0)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | length: 52 (00 34)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | processing payload: ISAKMP_NEXT_v2SK (len=48)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | #5 in state V2_REKEY_CHILD_I1: sent CREATE_CHILD_SA request to rekey IPsec SA
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | result: newref clone-key at 0x5586b5d3f150 (32-bytes, SHA256_HMAC)(in init_symkey() at ike_alg_prf_mac_nss_ops.c:99)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | auth: delref clone-key at 0x5586b5d3f150
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | authenticator matched
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | stripping 8 octets as pad
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | #4 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | **parse IKEv2 Notify Payload:
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | flags: none (0x0)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | length: 8 (00 08)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | SPI size: 0 (00)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | Notify Message Type: v2N_NO_PROPOSAL_CHOSEN (0xe)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | processing payload: ISAKMP_NEXT_v2N (len=0)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | error notification v2N_NO_PROPOSAL_CHOSEN is not supported
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | selected state microcode roof
Feb 1 10:00:08 ubuntu2004 pluto[43388]: "fgcon1" #5: dropping unexpected CREATE_CHILD_SA message containing NO_PROPOSAL_CHOSEN notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | #5 complete_v2_state_transition() in state V2_REKEY_CHILD_I1 UNDEFINED->UNDEFINED with status STF_FATAL; md.svm=NULL
Feb 1 10:00:08 ubuntu2004 pluto[43388]: "fgcon1" #5: encountered fatal error in state STATE_V2_REKEY_CHILD_I1
IPsec config:
conn fgcon1
	keyexchange=ike
	ike="aes256-sha256-modp2048"
	esp="aes256-sha256-modp2048"
	leftcert=XXXX # Anonymised
	leftsendcert=always
	leftrsasigkey=%cert
	leftid=%fromcert
	left=%defaultroute
	leftmodecfgclient=yes
	leftnexthop=%defaultroute
	type=tunnel
	pfs=no
	aggressive=yes
	ikev2=yes
	right=X.X.X.X # Anonymised
	rightsubnet=192.168.110.30/32
	leftsubnet=0.0.0.0/0
	mark=5/0xffffffff # needs to be unique
	ipsec-interface=1
	rightid=%fromcert
	rightrsasigkey=%cert
	auto=start
	salifetime=30
	ikelifetime=30
	encapsulation=yes
	dpddelay=3
	dpdtimeout=3
	dpdaction=restart
	metric=10
	leftupdown=/usr/libexec/ipsec/_r2pupdown.rohit
Updown script:
#!/bin/bash
# Custom updown script for the xfrm (ipsec-interface) setup. pluto calls it with
# PLUTO_* variables describing the connection and PLUTO_VERB naming the event.
# -e: abort on the first failing command, -x: trace commands, -o pipefail: a
# failing command anywhere in a pipeline fails the pipeline.
set -e -x -o pipefail
LC_ALL=C
export LC_ALL
IP=$(which ip)
IP_RULE_PRIORITY=100

# Per-address-family constants: host prefix length and the routing table
# (SCOPE) the peer route and policy rule are placed in.
case "${PLUTO_CONN_ADDRFAMILY}" in
ipv4)
    FAMILY=4
    MAX_CIDR=32
    SCOPE=50
    ;;
ipv6)
    FAMILY=6
    MAX_CIDR=128
    SCOPE=global
    ;;
*)
    echo "unknown address family \"${PLUTO_CONN_ADDRFAMILY}\"" >&2
    exit 1
    ;;
esac

# Dump the whole PLUTO_* environment into the log for debugging.
printenv

case "${PLUTO_VERB}" in
up-client)
    # Put the mode-config address on the xfrm interface, route the peer's
    # public address via the physical interface in the per-family table,
    # and send fwmark'ed traffic for the remote subnet through that table
    # and out of the xfrm interface.
    $IP -${FAMILY} addr add "${PLUTO_MY_CLIENT_NET}"/${MAX_CIDR} dev "${PLUTO_VIRT_INTERFACE}" scope ${SCOPE}
    $IP -${FAMILY} route replace "${PLUTO_PEER}"/${MAX_CIDR} via "${PLUTO_NEXT_HOP}" dev "${PLUTO_INTERFACE}" table ${SCOPE}
    $IP -${FAMILY} rule add prio ${IP_RULE_PRIORITY} to "${PLUTO_PEER_CLIENT}" fwmark "${PLUTO_XFRMI_FWMARK}" lookup ${SCOPE}
    $IP -${FAMILY} route replace "${PLUTO_PEER_CLIENT}" metric "${PLUTO_METRIC}" dev "${PLUTO_VIRT_INTERFACE}" src "${PLUTO_MY_CLIENT_NET}"
    ;;
down-client)
    # Tear down in reverse; each step is allowed to fail so a partial
    # teardown still removes the rest (the "|| true" keeps set -e quiet).
    $IP -${FAMILY} rule del fwmark "${PLUTO_XFRMI_FWMARK%/*}" || true
    $IP -${FAMILY} addr flush dev "${PLUTO_VIRT_INTERFACE}" || true
    $IP -${FAMILY} link del "${PLUTO_VIRT_INTERFACE}" || true
    ;;
esac
Med venlig hilsen / Best regards
Bo Osmann Erichsen
Senior Architect
Mobile: +45 2627 1342
Tel.: +45 7216 1999
E-mail: boe at mentor-it.dk
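The hex dump and the pluto debug lines in the post above can be decoded by hand, but it is easier to see what the peer actually sent with a small decoder. The following is an added example, not code from the post or from libreswan: it parses the fixed IKEv2 header (RFC 7296 section 3.1) and the generic header of the first payload (section 3.2) out of the 80-byte packet pluto logged, and it runs a simple pattern check over a handful of the post's own log lines to flag the "CREATE_CHILD_SA response carrying NO_PROPOSAL_CHOSEN followed by a fatal state error" sequence. The packet bytes and the sample log lines are copied from the post; the exchange and payload type tables are the RFC 7296 values, and the function names are my own.

```python
"""Decode the raw IKEv2 packet and the pluto debug lines from a failed CHILD SA rekey."""
import re
import struct
from dataclasses import dataclass

# Sample input, copied from the hex dump pluto logged in the post (80 bytes).
PACKET_HEX = """
b9 0b c0 c3 bc f2 db 02 8c ae 39 e8 5d 8e 2a 68
2e 20 24 20 00 00 00 00 00 00 00 50 29 00 00 34
54 de 6a 91 44 6e 35 4d cf 99 6f 73 2d d4 6c 7a
14 fe b2 3c 53 df ef ff 94 2d b6 29 8a a4 ba eb
18 a6 28 47 91 bf 3c 0f d2 34 61 bd 99 b6 b6 44
"""

# RFC 7296 section 3.1 exchange types and section 3.2 payload types (subset).
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {0: "NONE", 33: "SA", 34: "KE", 40: "Nonce", 41: "N", 44: "TSi", 45: "TSr", 46: "SK"}
FLAG_INITIATOR = 0x08   # set when sent by the original initiator of the IKE SA
FLAG_RESPONSE = 0x20    # set on responses


@dataclass
class IkeHeader:
    initiator_spi: str
    responder_spi: str
    next_payload: str
    version: str
    exchange_type: str
    is_response: bool
    from_original_initiator: bool
    message_id: int
    length: int
    first_payload_next: str   # "next payload" field of the first payload's generic header
    first_payload_len: int


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump (as pluto prints it) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_ike_header(data: bytes) -> IkeHeader:
    """Parse the 28-byte IKEv2 header plus the 4-byte generic header of the first payload."""
    if len(data) < 32:
        raise ValueError("packet too short for an IKE header and one payload header")
    ispi, rspi, np, ver, xt, flags, mid, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header length {length} does not match {len(data)} bytes received")
    p_next, _p_flags, p_len = struct.unpack("!BBH", data[28:32])
    if 28 + p_len > length:
        raise ValueError("first payload runs past the end of the message")
    return IkeHeader(
        initiator_spi=ispi.hex(),
        responder_spi=rspi.hex(),
        next_payload=PAYLOAD_TYPES.get(np, f"unknown({np})"),
        version=f"{ver >> 4}.{ver & 0xF}",
        exchange_type=EXCHANGE_TYPES.get(xt, f"unknown({xt})"),
        is_response=bool(flags & FLAG_RESPONSE),
        from_original_initiator=bool(flags & FLAG_INITIATOR),
        message_id=mid,
        length=length,
        first_payload_next=PAYLOAD_TYPES.get(p_next, f"unknown({p_next})"),
        first_payload_len=p_len,
    )


# Sample input, copied from the pluto debug lines in the post.
SAMPLE_LOG = """\
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | State DB: found IKEv2 state #5 in V2_REKEY_CHILD_I1 (find_v2_sa_by_initiator_wip)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: | Notify Message Type: v2N_NO_PROPOSAL_CHOSEN (0xe)
Feb 1 10:00:08 ubuntu2004 pluto[43388]: "fgcon1" #5: encountered fatal error in state STATE_V2_REKEY_CHILD_I1
"""

EXCH_RE = re.compile(r"exchange type: (ISAKMP_v2_\w+)")
NOTIFY_RE = re.compile(r"Notify Message Type: (v2N_\w+)")
FATAL_RE = re.compile(r'"([^"]+)" #(\d+): encountered fatal error in state (\S+)')


def summarize_rekey_failure(log: str) -> dict:
    """Extract exchange types, peer notifies and the fatal state from pluto debug output.

    'rekey_rejected' is True when a CREATE_CHILD_SA exchange carried NO_PROPOSAL_CHOSEN
    and pluto then declared a fatal error, which is exactly the sequence in the post.
    """
    summary = {"exchanges": [], "notifies": [], "fatal": None}
    for line in log.splitlines():
        if m := EXCH_RE.search(line):
            summary["exchanges"].append(m.group(1))
        if m := NOTIFY_RE.search(line):
            summary["notifies"].append(m.group(1))
        if m := FATAL_RE.search(line):
            summary["fatal"] = {"conn": m.group(1), "state_num": int(m.group(2)), "state": m.group(3)}
    summary["rekey_rejected"] = (
        "ISAKMP_v2_CREATE_CHILD_SA" in summary["exchanges"]
        and "v2N_NO_PROPOSAL_CHOSEN" in summary["notifies"]
        and summary["fatal"] is not None
    )
    return summary


if __name__ == "__main__":
    print(parse_ike_header(hexdump_to_bytes(PACKET_HEX)))
    print(summarize_rekey_failure(SAMPLE_LOG))
```

The decoder reproduces what pluto printed: a CREATE_CHILD_SA response whose only payload is an SK payload of 52 bytes wrapping a Notify, and no SA, Nonce or TS payloads. Only the outer headers are readable here because the Notify itself sits inside the encrypted SK payload; the cleartext contents come from pluto's own decryption in the log.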