[Swan] libreswan upgrade on centos 7.9
Frank Liu
gfrankliu at gmail.com
Tue Oct 26 16:16:41 UTC 2021
Thanks Paul!
Just noticed the version we are running is 3.15 on Amazon Linux 1. When the
remote side (Cisco ASA) brings the tunnel down and back up again, libreswan
can't recover (see the libreswan config below), filling the log with errors:
Oct 26 15:29:24: "asa/0x4" #58794: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Oct 26 15:29:24: "asa/0x4" #58794: starting keying attempt 11 of an unlimited number
Oct 26 15:29:24: "asa/0x4" #58820: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #58794 {using isakmp#58549 msgid:8e7129f2 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
Oct 26 15:29:24: deleting state #58794 (STATE_QUICK_I1)
Here is the libreswan 3.15 config. Is this a known issue fixed between 3.15
and the latest?
conn asa
    type=tunnel
    authby=secret
    left=...
    leftid=...
    leftsubnet=...
    right=...
    rightsubnets=...
    keyexchange=ike
    ikelifetime=86400s
    salifetime=28800s
    pfs=no
    auto=start
    dpddelay=10
    dpdtimeout=40
    dpdaction=restart
    aggrmode=no
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1;modp1024
Thanks!
Frank
On Tue, Oct 19, 2021 at 11:56 AM Paul Wouters <paul.wouters at aiven.io> wrote:
> On Tue, 19 Oct 2021, Frank Liu wrote:
>
> > We are using libreswan 3.25 bundled with centos 7.9, having a tunnel
> > with Cisco ASA with DPD enabled. Occasionally, the tunnel stops working,
> > and a manual restart of libreswan will always be able to fix it.
> >
> > We are thinking of upgrading to the latest 4.5 from
> > https://download.libreswan.org/binaries/rhel/7/x86_64/ and see if it is
> > more stable. Is 4.5 a simple drop-in upgrade to 3.25 if we do rpm -U?
>
> It should be, yes.
>
> Note some defaults did change, which might require tweaking your config
> files. A quick grep on the CHANGES file between 3.26 and 4.5 shows:
>
> * pluto: Change default ikelifetime from 1h to 8h [Paul]
> * pluto: change default IKE SA lifetime from 1h to 8h [Paul]
> * IKEv2: Remove SHA1 from default proposal list [Paul]
> * IKEv2: Prefer RFC 7427 Digital Signatures for default authby=rsasig [Sahana]
> * pluto: Add chacha20_poly1305 and curve25519 to default proposals [Paul]
> * IKE: Change default connection from IKEv1 to IKEv2 [Paul]
>
> If you did not set ikev2= before, meaning you were using IKEv1, you need
> to add ikev2=no
>
> Paul
>
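Added example (not libreswan code and not from either poster): a small audit of an ipsec.conf conn section for the 3.x defaults Paul lists as changed in 4.x, so the conn can be checked before the rpm -U rather than after the tunnel fails to come up. It only knows the four changes named in the reply (IKE version, IKE SA lifetime, default proposals, the rsasig signature method). The conn text is a constructed stand-in for the config posted above with placeholder addresses and subnets.

```python
"""Audit ipsec.conf conns for libreswan 3.x defaults that changed in 4.x.

Added example, not libreswan's own code. Checks only the default changes
listed in the reply above; the sample conn is constructed with placeholder
addresses (assumption) in place of the poster's real values.
"""
import re

# Constructed sample: the 3.x conn from the thread, addresses are placeholders.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn asa
    type=tunnel
    authby=secret
    left=192.0.2.10
    leftid=192.0.2.10
    leftsubnet=10.0.0.0/24
    right=198.51.100.20
    rightsubnets=10.1.0.0/24
    keyexchange=ike
    ikelifetime=86400s
    salifetime=28800s
    pfs=no
    auto=start
    dpddelay=10
    dpdtimeout=40
    dpdaction=restart
    aggrmode=no
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1;modp1024
"""

_SECTION = re.compile(r"^(conn|config)\s+(\S+)\s*$")


def parse_conf(text):
    """Return {conn_name: {option: value}} for every conn section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        m = _SECTION.match(line)
        if m:
            # Only conn sections are kept; a config setup section ends the current conn.
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return conns


def audit_conn(opts):
    """Return (option, message) pairs for settings that relied on a 3.x default."""
    findings = []
    ikev2 = opts.get("ikev2")
    if ikev2 is None:
        findings.append(("ikev2", "not set: 4.x defaults to IKEv2; add ikev2=no to stay on IKEv1"))
    if "ikelifetime" not in opts:
        findings.append(("ikelifetime", "not set: default IKE SA lifetime moved from 1h to 8h"))
    if "ike" not in opts:
        findings.append(("ike", "not set: default proposals changed (SHA1 dropped from the IKEv2 "
                                "defaults, chacha20_poly1305/curve25519 added); pin ike= to what the peer accepts"))
    if opts.get("authby") == "rsasig" and ikev2 not in ("no", "never"):
        findings.append(("authby", "rsasig now prefers RFC 7427 digital signatures; confirm the peer accepts them"))
    return findings


def fix_conn(opts):
    """Return a copy with ikev2=no added when the conn left the IKE version implicit."""
    fixed = dict(opts)
    fixed.setdefault("ikev2", "no")
    return fixed


def render_conn(name, opts):
    """Render a conn section back into ipsec.conf syntax."""
    return "conn %s\n" % name + "".join("    %s=%s\n" % kv for kv in opts.items())


if __name__ == "__main__":
    for name, opts in parse_conf(SAMPLE_CONF).items():
        for key, msg in audit_conn(opts):
            print("%s: %s %s" % (name, key, msg))
        print(render_conn(name, fix_conn(opts)))
```

For the conn posted above the only finding is the missing ikev2= line, because ike= and ikelifetime= are already pinned; a conn that left both of those at their defaults would get three findings, and fix_conn only adds ikev2=no, since the other two need a value chosen against the peer rather than a mechanical default.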
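Added example (not libreswan code and not from either poster): detection logic for the failure pattern in the pluto log excerpt above, where Quick Mode hits the retransmission limit, a new state is created against the same ISAKMP SA, and the keying attempt counter keeps climbing without an IPsec SA ever being established. The script tallies that per conn so a monitor can raise an alert instead of waiting for someone to notice the tunnel is down and restart libreswan by hand. The log lines are constructed to match the shape of the excerpt; the alert threshold is an assumption.

```python
"""Spot libreswan IKEv1 conns stuck re-trying Quick Mode, from pluto log lines.

Added example, not libreswan's own code. The sample log is constructed to
match the excerpt in the thread; the min_failures threshold is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample log: two failed Quick Mode rounds on "asa/0x4" reusing the
# same ISAKMP SA, plus an unrelated conn that does establish.
SAMPLE_LOG = """\
Oct 26 15:29:24: "asa/0x4" #58794: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Oct 26 15:29:24: "asa/0x4" #58794: starting keying attempt 11 of an unlimited number
Oct 26 15:29:24: "asa/0x4" #58820: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #58794 {using isakmp#58549 msgid:8e7129f2 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
Oct 26 15:29:24: deleting state #58794 (STATE_QUICK_I1)
Oct 26 15:31:40: "asa/0x4" #58820: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Oct 26 15:31:40: "asa/0x4" #58820: starting keying attempt 12 of an unlimited number
Oct 26 15:31:40: "asa/0x4" #58901: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #58820 {using isakmp#58549 msgid:1a2b3c4d proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
Oct 26 15:31:40: deleting state #58820 (STATE_QUICK_I1)
Oct 26 15:32:05: "office" #17: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0a1b2c3d <0x4e5f6071}
"""

TS = r'(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)'
RETRANS = re.compile(TS + r': "(?P<conn>[^"]+)" #(?P<state>\d+): max number of '
                     r'retransmissions \((?P<limit>\d+)\) reached (?P<st>STATE_\w+)')
ATTEMPT = re.compile(TS + r': "(?P<conn>[^"]+)" #(?P<state>\d+): starting keying attempt (?P<n>\d+) of')
USING = re.compile(r'"(?P<conn>[^"]+)" #\d+: initiating Quick Mode .*\{using isakmp#(?P<isakmp>\d+)')
ESTAB = re.compile(r'"(?P<conn>[^"]+)" #\d+: .*IPsec SA established')


def summarize(log_text):
    """Per-conn counts of retransmission exhaustion, the highest keying attempt seen,
    the ISAKMP SAs the retries hung off, and whether an IPsec SA came up after the
    most recent failure."""
    conns = defaultdict(lambda: {"failures": 0, "states": set(), "last_attempt": 0,
                                 "isakmp": set(), "established_after_failure": False})
    for line in log_text.splitlines():
        m = RETRANS.search(line)
        if m:
            c = conns[m["conn"]]
            c["failures"] += 1
            c["states"].add(m["st"])
            c["established_after_failure"] = False   # a new failure resets the recovery flag
            continue
        m = ATTEMPT.search(line)
        if m:
            c = conns[m["conn"]]
            c["last_attempt"] = max(c["last_attempt"], int(m["n"]))
            continue
        m = USING.search(line)
        if m:
            conns[m["conn"]]["isakmp"].add(m["isakmp"])
            continue
        m = ESTAB.search(line)
        if m:
            conns[m["conn"]]["established_after_failure"] = True
    return dict(conns)


def stuck_conns(log_text, min_failures=2):
    """Conns that hit the retransmission limit at least min_failures times and
    have not established an IPsec SA since the last failure."""
    return sorted(name for name, c in summarize(log_text).items()
                  if c["failures"] >= min_failures and not c["established_after_failure"])


if __name__ == "__main__":
    for name, c in summarize(SAMPLE_LOG).items():
        print(name, c["failures"], "failures, attempt", c["last_attempt"],
              "isakmp", sorted(c["isakmp"]), "recovered" if c["established_after_failure"] else "down")
    print("stuck:", stuck_conns(SAMPLE_LOG))
```

The isakmp set is worth surfacing in the alert: when every retry reports the same `using isakmp#` the Phase 1 SA is being kept while Phase 2 keeps failing, which matches the observation above that only a full libreswan restart (and therefore a fresh ISAKMP SA) clears the condition.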