[Swan] libreswan upgrade on centos 7.9

Frank Liu gfrankliu at gmail.com
Tue Oct 26 16:16:41 UTC 2021


Thanks Paul!
Just noticed the version we are running is 3.15 on Amazon Linux 1. When the
remote side (Cisco ASA) brings down the tunnel and back up again, libreswan
can't recover (see below libreswan config), filling with errors:

Oct 26 15:29:24: "asa/0x4" #58794: max number of retransmissions (8)
reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode
message: perhaps peer likes no proposal
Oct 26 15:29:24: "asa/0x4" #58794: starting keying attempt 11 of an
unlimited number
Oct 26 15:29:24: "asa/0x4" #58820: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to
replace #58794 {using isakmp#58549 msgid:8e7129f2
proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
Oct 26 15:29:24: deleting state #58794 (STATE_QUICK_I1)

Here is the libreswan 3.15 config. Is this a known issue fixed between 3.15
and latest?

conn asa
        type=tunnel
        authby=secret
        left=...
        leftid=...
        leftsubnet=...
        right=...
        rightsubnets=...
        keyexchange=ike
        ikelifetime=86400s
        salifetime=28800s
        pfs=no
        auto=start
        dpddelay=10
        dpdtimeout=40
        dpdaction=restart
        aggrmode=no
        ike=aes256-sha1;modp1024
        phase2alg=aes256-sha1;modp1024

Thanks!
Frank

On Tue, Oct 19, 2021 at 11:56 AM Paul Wouters <paul.wouters at aiven.io> wrote:

> On Tue, 19 Oct 2021, Frank Liu wrote:
>
> > We are using libreswan 3.25 bundled with centos 7.9, having a tunnel
> > with Cisco ASA with DPD
> > enabled. Occasionally, the tunnel stops working, and a manual restart of
> > libreswan will
> > always be able to fix it.
> >
> > We are thinking of upgrading to the latest 4.5 from
> > https://download.libreswan.org/binaries/rhel/7/x86_64/ and see if it is
> > more stable. Is 4.5 a
> > simple drop-in upgrade to 3.25 if we do rpm -U?
>
> It should be, yes.
>
> Note some defaults did change which might require tweaking your config
> files. A quick grep on the CHANGES file between 3.26 and 4.5 show:
>
> * pluto: Change default ikelifetime from 1h to 8h [Paul]
> * pluto: change default IKE SA lifetime from 1h to 8h [Paul]
> * IKEv2: Remove SHA1 from default proposal list [Paul]
> * IKEv2: Prefer RFC 7427 Digital Signatures for default authby=rsasig
> [Sahana]
> * pluto: Add chacha20_poly1305 and curve25519 to default proposals [Paul]
> * IKE: Change default connection from IKEv1 to IKEv2 [Paul]
>
> If you did not set ikev2= before, meaning you were using IKEv1, you need
> to add ikev2=no
>
> Paul
>
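Two small checks that follow from this thread, written here as an added example (this is not libreswan's code and not something Frank or Paul posted): the first parses pluto log lines of the kind pasted above and reports a connection whose Quick Mode keeps exhausting its retransmissions and re-keying; the second parses a conn section from ipsec.conf and flags only the settings that rely on a default Paul's CHANGES list says moved between 3.26 and 4.5 (IKE version, IKE SA lifetime, SHA1 in the IKEv2 proposal list, authby=rsasig). The sample log is the thread's lines re-joined onto single lines, the sample conn omits the elided left=/right= addresses, and the accepted values for ikev2= (no/never versus anything else) are an assumption of this script, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines pasted in the thread, wrapped lines re-joined.
SAMPLE_LOG = """\
Oct 26 15:29:24: "asa/0x4" #58794: max number of retransmissions (8) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Oct 26 15:29:24: "asa/0x4" #58794: starting keying attempt 11 of an unlimited number
Oct 26 15:29:24: "asa/0x4" #58820: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #58794 {using isakmp#58549 msgid:8e7129f2 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
Oct 26 15:29:24: deleting state #58794 (STATE_QUICK_I1)
"""

RETRANS_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): max number of retransmissions '
    r'\((?P<n>\d+)\) reached (?P<phase>STATE_\w+)')
ATTEMPT_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: starting keying attempt (?P<attempt>\d+) of')


def find_stuck_tunnels(log_text, min_attempts=3):
    """Return {conn: stats} for connections that exhausted retransmissions and
    have reached at least min_attempts keying attempts (i.e. a re-key loop)."""
    stats = defaultdict(lambda: {"exhausted": 0, "max_attempt": 0, "phases": set()})
    for line in log_text.splitlines():
        m = RETRANS_RE.search(line)
        if m:
            stats[m["conn"]]["exhausted"] += 1
            stats[m["conn"]]["phases"].add(m["phase"])
        m = ATTEMPT_RE.search(line)
        if m:
            s = stats[m["conn"]]
            s["max_attempt"] = max(s["max_attempt"], int(m["attempt"]))
    return {c: s for c, s in stats.items()
            if s["exhausted"] and s["max_attempt"] >= min_attempts}


# Constructed sample: the thread's conn without the elided addresses, plus an
# IKEv2 conn that already sets ikev2= explicitly.
SAMPLE_CONF = """\
conn asa
        type=tunnel
        authby=secret
        keyexchange=ike
        ikelifetime=86400s
        salifetime=28800s
        pfs=no
        auto=start
        dpdaction=restart
        ike=aes256-sha1;modp1024
        phase2alg=aes256-sha1;modp1024

conn asa-v2
        ikev2=insist
        authby=secret
        ike=aes256-sha2;modp2048
"""


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}}; '#' comments dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def upgrade_warnings(conn):
    """Flag only settings that lean on a default the thread says changed."""
    warnings = []
    if "ikev2" not in conn:
        warnings.append("ikev2= not set: default moves from IKEv1 to IKEv2; "
                        "add ikev2=no to keep IKEv1")
    if "ikelifetime" not in conn:
        warnings.append("ikelifetime= not set: default IKE SA lifetime moves from 1h to 8h")
    # Assumption: after upgrade an unset ikev2= means IKEv2; 'no'/'never' mean IKEv1.
    uses_v2 = conn.get("ikev2", "yes").lower() not in ("no", "never")
    if uses_v2 and "ike" not in conn:
        warnings.append("IKEv2 with no ike= line: SHA1 is no longer in the default proposal list")
    if conn.get("authby", "").lower() == "rsasig":
        warnings.append("authby=rsasig: RFC 7427 digital signatures are now preferred by default")
    return warnings


if __name__ == "__main__":
    for name, s in find_stuck_tunnels(SAMPLE_LOG).items():
        print(f"{name}: {s['exhausted']} retransmission exhaustion(s), "
              f"keying attempt {s['max_attempt']}, phases {sorted(s['phases'])}")
    for name, conn in parse_ipsec_conf(SAMPLE_CONF).items():
        for w in upgrade_warnings(conn):
            print(f"conn {name}: {w}")
```

Run against the real /var/log/secure (or wherever pluto logs) and the live ipsec.conf rather than the samples; the log check is what an alert rule for "tunnel down, libreswan cannot recover" looks like, and the conf check is the pre-upgrade review Paul's list implies before running rpm -U.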