[Swan] libreswan upgrade on centos 7.9
Paul Wouters
paul.wouters at aiven.io
Tue Oct 26 16:50:57 UTC 2021
Many issues were fixed; 3.15 is 6 years old. Please try to at least upgrade
to 3.32.
Paul
On Tue, Oct 26, 2021 at 12:16 PM Frank Liu <gfrankliu at gmail.com> wrote:
> Thanks Paul!
> Just noticed the version we are running is 3.15 on Amazon Linux 1. When the
> remote side (Cisco ASA) brings down the tunnel and back up again, libreswan
> can't recover (see below libreswan config), filling the log with errors:
>
> Oct 26 15:29:24: "asa/0x4" #58794: max number of retransmissions (8)
> reached STATE_QUICK_I1. No acceptable response to our first Quick Mode
> message: perhaps peer likes no proposal
> Oct 26 15:29:24: "asa/0x4" #58794: starting keying attempt 11 of an
> unlimited number
> Oct 26 15:29:24: "asa/0x4" #58820: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to
> replace #58794 {using isakmp#58549 msgid:8e7129f2
> proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
> Oct 26 15:29:24: deleting state #58794 (STATE_QUICK_I1)
>
> Here is the libreswan 3.15 config. Is this a known issue fixed between
> 3.15 and latest?
>
> conn asa
>     type=tunnel
>     authby=secret
>     left=...
>     leftid=...
>     leftsubnet=...
>     right=...
>     rightsubnets=...
>     keyexchange=ike
>     ikelifetime=86400s
>     salifetime=28800s
>     pfs=no
>     auto=start
>     dpddelay=10
>     dpdtimeout=40
>     dpdaction=restart
>     aggrmode=no
>     ike=aes256-sha1;modp1024
>     phase2alg=aes256-sha1;modp1024
>
> Thanks!
> Frank
>
> On Tue, Oct 19, 2021 at 11:56 AM Paul Wouters <paul.wouters at aiven.io>
> wrote:
>
>> On Tue, 19 Oct 2021, Frank Liu wrote:
>>
>> > We are using libreswan 3.25 bundled with centos 7.9, having a tunnel
>> > with Cisco ASA with DPD enabled. Occasionally, the tunnel stops working,
>> > and a manual restart of libreswan will always be able to fix it.
>> >
>> > We are thinking of upgrading to the latest 4.5 from
>> > https://download.libreswan.org/binaries/rhel/7/x86_64/ and see if it
>> > is more stable. Is 4.5 a simple drop-in upgrade to 3.25 if we do rpm -U?
>>
>> It should be, yes.
>>
>> Note some defaults did change which might require tweaking your config
>> files. A quick grep on the CHANGES file between 3.26 and 4.5 show:
>>
>> * pluto: Change default ikelifetime from 1h to 8h [Paul]
>> * pluto: change default IKE SA lifetime from 1h to 8h [Paul]
>> * IKEv2: Remove SHA1 from default proposal list [Paul]
>> * IKEv2: Prefer RFC 7427 Digital Signatures for default authby=rsasig
>> [Sahana]
>> * pluto: Add chacha20_poly1305 and curve25519 to default proposals [Paul]
>> * IKE: Change default connection from IKEv1 to IKEv2 [Paul]
>>
>> If you did not set ikev2= before, meaning you were using IKEv1, you need
>> to add ikev2=no
>>
>> Paul
>>
>
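The pre-upgrade check that Paul's list of changed defaults implies, as an added example that is not part of this thread or of libreswan itself: a POSIX shell script that scans an ipsec.conf for conn sections that set no ikev2= line and do not inherit one from conn %default. Those connections ran IKEv1 under libreswan 3.x and will negotiate IKEv2 after rpm -U to 4.x, which a Cisco ASA configured for IKEv1 will refuse. The sample configuration the script writes is constructed for the example: conn asa mirrors the IKEv1 settings Frank posted (without the elided addresses), and conn asa-fixed is the same conn with the explicit ikev2=no. The script does not follow include lines, so run it against each included file as well.

```shell
#!/bin/sh
# Added example, not code from the libreswan project or from the thread.
# Lists conn sections in an ipsec.conf that neither set ikev2= themselves
# nor inherit it from "conn %default". Under libreswan 3.x such conns
# defaulted to IKEv1; under 4.x they default to IKEv2.

# Usage: conns_without_ikev2 /etc/ipsec.conf
# Prints one conn name per line, sorted; prints nothing if all are covered.
conns_without_ikev2() {
    awk '
        # A "conn NAME" line in column 0 opens a conn section.
        /^conn[ \t]/ { name = $2; seen[name] = 1; next }
        # Any other column-0 line (config setup, include) ends the conn.
        /^[^ \t#]/ { name = ""; next }
        # Indented ikev2= inside a conn marks that conn as explicit.
        name != "" && /^[ \t]*ikev2[ \t]*=/ { has[name] = 1 }
        END {
            # An ikev2= in conn %default is inherited by every conn.
            if ("%default" in has) exit 0
            for (n in seen)
                if (n != "%default" && !(n in has)) print n
        }
    ' "$1" | sort
}

# Constructed sample config (assumed file name passed by the caller):
# "asa" relies on the old IKEv1 default, "asa-fixed" states it explicitly.
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
    logfile=/var/log/pluto.log

conn asa
    type=tunnel
    authby=secret
    keyexchange=ike
    ikelifetime=86400s
    salifetime=28800s
    pfs=no
    auto=start
    dpddelay=10
    dpdtimeout=40
    dpdaction=restart
    aggrmode=no
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1;modp1024

conn asa-fixed
    ikev2=no
    type=tunnel
    authby=secret
    keyexchange=ike
    ikelifetime=86400s
    salifetime=28800s
    pfs=no
    auto=start
    dpddelay=10
    dpdtimeout=40
    dpdaction=restart
    aggrmode=no
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1;modp1024
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample_conf "$sample"
echo "conns that will switch to IKEv2 after upgrading to 4.x:"
conns_without_ikev2 "$sample"
rm -f "$sample"
```

Run it against /etc/ipsec.conf and every file it includes before the rpm -U, and add ikev2=no to each conn it names (or once in conn %default if every peer is IKEv1). Frank's config already sets ikelifetime= and salifetime= explicitly, so the lifetime default change in Paul's list does not touch it; the SHA1 and proposal default changes are also irrelevant there because ike= and phase2alg= are spelled out. After the upgrade, `ipsec addconn --checkconfig` parses the configuration with the new pluto, and `ipsec status` shows which IKE version each connection actually negotiated.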