[Swan] Lost IKEv1 connectivity after libreswan upgrade

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Wed Nov 24 16:23:46 EET 2021


P.S.

It seems that IPSEC is established, and a transport connection:

Nov 24 15:16:18.322599: | pstats #14 ikev1.ipsec established
Nov 24 15:16:18.322609: | NAT-T: encaps is 'auto'
Nov 24 15:16:18.322617: "L2TP-PSK-noNAT"[7] 193.198.186.218 #14: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xbd9d07f4 <0x935a0ca5 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD

but then, after receiving the first encrypted packet, pluto spuriously 
decides to delete, "down" the connection and "unroute" it:

Nov 24 15:16:53.359857: | State DB: found IKEv1 state #13 in MAIN_R3 (find_v1_info_state)
Nov 24 15:16:53.359876: | start processing: state #13 connection "L2TP-PSK-noNAT"[7] 193.198.186.218 from 193.198.186.218:500 (in process_v1_packet() at ikev1.c:1347)
Nov 24 15:16:53.359946: | #13 is idle
Nov 24 15:16:53.359963: | #13 idle
Nov 24 15:16:53.359977: | received encrypted packet from 193.198.186.218:500
Nov 24 15:16:53.360029: | got payload 0x100  (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
Nov 24 15:16:53.360046: | ***parse ISAKMP Hash Payload:
Nov 24 15:16:53.360056: |    next payload type: ISAKMP_NEXT_D (0xc)
Nov 24 15:16:53.360067: |    length: 24 (00 18)
Nov 24 15:16:53.360080: | got payload 0x1000  (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0
Nov 24 15:16:53.360090: | ***parse ISAKMP Delete Payload:
Nov 24 15:16:53.360103: |    next payload type: ISAKMP_NEXT_NONE (0x0)
Nov 24 15:16:53.360113: |    length: 16 (00 10)
Nov 24 15:16:53.360122: |    DOI: ISAKMP_DOI_IPSEC (0x1)
Nov 24 15:16:53.360133: |    protocol ID: 3 (03)
Nov 24 15:16:53.360145: |    SPI size: 4 (04)
Nov 24 15:16:53.360156: |    number of SPIs: 1 (00 01)
Nov 24 15:16:53.360168: | removing 8 bytes of padding
Nov 24 15:16:53.360246: | informational HASH(1):
Nov 24 15:16:53.360263: |   2d d3 57 39  ab 57 ef 6d  30 6a 00 36  cc 47 23 57
Nov 24 15:16:53.360274: |   88 1e 35 78
Nov 24 15:16:53.360284: | received 'informational' message HASH(1) data ok
Nov 24 15:16:53.360295: | parsing 4 raw bytes of ISAKMP Delete Payload into SPI
Nov 24 15:16:53.360303: | SPI
Nov 24 15:16:53.360330: |   bd 9d 07 f4
Nov 24 15:16:53.360339: | FOR_EACH_STATE_... in find_phase2_state_to_delete
Nov 24 15:16:53.360358: | start processing: connection "L2TP-PSK-noNAT"[7] 193.198.186.218 (BACKGROUND) (in accept_delete() at ikev1_main.c:2488)
Nov 24 15:16:53.360377: "L2TP-PSK-noNAT"[7] 193.198.186.218 #13: received Delete SA(0xbd9d07f4) payload: deleting IPsec State #14
Nov 24 15:16:53.360393: | pstats #14 ikev1.ipsec deleted completed

I seem to be stuck here; I don't know how to debug the connection.

Please help.

Kind regards,

Mirsad Todorovac

On 11/24/2021 2:42 PM, Mirsad Goran Todorovac wrote:
>
> Dear Mr. Wouters,
>
> I have upgraded libreswan to enable bug fixes from an earlier email 
> I've sent.
> Now I've lost even the basic IKEv1 L2TP over IPSEC PSK connectivity. 
> This is very embarrassing as I've
> spent four days and I have nothing to show to superiors.
>
> Please help if you can.
>
> It seems that PSK is accepted and verified, IPSEC session established 
> and transport connection brought up,
> but I can't seem to realize from the pluto session log what went wrong.
>
> Here is my "/etc/ipsec.d/l2tp-psk.conf":
>
> # conn L2TP-PSK-NAT
> #         rightsubnet=vhost:%priv
> #         also=L2TP-PSK-common
>
> conn L2TP-PSK-noNAT
>         rightsubnet=vhost:%no
>         also=L2TP-PSK-common
>
> conn L2TP-PSK-common
>         # Use a Preshared Key. Disable Perfect Forward Secrecy.
>         authby=secret
>         pfs=no
>         auto=add
>         keyingtries=3
>         # we cannot rekey for %any, let client rekey
>         rekey=no
>         # Apple iOS doesn't send delete notify so we need dead peer 
> detection
>         # to detect vanishing clients
>         dpddelay=10
>         dpdtimeout=30
>         dpdaction=clear
>         # Set ikelifetime and keylife to same defaults windows has
>         ikelifetime=8h
>         keylife=1h
>         ikev2=never
>         # l2tp-over-ipsec is transport mode
>         type=transport
>         #
>         # left will be filled in automatically with the local address 
> of the default-route interface (as determined at IPsec startup time).
>         left=%defaultroute
>         #
>         # For updated Windows 2000/XP clients,
>         # to support old clients as well, use leftprotoport=17/%any
>         leftprotoport=17/1701
>         #
>         # The remote user.
>         #
>         right=%any
>         # Using the magic port of "%any" means "any one single port". 
> This is
>         # a work around required for Apple OSX clients that use a randomly
>         # high port.
>         rightprotoport=17/%any
>
> The error reported is:
>
> The pluto session log is: 
> https://domac.alu.hr/mtodorov/l2tp-ipsec-psk-noNAT3-20211124.log
>
> Once again, thank you for the previous advice and the VPN connection 
> started working.
> Then I tried to enable IKEv2 with certificates, and upgraded to 
> libreswan-4.5 to get the bug fix.
> Now I am trying the latest 3.x version, 3.32, but no luck.
>
> Thank you very much for all help.
> I am reading the ipsec.conf.5 manual, but it will take some time 
> before my learning curve adapts. :-(
>
> Kind regards,
> Mirsad Todorovac
>
> -- 
> Mirsad Goran Todorovac
> CARNet sistem inženjer
> Grafički fakultet | Akademija likovnih umjetnosti
> Sveučilište u Zagrebu
> --
> CARNet system engineer
> Faculty of Graphic Arts | Academy of Fine Arts
> University of Zagreb, Republic of Croatia
> tel. +385 (0)1 3711 451
> mob. +385 91 57 88 355
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

-- 
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
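The Delete exchange in the log above, as an added example that is not part of the original post or of libreswan's own code: a parser for the ISAKMP Delete payload fields pluto prints (DOI, protocol ID, SPI size, SPI count, SPIs, per the RFC 2408 section 3.15 layout) with the length consistency check, and a correlation of the "IPsec SA established" and "received Delete SA" lines that reports which SPI of which IPsec state the peer's Delete named and how long the SA lived. The byte string and the single-line log sample are constructed here from the values in the log; the function names are the example's own, and the reading of `ESP=>` as the outbound SPI and `<` as the inbound one follows libreswan's log format.

```python
"""Parse an IKEv1 (ISAKMP) Delete payload and correlate it with pluto's
'IPsec SA established' line, mirroring what find_phase2_state_to_delete does."""
import re
import struct
from datetime import datetime

# Constructed bytes for the Delete payload the log above parses (RFC 2408 s3.15
# layout): generic header = next payload 0 (NONE), reserved 0, length 16; body =
# DOI 1 (IPsec), protocol ID 3 (ESP), SPI size 4, number of SPIs 1, SPI bd9d07f4.
SAMPLE_DELETE = bytes.fromhex("00000010" "00000001" "03" "04" "0001" "bd9d07f4")

# Constructed single-line versions of the two log lines from the post (the
# original is wrapped by the mail client); used as input for correlate().
SAMPLE_LOG = [
    'Nov 24 15:16:18.322617: "L2TP-PSK-noNAT"[7] 193.198.186.218 #14: STATE_QUICK_R2: '
    'IPsec SA established transport mode {ESP=>0xbd9d07f4 <0x935a0ca5 '
    'xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none}',
    'Nov 24 15:16:53.359977: | received encrypted packet from 193.198.186.218:500',
    'Nov 24 15:16:53.360377: "L2TP-PSK-noNAT"[7] 193.198.186.218 #13: received Delete '
    'SA(0xbd9d07f4) payload: deleting IPsec State #14',
]

PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}  # IPsec DOI protocol IDs


def parse_delete_payload(buf):
    """Return the fields of one ISAKMP Delete payload, or raise ValueError."""
    if len(buf) < 12:
        raise ValueError("Delete payload shorter than its fixed 12-byte part")
    next_payload, _reserved, length = struct.unpack("!BBH", buf[:4])
    doi, proto, spi_size, num_spis = struct.unpack("!IBBH", buf[4:12])
    # The declared length must hold exactly num_spis SPIs of spi_size bytes
    # and must not exceed what we actually received.
    if length != 12 + spi_size * num_spis or length > len(buf):
        raise ValueError("Delete length %d inconsistent with %d SPIs of %d bytes"
                         % (length, num_spis, spi_size))
    spis = [buf[12 + i * spi_size:12 + (i + 1) * spi_size].hex()
            for i in range(num_spis)]
    return {"next_payload": next_payload, "doi": doi, "protocol_id": proto,
            "protocol": PROTO_NAMES.get(proto, "unknown"),
            "spi_size": spi_size, "spis": spis}


TS = "%b %d %H:%M:%S.%f"  # pluto's timestamp prefix carries no year
ESTABLISHED = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:.]+): "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): '
    r'STATE_\w+: IPsec SA established \w+ mode \{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<in>[0-9a-f]+)')
DELETE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:.]+): "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: '
    r'received Delete SA\(0x(?P<spi>[0-9a-f]+)\) payload: deleting IPsec State #(?P<state>\d+)')


def correlate(lines):
    """Match each 'received Delete SA' line against the SA it tears down."""
    sas = {}     # IPsec state number -> {peer, out, in, ts}
    events = []
    for line in lines:
        m = ESTABLISHED.match(line)
        if m:
            sas[int(m["state"])] = {"peer": m["peer"], "out": m["out"], "in": m["in"],
                                    "ts": datetime.strptime(m["ts"], TS)}
            continue
        m = DELETE.match(line)
        if not m:
            continue
        state, spi = int(m["state"]), m["spi"]
        sa = sas.get(state)
        if sa is None:
            direction, alive = "unknown", None  # Delete for an SA we never saw come up
        else:
            # A Delete carries the sender's own SPI, i.e. the peer's inbound SA, which
            # pluto prints as our outbound SPI ("ESP=>0x...").
            direction = ("outbound" if spi == sa["out"] else
                         "inbound" if spi == sa["in"] else "mismatch")
            alive = (datetime.strptime(m["ts"], TS) - sa["ts"]).total_seconds()
        events.append({"state": state, "spi": spi, "peer": m["peer"],
                       "direction": direction, "seconds_alive": alive})
    return events


if __name__ == "__main__":
    print(parse_delete_payload(SAMPLE_DELETE))
    for ev in correlate(SAMPLE_LOG):
        print(ev)
```

Run against the full pluto log (one log line per list element), `correlate()` tells you for every torn-down IPsec state whether the Delete came from the peer for an SPI pluto had just negotiated and how many seconds after establishment it arrived; a Delete whose `direction` is `mismatch` or `unknown` would point at a stale or unrelated SPI rather than the SA just set up.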