[Swan] Question: IKEv2 with RSAsig: Invalid payload received

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Wed Nov 24 23:12:56 EET 2021


Dear Sir,

I have proceeded to configure IKEv2 auth according to your advice, as even the libreswan.org website wiki says that L2TP is legacy and to be avoided for new connections. It became clear that I will have to manually set up each user's laptop or mobile device, as I can neither memorize nor publish the 32 key PSK I use (as is recommended for security).

However, my IKEv2 conn with RSA reports an error. I have had problems with wrong policy and (since modp1024 is no longer allowed in libreswan v3.32) enabled the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256 registry key in Windows 10 according to the instructions here: https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#A-Authentication-using-X509-Machine-Certificates

The error I receive now is:

The IKEv2 conn setup is here:

conn MYCONN-ikev2-cp
        # The server's actual IP goes here - not elastic IPs
        left=161.53.235.3
        leftcert=vpn.alu.hr
        leftid=@vpn.alu.hr
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        leftrsasigkey=%cert
        # Clients
        right=%any
        # your addresspool to use - you might need NAT rules if providing full internet to clients
        rightaddresspool=192.168.100.10-192.168.100.253
        # optional rightid with restrictions
        rightid="C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"
        rightca=%same
        rightrsasigkey=%cert
        #
        # connection configuration
        # DNS servers for clients to use
        modecfgdns=8.8.8.8,192.168.100.1
        # Versions up to 3.22 used modecfgdns1 and modecfgdns2
        #modecfgdns1=8.8.8.8
        #modecfgdns2=193.110.157.123
        narrowing=yes
        # recommended dpd/liveness to cleanup vanished clients
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        # ikev2 fragmentation support requires libreswan 3.14 or newer
        fragmentation=yes
        # optional PAM username verification (eg to implement bandwidth quota)
        # pam-authorize=yes

The session log is: https://domac.alu.hr/mtodorov/ikev2-v3.32-20211124-07.log

The most notable error is:

Nov 24 22:05:52.272134: | [RE]START processing: state #1 connection "MYCONN-ikev2-cp"[1] 188.252.255.83 from 188.252.255.83:500 (in complete_v2_state_transition() at ikev2.c:3235)
Nov 24 22:05:52.272145: | #1 complete_v2_state_transition() PARENT_R1 -> PARENT_R1 with status STF_FATAL
Nov 24 22:05:52.272158: "MYCONN-ikev2-cp"[1] 188.252.255.83 #1: encountered fatal error in state STATE_PARENT_R1
Nov 24 22:05:52.272167: | Message ID: exchange zombie as no response?
Nov 24 22:05:52.272177: | release_pending_whacks: state #1 has no whack fd
Nov 24 22:05:52.272186: | pstats #1 ikev2.ike deleted other
Nov 24 22:05:52.272198: | #1 spent 13.2 milliseconds in total
Nov 24 22:05:52.272213: | [RE]START processing: state #1 connection "MYCONN-ikev2-cp"[1] 188.252.255.83 from 188.252.255.83:500 (in delete_state() at state.c:944)
Nov 24 22:05:52.272227: "MYCONN-ikev2-cp"[1] 188.252.255.83 #1: deleting state (STATE_PARENT_R1) aged 0.031s and NOT sending notification
Nov 24 22:05:52.272237: | parent state #1: PARENT_R1(half-open IKE SA) => delete

At this point Googling didn't help and I am stuck.

Do you have an idea of what I should try next, please?

Kind regards,
Mirsad Todorovac

-------------- next part --------------
A non-text attachment was scrubbed...
Name: AfLbfQpUTIE5NWYr.png
Type: image/png
Size: 5165 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20211124/c3794063/attachment.png>
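When triaging a pluto debug log like the one quoted in this post, the useful facts are scattered over many lines: which IKE SA number belongs to which connection and peer, which state transition ended in STF_FATAL, and how long the half-open SA lived before it was deleted. The following script pulls those out per SA. It is an added example, not code from the original post or from libreswan; it assumes only the default pluto log line shape visible above (a "Mon DD HH:MM:SS.usec: " timestamp, an optional "| " debug marker, then the message), and the function and regex names are hypothetical. The sample input is the post's own excerpt, rejoined onto single lines.

```python
"""Summarise libreswan (pluto) debug-log excerpts per IKE SA.

Added example, not from the original post or from libreswan. It assumes
the default pluto timestamp format shown in the post ("Mon DD HH:MM:SS.usec: ")
and the "| " debug-line marker. All helper names here are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample: the pluto lines quoted in the post, each rejoined onto one line.
SAMPLE_LOG = """\
Nov 24 22:05:52.272134: | [RE]START processing: state #1 connection "MYCONN-ikev2-cp"[1] 188.252.255.83 from 188.252.255.83:500 (in complete_v2_state_transition() at ikev2.c:3235)
Nov 24 22:05:52.272145: | #1 complete_v2_state_transition() PARENT_R1 -> PARENT_R1 with status STF_FATAL
Nov 24 22:05:52.272158: "MYCONN-ikev2-cp"[1] 188.252.255.83 #1: encountered fatal error in state STATE_PARENT_R1
Nov 24 22:05:52.272167: | Message ID: exchange zombie as no response?
Nov 24 22:05:52.272177: | release_pending_whacks: state #1 has no whack fd
Nov 24 22:05:52.272186: | pstats #1 ikev2.ike deleted other
Nov 24 22:05:52.272198: | #1 spent 13.2 milliseconds in total
Nov 24 22:05:52.272213: | [RE]START processing: state #1 connection "MYCONN-ikev2-cp"[1] 188.252.255.83 from 188.252.255.83:500 (in delete_state() at state.c:944)
Nov 24 22:05:52.272227: "MYCONN-ikev2-cp"[1] 188.252.255.83 #1: deleting state (STATE_PARENT_R1) aged 0.031s and NOT sending notification
Nov 24 22:05:52.272237: | parent state #1: PARENT_R1(half-open IKE SA) => delete
"""

# One log record: timestamp, optional "| " debug marker, then the message body.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): (?P<dbg>\| )?(?P<body>.*)$")

# State-machine transition reported by complete_v2_state_transition().
TRANSITION_RE = re.compile(
    r"#(?P<sa>\d+) complete_v2_state_transition\(\) (?P<src>\S+) -> (?P<dst>\S+) "
    r"with status (?P<status>STF_[A-Z_]+)")

# Final deletion line, including how long the SA lived.
DELETE_RE = re.compile(
    r"#(?P<sa>\d+): deleting state \((?P<name>\S+)\) aged (?P<age>[0-9.]+)s")

# Connection name and peer address from the "[RE]START processing" lines.
CONTEXT_RE = re.compile(
    r'state #(?P<sa>\d+) connection "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) from (?P<from>\S+)')


def parse_pluto_log(text):
    """Return {sa_number: summary} for every IKE SA mentioned in the excerpt."""
    sas = defaultdict(lambda: {"conn": None, "peer": None, "transitions": [], "deleted": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a pluto record (e.g. a wrapped continuation); skip it
        body = m.group("body")
        if (c := CONTEXT_RE.search(body)):
            sa = sas[int(c.group("sa"))]
            sa["conn"], sa["peer"] = c.group("conn"), c.group("peer")
        if (t := TRANSITION_RE.search(body)):
            sas[int(t.group("sa"))]["transitions"].append(
                (t.group("src"), t.group("dst"), t.group("status")))
        if (d := DELETE_RE.search(body)):
            sas[int(d.group("sa"))]["deleted"] = (d.group("name"), float(d.group("age")))
    return dict(sas)


def fatal_sas(text):
    """(sa, conn, peer, src_state, dst_state) for every transition that ended in STF_FATAL."""
    out = []
    for num, sa in sorted(parse_pluto_log(text).items()):
        for src, dst, status in sa["transitions"]:
            if status == "STF_FATAL":
                out.append((num, sa["conn"], sa["peer"], src, dst))
    return out


if __name__ == "__main__":
    for num, conn, peer, src, dst in fatal_sas(SAMPLE_LOG):
        print(f"IKE SA #{num} ({conn}, peer {peer}): {src} -> {dst} ended with STF_FATAL")
    for num, sa in parse_pluto_log(SAMPLE_LOG).items():
        if sa["deleted"]:
            name, age = sa["deleted"]
            print(f"  #{num} deleted while in {name} after {age}s")
```

Run against the excerpt above it reports that SA #1 of "MYCONN-ikev2-cp" with peer 188.252.255.83 failed in PARENT_R1 (the responder never left the half-open state, so the IKE_SA_INIT or first IKE_AUTH exchange was rejected) and was deleted 0.031 s after creation. On a full log such as the one linked in the post, the same summary over many SAs shows whether every client attempt dies at the same state, which is the first thing to establish before looking at certificate or policy settings.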

