[Swan] USE_DH2 Re: Libreswan 4.6: connection IKEv2 win10 to Linux freezes soon after Android device connects

Paul Wouters paul at nohats.ca
Fri Jan 14 22:59:03 EET 2022


On Fri, 14 Jan 2022, Mirsad Goran Todorovac wrote:

>>  whether you compile USE_DH2 in or not should not make a difference,
>>  unless you are changing the ike= or esp=/phase2alg= line to include
>>  modp1024 (which you shouldn't).
>
> Experiment proves otherwise. I have made two parallel compiles, USE_DH2=true 
> and USE_DH2=false. Then `make install; ipsec restart` from each directory, 
> each time attempting to connect L2TP with PSK from Android 11 native client. 
> The result is interesting: USE_DH2=false version could not connect, and the 
> other one could.
>
> Proof of the concept is in the logs (as the proverb sayeth "if the goat is 
> lying, the horn isn't" :)
>
> [1] https://domac.alu.hr/mtodorov/l2tp-20220114-dh2=true-01.log (connected)

Jan 14 21:26:14.344385: |    af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
Jan 14 21:26:14.344392: |    length/value: 2 (00 02)
Jan 14 21:26:14.344401: |    [2 is OAKLEY_GROUP_MODP1024]
Jan 14 21:26:14.344409: | OAKLEY proposal verified unconditionally; no alg_info to check against
Jan 14 21:26:14.344417: | Oakley Transform 1 accepted

You accepted modp1024/dh2, but:

v3.19 (January 15, 2017)
[...]
* pluto: drop modp1024 (DH2) from IKEv1 "ike=" default list [Andrew]

So you must have had an ike= line in your config. If you do, then indeed
it would work, but the unmodified config would also fail to load the
connection if it tried to add dh2 to its valid options.

> [2] https://domac.alu.hr/mtodorov/l2tp-20220114-nodh2-01.log (unsuccessful)

Jan 14 21:22:05.126170: | ******parse ISAKMP Oakley attribute:
Jan 14 21:22:05.126178: |    af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
Jan 14 21:22:05.126201: |    length/value: 2 (00 02)
Jan 14 21:22:05.126211: |    [2 is OAKLEY_GROUP_MODP1024]
Jan 14 21:22:05.126225: "L2TP-PSK-NAT"[1] 94.253.210.164 #2: OAKLEY_GROUP 2 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION

Your connection, however, loaded, so it must NOT have specified dh2 in
ike= or it would have failed to load, and with no L2TP-PSK-NAT
connection loaded you would get a different error (NO_PROPOSAL_CHOSEN).

Paul
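As an added example (not code from this thread or from Libreswan), a small Python audit that walks pluto debug lines like the two excerpts above and reports which Oakley DH group each IKEv1 transform parse ended in, so an accepted modp1024 (group 2) exchange can be flagged for review. The sample log text is constructed from the excerpts quoted in this message; the weak-group table is an assumption of the audit's own policy, not something Libreswan defines.

```python
"""Flag weak IKEv1 DH groups in Libreswan pluto debug output (added example)."""
import re

# Groups below a 2048-bit modulus (RFC 2409 groups 1/2/5); assumption: this
# table is the audit's policy, not something Libreswan itself defines.
WEAK_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536"}

GROUP_RE = re.compile(r"\[(\d+) is (OAKLEY_GROUP_\w+)\]")   # attribute parse line
ACCEPT_RE = re.compile(r"Oakley Transform \d+ accepted")
REJECT_RE = re.compile(r"OAKLEY_GROUP (\d+) not supported")

def audit_dh_groups(lines):
    """Return [(group_number, 'accepted'|'rejected'), ...] in log order.
    The group seen on the '[N is OAKLEY_GROUP_...]' line is resolved by
    the next 'accepted' or 'not supported' line that follows it."""
    results, pending = [], None
    for line in lines:
        m = GROUP_RE.search(line)
        if m:
            pending = int(m.group(1))
            continue
        m = REJECT_RE.search(line)
        if m:
            results.append((int(m.group(1)), "rejected"))
            pending = None
        elif ACCEPT_RE.search(line) and pending is not None:
            results.append((pending, "accepted"))
            pending = None
    return results

def weak_groups_accepted(lines):
    """Names of weak groups the responder actually accepted, e.g. ['modp1024']."""
    return [WEAK_GROUPS[g] for g, outcome in audit_dh_groups(lines)
            if outcome == "accepted" and g in WEAK_GROUPS]

# Constructed samples: the two excerpts quoted in this message, one per build.
CONNECTED_LOG = """\
Jan 14 21:26:14.344385: |    af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
Jan 14 21:26:14.344392: |    length/value: 2 (00 02)
Jan 14 21:26:14.344401: |    [2 is OAKLEY_GROUP_MODP1024]
Jan 14 21:26:14.344409: | OAKLEY proposal verified unconditionally; no alg_info to check against
Jan 14 21:26:14.344417: | Oakley Transform 1 accepted
"""
NODH2_LOG = """\
Jan 14 21:22:05.126170: | ******parse ISAKMP Oakley attribute:
Jan 14 21:22:05.126178: |    af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
Jan 14 21:22:05.126201: |    length/value: 2 (00 02)
Jan 14 21:22:05.126211: |    [2 is OAKLEY_GROUP_MODP1024]
Jan 14 21:22:05.126225: "L2TP-PSK-NAT"[1] 94.253.210.164 #2: OAKLEY_GROUP 2 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
"""
```

Run `audit_dh_groups(CONNECTED_LOG.splitlines())` to see the group-2 acceptance the dh2=true build produced, and the same call on `NODH2_LOG` to see the rejection.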
