[Swan] multinet with ikev2 not working

Peter Viskup peter.viskup at gmail.com
Mon Aug 22 18:54:34 EEST 2022


Just trying to configure a multinet IPsec VPN tunnel, but with no success.

The configuration with either of these subnets is working fine, but when
trying to bring up both sharing the IPSec SA, it does not work and I get
messages like these for the second connection:

[root at prd01a ipsec.d]# ipsec auto --up sp1
002 "sp1" #94: local ESP/AH proposals for sp1 (ESP/AH initiator emitting
proposals):
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED
139 "sp1" #94: STATE_V2_CREATE_I: sent IPsec Child req wait response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing
INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads:
N; missing payloads: SA,Ni,TSi,TSr
010 "sp1" #94: STATE_V2_CREATE_I: retransmission; will wait 0.5 seconds for
response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing
INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads:
N; missing payloads: SA,Ni,TSi,TSr
010 "sp1" #94: STATE_V2_CREATE_I: retransmission; will wait 1 seconds for
response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing
INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads:
N; missing payloads: SA,Ni,TSi,TSr

Configuration is similar to this (rightsubnets):
conn sp1
        hostaddrfamily=ipv4
        clientaddrfamily=ipv4
        right=1.2.3.4
        rightsubnet=10.10.10.0/24
        #rightsubnets={10.10.10.0/24 10.20.20.0/24}
        left=100.64.7.8
        leftsubnet=100.64.7.0/24
        #ikev2
        leftauth=secret
        rightauth=secret
        ikev2=insist
        ike=aes256-sha256;dh20
        esp=aes256-sha256;dh20
        remote_peer_type=cisco
        salifetime=24h
        ikelifetime=24h
        dpdaction=restart
        dpdtimeout=60
        dpddelay=30
        auto=add

Is there anything I am missing, or is it just not supported?
The server is running quite old SW on CentOS7; on the other side there is a Cisco
ASA5555.
$ ipsec version
Linux Libreswan 3.25 (netkey) on 3.10.0-1160.el7.x86_64

The multinet test configurations have "ikev2=no"
(libreswan/east.conf at main · libreswan/libreswan · GitHub
<https://github.com/libreswan/libreswan/blob/main/testing/pluto/multinet-04/east.conf#L14>),
not sure why.

Thank you for your hints.

Peter
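As an added triage example (my code, not from the post or from Libreswan), the following parses pluto output in the `NNN "conn" #state: message` form shown above and flags a child-SA state that keeps retransmitting a CREATE_CHILD_SA while the peer keeps answering with the same notification, which is the pattern in the quoted log. The sample is the post's own output with the mail client's line wrapping undone; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the pluto lines quoted in the post, re-joined so that
# each message is on a single line.
SAMPLE_LOG = """\
002 "sp1" #94: local ESP/AH proposals for sp1 (ESP/AH initiator emitting proposals):
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED
139 "sp1" #94: STATE_V2_CREATE_I: sent IPsec Child req wait response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
010 "sp1" #94: STATE_V2_CREATE_I: retransmission; will wait 0.5 seconds for response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
010 "sp1" #94: STATE_V2_CREATE_I: retransmission; will wait 1 seconds for response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
"""

LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
NOTIFY_RE = re.compile(r'dropping unexpected (?P<exchange>\w+) message containing (?P<notify>[A-Z_]+) notification')
RETRANS_RE = re.compile(r'retransmission; will wait (?P<secs>[\d.]+) seconds')


def parse_pluto_lines(text):
    """Yield one dict per 'NNN "conn" #state: message' line.
    Continuation lines (such as the proposal listing) do not match and are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def summarize_child_sa_failures(text, min_notifies=2):
    """Group records by (conn, state) and report every state where the peer
    answered the same exchange with the same notification at least
    min_notifies times, together with how often our side retransmitted."""
    per_state = defaultdict(lambda: {"notifies": defaultdict(int), "retransmits": 0})
    for rec in parse_pluto_lines(text):
        key = (rec["conn"], int(rec["state"]))
        n = NOTIFY_RE.search(rec["msg"])
        if n:
            per_state[key]["notifies"][(n["exchange"], n["notify"])] += 1
        if RETRANS_RE.search(rec["msg"]):
            per_state[key]["retransmits"] += 1
    findings = []
    for (conn, state), info in sorted(per_state.items()):
        for (exchange, notify), count in info["notifies"].items():
            if count >= min_notifies:
                findings.append({"conn": conn, "state": state, "exchange": exchange,
                                 "notify": notify, "count": count,
                                 "retransmits": info["retransmits"]})
    return findings
```

Run over the sample it reports one finding: connection sp1, state #94, three INVALID_KE_PAYLOAD replies to CREATE_CHILD_SA with two retransmissions in between, which is the loop to look at rather than the individual dropped messages.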