[Swan] multinet with ikev2 not working

Paul Wouters paul at nohats.ca
Mon Aug 22 19:20:05 EEST 2022

On Mon, 22 Aug 2022, Peter Viskup wrote:

> [root at prd01a ipsec.d]# ipsec auto --up sp1
> 002 "sp1" #94: local ESP/AH proposals for sp1 (ESP/AH initiator emitting proposals):
> 139 "sp1" #94: STATE_V2_CREATE_I: sent IPsec Child req wait response
> 003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr

Looks like your other end does not like your PFS or DH group size?

> Configuration is similar to this (rightsubnets):
> conn sp1
>         hostaddrfamily=ipv4
>         clientaddrfamily=ipv4
>         right=
>         rightsubnet=
>         #rightsubnets={}
>         left=
>         leftsubnet=
>         #ikev2
>         leftauth=secret
>         rightauth=secret
>         ikev2=insist
>         ike=aes256-sha256;dh20
>         esp=aes256-sha256;dh20

Does the other end not like dh20?
Does the other end not like pfs=yes? Try pfs=no to see what happens

> The multinet testconfigurations have the "ikev2=no"
> libreswan/east.conf at main · libreswan/libreswan · GitHub 

Likely just because it was an IKEv1 test and we kept it the same. There
should be an equivalent ikev2 test, or we should add one :)
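Added example, not part of the original thread or of libreswan's own code: the INVALID_KE_PAYLOAD notification in the log above is the responder's way of saying it will not accept the DH group in the KE payload, and per RFC 7296 section 1.3 its two octets of Notification Data name the group it will accept instead (the same notify can show up in IKE_SA_INIT for the ike= group, or in CREATE_CHILD_SA for the PFS group in esp=). The decoder below parses a Notify payload (RFC 7296 section 3.10 layout) and maps the group number to the libreswan dh keyword, so you can see what the peer wants before trying pfs=no. The sample payload is constructed here, and the group-to-keyword table, `advise()` and its default esp= string are this example's own assumptions, not taken from the peer in the thread.

```python
"""Decode an IKEv2 Notify payload and report the DH group a responder
asks for in INVALID_KE_PAYLOAD (RFC 7296 sections 1.3 and 3.10)."""
import struct

INVALID_KE_PAYLOAD = 17   # Notify Message Type (RFC 7296 section 3.10.1)
NO_PROPOSAL_CHOSEN = 14   # used only to show the non-KE case below

# IANA "Transform Type 4 - Diffie-Hellman Group Transform IDs" paired with
# the libreswan ike=/esp= keyword (assumed mapping for this example).
DH_GROUPS = {
    2: ("1024-bit MODP", "dh2"),
    5: ("1536-bit MODP", "dh5"),
    14: ("2048-bit MODP", "dh14"),
    15: ("3072-bit MODP", "dh15"),
    16: ("4096-bit MODP", "dh16"),
    19: ("256-bit random ECP", "dh19"),
    20: ("384-bit random ECP", "dh20"),
    21: ("521-bit random ECP", "dh21"),
    31: ("Curve25519", "dh31"),
}


def parse_notify(payload: bytes) -> dict:
    """Parse one Notify payload, generic header included.

    Layout (RFC 7296 section 3.10):
      Next Payload(1) | C+Reserved(1) | Payload Length(2) |
      Protocol ID(1) | SPI Size(1) | Notify Message Type(2) |
      SPI (SPI Size octets) | Notification Data (rest of payload)
    """
    if len(payload) < 8:
        raise ValueError("truncated Notify payload")
    next_payload, flags, length, proto, spi_size, ntype = struct.unpack(
        "!BBHBBH", payload[:8])
    if length > len(payload) or length < 8 + spi_size:
        raise ValueError("bad Payload Length")
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "protocol_id": proto,
        "spi": payload[8:8 + spi_size],
        "type": ntype,
        "data": payload[8 + spi_size:length],
    }


def suggested_dh_group(payload: bytes):
    """For INVALID_KE_PAYLOAD return (group, description, libreswan keyword).

    The Notification Data is exactly two octets carrying the group the
    responder will accept (RFC 7296 section 1.3). Other notify types give None.
    """
    n = parse_notify(payload)
    if n["type"] != INVALID_KE_PAYLOAD:
        return None
    if len(n["data"]) != 2:
        raise ValueError("INVALID_KE_PAYLOAD data must be exactly 2 octets")
    (group,) = struct.unpack("!H", n["data"])
    desc, keyword = DH_GROUPS.get(group, ("unknown group", f"dh{group}"))
    return group, desc, keyword


def build_notify(ntype: int, data: bytes, proto: int = 0,
                 spi: bytes = b"", next_payload: int = 0) -> bytes:
    """Encode a Notify payload; used here only to construct the sample."""
    length = 8 + len(spi) + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, proto,
                       len(spi), ntype) + spi + data


# Constructed sample: a responder rejecting the initiator's KE (dh20 in the
# CREATE_CHILD_SA proposal) and asking for group 14 instead.
SAMPLE_NOTIFY = build_notify(INVALID_KE_PAYLOAD, struct.pack("!H", 14))


def advise(payload: bytes, current_esp: str = "aes256-sha256;dh20") -> str:
    """Turn the responder's answer into the esp= line to try next
    (hypothetical helper; current_esp defaults to the thread's value)."""
    hit = suggested_dh_group(payload)
    if hit is None:
        return f"not INVALID_KE_PAYLOAD; keep esp={current_esp}"
    group, desc, keyword = hit
    base = current_esp.split(";")[0]
    return f"peer wants DH group {group} ({desc}): try esp={base};{keyword}"


if __name__ == "__main__":
    print(advise(SAMPLE_NOTIFY))
```

To use this on a real exchange, feed it the decrypted Notify payload (the N inside SK) from a packet capture; if the peer keeps answering INVALID_KE_PAYLOAD with a group you also reject, the two ends have no PFS group in common and either esp= must be aligned or PFS turned off with pfs=no.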
