[Swan] multinet with ikev2 not working

Paul Wouters paul at nohats.ca
Mon Aug 22 19:20:05 EEST 2022


On Mon, 22 Aug 2022, Peter Viskup wrote:

> [root at prd01a ipsec.d]# ipsec auto --up sp1
> 002 "sp1" #94: local ESP/AH proposals for sp1 (ESP/AH initiator emitting proposals):
> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED
> 139 "sp1" #94: STATE_V2_CREATE_I: sent IPsec Child req wait response
> 003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N;
> missing payloads: SA,Ni,TSi,TSr

Looks like your other end does not like your PFS or DH group size?

> Configuration is similar to this (rightsubnets):
> conn sp1
>         hostaddrfamily=ipv4
>         clientaddrfamily=ipv4
>         right=1.2.3.4
>         rightsubnet=10.10.10.0/24
>         #rightsubnets={10.10.10.0/24 10.20.20.0/24}
>         left=100.64.7.8
>         leftsubnet=100.64.7.0/24
>         #ikev2
>         leftauth=secret
>         rightauth=secret
>         ikev2=insist
>         ike=aes256-sha256;dh20
>         esp=aes256-sha256;dh20

Does the other end not like dh20?
Does the other end not like pfs=yes? Try pfs=no to see what happens
then?

> The multinet test configurations have the "ikev2=no"
> libreswan/east.conf at main · libreswan/libreswan · GitHub 

Likely just because it was an IKEv1 test and we kept it the same. There
should be an equivalent ikev2 test, or we should add one :)

Paul
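Added example, not code from the thread or from libreswan: a small Python diagnostic that reads the `ipsec auto --up` output quoted above, pulls the DH group out of the emitted ESP proposal, and explains an INVALID_KE_PAYLOAD reply in terms of the conn's esp= and pfs= settings. It assumes the log format shown in the thread; the dh20 = ECP_384 pairing is from the quoted output, the other table rows use the IANA IKEv2 group numbers (RFC 3526 MODP, RFC 5903 ECP) with libreswan's naming scheme assumed to follow that example.

```python
import re

# "dhNN" keywords accepted in libreswan ike=/esp= lines, paired with the group
# name libreswan prints in its proposal log. dh20/ECP_384 is taken from the
# thread; the remaining rows are assumed from the IANA group numbers.
DH_KEYWORD_TO_NAME = {
    "dh14": "MODP2048", "dh15": "MODP3072", "dh16": "MODP4096",
    "dh19": "ECP_256", "dh20": "ECP_384", "dh21": "ECP_521",
}
DH_NAME_TO_KEYWORD = {name: kw for kw, name in DH_KEYWORD_TO_NAME.items()}

# matches "1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED"
PROPOSAL_RE = re.compile(r"^\d+:ESP:(?P<attrs>[A-Z0-9_=;]+)$")
# matches '003 "sp1" #94: dropping unexpected ... containing INVALID_KE_PAYLOAD notification; ...'
NOTIFY_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): .*?containing (?P<notify>[A-Z_]+) notification')


def parse_proposal(line):
    """Split one emitted ESP proposal into its attributes, e.g. {'DH': 'ECP_384', ...}."""
    m = PROPOSAL_RE.match(line.strip())
    if m is None:
        return None
    return dict(item.split("=", 1) for item in m.group("attrs").split(";"))


def diagnose(log_lines):
    """Explain each INVALID_KE_PAYLOAD in the log using the DH groups this end offered."""
    offered = [p for p in map(parse_proposal, log_lines) if p is not None]
    findings = []
    for line in log_lines:
        m = NOTIFY_RE.search(line)
        if m is None or m.group("notify") != "INVALID_KE_PAYLOAD":
            continue
        # DH=NONE means no KE payload was sent, so it cannot be the rejected group.
        groups = sorted({p["DH"] for p in offered if p.get("DH", "NONE") != "NONE"})
        keywords = [DH_NAME_TO_KEYWORD.get(g, "?") for g in groups]
        if groups:
            advice = (
                "peer rejected the KE payload of this CREATE_CHILD_SA; it does not accept "
                "PFS group(s) %s (%s in esp=). Offer a group the peer supports, or set "
                "pfs=no so the child exchange carries no KE payload at all."
                % (", ".join(groups), ", ".join(keywords))
            )
        else:
            advice = ("peer sent INVALID_KE_PAYLOAD although no DH group was offered for "
                      "the child; check the IKE SA's own group negotiation.")
        findings.append({
            "conn": m.group("conn"), "state": int(m.group("state")),
            "rejected_groups": groups, "keywords": keywords, "advice": advice,
        })
    return findings


# Constructed sample: the initiator-side lines quoted in the thread, unwrapped.
SAMPLE_LOG = [
    '002 "sp1" #94: local ESP/AH proposals for sp1 (ESP/AH initiator emitting proposals):',
    '1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED',
    '139 "sp1" #94: STATE_V2_CREATE_I: sent IPsec Child req wait response',
    '003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing '
    'INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; '
    'missing payloads: SA,Ni,TSi,TSr',
]

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print('conn "%s" #%d: %s' % (f["conn"], f["state"], f["advice"]))
```

The point the script makes explicit is the one Paul raises: with `esp=aes256-sha256;dh20` the initiator includes a KE payload for ECP_384 in CREATE_CHILD_SA, and INVALID_KE_PAYLOAD is the responder refusing exactly that payload. Dropping the `;dh20` (or `pfs=no`) removes the KE payload from the child exchange, which is why trying it isolates whether the group is the problem.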
