[Swan] multinet with ikev2 not working
Paul Wouters
paul at nohats.ca
Mon Aug 22 19:20:05 EEST 2022
On Mon, 22 Aug 2022, Peter Viskup wrote:
> [root at prd01a ipsec.d]# ipsec auto --up sp1
> 002 "sp1" #94: local ESP/AH proposals for sp1 (ESP/AH initiator emitting proposals):
> 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED
> 139 "sp1" #94: STATE_V2_CREATE_I: sent IPsec Child req wait response
> 003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N;
> missing payloads: SA,Ni,TSi,TSr
Looks like your other end does not like your PFS or DH group size?
> Configuration is similar to this (rightsubnets):
> conn sp1
> hostaddrfamily=ipv4
> clientaddrfamily=ipv4
> right=1.2.3.4
> rightsubnet=10.10.10.0/24
> #rightsubnets={10.10.10.0/24 10.20.20.0/24}
> left=100.64.7.8
> leftsubnet=100.64.7.0/24
> #ikev2
> leftauth=secret
> rightauth=secret
> ikev2=insist
> ike=aes256-sha256;dh20
> esp=aes256-sha256;dh20
Does the other end not like dh20?
Does the other end not like pfs=yes? Try pfs=no to see what happens then?
> The multinet test configurations have the "ikev2=no"
> libreswan/east.conf at main · libreswan/libreswan · GitHub
Likely just because it was an IKEv1 test and we kept it the same. There
should be an equivalent ikev2 test, or we should add one :)
Paul
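The CREATE_CHILD_SA rejection quoted above, parsed into something a script can act on, as an added example that is not part of the thread or of libreswan's own code. It assumes the `ipsec auto --up` status-line format exactly as quoted (the long 003 line wrapped across two lines in the mail, which the parser tolerates), and a small constructed table mapping libreswan's DH group names to the `dh` keywords used in `ike=`/`esp=` (ECP_384 is dh20, matching the quoted config); the `diagnose` wording is the author's, based on RFC 7296's meaning of INVALID_KE_PAYLOAD (the responder wants a different DH group).

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the lines quoted in the thread, as
# `ipsec auto --up sp1` prints them. The 003 line is wrapped as in the mail.
SAMPLE_LOG = """\
002 "sp1" #94: local ESP/AH proposals for sp1 (ESP/AH initiator emitting proposals):
  1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED
139 "sp1" #94: STATE_V2_CREATE_I: sent IPsec Child req wait response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N;
missing payloads: SA,Ni,TSi,TSr
"""

# Assumed mapping from log group names to the ike=/esp= keywords (IANA groups 19-21).
DH_KEYWORD = {"ECP_256": "dh19", "ECP_384": "dh20", "ECP_521": "dh21"}

STATUS_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
PROPOSAL_RE = re.compile(r"^\s*\d+:(ESP|AH|IKE):(\S+)$")
NOTIFY_RE = re.compile(r"containing (\w+) notification")
MISSING_RE = re.compile(r"missing payloads: ([\w,]+)")


@dataclass
class ChildSaAttempt:
    conn: str
    state: int
    proposals: list = field(default_factory=list)        # dicts: proto, ENCR, INTEG, DH, ESN
    notifications: list = field(default_factory=list)    # notify types the peer sent back
    missing_payloads: list = field(default_factory=list)


def parse_proposal(proto, text):
    """Turn 'ENCR=AES_CBC_256;INTEG=...;DH=ECP_384;ESN=DISABLED' into a dict."""
    attrs = {"proto": proto}
    for kv in text.split(";"):
        key, _, value = kv.partition("=")
        if value:
            attrs[key] = value
    return attrs


def parse_log(text):
    """Group pluto status lines by (connection name, state number)."""
    attempts = {}
    current = None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            _code, conn, state, msg = m.groups()
            key = (conn, int(state))
            current = attempts.setdefault(key, ChildSaAttempt(conn, int(state)))
        elif current is None:
            continue  # nothing to attach a continuation or proposal line to
        else:
            p = PROPOSAL_RE.match(line)
            if p:
                current.proposals.append(parse_proposal(p.group(1), p.group(2)))
                continue
            msg = line  # wrapped continuation of the previous status line
        n = NOTIFY_RE.search(msg)
        if n:
            current.notifications.append(n.group(1))
        mp = MISSING_RE.search(msg)
        if mp:
            current.missing_payloads.extend(mp.group(1).split(","))
    return list(attempts.values())


def diagnose(attempt):
    """Point an INVALID_KE_PAYLOAD answer at the PFS/DH setting that usually causes it."""
    if "INVALID_KE_PAYLOAD" not in attempt.notifications:
        return None
    groups = sorted({p["DH"] for p in attempt.proposals if "DH" in p})
    offered = ", ".join(f"{g} ({DH_KEYWORD.get(g, 'unknown keyword')})" for g in groups)
    return (f"{attempt.conn} #{attempt.state}: peer answered CREATE_CHILD_SA with "
            f"INVALID_KE_PAYLOAD, i.e. it does not accept the PFS DH group offered "
            f"[{offered or 'none'}]; align the Child SA DH group with the peer, "
            f"or test with pfs=no")


if __name__ == "__main__":
    for attempt in parse_log(SAMPLE_LOG):
        print(diagnose(attempt) or f"{attempt.conn} #{attempt.state}: no KE problem seen")
```

Run against the real `ipsec auto --up` output, the script reports which DH group was offered in the rejected Child SA proposal, which is the value to compare with the peer's configuration before toggling pfs=.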