[Swan] Libreswan version 4.8 abort when connecting with ikev1 xauth with psk

António Silva asilva at wirelessmundi.com
Thu Oct 13 17:35:58 EEST 2022


 Found a commit that could be the fix for this issue:

https://github.com/libreswan/libreswan/commit/bfd380014944b7efb3fbc181129bd34769993d3f

Trying it now.


--
Saludos / Regards / Cumprimentos
António Silva




> On 13 Oct 2022, at 15:29, António Silva <asilva at wirelessmundi.com> wrote:
> 
> 
> Hi,
> 
> I just updated libreswan from version 4.7 to 4.8, but with the newest version I can't establish a connection with the current configuration; it exits with status 134.
> Just reverted to version 4.7 and everything is working ok.
> 
> 
> 
> The log when trying to connect:
> 
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: responding to Main Mode from unknown peer 16.138.17.119:500
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main Mode R1
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main Mode R2
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.60'
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: switched to "tunnel8"[2] 16.138.17.119
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119: deleting connection instance with peer 16.138.17.119 {isakmp=#0/ipsec=#0}
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: password file authentication method requested to authenticate user 'asilvapt@mad.lab'
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: success user(asilvapt@mad.lab:(null))
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: User asilvapt@mad.lab: Authentication Successful
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: xauth_inR1(STF_OK)
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> 
> Oct 13 15:44:04 sol pluto[3555]: | pool 192.168.20.2-192.168.20.2: growing address pool from 0 to 1
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: modecfg_inR0(STF_OK)
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: sent ModeCfg reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: the peer proposed: 192.168.20.0/24 -<all>-> 192.168.20.2/32
> Oct 13 15:44:04 sol pluto[3555]: |   checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2: responding to Quick Mode proposal {msgid:537d8833}
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2:     us: 0.0.0.0/0===82.100.227.27[@xauth.lab,MS+XS+S=C]  them: 16.138.17.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
> Oct 13 15:44:04 sol pluto[3555]: ABORT: ASSERTION FAILED: pi->inbound.keymat.len == needed_len (compute_proto_keymat() +339 /programs/pluto/ikev1_quick.c)
> Oct 13 15:44:04 sol ipsec__plutorun[6759]: !pluto failure!:  exited with error status 134 (signal 6)
> Oct 13 15:44:04 sol ipsec__plutorun[6761]: restarting IPsec after pause...
> 
> 
> 
> Server configuration: 
> conn tunnel8-aggr
> 	aggrmode=yes
> 	also=tunnel8
> 
> conn tunnel8
> 	pfs=no
> 	type=tunnel
> 	auto=add
> 	ikev2=no
> 	phase2=esp
> 	authby=secret
> 	keyingtries=3
> 	ikelifetime=24h
> 	salifetime=24h
> 	left=82.100.227.27
> 	leftsubnet=0.0.0.0/0
> 	leftid=@xauth.lab
> 	right=%any
> 	rightid=%any
> 	rightaddresspool=192.168.20.100-192.168.20.254
> 	dpddelay=30
> 	dpdtimeout=300
> 	dpdaction=clear
> 	leftxauthserver=yes
> 	rightxauthclient=yes
> 	leftmodecfgserver=yes
> 	rightmodecfgclient=yes
> 	modecfgpull=yes
> 	fragmentation=yes
> 	xauthby=file
> 
> 
> 
> 
> Client configuration (using libreswan 4.5)
> conn tunnel1
> 	pfs=no
> 	type=tunnel
> 	auto=start
> 	ikev2=no
> 	phase2=esp
> 	authby=secret
> 	keyingtries=3
> 	ikelifetime=8h
> 	salifetime=8h
> 	left=192.168.1.60
> 	leftnexthop=16.138.17.119
> 	right=xauth.lab
> 	rightsubnet=192.168.20.0/24
> 	rightid=@xauth.lab
> 	dpddelay=30
> 	dpdtimeout=300
> 	dpdaction=restart
> 	leftxauthclient=yes
> 	leftmodecfgclient=yes
> 	leftusername=asilvapt@mad.lab
> 	modecfgpull=yes
> 	fragmentation=yes
> 	ipsec-interface=yes
> 
> 
> Thanks for the help.
> 
> Regards,
> Antonio
> 
> 
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
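The report above shows the failure mode a gateway operator most wants to catch automatically: pluto trips an assertion right after the Quick Mode proposal, exits with status 134 (SIGABRT) and is restarted by ipsec__plutorun, so every client connection attempt crash-loops the daemon. The following is an added example written for this thread, not Libreswan's own code. It parses the syslog-style pluto lines in the exact shape quoted in the report, records which connection instances reached the IKE SA and XAUTH stages, and extracts the failed assertion together with the exit status, signal and restart notice, so the crash can be alerted on. The sample log is constructed from the lines in the report (mailing-list address obfuscation removed); the regexes assume the pluto prefix format shown there.

```python
"""Flag a pluto crash in Libreswan log output (added example, not Libreswan code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Oct 13 15:44:04 sol pluto[3555]: <body>
PLUTO_LINE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<body>.*)$')
# "tunnel8"[2] 16.138.17.119 #1: <msg>   (the " #N" state number is optional)
CONN_PREFIX = re.compile(
    r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
ASSERT_RE = re.compile(
    r'ABORT: ASSERTION FAILED: (?P<cond>.+?) \((?P<func>\w+)\(\) \+(?P<line>\d+) (?P<file>\S+)\)')
ESTABLISHED_RE = re.compile(r'IKE SA established \{auth=(?P<auth>\w+)')
XAUTH_OK_RE = re.compile(r'XAUTH: User (?P<user>\S+): Authentication Successful')
# ipsec__plutorun[6759]: !pluto failure!:  exited with error status 134 (signal 6)
EXIT_RE = re.compile(
    r'ipsec__plutorun\[\d+\]: !pluto failure!: +exited with error status (?P<status>\d+)'
    r'(?: \(signal (?P<signal>\d+)\))?')
RESTART_RE = re.compile(r'ipsec__plutorun\[\d+\]: restarting IPsec')


@dataclass
class CrashReport:
    established: list = field(default_factory=list)   # (conn, inst, sa, auth)
    xauth_users: list = field(default_factory=list)
    last_event: Optional[tuple] = None  # (conn, inst, sa, msg) seen just before the abort
    assertion: Optional[dict] = None
    exit_status: Optional[int] = None
    signal: Optional[int] = None
    restarted: bool = False

    @property
    def crashed(self) -> bool:
        return self.assertion is not None or bool(self.exit_status)


def analyze(lines) -> CrashReport:
    """Walk the log once; keep state per connection prefix and catch the crash markers."""
    rep = CrashReport()
    for line in lines:
        m = EXIT_RE.search(line)
        if m:
            rep.exit_status = int(m.group('status'))
            rep.signal = int(m.group('signal')) if m.group('signal') else None
            continue
        if RESTART_RE.search(line):
            rep.restarted = True
            continue
        p = PLUTO_LINE.match(line)
        if not p:
            continue  # not a pluto line
        body = p.group('body')
        a = ASSERT_RE.search(body)
        if a:
            rep.assertion = {'cond': a.group('cond'), 'func': a.group('func'),
                             'line': int(a.group('line')), 'file': a.group('file')}
            continue
        c = CONN_PREFIX.match(body)
        if not c:
            continue  # "| ..." debug lines carry no connection prefix
        conn, inst = c.group('conn'), int(c.group('inst'))
        sa = int(c.group('sa')) if c.group('sa') else None
        msg = c.group('msg').strip()
        if rep.assertion is None:
            rep.last_event = (conn, inst, sa, msg)  # what pluto was doing when it died
        e = ESTABLISHED_RE.search(msg)
        if e:
            rep.established.append((conn, inst, sa, e.group('auth')))
        x = XAUTH_OK_RE.search(msg)
        if x:
            rep.xauth_users.append(x.group('user'))
    return rep


def summarize(rep: CrashReport) -> str:
    if not rep.crashed:
        return 'OK: no pluto crash seen; %d IKE SA(s) established' % len(rep.established)
    parts = ['ALERT: pluto crashed']
    if rep.assertion:
        parts.append('assertion %(cond)s in %(func)s() at %(file)s:%(line)d' % rep.assertion)
    if rep.exit_status is not None:
        parts.append('exit status %d (signal %s)' % (rep.exit_status, rep.signal))
    if rep.last_event:
        conn, inst, sa, msg = rep.last_event
        parts.append('last event "%s"[%d] #%s: %s' % (conn, inst, sa, msg))
    parts.append('restarted by plutorun' if rep.restarted else 'NOT restarted')
    return '; '.join(parts)


# Constructed from the log quoted in the report.
SAMPLE_LOG = """\
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: responding to Main Mode from unknown peer 16.138.17.119:500
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.60'
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119: deleting connection instance with peer 16.138.17.119 {isakmp=#0/ipsec=#0}
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: User asilvapt@mad.lab: Authentication Successful
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
Oct 13 15:44:04 sol pluto[3555]: | pool 192.168.20.2-192.168.20.2: growing address pool from 0 to 1
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2: responding to Quick Mode proposal {msgid:537d8833}
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2:     us: 0.0.0.0/0===82.100.227.27[@xauth.lab,MS+XS+S=C]  them: 16.138.17.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 13 15:44:04 sol pluto[3555]: ABORT: ASSERTION FAILED: pi->inbound.keymat.len == needed_len (compute_proto_keymat() +339 /programs/pluto/ikev1_quick.c)
Oct 13 15:44:04 sol ipsec__plutorun[6759]: !pluto failure!:  exited with error status 134 (signal 6)
Oct 13 15:44:04 sol ipsec__plutorun[6761]: restarting IPsec after pause...
"""

if __name__ == '__main__':
    print(summarize(analyze(SAMPLE_LOG.splitlines())))
```

Feeding `journalctl -u ipsec` or the syslog file through `analyze` on a schedule turns the assertion line into an alert that names the failing function and source file, which is exactly what a bug report to the list (or a check against the changelog of the next release) needs; the `last_event` field records that the crash happened at the Quick Mode stage, after XAUTH had already succeeded, which narrows the search to the IKEv1 phase 2 path.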
