[Swan] Libreswan version 4.8 abort when connecting with ikev1 xauth with psk

António Silva asilva at wirelessmundi.com
Fri Oct 14 10:06:10 EEST 2022 

Thanks Paul!

--
Saludos / Regards / Cumprimentos
António Silva




> On 13 Oct 2022, at 22:07, Paul Wouters <paul at nohats.ca> wrote:
> 
> We will release 4.9 to address this regression in the next day or so
> 
> Sent using a virtual keyboard on a phone
> 
>> On Oct 13, 2022, at 10:29, António Silva <asilva at wirelessmundi.com> wrote:
>> 
>> 
>> 
>> Hi,
>> 
>> I just update libreswan from version 4.7 to 4.8, but with the newest version I can’t establish a connection whit current configuration, it exit with status 134.
>> Just revert to version 4.7 and everything working ok.
>> 
>> 
>> 
>> The log when trying to connect:
>> 
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: responding to Main Mode from unknown peer 16.138.17.119:500
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main Mode R1
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main Mode R2
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.60'
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: switched to "tunnel8"[2] 16.138.17.119
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119: deleting connection instance with peer 16.138.17.119 {isakmp=#0/ipsec=#0}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: password file authentication method requested to authenticate user 'asilvapt at mad.lab <mailto:asilvapt at mad.lab>'
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: success user(asilvapt at mad.lab <mailto:asilvapt at mad.lab>:(null))
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: User asilvapt at mad.lab <mailto:asilvapt at mad.lab>: Authentication Successful
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: xauth_inR1(STF_OK)
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
>> 
>> Oct 13 15:44:04 sol pluto[3555]: | pool 192.168.20.2-192.168.20.2: growing address pool from 0 to 1
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: modecfg_inR0(STF_OK)
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: sent ModeCfg reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: the peer proposed: 192.168.20.0/24 -<all>-> 192.168.20.2/32
>> Oct 13 15:44:04 sol pluto[3555]: |   checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2: responding to Quick Mode proposal {msgid:537d8833}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2:     us: 0.0.0.0/0===82.100.227.27[@xauth.lab,MS+XS+S=C]  them: 16.138.17.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
>> Oct 13 15:44:04 sol pluto[3555]: ABORT: ASSERTION FAILED: pi->inbound.keymat.len == needed_len (compute_proto_keymat() +339 /programs/pluto/ikev1_quick.c)
>> Oct 13 15:44:04 sol ipsec__plutorun[6759]: !pluto failure!:  exited with error status 134 (signal 6)
>> Oct 13 15:44:04 sol ipsec__plutorun[6761]: restarting IPsec after pause...
>> 
>> 
>> 
>> Server configuration: 
>> conn tunnel8-aggr
>> 	aggrmode=yes
>> 	also=tunnel8
>> 
>> conn tunnel8
>> 	pfs=no
>> 	type=tunnel
>> 	auto=add
>> 	ikev2=no
>> 	phase2=esp
>> 	authby=secret
>> 	keyingtries=3
>> 	ikelifetime=24h
>> 	salifetime=24h
>> 	left=82.100.227.27
>> 	leftsubnet=0.0.0.0/0
>> 	leftid=@xauth.lab <mailto:leftid=@xauth.lab>
>> 	right=%any
>> 	rightid=%any
>> 	rightaddresspool=192.168.20.100-192.168.20.254
>> 	dpddelay=30
>> 	dpdtimeout=300
>> 	dpdaction=clear
>> 	leftxauthserver=yes
>> 	rightxauthclient=yes
>> 	leftmodecfgserver=yes
>> 	rightmodecfgclient=yes
>> 	modecfgpull=yes
>> 	fragmentation=yes
>> 	xauthby=file
>> 
>> 
>> 
>> 
>> Cliente configuration (using libreswan 4.5)
>> conn tunnel1
>> 	pfs=no
>> 	type=tunnel
>> 	auto=start
>> 	ikev2=no
>> 	phase2=esp
>> 	authby=secret
>> 	keyingtries=3
>> 	ikelifetime=8h
>> 	salifetime=8h
>> 	left=192.168.1.60
>> 	leftnexthop=16.138.17.119
>> 	right=xauth.lab
>> 	rightsubnet=192.168.20.0/24
>> 	rightid=@xauth.lab <mailto:rightid=@xauth.lab>
>> 	dpddelay=30
>> 	dpdtimeout=300
>> 	dpdaction=restart
>> 	leftxauthclient=yes
>> 	leftmodecfgclient=yes
>> 	leftusername=asilvapt at mad.lab <mailto:leftusername=asilvapt at mad.lab>
>> 	modecfgpull=yes
>> 	fragmentation=yes
>> 	ipsec-interface=yes
>> 
>> 
>> Thanks for the help.
>> 
>> Regards,
>> Antonio
>> 
>> 
>> 
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20221014/529bdfe7/attachment-0001.htm>

More information about the Swan mailing list