[Swan] Libreswan version 4.8 abort when connecting with ikev1 xauth with psk
António Silva
asilva at wirelessmundi.com
Fri Oct 14 10:06:10 EEST 2022
Thanks Paul!
--
Saludos / Regards / Cumprimentos
António Silva
> On 13 Oct 2022, at 22:07, Paul Wouters <paul at nohats.ca> wrote:
>
> We will release 4.9 to address this regression in the next day or so
>
> Sent using a virtual keyboard on a phone
>
>> On Oct 13, 2022, at 10:29, António Silva <asilva at wirelessmundi.com> wrote:
>>
>>
>>
>> Hi,
>>
>> I just updated libreswan from version 4.7 to 4.8, but with the newest version I can’t establish a connection with the current configuration; it exits with status 134.
>> Just reverted to version 4.7 and everything is working OK.
>>
>>
>>
>> The log when trying to connect:
>>
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: responding to Main Mode from unknown peer 16.138.17.119:500
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main Mode R1
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main Mode R2
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.60'
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: switched to "tunnel8"[2] 16.138.17.119
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119: deleting connection instance with peer 16.138.17.119 {isakmp=#0/ipsec=#0}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: password file authentication method requested to authenticate user 'asilvapt at mad.lab'
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: success user(asilvapt at mad.lab:(null))
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: User asilvapt at mad.lab: Authentication Successful
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: xauth_inR1(STF_OK)
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
>>
>> Oct 13 15:44:04 sol pluto[3555]: | pool 192.168.20.2-192.168.20.2: growing address pool from 0 to 1
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: modecfg_inR0(STF_OK)
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: sent ModeCfg reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: the peer proposed: 192.168.20.0/24 -<all>-> 192.168.20.2/32
>> Oct 13 15:44:04 sol pluto[3555]: | checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2: responding to Quick Mode proposal {msgid:537d8833}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2: us: 0.0.0.0/0===82.100.227.27[@xauth.lab,MS+XS+S=C] them: 16.138.17.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
>> Oct 13 15:44:04 sol pluto[3555]: ABORT: ASSERTION FAILED: pi->inbound.keymat.len == needed_len (compute_proto_keymat() +339 /programs/pluto/ikev1_quick.c)
>> Oct 13 15:44:04 sol ipsec__plutorun[6759]: !pluto failure!: exited with error status 134 (signal 6)
>> Oct 13 15:44:04 sol ipsec__plutorun[6761]: restarting IPsec after pause...
>>
>>
>>
>> Server configuration:
>> conn tunnel8-aggr
>>     aggrmode=yes
>>     also=tunnel8
>>
>> conn tunnel8
>>     pfs=no
>>     type=tunnel
>>     auto=add
>>     ikev2=no
>>     phase2=esp
>>     authby=secret
>>     keyingtries=3
>>     ikelifetime=24h
>>     salifetime=24h
>>     left=82.100.227.27
>>     leftsubnet=0.0.0.0/0
>>     leftid=@xauth.lab
>>     right=%any
>>     rightid=%any
>>     rightaddresspool=192.168.20.100-192.168.20.254
>>     dpddelay=30
>>     dpdtimeout=300
>>     dpdaction=clear
>>     leftxauthserver=yes
>>     rightxauthclient=yes
>>     leftmodecfgserver=yes
>>     rightmodecfgclient=yes
>>     modecfgpull=yes
>>     fragmentation=yes
>>     xauthby=file
>>
>>
>>
>>
>> Client configuration (using libreswan 4.5)
>> conn tunnel1
>>     pfs=no
>>     type=tunnel
>>     auto=start
>>     ikev2=no
>>     phase2=esp
>>     authby=secret
>>     keyingtries=3
>>     ikelifetime=8h
>>     salifetime=8h
>>     left=192.168.1.60
>>     leftnexthop=16.138.17.119
>>     right=xauth.lab
>>     rightsubnet=192.168.20.0/24
>>     rightid=@xauth.lab
>>     dpddelay=30
>>     dpdtimeout=300
>>     dpdaction=restart
>>     leftxauthclient=yes
>>     leftmodecfgclient=yes
>>     leftusername=asilvapt at mad.lab
>>     modecfgpull=yes
>>     fragmentation=yes
>>     ipsec-interface=yes
>>
>>
>> Thanks for the help.
>>
>> Regards,
>> Antonio
>>
>>
>>
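A log check for the failure reported in this thread, as an added example (not code from the thread or from the libreswan project): it finds the pluto `ABORT: ASSERTION FAILED` line and pairs it with the last IKE state line logged by the same pluto PID and with the supervisor's exit status, so an on-call engineer can see which connection and peer preceded the daemon restart. The function name and record fields are hypothetical; the sample lines are copied from the log quoted above.

```python
import re

# Lines copied from the log in the report above (trimmed to the relevant ones).
SAMPLE_LOG = """\
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2: responding to Quick Mode proposal {msgid:537d8833}
Oct 13 15:44:04 sol pluto[3555]: ABORT: ASSERTION FAILED: pi->inbound.keymat.len == needed_len (compute_proto_keymat() +339 /programs/pluto/ikev1_quick.c)
Oct 13 15:44:04 sol ipsec__plutorun[6759]: !pluto failure!: exited with error status 134 (signal 6)
Oct 13 15:44:04 sol ipsec__plutorun[6761]: restarting IPsec after pause...
"""

STATE = re.compile(r'pluto\[(\d+)\]: "([^"]+)"\[\d+\] (\S+) #(\d+): (.*)')
ABORT = re.compile(r'pluto\[(\d+)\]: ABORT: ASSERTION FAILED: (.*?) '
                   r'\((\w+)\(\) \+(\d+) (\S+)\)')
EXIT = re.compile(r'!pluto failure!: exited with error status (\d+) \(signal (\d+)\)')


def find_pluto_aborts(lines):
    """Return one record per pluto assertion abort, with the last IKE state
    line the same pluto PID logged before it (the likely trigger)."""
    last_state = {}   # pid -> (conn, peer, state number, message)
    aborts = []
    for line in lines:
        if m := ABORT.search(line):
            pid, expr, func, lineno, src = m.groups()
            conn, peer, state, msg = last_state.get(pid, (None, None, None, None))
            aborts.append({"pid": int(pid), "assertion": expr, "function": func,
                           "source": f"{src}:{lineno}", "conn": conn, "peer": peer,
                           "state": state, "last_event": msg,
                           "exit_status": None, "signal": None})
        elif m := STATE.search(line):
            pid, conn, peer, state, msg = m.groups()
            last_state[pid] = (conn, peer, int(state), msg)
        elif (m := EXIT.search(line)) and aborts and aborts[-1]["exit_status"] is None:
            # The supervisor line has a different PID; pair it with the latest abort.
            aborts[-1]["exit_status"], aborts[-1]["signal"] = map(int, m.groups())
    return aborts


if __name__ == "__main__":
    for a in find_pluto_aborts(SAMPLE_LOG.splitlines()):
        print(a)
```

Repeated records for the same `function` and `source` across restarts indicate a crash loop tied to one negotiation path rather than a one-off failure.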