[Swan] The issue of connecting to Libreswan VPN from Android

Paul Wouters paul at nohats.ca
Fri Dec 9 17:35:52 EET 2022


On Wed, 7 Dec 2022, OBETalk?????? wrote:

> Date: Wed, 7 Dec 2022 04:57:50
> From: OBETalk?????? <kevincyq_chenyangqin at foxmail.com>
> To: swan <swan at lists.libreswan.org>
> Subject: [Swan] The issue of connecting to Libreswan VPN from Android
> 
> Dears,
> 
> There's a big issue with an Android phone connecting to Libreswan deployed on Ubuntu 18.04 on AWS
> EC2 recently. The connection was successful before August 2022. Neither Xauth-PSK nor L2TP/IPsec PSK
> works. I can't find the right answer in those troubleshooting blogs online.
> Can anyone help answer how to fix this problem, please?

> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: WARNING: connection xauth-psk
> PSK length of 20 bytes is too short for HMAC_SHA2_384 PRF in FIPS mode (24 bytes required)

A big warning on your PSK. It is waaaay too short. Strongly recommend
replacing it with a longer one.

> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (256),
> HMAC_SHA2_384, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (256),
> HMAC_SHA2_256, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: WARNING: connection xauth-psk
> PSK length of 20 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (256),
> HMAC_SHA2_512, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (256),
> HMAC_SHA1, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (256),
> HMAC_MD5, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: WARNING: connection xauth-psk
> PSK length of 20 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (128),
> HMAC_SHA2_512, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: WARNING: connection xauth-psk
> PSK length of 20 bytes is too short for HMAC_SHA2_384 PRF in FIPS mode (24 bytes required)
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (128),
> HMAC_SHA2_384, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (128),
> HMAC_SHA2_256, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (128),
> HMAC_SHA1, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (128),
> HMAC_MD5, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [3DES_CBC
> (192), HMAC_SHA2_256, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [3DES_CBC
> (192), HMAC_SHA1, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [3DES_CBC
> (192), HMAC_MD5, MODP1024] refused
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: OAKLEY_DES_CBC(UNUSED) is not
> supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: message repeated 2 times: [ "xauth-psk"[1] 223.104.68.17 #1:
> OAKLEY_DES_CBC(UNUSED) is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM]
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: no acceptable Oakley Transform
> Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: sending notification
> NO_PROPOSAL_CHOSEN to 223.104.68.17:56380
> Dec  7 09:24:15 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: discarding initial packet;
> already STATE_MAIN_R0


All of these proposals use MODP1024 (aka Diffie-Hellman group 2). This is
no longer allowed by libreswan. RFC 8247 says:

https://www.rfc-editor.org/rfc/rfc8247#section-2.4

    Group 2 or the 1024-bit MODP Group has been downgraded from MUST- in
    RFC 4307 to SHOULD NOT.  It is known to be weak against sufficiently
    funded attackers using commercially available mass-computing
    resources, so its security margin is considered too narrow.  It is
    expected in the near future to be downgraded to MUST NOT.


You need to upgrade your configurations, as either your local libreswan
install got updated with a version not allowing this, or your peer got
updated to no longer allow this.

If you are using this VPN in any way that involves someone's safety
regarding a nation state actor, consider that the VPN had already been
compromised because it was so weak.

Paul
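A small triage script for the two findings in the reply above (PSK shorter than the PRF requires in FIPS mode, and every proposal using MODP1024). This is an added example, not code from libreswan or from anyone in the thread. The sample log is constructed from the pluto lines quoted in the question, the regular expressions assume exactly that message wording, the "weak group" set comes from the RFC 8247 section 2.4 text quoted in the reply, and the replacement-PSK helper assumes the secret is stored as a quoted ASCII string in ipsec.secrets (so its byte length equals its character count).

```python
"""Triage pluto (libreswan) IKEv1 failures of the kind quoted in the thread.

Added example, not libreswan project code. SAMPLE_LOG is constructed from
the pluto lines quoted in the question; the message formats matched below
are assumed to be stable only for those lines.
"""
import re
import secrets

# Constructed sample: a trimmed copy of the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: WARNING: connection xauth-psk PSK length of 20 bytes is too short for HMAC_SHA2_384 PRF in FIPS mode (24 bytes required)
Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (256), HMAC_SHA2_384, MODP1024] refused
Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1024] refused
Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: WARNING: connection xauth-psk PSK length of 20 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)
Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [AES_CBC (256), HMAC_SHA2_512, MODP1024] refused
Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP1024] refused
Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: no acceptable Oakley Transform
Dec  7 09:24:12 ip-172-31-6-48 pluto[3269]: "xauth-psk"[1] 223.104.68.17 #1: sending notification NO_PROPOSAL_CHOSEN to 223.104.68.17:56380
"""

# Matches the FIPS-mode PSK warning: which PRF, how many bytes we have, how many it needs.
PSK_WARNING = re.compile(
    r'connection (?P<conn>\S+) PSK length of (?P<have>\d+) bytes is too short '
    r'for (?P<prf>\S+) PRF in FIPS mode \((?P<need>\d+) bytes required\)')
# Matches a refused IKEv1 transform: encryption, PRF/integrity, DH group.
TRANSFORM_REFUSED = re.compile(
    r'Oakley Transform \[(?P<enc>[^,]+), (?P<prf>[^,]+), (?P<group>[^\]]+)\] refused')

# RFC 8247 section 2.4 rates the 1024-bit MODP group (group 2) SHOULD NOT.
WEAK_DH_GROUPS = {"MODP1024"}


def triage(log_text):
    """Summarise why the IKE SA failed: the PSK length versus the largest
    PRF requirement seen, and the set of DH groups the peer proposed."""
    psk_need = {}   # prf name -> bytes required
    psk_have = None
    refused = []    # (enc, prf, group) for every transform the responder refused
    for line in log_text.splitlines():
        m = PSK_WARNING.search(line)
        if m:
            psk_have = int(m.group("have"))
            psk_need[m.group("prf")] = int(m.group("need"))
            continue
        m = TRANSFORM_REFUSED.search(line)
        if m:
            refused.append((m.group("enc"), m.group("prf"), m.group("group")))
    groups = sorted({g for _, _, g in refused})
    return {
        "psk_length": psk_have,
        "psk_required": max(psk_need.values(), default=0),
        "psk_too_short_for": sorted(psk_need),
        "refused_transforms": len(refused),
        "dh_groups_offered": groups,
        "only_weak_dh": bool(groups) and set(groups) <= WEAK_DH_GROUPS,
        "no_proposal_chosen": "NO_PROPOSAL_CHOSEN" in log_text,
    }


def new_psk(min_bytes):
    """Generate a replacement PSK carrying at least min_bytes of entropy.
    Assumption: the PSK goes into ipsec.secrets as a quoted ASCII string, so
    its byte length is its character count; the URL-safe alphabet needs no
    escaping inside the quotes."""
    psk = secrets.token_urlsafe(min_bytes)
    assert len(psk.encode()) >= min_bytes
    return psk


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key:22} {value}")
    print("replacement PSK:", new_psk(report["psk_required"]))
```

Run against the quoted log the report shows a 20-byte PSK where the strongest offered PRF wants 32, and a proposal list whose only DH group is MODP1024, which is the pair of problems the reply names. Fixing the PSK alone will not make the connection come up while every proposal still carries group 2.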