[Swan] Regression in IPv4 Connectivity from Windows 10 Client

Andrew Cagney cagney at gnu.org
Mon Dec 19 02:25:59 EET 2022 

Hi,

We've made significant progress with combined IPv[46] support.  Would you
be interested in trying things out with a windows client?  To enable this
just specify both IPv4 and IPv6, something like:
   rightsubnet=2001:db8:0:2::/64,192.0.2.0/24
   leftaddresspool=2001:db8:0:3:1::/97,192.0.3.100/28
of course this is all still work-in-progress.

Andrew


On Tue, 1 Nov 2022 at 00:34, Mirsad Goran Todorovac <
mirsad.todorovac at alu.unizg.hr> wrote:

> Yes, this fixed this issue. :)
> Now the Win 10 client connected:
>
> Thanks.
>
> Now only to make IPv6-over-IPv6 connection work.
>
> However, restoring IPv4 VPN regression after upgrade to IPv6 will suffice.
> IPv6 VPN would be a nice
> thing to have, especially dual-stack, IMHO but any VPN is better than
> broken VPN (as a quantum difference).
>
> Kind regards,
> Mirsad
> On 11/1/2022 3:45 AM, Andrew Cagney wrote:
>
> Thanks.  Here's the only bit of the log that's needed:
>
> Nov  1 03:11:55.547595: | ***parse IKEv2 Configuration Payload Attribute:
> Nov  1 03:11:55.547626: |    Attribute Type: IKEv2_INTERNAL_IP4_ADDRESS (0x1)
> Nov  1 03:11:55.547653: |    length/value: 0 (00 00)
> Nov  1 03:11:55.547687: | connection both thinks it has, and really has a lease
> Nov  1 03:11:55.547754: | ***parse IKEv2 Configuration Payload Attribute:
> Nov  1 03:11:55.547780: |    Attribute Type: IKEv2_INTERNAL_IP4_DNS (0x3)
> Nov  1 03:11:55.547808: |    length/value: 0 (00 00)
> Nov  1 03:11:55.547835: | ignoring attribute IKEv2_INTERNAL_IP4_DNS length 0
> Nov  1 03:11:55.547859: | ***parse IKEv2 Configuration Payload Attribute:
> Nov  1 03:11:55.547885: |    Attribute Type: IKEv2_INTERNAL_IP4_NBNS (0x4)
> Nov  1 03:11:55.547913: |    length/value: 0 (00 00)
> Nov  1 03:11:55.547940: | ignoring attribute IKEv2_INTERNAL_IP4_NBNS length 0
> Nov  1 03:11:55.547982: "MYCONN-ikev2-cp"[2] 188.252.197.105 #4: ERROR: malformed CP attributeAttribute Type of IKEv2 Configuration Payload Attribute has an unknown value: 23456 (0x5ba0)
> Nov  1 03:11:55.548011: | should_send_delete: #4? no, IKEv2 SA in state STATE_V2_IKE_AUTH_CHILD_R0 is not established
>
> Try 2cc01a03a8c4bcfcb7c808f233756e96bdb6cfbe
>
>
> On Mon, 31 Oct 2022 at 22:16, Mirsad Goran Todorovac <
> mirsad.todorovac at alu.unizg.hr> wrote:
>
>> Thanks you, Sir!
>>
>> Actually, the connection was never established.
>>
>> The error mesg in Win 10 is:
>>
>> The "first bad commit" session log is here:
>> https://magrf.grf.hr/~mtodorov/tmp/ikev2-ipv4-20221101-01.log
>>
>> Kind regards,
>> Mirsad
>> On 10/31/2022 8:45 PM, Andrew Cagney wrote:
>>
>> Nice work.
>>
>> > I have noticed today (after having figured out how to connect IPv4-only
>> from Windows 10) that I lose connectivity
>> with github libreswan, while I still had it with libreswan-4.9 from
>> tarball.
>>
>> When you say "lose" connectivity, do you mean it never connects or dies
>> after a short while?
>>
>>
>> https://github.com/libreswan/libreswan/commit/bc47dcf87733484f5701b02212c3015a711ca1a9
>> added code to check the content of the CP payload so, presumably, microsoft
>> is sending something pluto didn't expect.
>>
>> Was there an error related to CP in the logs? And if possible try a test
>> run with debug=all enabled so that the CP payloads are captured and put
>> that in a bug.
>>
>>
>>
>>
>> On Mon, 31 Oct 2022 at 15:07, Mirsad Goran Todorovac <
>> mirsad.todorovac at alu.unizg.hr> wrote:
>>
>>> Hi all,
>>>
>>> I have noticed today (after having figured out how to connect IPv4-only
>>> from Windows 10) that I lose connectivity
>>> with github libreswan, while I still had it with libreswan-4.9 from
>>> tarball.
>>>
>>> I felt inspired and bisect gave this (at this commit I lost IPv4 Win 10
>>> connectivity):
>>>
>>> git bisect good e75c5ce30d7b6e5311dd05a4d0512a5f61add78f
>>> # bad: [4e1ceb32c64b8b077c41c538e39c5b6252b826b6] connections: pass
>>> struct connection_end into extract_end()
>>> git bisect bad 4e1ceb32c64b8b077c41c538e39c5b6252b826b6
>>> # bad: [bc47dcf87733484f5701b02212c3015a711ca1a9] ikev2: during IKE_AUTH
>>> parse IKEv2 CP requests
>>> git bisect bad bc47dcf87733484f5701b02212c3015a711ca1a9
>>> # good: [823443d6c796340128720a295c99f7eacae09d67] connections: (more)
>>> use ...->host->config rather than ...->config->host
>>> git bisect good 823443d6c796340128720a295c99f7eacae09d67
>>> # first bad commit: [bc47dcf87733484f5701b02212c3015a711ca1a9] ikev2:
>>> during IKE_AUTH parse IKEv2 CP requests
>>> root at magrf:~/libreswan#
>>>
>>> Windows specs:
>>>
>>>
>>> VPN server is on Debian 11 Bullseye and stock kernel, on a rather old
>>> development can.
>>>
>>> Hope this helps.
>>>
>>> Kind regards,
>>> Mirsad
>>>
>>> --
>>> Mirsad Todorovac
>>> Sistem inženjer
>>> Grafički fakultet | Akademija likovnih umjetnosti
>>> Sveučilište u Zagrebu
>>> --
>>> System engineer
>>> Faculty of Graphic Arts | Academy of Fine Arts
>>> University of Zagreb, Republic of Croatia
>>> tel. +385 (0)1 3711 451
>>> mob. +385 91 57 88 355
>>>
>>> --
>> Mirsad Todorovac
>> Sistem inženjer
>> Grafički fakultet | Akademija likovnih umjetnosti
>> Sveučilište u Zagrebu
>> --
>> System engineer
>> Faculty of Graphic Arts | Academy of Fine Arts
>> University of Zagreb, Republic of Croatia
>> tel. +385 (0)1 3711 451
>> mob. +385 91 57 88 355
>>
>> --
> Mirsad Todorovac
> Sistem inženjer
> Grafički fakultet | Akademija likovnih umjetnosti
> Sveučilište u Zagrebu
> --
> System engineer
> Faculty of Graphic Arts | Academy of Fine Arts
> University of Zagreb, Republic of Croatia
> tel. +385 (0)1 3711 451
> mob. +385 91 57 88 355
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20221218/ca22261e/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DVUNqny2GLThMAqo.png
Type: image/png
Size: 16206 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20221218/ca22261e/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nhVxWcIM3S9rH3Uo.png
Type: image/png
Size: 30019 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20221218/ca22261e/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 49fDqolg9vDJFfCd.png
Type: image/png
Size: 8132 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20221218/ca22261e/attachment-0005.png>

More information about the Swan mailing list