[Swan] Connect fails with STATE_V2_PARENT_I1 retransmission

Alex mysqlstudent at gmail.com
Sun Jun 4 18:55:26 EEST 2023


Hi,

I'm using libreswan-4.11-1.fc37.x86_64 on two fedora37 hosts to try to
build a VPN between them. It was working fine for some days, but I believe
I changed something on one of the servers, not related to libreswan, that
caused it to stop working. It appears they're not communicating, like a
routing problem or protocol issue. I really have no idea how to
troubleshoot this.

The server where I believe the problem is also has another libreswan VPN
that also stopped working at the same time.

Here's the config info I think could help troubleshooting this from the
host with the problem.

# ipsec status whack --showstates
000 #43: "mail03-arcade":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #43: pending CHILD SA for "mail03-arcade"
000 #44: "mail03-polaris":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #44: pending CHILD SA for "mail03-polaris"

Jun  4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Jun  4 11:49:49.468301: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Jun  4 11:49:49.968929: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response

Here's also a pastebin for "ipsec status" on the server that I believe has
the problem:
https://pastebin.com/sezgcCGK

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.195.111.41   0.0.0.0         UG    0      0        0 enp3s0
68.195.111.40   0.0.0.0         255.255.255.248 U     0      0        0 enp3s0
192.168.1.0     68.195.111.42   255.255.255.0   UG    0      0        0 enp3s0

# ip a l enp3s0
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:b7:85:00:90:12 brd ff:ff:ff:ff:ff:ff
    inet 68.195.111.45/29 brd 68.195.111.47 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 ::9ab7:85ff:fe00:9012/64 scope global dynamic mngtmpaddr
       valid_lft 3598sec preferred_lft 3598sec
    inet6 fe80::9ab7:85ff:fe00:9012/64 scope link
       valid_lft forever preferred_lft forever

# cat /etc/ipsec.conf|grep -Ev '#|^$'
config setup
        logfile=/var/log/pluto.log
        plutodebug="base"
        protostack=netkey
include /etc/ipsec.d/*.conf

conn mail03-polaris
        ikev2=insist
        authby=rsasig
        auto=start
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        leftid=@mail03-polaris
        left=mail03.example.com

        leftrsasigkey=0sAwEAAc6MjfCgIevnKOqbiEa4Xtc3dIliJHwMq3UtJ4tnB1EVylAz+6XHWuC9K15re6vunBi45jqoI0zKQioLL9bMfvlLUHQFVL03EH1trAsmXc8YGN...
        rightid=@polaris-mail03
        right=polaris.example.com
        rightrsasigkey=0sAwEAAa9XC9vHpR61Gpu6AL8aRLFMztYeFOHzXXjnrfDuictzqJXn6zyjZvleg9oXuX6zOZFLz6oRoobNa5T+aTvAPH7DeJk2Jp4t+PZTbQB7krrdY...

How do I enable a reasonable amount of logging? Even plutodebug="base" is
entirely too detailed for me to identify any useful info.

I'm using iptables and have rules that allow unimpeded traffic to and from
each host.

Thank you very much. I've spent hours trying to figure this out, so really
appreciate your help.
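The two outputs quoted above carry the whole diagnosis when read together: the initiator sits in STATE_V2_PARENT_I1 and keeps retransmitting its IKE_SA_INIT request, while the peer logs "sent IKE_SA_INIT reply" followed by "received duplicate IKE_SA_INIT message request ... retransmitting response". The peer therefore does receive the request and does answer it; what never arrives is the reply on the way back. The script below is an added example, not the poster's code and not part of libreswan: it parses constructed copies of the `whack --showstates` and pluto.log lines shown in the post and reports, per connection, on which side of the exchange the packets are disappearing. It assumes the connection name is identical on both hosts, as it is in the post.

```python
import re
from collections import defaultdict

# Constructed sample data modelled on the lines quoted in the post (not the
# poster's exact output): the initiator's `ipsec whack --showstates`, and the
# responder's pluto.log, which only mentions one of the two connections.
INITIATOR_STATES = """\
000 #43: "mail03-arcade":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #43: pending CHILD SA for "mail03-arcade"
000 #44: "mail03-polaris":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #44: pending CHILD SA for "mail03-polaris"
"""

RESPONDER_LOG = """\
Jun  4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Jun  4 11:49:49.468301: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Jun  4 11:49:49.968929: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
"""

# State lines look like: 000 #<sa>: "<conn>":<port> STATE_V2_... (...)
STATE_RE = re.compile(r'^000 #\d+: "(?P<conn>[^"]+)":\d+ (?P<state>STATE_V2_\w+)')
# pluto.log lines look like: <Mon> <d> <hh:mm:ss.us>: "<conn>" #<sa>: <message>
LOG_RE = re.compile(r'^\S+\s+\d+ \S+: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')


def stuck_initiators(showstates: str) -> dict:
    """Connections whose IKE SA never left STATE_V2_PARENT_I1, i.e. the
    IKE_SA_INIT request was sent but no reply was ever accepted."""
    stuck = {}
    for line in showstates.splitlines():
        m = STATE_RE.match(line)
        if m and m["state"] == "STATE_V2_PARENT_I1":
            stuck[m["conn"]] = m["state"]
    return stuck


def responder_view(log: str) -> dict:
    """Per connection: how often the responder sent an IKE_SA_INIT reply and
    how often it saw the same request again (the initiator retransmitting)."""
    seen = defaultdict(lambda: {"replies_sent": 0, "duplicates": 0})
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["msg"].startswith("sent IKE_SA_INIT reply"):
            seen[m["conn"]]["replies_sent"] += 1
        elif "received duplicate IKE_SA_INIT message request" in m["msg"]:
            seen[m["conn"]]["duplicates"] += 1
    return dict(seen)


def diagnose(showstates: str, log: str) -> dict:
    """Combine both views into a verdict per stuck connection. Assumes the
    conn name is the same on both hosts (true for the post's config)."""
    verdicts = {}
    resp = responder_view(log)
    for conn in stuck_initiators(showstates):
        r = resp.get(conn)
        if r is None:
            # Responder never logged anything: the request itself is not
            # arriving (initiator egress, responder ingress, or right= resolving
            # to the wrong address).
            verdicts[conn] = ("request not seen by responder: IKE_SA_INIT never arrives; "
                              "check UDP/500 from initiator to responder and what right= resolves to")
        else:
            # Responder got the request and answered; the reply is what is lost.
            verdicts[conn] = ("reply lost on return path: responder answered "
                              f"{r['replies_sent']} time(s) and re-answered {r['duplicates']} retransmit(s); "
                              "check UDP/500 from responder back to initiator, asymmetric routing, NAT")
    return verdicts


if __name__ == "__main__":
    for conn, verdict in diagnose(INITIATOR_STATES, RESPONDER_LOG).items():
        print(f"{conn}: {verdict}")
```

To confirm the verdict on real hosts, run `tcpdump -ni enp3s0 udp port 500 or udp port 4500` on both sides at once: the initiator should show requests leaving and, if the diagnosis above holds, no replies coming back, while the responder shows both. With that in hand, plutodebug can be left at its default; the "RETRANSMIT" and "retransmitting response" lines at normal log level are already the signature.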