[Swan] Connect fails with STATE_V2_PARENT_I1 retransmission
Alex
mysqlstudent at gmail.com
Sun Jun 4 18:55:26 EEST 2023
Hi,
I'm using libreswan-4.11-1.fc37.x86_64 on two fedora37 hosts to try to
build a VPN between them. It was working fine for some days, but I believe
I changed something on one of the servers, not related to libreswan, that
caused it to stop working. It appears they're not communicating, like a
routing problem or protocol issue. I really have no idea how to
troubleshoot this.
The server where I believe the problem is also has another libreswan VPN
that also stopped working at the same time.
Here's the config info I think could help troubleshooting this from the
host with the problem.
# ipsec status whack --showstates
000 #43: "mail03-arcade":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #43: pending CHILD SA for "mail03-arcade"
000 #44: "mail03-polaris":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #44: pending CHILD SA for "mail03-polaris"
Jun 4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Jun 4 11:49:49.468301: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Jun 4 11:49:49.968929: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Here's also a pastebin for "ipsec status" on the server that I believe has
the problem:
https://pastebin.com/sezgcCGK
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.195.111.41   0.0.0.0         UG    0      0        0 enp3s0
68.195.111.40   0.0.0.0         255.255.255.248 U     0      0        0 enp3s0
192.168.1.0     68.195.111.42   255.255.255.0   UG    0      0        0 enp3s0
# ip a l enp3s0
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:b7:85:00:90:12 brd ff:ff:ff:ff:ff:ff
    inet 68.195.111.45/29 brd 68.195.111.47 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 ::9ab7:85ff:fe00:9012/64 scope global dynamic mngtmpaddr
       valid_lft 3598sec preferred_lft 3598sec
    inet6 fe80::9ab7:85ff:fe00:9012/64 scope link
       valid_lft forever preferred_lft forever
# cat /etc/ipsec.conf|grep -Ev '#|^$'
config setup
    logfile=/var/log/pluto.log
    plutodebug="base"
    protostack=netkey
include /etc/ipsec.d/*.conf
conn mail03-polaris
    ikev2=insist
    authby=rsasig
    auto=start
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    leftid=@mail03-polaris
    left=mail03.example.com
    leftrsasigkey=0sAwEAAc6MjfCgIevnKOqbiEa4Xtc3dIliJHwMq3UtJ4tnB1EVylAz+6XHWuC9K15re6vunBi45jqoI0zKQioLL9bMfvlLUHQFVL03EH1trAsmXc8YGN
    ...
    rightid=@polaris-mail03
    right=polaris.example.com
    rightrsasigkey=0sAwEAAa9XC9vHpR61Gpu6AL8aRLFMztYeFOHzXXjnrfDuictzqJXn6zyjZvleg9oXuX6zOZFLz6oRoobNa5T+aTvAPH7DeJk2Jp4t+PZTbQB7krrdY...
How do I enable a reasonable amount of logging? Even plutodebug="base" is
entirely too detailed for me to identify any useful info.
I'm using iptables and have rules that allow unimpeded traffic to and from
each host.
Thank you very much. I've spent hours trying to figure this out, so I really
appreciate your help.
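The two outputs above together describe a one-way path: the responder logs "sent IKE_SA_INIT reply" and then "received duplicate IKE_SA_INIT" while the initiator sits in STATE_V2_PARENT_I1 retransmitting. The following added script (not from the post or from libreswan) parses constructed copies of those lines and classifies each stuck connection as "request-lost" (responder never saw it) or "reply-lost" (responder answered but the reply never came back), which is the distinction to check before looking at firewall or routing:

```python
import re

# Constructed sample input modelled on the post (not captured from the poster's hosts):
# the responder's pluto log and the initiator's "ipsec status" output.
RESPONDER_LOG = """\
Jun 4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Jun 4 11:49:49.468301: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Jun 4 11:49:49.968929: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
"""
INITIATOR_STATUS = """\
000 #44: "mail03-polaris":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #44: pending CHILD SA for "mail03-polaris"
"""

LOG_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: (?P<msg>.*)')
STATE_RE = re.compile(r'^000 #\d+: "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+)')

def summarize_responder(log):
    """Per connection: IKE_SA_INIT replies sent and duplicate requests seen afterwards."""
    stats = {}
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        s = stats.setdefault(m["conn"], {"replies": 0, "duplicates": 0})
        if "sent IKE_SA_INIT reply" in m["msg"]:
            s["replies"] += 1
        elif "received duplicate IKE_SA_INIT" in m["msg"]:
            s["duplicates"] += 1
    return stats

def initiator_states(status):
    """Map each connection in 'ipsec status' output to its IKE SA state."""
    return {m["conn"]: m["state"] for m in map(STATE_RE.match, status.splitlines()) if m}

def diagnose(responder_log, initiator_status):
    """Classify every connection the initiator reports as stuck in STATE_V2_PARENT_I1."""
    resp = summarize_responder(responder_log)
    result = {}
    for conn, state in initiator_states(initiator_status).items():
        if state != "STATE_V2_PARENT_I1":
            result[conn] = "not-stuck"
        elif conn not in resp:
            result[conn] = "request-lost"   # responder never logged the request
        elif resp[conn]["replies"] and resp[conn]["duplicates"]:
            result[conn] = "reply-lost"     # responder answered; reply never arrived
        else:
            result[conn] = "undetermined"
    return result
```

A "reply-lost" verdict means the initiator's request does arrive, so the thing to inspect is the return direction: UDP/500 (and 4500) inbound on the initiator and the route the responder uses to reach it.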