[Swan] connections collisions received duplicate IKE_SA_INIT
Ian Willis
ian at checksum.net.au
Thu Oct 12 10:04:14 EEST 2023
Hi All

Using the default libreswan on Rocky 8.8: libreswan-4.9-3.el8_8.x86_64

I have a server with a public IP which about a dozen "clients" connect to. However, occasionally a client can't connect. It appears that the server mistakes the connection for an existing one. It also happens when the client which can't connect is behind CG-NAT; not sure about other times.

Each has a server and client configuration something like the below, with the server having multiple configurations, each with the same rsakey. (If the config is dumb, let me know.)

The server configuration is something like this:
###############
conn server1-client1
leftid=server1.name.com
left=a.b.c.d
leftsubnet=0.0.0.0/0
leftmodecfgserver=yes
leftxauthserver=yes
# rsakey AwEAAZttF
leftrsasigkey=0sAwEAAZttF......w==
rightid=client1.name.com
#rightsubnet=0.0.0.0/0
right=%any
rightaddresspool=10.205.205.16-10.205.205.17
modecfgdns="10.19.96.7 10.19.96.4"
# rsakey AwEAAcf9i
rightrsasigkey=0sAwEAAcf9i.......MSO0=
authby=rsasig
ikev2=insist
auto=add
dpddelay=30
dpdtimeout=120
dpdaction=clear
###############
The client configuration is something like this:
###############
conn server1-client1
leftid=server1.name.com
left=a.b.c.d
leftsubnet=0.0.0.0/0
# rsakey AwEAAZttF
leftrsasigkey=0sAwEAAZttF......mw==
rightid=client1.name.com
right=%defaultroute
rightmodecfgclient=yes
rightsubnet=0.0.0.0/0
rightxauthclient=yes
# rsakey AwEAAcf9i
rightrsasigkey=0sAwEAAcf9i......SO0=
type=tunnel
authby=rsasig
auto=start
ikev2=insist
mobike=yes
rekey=yes
###############
Oct 12 17:09:48 server1 pluto[300219]: "server1-client5"[31] 65.181.13.24 #242: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals
  1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192[first-match]
  2:IKE:ENCR=CHACHA20_POLY1305;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
  3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
  4:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
  5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
Oct 12 17:09:48 server1 pluto[300219]: "server1-client1"[31] 65.181.13.24 #242: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
Oct 12 17:09:49 server1 pluto[300219]: "server1-client1"[31] 65.181.13.24 #242: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Oct 12 17:09:49 server1 pluto[300219]: "server1-client1"[31] 65.181.13.24 #242: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Oct 12 17:09:50 server1 pluto[300219]: "server1-client1"[31] 65.181.13.24 #242: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Oct 12 17:09:52 server1 pluto[300219]: "server1-client1"[31] 65.181.13.24 #242: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response