[Swan] Possible to setup multiple connections, partly behind NAT?
Phil Nightowl
phil.nightowl at gmail.com
Tue Feb 13 16:37:28 EET 2024
Hello again!
Thanks for all information regarding x509 and appropriate matching
within DNs.
Meanwhile, after adjusting the configs in order to remove opportunistic
encryption, I tried to take the next step and get the connection with
remotehost1.privlan to work.
As of now, I have failed. In more detail, this means that
- the connections on 192.168.1.0/24 work as they have before, although
without opportunistic encryption;
- attempts to connect from remotehost1.privlan to server.privlan fail.
To summarize briefly:
remotehost1.privlan has 10.0.1.138, sitting behind a public 203.0.113.55;
its config is
conn headq
left=%defaultroute
leftcert=remotehost1
leftid=%fromcert
right=198.51.100.33
rightid=%fromcert
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
ikev2=insist
auto=start
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
pfs=yes
aggressive=no
salifetime=1h
negotiationshunt=hold
failureshunt=drop
rightca=%same
(plus a ssh-passthrough conn)
When attempting to connect, the logfile says:
==============================
systemd[1]: Starting ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec...
ipsec[3507]: nflog ipsec capture disabled
pluto[3521]: Initializing NSS using read-write database "sql:/var/lib/ipsec/nss"
pluto[3521]: FIPS Mode: NO
pluto[3521]: NSS crypto library initialized
pluto[3521]: FIPS mode disabled for pluto daemon
pluto[3521]: FIPS HMAC integrity support [disabled]
pluto[3521]: libcap-ng support [enabled]
pluto[3521]: Linux audit support [enabled]
pluto[3521]: Linux audit activated
pluto[3521]: Starting Pluto (Libreswan Version 4.3 IKEv2 IKEv1 XFRM(netkey) XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-PRF) DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC (SELINUX) LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:3521
pluto[3521]: core dump dir: /run/pluto
pluto[3521]: secrets file: /etc/ipsec.secrets
pluto[3521]: leak-detective enabled
pluto[3521]: NSS crypto [enabled]
pluto[3521]: XAUTH PAM support [enabled]
pluto[3521]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
pluto[3521]: NAT-Traversal support [enabled]
pluto[3521]: Encryption algorithms:
<...>
pluto[3521]: testing HMAC_MD5:
pluto[3521]: RFC 2104: MD5_HMAC test 1
pluto[3521]: RFC 2104: MD5_HMAC test 2
systemd[1]: Started ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec.
pluto[3521]: RFC 2104: MD5_HMAC test 3
pluto[3521]: 2 CPU cores online
pluto[3521]: starting up 2 helper threads
pluto[3521]: started thread for helper 0
pluto[3521]: started thread for helper 1
pluto[3521]: using Linux xfrm kernel support code on #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1~bpo11+1 (2023-10-08)
pluto[3521]: seccomp security for helper not supported
pluto[3521]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes
pluto[3521]: seccomp security for helper not supported
pluto[3521]: selinux support is NOT enabled.
pluto[3521]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
pluto[3521]: watchdog: sending probes every 100 secs
pluto[3521]: seccomp security not supported
pluto[3521]: "headq": loaded private key matching left certificate 'remotehost1'
pluto[3521]: "headq": added IKEv2 connection
pluto[3521]: "headq-ssh-pass": failed to add connection: shunt connection cannot have authentication method other then authby=never
pluto[3521]: listening for IKE messages
pluto[3521]: Kernel supports NIC esp-hw-offload
pluto[3521]: adding UDP interface enp2s0 10.0.1.138:500
pluto[3521]: adding UDP interface enp2s0 10.0.1.138:4500
pluto[3521]: adding UDP interface lo 127.0.0.1:500
pluto[3521]: adding UDP interface lo 127.0.0.1:4500
pluto[3521]: forgetting secrets
pluto[3521]: loading secrets from "/etc/ipsec.secrets"
pluto[3521]: no secrets filename matched "/etc/ipsec.d/*.secrets"
pluto[3521]: "headq" #1: initiating IKEv2 connection
pluto[3521]: "headq": local IKE proposals (IKE SA initiator selecting KE):
pluto[3521]: "headq": 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[3521]: "headq": 2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[3521]: "headq": 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[3521]: "headq": 4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[3521]: "headq" #1: sent IKE_SA_INIT request
pluto[3521]: "headq" #1: reloaded private key matching left certificate 'remotehost1'
pluto[3521]: "headq": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals):
pluto[3521]: "headq": 1:ESP=AES_GCM_C_256-NONE-NONE-DISABLED
pluto[3521]: "headq": 2:ESP=AES_GCM_C_128-NONE-NONE-DISABLED
pluto[3521]: "headq": 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED
pluto[3521]: "headq": 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED
pluto[3521]: "headq" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
pluto[3521]: "headq" #2: STATE_PARENT_I2: retransmission; will wait 0.5 seconds for response
pluto[3521]: "headq" #2: STATE_PARENT_I2: retransmission; will wait 1 seconds for response
pluto[3521]: "headq" #2: STATE_PARENT_I2: retransmission; will wait 2 seconds for response
pluto[3521]: "headq" #2: dropping unexpected IKE_AUTH message containing TS_UNACCEPTABLE notification; message payloads: SKF; encrypted payloads: IDr,CERT,AUTH,N; unexpected payloads: IDr,CERT,AUTH
pluto[3521]: "headq" #2: encountered fatal error in state STATE_PARENT_I2
pluto[3521]: "headq" #2: deleting state (STATE_PARENT_I2) aged 2.45823s and NOT sending notification
systemd[1]: Stopping ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec...
pluto[3521]: shutting down
pluto[3521]: "headq" #1: deleting state (STATE_PARENT_I2) aged 26.561805s and NOT sending notification
whack[3580]: 002 shutting down
pluto[3521]: forgetting secrets
pluto[3521]: shutting down interface lo 127.0.0.1:4500
pluto[3521]: shutting down interface lo 127.0.0.1:500
pluto[3521]: shutting down interface enp2s0 10.0.1.138:4500
pluto[3521]: shutting down interface enp2s0 10.0.1.138:500
pluto[3521]: leak detective found no leaks
systemd[1]: ipsec.service: Deactivated successfully.
systemd[1]: Stopped ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec.
systemd[1]: ipsec.service: Consumed 1.591s CPU time.
==============================
Here's the responder side:
server.privlan has 192.168.1.253, sitting behind 198.51.100.33, and a config
of
conn privlan
left=%defaultroute
right=%any
auto=ondemand
authby=rsasig
ikev2=insist
leftid=%fromcert
rightid=%fromcert
leftrsasigkey=%cert
rightrsasigkey=%cert
leftcert=server
leftsendcert=always
rightsendcert=always
rightca=%same
pfs=yes
aggressive=no
salifetime=1h
negotiationshunt=hold
failureshunt=drop
conn remotesite
left=%defaultroute
right=203.0.113.55
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
auto=add
ikev2=yes
authby=rsasig
leftid=%fromcert
rightid=%fromcert
leftrsasigkey=%cert
rightrsasigkey=%cert
leftcert=server
pfs=yes
aggressive=no
salifetime=1h
negotiationshunt=hold
failureshunt=drop
rekey=no
(plus the usual ssh-passthrough)
On this end, the connection attempt yields:
==============================
systemd[1]: Starting ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec...
ipsec[22707]: nflog ipsec capture disabled
pluto[22719]: Initializing NSS using read-write database "sql:/var/lib/ipsec/nss"
pluto[22719]: FIPS Mode: NO
pluto[22719]: NSS crypto library initialized
pluto[22719]: FIPS mode disabled for pluto daemon
pluto[22719]: FIPS HMAC integrity support [disabled]
pluto[22719]: libcap-ng support [enabled]
pluto[22719]: Linux audit support [enabled]
pluto[22719]: Linux audit activated
pluto[22719]: Starting Pluto (Libreswan Version 4.10 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC (SELINUX) LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:22719
pluto[22719]: core dump dir: /run/pluto
pluto[22719]: secrets file: /etc/ipsec.secrets
pluto[22719]: leak-detective enabled
pluto[22719]: NSS crypto [enabled]
pluto[22719]: XAUTH PAM support [enabled]
pluto[22719]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
pluto[22719]: NAT-Traversal support [enabled]
pluto[22719]: Encryption algorithms:
pluto[22719]: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
<...>
pluto[22719]: testing HMAC_SHA1:
pluto[22719]: CAVP: IKEv2 key derivation with HMAC-SHA1
systemd[1]: Started ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec.
pluto[22719]: 2 CPU cores online
pluto[22719]: starting up 2 helper threads
pluto[22719]: started thread for helper 0
pluto[22719]: started thread for helper 1
pluto[22719]: using Linux xfrm kernel support code on #1 SMP Debian 6.5.10-1~bpo12+1 (2023-11-23)
pluto[22719]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes
pluto[22719]: selinux support is NOT enabled.
pluto[22719]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
pluto[22719]: watchdog: sending probes every 100 secs
pluto[22719]: helper(2) seccomp security for helper not supported
pluto[22719]: helper(1) seccomp security for helper not supported
pluto[22719]: seccomp security not supported
pluto[22719]: "privlan-ssh": added passthrough connection
pluto[22719]: "privlan": IKE SA proposals (connection add):
pluto[22719]: "privlan": 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "privlan": 2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "privlan": 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "privlan": 4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "privlan": Child SA proposals (connection add):
pluto[22719]: "privlan": 1:ESP=AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
pluto[22719]: "privlan": 2:ESP=AES_GCM_C_128-NONE-NONE-ENABLED+DISABLED
pluto[22719]: "privlan": 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[22719]: "privlan": 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[22719]: "privlan": loaded private key matching left certificate 'server'
pluto[22719]: "privlan": added IKEv2 connection
pluto[22719]: "remotesite": IKE SA proposals (connection add):
pluto[22719]: "remotesite": 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "remotesite": 2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "remotesite": 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "remotesite": 4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "remotesite": Child SA proposals (connection add):
pluto[22719]: "remotesite": 1:ESP=AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
pluto[22719]: "remotesite": 2:ESP=AES_GCM_C_128-NONE-NONE-ENABLED+DISABLED
pluto[22719]: "remotesite": 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[22719]: "remotesite": 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[22719]: "remotesite": added IKEv2 connection
pluto[22719]: "remotesite-ssh": added passthrough connection
pluto[22719]: listening for IKE messages
pluto[22719]: Kernel supports NIC esp-hw-offload
pluto[22719]: adding UDP interface eth2 192.168.1.254:500
pluto[22719]: adding UDP interface eth2 192.168.1.254:4500
pluto[22719]: adding UDP interface lo 127.0.0.1:500
pluto[22719]: adding UDP interface lo 127.0.0.1:4500
pluto[22719]: forgetting secrets
pluto[22719]: loading secrets from "/etc/ipsec.secrets"
pluto[22719]: no secrets filename matched "/etc/ipsec.d/*.secrets"
pluto[22719]: "privlan": cannot route template policy of IKEv2+RSASIG+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+failureDROP
pluto[22719]: EXPECTATION FAILED: peer_client->ipproto == transport_proto->ipproto (bare_shunt_ptr() +1395 /programs/pluto/kernel.c)
pluto[22719]: EXPECTATION FAILED: src_client_proto == dst_client_proto (raw_policy() +126 /programs/pluto/kernel_ops.c)
pluto[22719]: EXPECTATION FAILED: selector_protocol(*dst_client) == client_proto (xfrm_raw_policy() +536 /programs/pluto/kernel_xfrm.c)
pluto[22719]: EXPECTATION FAILED: src_client_proto == dst_client_proto (raw_policy() +126 /programs/pluto/kernel_ops.c)
pluto[22719]: EXPECTATION FAILED: selector_protocol(*dst_client) == client_proto (xfrm_raw_policy() +536 /programs/pluto/kernel_xfrm.c)
pluto[22719]: "remotesite" #1: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
pluto[22719]: "remotesite" #1: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
pluto[22719]: "remotesite" #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,SA,TSi,TSr}
pluto[22719]: "remotesite" #1: reloaded private key matching left certificate 'server'
pluto[22719]: "remotesite" #1: switched to "privlan"[1] 203.0.113.55
pluto[22719]: "privlan"[1] 203.0.113.55 #1: responder established IKE SA; authenticated peer '8192-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'C=XX, O=MyOrg, CN=remotehost1.privlan' issued by CA 'CN=MyOrg CA'
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
systemd[1]: Stopping ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec...
whack[22761]: 002 shutting down
pluto[22719]: shutting down
pluto[22719]: Pluto is shutting down
pluto[22719]: "privlan"[1] 203.0.113.55: deleting connection instance with peer 203.0.113.55 {isakmp=#1/ipsec=#0}
pluto[22719]: "privlan"[1] 203.0.113.55 #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 183.302839s and sending notification
pluto[22719]: EXPECTATION FAILED: src_client_proto == dst_client_proto (raw_policy() +126 /programs/pluto/kernel_ops.c)
pluto[22719]: EXPECTATION FAILED: selector_protocol(*dst_client) == client_proto (xfrm_raw_policy() +536 /programs/pluto/kernel_xfrm.c)
pluto[22719]: EXPECTATION FAILED: src_client_proto == dst_client_proto (raw_policy() +126 /programs/pluto/kernel_ops.c)
pluto[22719]: EXPECTATION FAILED: selector_protocol(*dst_client) == client_proto (xfrm_raw_policy() +536 /programs/pluto/kernel_xfrm.c)
pluto[22719]: "remotesite-ssh": kernel: xfrm XFRM_MSG_DELPOLICY for flow %discard(discard) (in) encountered unexpected policy
pluto[22719]: "privlan-ssh": kernel: xfrm XFRM_MSG_DELPOLICY for flow %discard(discard) (in) encountered unexpected policy
pluto[22719]: forgetting secrets
pluto[22719]: shutting down interface lo 127.0.0.1:4500
pluto[22719]: shutting down interface lo 127.0.0.1:500
pluto[22719]: shutting down interface eth2 192.168.1.254:4500
pluto[22719]: shutting down interface eth2 192.168.1.254:500
pluto[22719]: leak detective found no leaks
systemd[1]: ipsec.service: Deactivated successfully.
systemd[1]: Stopped ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec.
systemd[1]: ipsec.service: Consumed 3.557s CPU time.
==============================
Any ideas about what to adjust and how? To me, it appears that the point
of failure is currently on the responder's side: pluto starts receiving
IKE messages from remotehost1.privlan and selects the conn "remotesite"
(which is correct), but shortly thereafter switches to the conn
"privlan". Unfortunately, I have no idea why it does that and how to
make it stick to the "remotesite" conn that it had selected at the
beginning.
Many thanks,
Phil
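The following is an added diagnostic script, not part of the original post and not Libreswan's own code. It reads a responder pluto log for "switched to" lines, looks up the conn pluto ended on in a minimal ipsec.conf parser, and compares that conn's leftsubnet/rightsubnet with what the initiator's conn offers, so the connection switch and the initiator's TS_UNACCEPTABLE can be correlated. The config and log samples are constructed in the shape of the ones above; the host-to-host default for a missing leftsubnet/rightsubnet is Libreswan's documented behaviour, while the exact-match comparison is a simplification (IKEv2 also permits narrowing).

```python
import re

# Constructed samples, cut down to the keys and log lines the check needs.
RESPONDER_CONF = """\
conn privlan
    right=%any
conn remotesite
    right=203.0.113.55
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
"""
INITIATOR_CONF = """\
conn headq
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
"""
RESPONDER_LOG = """\
pluto[22719]: "remotesite" #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,SA,TSi,TSr}
pluto[22719]: "remotesite" #1: switched to "privlan"[1] 203.0.113.55
"""
INITIATOR_LOG = """\
pluto[3521]: "headq" #2: dropping unexpected IKE_AUTH message containing TS_UNACCEPTABLE notification; message payloads: SKF
"""

SWITCH_RE = re.compile(r'"(?P<before>[^"]+)" #\d+: switched to "(?P<after>[^"]+)"')
TS_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: .*TS_UNACCEPTABLE')

def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: 'conn NAME' headers followed by key=value lines."""
    conns, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def subnets(conn):
    """(leftsubnet, rightsubnet); Libreswan defaults a missing one to the host itself."""
    return (conn.get("leftsubnet", "host"), conn.get("rightsubnet", "host"))

def connection_switches(log):
    """(conn negotiated in IKE_SA_INIT, conn used after IKE_AUTH) per 'switched to' line."""
    return [(m["before"], m["after"]) for m in map(SWITCH_RE.search, log.splitlines()) if m]

def diagnose(responder_log, responder_conf, initiator_log, initiator_conf):
    rconns, iconns = parse_ipsec_conf(responder_conf), parse_ipsec_conf(initiator_conf)
    rejected = [m["conn"] for m in map(TS_RE.search, initiator_log.splitlines()) if m]
    offered = [subnets(c) for c in iconns.values()]
    findings = []
    for before, after in connection_switches(responder_log):
        final = subnets(rconns.get(after, {}))
        # Initiator's left is the responder's right, so compare the pair reversed.
        # A mismatch here is a lead, not a verdict: IKEv2 allows TS narrowing.
        mismatch = any(final != (want[1], want[0]) for want in offered)
        findings.append({"negotiated": before, "final": after,
                         "final_subnets": final, "ts_mismatch": mismatch})
    return {"switches": findings, "ts_rejected_on_initiator": rejected}
```

Run on the real logs, the interesting output is a switch whose final conn has ("host", "host") selectors while the initiator offered 0.0.0.0/0 on both sides.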