<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font face="DejaVu Serif">Hi,</font></p>
<p>After discussing on IRC, thanks to bleve and LetoTo:</p>
<p>3:50:13 PM - bleve: […] bad combination of glibc and kernel
headers.<br>
3:51:01 PM - bleve:
<a class="moz-txt-link-freetext" href="https://libreswan.org/wiki/3.21_on_Debian_Wheezy">https://libreswan.org/wiki/3.21_on_Debian_Wheezy</a><br>
3:51:20 PM - bleve:
<a class="moz-txt-link-freetext" href="https://libreswan.org/wiki/3.21_on_Debian_Wheezy#Workaround_:_enable_header_files_workaround">https://libreswan.org/wiki/3.21_on_Debian_Wheezy#Workaround_:_enable_header_files_workaround</a></p>
<p>So to compile on Debian Jessie, in my case I just did:</p>
<pre>cd libreswan
echo USE_GLIBC_KERN_FLIP_HEADERS=true &gt;&gt; Makefile.inc.local
make programs
make install
...</pre>
<p><br>
</p>
<p>Master branch works if I set "main mode" instead of "aggressive mode" in the Shrew client.<br>
</p>
<p>Forcing 'aggressive mode' in Shrew, it looks to be a bug in the Shrew implementation, from the log line:</p>
<p>xauth-aggr"[1] 192.168.1.138 #1: length of ISAKMP Hash Payload is
larger than can fit<br>
</p>
<p><br>
</p>
<p>Full log can be checked in: <a class="moz-txt-link-freetext" href="https://pastebin.com/4cNSuHAh">https://pastebin.com/4cNSuHAh</a><br>
</p>
<p><br>
</p>
<p>In version 3.25 Shrew can be used by setting "main mode".</p>
<br>
<div class="moz-cite-prefix">On 06/27/2018 01:23 PM, antonio wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0065b322-a7cd-6c76-514d-25bea2f8ffec@wirelessmundi.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p><font face="DejaVu Serif">Hi Paul,<br>
</font></p>
<p><font face="DejaVu Serif">I tried git master directly and also version 3.24 (git checkout v3.24), but I can't compile; it gives me the error:</font></p>
<p><font face="DejaVu Serif">In file included from
/usr/src/libreswan/programs/pluto/linux-copy/linux/xfrm.h:5:0,<br>
from
/usr/src/libreswan/programs/pluto/kernel_netlink.c:56:<br>
/usr/include/netinet/in.h:99:5: error: expected identifier
before numeric constant<br>
IPPROTO_HOPOPTS = 0, /* IPv6 Hop-by-Hop options. */<br>
</font></p>
<p><font face="DejaVu Serif"><br>
</font></p>
<p><font face="DejaVu Serif">More in: <br>
</font></p>
<p><font face="DejaVu Serif"><a class="moz-txt-link-freetext"
href="https://pastebin.com/8B7zKDSE" moz-do-not-send="true">https://pastebin.com/8B7zKDSE</a><br>
</font></p>
<p><font face="DejaVu Serif">I'm trying to compile it on Debian Jessie.</font></p>
<p><font face="DejaVu Serif"><br>
</font></p>
<p><font face="DejaVu Serif">As for the configuration of Shrew, I use most of the default values; I only set:<br>
</font></p>
<p><font face="DejaVu Serif">- general -> remote hostname<br>
</font></p>
<p><font face="DejaVu Serif">- authentication -> authentication method: mutual psk+xauth</font></p>
<p><font face="DejaVu Serif">- authentication -> credentials -> pre-shared key<br>
</font></p>
<p><font face="DejaVu Serif">I've been trying to force different phase 1 and phase 2 parameter combinations to make it work, without success.<br>
</font></p>
<br>
<br>
I did a git bisect between versions 3.20 and 3.21; result:<br>
<br>
5bd36a6ff9420652a563a30662be8b550ccf04d2 is the first bad commit<br>
commit 5bd36a6ff9420652a563a30662be8b550ccf04d2<br>
Author: Paul Wouters <a class="moz-txt-link-rfc2396E"
href="mailto:pwouters@redhat.com" moz-do-not-send="true"><pwouters@redhat.com></a><br>
Date: Fri May 19 15:54:54 2017 -0400<br>
<br>
IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ
payloads<br>
<br>
- Fixup CERT / CERTREQ handling<br>
- Don't give "weak warning" for aggrissive mode with RSA (only
for PSK)<br>
- Cleanups (eg use c instead of st->st_connection)<br>
<br>
:040000 040000 23c6b5650f9fc7891edaad633c4565df06ff20da
03d13f11b6d9211ffdaab401eb73a01bc6c9d61a M programs<br>
<br>
<br>
<br>
To make sure, on every step I did: <br>
<br>
make clean; make programs; make install; systemctl restart ipsec<br>
<br>
<br>
My tunnel configuration:<br>
<pre>conn xauth-aggr
    aggrmode=yes
    also=xauth

conn xauth
    pfs=no
    type=tunnel
    auto=add
    phase2=esp
    sha2-truncbug=yes
    authby=secret
    keyingtries=3
    ikelifetime=8h
    salifetime=1h
    left=192.168.1.137
    leftsubnet=0.0.0.0/0
    leftid=192.168.1.137
    right=%any
    rightid=%any
    rightaddresspool=192.168.20.2-192.168.20.10
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    ike-frag=yes
    #xauthby=pam
    xauthby=alwaysok</pre>
<br>
Secrets:<br>
<pre>192.168.1.137 : PSK "1234"</pre>
<br>
<br>
<div class="moz-cite-prefix">On 06/08/2018 08:03 PM, Paul Wouters
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:alpine.LRH.2.21.1806081400320.25476@bofh.nohats.ca">On
Fri, 8 Jun 2018, antonio wrote: <br>
<br>
<blockquote type="cite">cannot connect with shrew soft vpnclient
to libreswan 3.24 (last version that worked was in version
3.20) with psk+xauth: <br>
</blockquote>
<br>
(this was 3.23 as explained) <br>
<br>
<blockquote type="cite">Jun 08 15:27:46 sol pluto[18056]:
"tunnel8-aggr"[1] 192.168.10.170 #3: STATE_AGGR_R1: sent AR1,
expecting AI2 <br>
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1]
192.168.10.170 #3: Peer ID is ID_IPV4_ADDR: '192.168.10.170' <br>
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1]
192.168.10.170 #3: received Hash Payload does not match
computed value <br>
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1]
192.168.10.170 #3: sending encrypted notification
INVALID_HASH_INFORMATION to <br>
192.168.10.170:33388 <br>
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1]
192.168.10.170 #3: next payload type of ISAKMP Hash Payload
has an unknown <br>
value: 218 (0xda) <br>
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1]
192.168.10.170 #3: malformed payload in packet <br>
</blockquote>
<br>
<blockquote type="cite">The log when connecting with version
3.20: <br>
</blockquote>
<br>
<blockquote type="cite">Jun 08 15:24:34 sol pluto[12290]:
"tunnel8-aggr"[2] 192.168.10.170 #3: STATE_AGGR_R1: sent AR1,
expecting AI2 <br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: transition from state STATE_AGGR_R1 to
state STATE_AGGR_R2 <br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: new NAT mapping for #3, was
192.168.10.170:33388, now <br>
192.168.10.170:40182 <br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: STATE_AGGR_R2: ISAKMP SA established
{auth=PRESHARED_KEY <br>
cipher=aes_256 integ=md5 group=MODP1024} <br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: ignoring informational payload
IPSEC_INITIAL_CONTACT, <br>
msgid=00000000, length=28 <br>
Jun 08 15:24:34 sol pluto[12290]: | ISAKMP Notification
Payload <br>
Jun 08 15:24:34 sol pluto[12290]: | 00 00 00 1c 00 00 00
01 01 10 60 02 <br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: received and ignored informational message
<br>
Jun 08 15:24:34 sol pluto[12290]: | event EVENT_v1_SEND_XAUTH
#3 STATE_AGGR_R2 <br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: XAUTH: Sending Username/Password request
(XAUTH_R0) <br>
</blockquote>
<br>
Would you be able to test 3.21 / 3.22 or maybe do a git bisect to help?<br>
Or alternatively, if you can give me a shrew client config and the libreswan server config, then I can try and run a git bisect to find the issue.<br>
<br>
Although perhaps first you can try and use a 3.24rcX candidate from download.libreswan.org/development/ and see if the problem got fixed already?<br>
<br>
Paul <br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Saludos / Regards / Cumprimentos
Anónio Silva</pre>
<br>
<pre wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Saludos / Regards / Cumprimentos
Anónio Silva</pre>
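<p>Added example (not from this thread, nor from libreswan or Shrew): a small parser that walks pluto log lines of the shape quoted above and separates IKEv1 aggressive-mode exchanges that logged hash or payload failures (INVALID_HASH_INFORMATION, "malformed payload", "larger than can fit") from those that reached ISAKMP SA established and XAUTH. The line regex and the marker strings are assumptions about pluto's log format taken from the quoted lines only; the sample log is constructed, and the "Jun 27" line is a made-up full line around the fragment quoted in the top message, with a placeholder timestamp and pid.</p>

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the pluto lines quoted in this thread.
# The "Jun 27" line wraps the fragment quoted above in a full line; its
# timestamp and pid are placeholders, not values from the thread.
SAMPLE_LOG = """\
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: STATE_AGGR_R1: sent AR1, expecting AI2
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: Peer ID is ID_IPV4_ADDR: '192.168.10.170'
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: received Hash Payload does not match computed value
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: sending encrypted notification INVALID_HASH_INFORMATION to 192.168.10.170:33388
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: next payload type of ISAKMP Hash Payload has an unknown value: 218 (0xda)
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: malformed payload in packet
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=md5 group=MODP1024}
Jun 08 15:24:34 sol pluto[12290]: | event EVENT_v1_SEND_XAUTH #3 STATE_AGGR_R2
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: XAUTH: Sending Username/Password request (XAUTH_R0)
Jun 27 12:00:00 sol pluto[2000]: "xauth-aggr"[1] 192.168.1.138 #1: length of ISAKMP Hash Payload is larger than can fit
"""

# Assumed shape of a per-state pluto line: timestamp, host, pluto[pid],
# "conn"[instance] peer #state: message. Debug lines ("| ...") do not match
# and are skipped on purpose.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)

# Message fragments seen in the thread for a phase 1 that failed to
# authenticate or to parse (assumed stable enough to match on).
FAILURE_MARKERS = (
    "received Hash Payload does not match computed value",
    "INVALID_HASH_INFORMATION",
    "has an unknown value",
    "malformed payload in packet",
    "larger than can fit",
)
# Fragments that show phase 1 completed and XAUTH started.
SUCCESS_MARKERS = (
    "ISAKMP SA established",
    "XAUTH: Sending Username/Password request",
)


def parse_line(line):
    """Return the named fields of one pluto line, or None if it is not a state line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Bucket a pluto message as 'failure', 'success' or 'info'."""
    if any(marker in msg for marker in FAILURE_MARKERS):
        return "failure"
    if any(marker in msg for marker in SUCCESS_MARKERS):
        return "success"
    return "info"


def summarize(log_text):
    """Count failure/success/info messages per (pid, conn, instance, peer, state)."""
    counts = defaultdict(lambda: {"failure": 0, "success": 0, "info": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["pid"], rec["conn"], rec["inst"], rec["peer"], rec["state"])
        counts[key][classify(rec["msg"])] += 1
    return dict(counts)


def failed_exchanges(log_text):
    """Keys of exchanges that logged a failure marker and never established."""
    return sorted(
        key for key, c in summarize(log_text).items()
        if c["failure"] and not c["success"]
    )


if __name__ == "__main__":
    for key in failed_exchanges(SAMPLE_LOG):
        pid, conn, inst, peer, state = key
        print(f'pluto[{pid}] "{conn}"[{inst}] {peer} #{state}: phase 1 failed')
```

Run against a real journal export, the same grouping by connection instance and peer makes it easy to see whether a client is repeatedly failing in STATE_AGGR_R1 (as the Shrew client does here with 3.23/3.24) or whether it establishes and moves on to XAUTH (as with 3.20 and with main mode).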
</body>
</html>