<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font face="DejaVu Serif">Hi Paul,<br>
</font></p>
<p><font face="DejaVu Serif">I tried git master directly and also
version 3.24 (git checkout v3.24) but I can't compile; it gives
me the error:</font></p>
<p><font face="DejaVu Serif">In file included from
/usr/src/libreswan/programs/pluto/linux-copy/linux/xfrm.h:5:0,<br>
from
/usr/src/libreswan/programs/pluto/kernel_netlink.c:56:<br>
/usr/include/netinet/in.h:99:5: error: expected identifier
before numeric constant<br>
IPPROTO_HOPOPTS = 0, /* IPv6 Hop-by-Hop options. */<br>
</font></p>
<p><font face="DejaVu Serif"><br>
</font></p>
<p><font face="DejaVu Serif">More in: <br>
</font></p>
<p><font face="DejaVu Serif"><a class="moz-txt-link-freetext" href="https://pastebin.com/8B7zKDSE">https://pastebin.com/8B7zKDSE</a><br>
</font></p>
<p><font face="DejaVu Serif">I'm trying to compile it on Debian
jessie.</font></p>
<p><font face="DejaVu Serif"><br>
</font></p>
<p><font face="DejaVu Serif">As for the configuration of Shrew, I use
most of the default values; I only set:<br>
</font></p>
<p><font face="DejaVu Serif">- general -> remote hostname<br>
</font></p>
<p><font face="DejaVu Serif">- authentication -> authentication
method: mutual psk+xauth</font></p>
<p><font face="DejaVu Serif">- </font><font face="DejaVu Serif"><font
face="DejaVu Serif">authentication -> credentials -> </font>pre
shared key<br>
</font></p>
<p><font face="DejaVu Serif">I've tried forcing different phase 1 and
phase 2 parameter combinations to make it work, without
success. <br>
</font></p>
<br>
<br>
I did a git bisect between version 3.20 and 3.21, result:<br>
<br>
5bd36a6ff9420652a563a30662be8b550ccf04d2 is the first bad commit<br>
commit 5bd36a6ff9420652a563a30662be8b550ccf04d2<br>
Author: Paul Wouters <a class="moz-txt-link-rfc2396E" href="mailto:pwouters@redhat.com">&lt;pwouters@redhat.com&gt;</a><br>
Date: Fri May 19 15:54:54 2017 -0400<br>
<br>
IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads<br>
<br>
- Fixup CERT / CERTREQ handling<br>
- Don't give "weak warning" for aggrissive mode with RSA (only
for PSK)<br>
- Cleanups (eg use c instead of st->st_connection)<br>
<br>
:040000 040000 23c6b5650f9fc7891edaad633c4565df06ff20da
03d13f11b6d9211ffdaab401eb73a01bc6c9d61a M programs<br>
<br>
<br>
<br>
To make sure, on every step I did: <br>
<br>
make clean; make programs; make install; systemctl restart ipsec<br>
<br>
<br>
My tunnel configuration:<br>
conn xauth-aggr<br>
aggrmode=yes<br>
also=xauth<br>
<br>
conn xauth <br>
pfs=no<br>
type=tunnel<br>
auto=add<br>
phase2=esp<br>
sha2-truncbug=yes<br>
authby=secret<br>
keyingtries=3<br>
ikelifetime=8h<br>
salifetime=1h<br>
left=192.168.1.137<br>
leftsubnet=0.0.0.0/0<br>
leftid=192.168.1.137<br>
right=%any<br>
rightid=%any<br>
rightaddresspool=192.168.20.2-192.168.20.10<br>
dpddelay=10<br>
dpdtimeout=30<br>
dpdaction=clear<br>
leftxauthserver=yes<br>
rightxauthclient=yes<br>
leftmodecfgserver=yes<br>
rightmodecfgclient=yes<br>
modecfgpull=yes<br>
ike-frag=yes<br>
#xauthby=pam<br>
xauthby=alwaysok<br>
<br>
<br>
Secrets:<br>
192.168.1.137 : PSK "1234"<br>
<br>
<br>
<div class="moz-cite-prefix">On 06/08/2018 08:03 PM, Paul Wouters
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:alpine.LRH.2.21.1806081400320.25476@bofh.nohats.ca">On
Fri, 8 Jun 2018, antonio wrote:
<br>
<br>
<blockquote type="cite">cannot connect with shrew soft vpnclient
to libreswan 3.24 (last version that worked was in version
3.20) with psk+xauth:
<br>
</blockquote>
<br>
(this was 3.23 as explained)
<br>
<br>
<blockquote type="cite">Jun 08 15:27:46 sol pluto[18056]:
"tunnel8-aggr"[1] 192.168.10.170 #3: STATE_AGGR_R1: sent AR1,
expecting AI2
<br>
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1]
192.168.10.170 #3: Peer ID is ID_IPV4_ADDR: '192.168.10.170'
<br>
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1]
192.168.10.170 #3: received Hash Payload does not match computed
value
<br>
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1]
192.168.10.170 #3: sending encrypted notification
INVALID_HASH_INFORMATION to
<br>
192.168.10.170:33388
<br>
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1]
192.168.10.170 #3: next payload type of ISAKMP Hash Payload has
an unknown
<br>
value: 218 (0xda)
<br>
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1]
192.168.10.170 #3: malformed payload in packet
<br>
</blockquote>
<br>
<blockquote type="cite">The log when connecting with version 3.20:
<br>
</blockquote>
<br>
<blockquote type="cite">Jun 08 15:24:34 sol pluto[12290]:
"tunnel8-aggr"[2] 192.168.10.170 #3: STATE_AGGR_R1: sent AR1,
expecting AI2
<br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: transition from state STATE_AGGR_R1 to state
STATE_AGGR_R2
<br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: new NAT mapping for #3, was
192.168.10.170:33388, now
<br>
192.168.10.170:40182
<br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: STATE_AGGR_R2: ISAKMP SA established
{auth=PRESHARED_KEY
<br>
cipher=aes_256 integ=md5 group=MODP1024}
<br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: ignoring informational payload
IPSEC_INITIAL_CONTACT,
<br>
msgid=00000000, length=28
<br>
Jun 08 15:24:34 sol pluto[12290]: | ISAKMP Notification Payload
<br>
Jun 08 15:24:34 sol pluto[12290]: | 00 00 00 1c 00 00 00 01
01 10 60 02
<br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: received and ignored informational message
<br>
Jun 08 15:24:34 sol pluto[12290]: | event EVENT_v1_SEND_XAUTH #3
STATE_AGGR_R2
<br>
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2]
192.168.10.170 #3: XAUTH: Sending Username/Password request
(XAUTH_R0)
<br>
</blockquote>
<br>
Would you be able to test 3.21 / 3.22 or maybe do a git bisect to
help?
<br>
Or alternatively, if you can give me a shrew client config and the
<br>
libreswan server config, then I can try and run a git bisect to
find
<br>
the issue.
<br>
<br>
Although perhaps first you can try and use a 3.24rcX candidate
from
<br>
download.libreswan.org/development/ and see if the problem got
fixed
<br>
already?
<br>
<br>
Paul
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Saludos / Regards / Cumprimentos
Anónio Silva</pre>
</body>
</html>