Re: [Swan] Connect fails with STATE_V2_PARENT_I1 retransmission

2023-06-04 Thread Alex
>
>
> Jun  4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
> Jun  4 11:49:49.468301: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
> Jun  4 11:49:49.968929: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
>

I realized I may not have made it clear that my report and all of the
information here are focused on the connection between mail03 and polaris.

I thought it might also be helpful to have a bit of output from tcpdump on
the server with the problem.

# tcpdump -n -i enp3s0 esp or udp port 500 or udp port 4500 or tcp port 4500
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:14:37.375402 IP 68.195.111.45.isakmp > 147.135.9.126.isakmp: isakmp: parent_sa ikev2_init[I]
12:14:37.391669 IP 147.135.9.126.isakmp > 68.195.111.45.isakmp: isakmp: parent_sa ikev2_init[R]

No esp traffic? I'm also not doing NAT-T so I suppose there wouldn't be any
port 4500.

Thanks,
Alex
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


[Swan] Connect fails with STATE_V2_PARENT_I1 retransmission

2023-06-04 Thread Alex
Hi,

I'm using libreswan-4.11-1.fc37.x86_64 on two Fedora 37 hosts to try to
build a VPN between them. It was working fine for some days, but I believe
I changed something on one of the servers, not related to libreswan, that
caused it to stop working. It appears they're not communicating, like a
routing problem or protocol issue. I really have no idea how to
troubleshoot this.

The server where I believe the problem is also has another libreswan VPN
that also stopped working at the same time.

Here's the config info I think could help troubleshooting this from the
host with the problem.

# ipsec status whack --showstates
000 #43: "mail03-arcade":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #43: pending CHILD SA for "mail03-arcade"
000 #44: "mail03-polaris":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #44: pending CHILD SA for "mail03-polaris"

Jun  4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Jun  4 11:49:49.468301: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Jun  4 11:49:49.968929: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response

Here's also a pastebin for "ipsec status" on the server that I believe has
the problem:
https://pastebin.com/sezgcCGK

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.195.111.41   0.0.0.0         UG    0      0        0 enp3s0
68.195.111.40   0.0.0.0         255.255.255.248 U     0      0        0 enp3s0
192.168.1.0     68.195.111.42   255.255.255.0   UG    0      0        0 enp3s0

# ip a l enp3s0
2: enp3s0:  mtu 1500 qdisc fq_codel state
UP group default qlen 1000
link/ether 98:b7:85:00:90:12 brd ff:ff:ff:ff:ff:ff
inet 68.195.111.45/29 brd 68.195.111.47 scope global enp3s0
   valid_lft forever preferred_lft forever
inet6 ::9ab7:85ff:fe00:9012/64 scope global dynamic mngtmpaddr
   valid_lft 3598sec preferred_lft 3598sec
inet6 fe80::9ab7:85ff:fe00:9012/64 scope link
   valid_lft forever preferred_lft forever

# cat /etc/ipsec.conf|grep -Ev '#|^$'
config setup
logfile=/var/log/pluto.log
plutodebug="base"
protostack=netkey
include /etc/ipsec.d/*.conf

conn mail03-polaris
ikev2=insist
authby=rsasig
auto=start
dpddelay=10
dpdtimeout=90
dpdaction=clear
leftid=@mail03-polaris
left=mail03.example.com

leftrsasigkey=0sAwEAAc6MjfCgIevnKOqbiEa4Xtc3dIliJHwMq3UtJ4tnB1EVylAz+6XHWuC9K15re6vunBi45jqoI0zKQioLL9bMfvlLUHQFVL03EH1trAsmXc8YGN
...
rightid=@polaris-mail03
right=polaris.example.com

rightrsasigkey=0sAwEAAa9XC9vHpR61Gpu6AL8aRLFMztYeFOHzXXjnrfDuictzqJXn6zyjZvleg9oXuX6zOZFLz6oRoobNa5T+aTvAPH7DeJk2Jp4t+PZTbQB7krrdY...

How do I enable a reasonable amount of logging? Even plutodebug="base" is
entirely too detailed for me to identify any useful info.

I'm using iptables and have rules that allow unimpeded traffic to and from
each host.

Thank you very much. I've spent hours trying to figure this out, so really
appreciate your help.
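An added example, not from the thread or from libreswan, that turns the two kinds of evidence posted above (the `ipsec status` state lines from the original message and the tcpdump capture from the follow-up) into one check: it finds IKE SAs stuck in STATE_V2_PARENT_I1, counts IKE_SA_INIT requests leaving and responses reaching the capturing host, and reports at which hop the exchange breaks. It assumes the status lines are unwrapped as `ipsec status` prints them, and `local_ip` is the address of the host the capture was taken on; the sample input is constructed.

```python
import re

# Constructed sample input in the shape of the thread's output (not a live capture).
STATUS = """\
000 #44: "mail03-polaris":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #44: pending CHILD SA for "mail03-polaris"
"""
TCPDUMP = """\
12:14:37.375402 IP 68.195.111.45.isakmp > 147.135.9.126.isakmp: isakmp: parent_sa ikev2_init[I]
12:14:37.391669 IP 147.135.9.126.isakmp > 68.195.111.45.isakmp: isakmp: parent_sa ikev2_init[R]
"""
# An IKE SA line of `ipsec status`: 000 #44: "conn":500 STATE_xxx (desc); ...
STATE_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) \(')
# A tcpdump line for an IKE_SA_INIT request [I] or response [R] on UDP/500.
PKT_RE = re.compile(r'^\S+ IP (?P<src>[\d.]+)\.isakmp > (?P<dst>[\d.]+)\.isakmp: '
                    r'isakmp: parent_sa ikev2_init\[(?P<role>[IR])\]')

def stuck_initiators(status_text):
    # conn name -> IKE SA number, for SAs still waiting on an IKE_SA_INIT reply
    stuck = {}
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if m and m.group('state') == 'STATE_V2_PARENT_I1':
            stuck[m.group('conn')] = int(m.group('sa'))
    return stuck

def init_exchange_counts(tcpdump_text, local_ip):
    # how many IKE_SA_INIT requests left local_ip and how many responses reached it
    sent_i = got_r = 0
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        if m.group('role') == 'I' and m.group('src') == local_ip:
            sent_i += 1
        elif m.group('role') == 'R' and m.group('dst') == local_ip:
            got_r += 1
    return sent_i, got_r

def diagnose(status_text, tcpdump_text, local_ip):
    # Place the break in the exchange using both sources; the leading word is the verdict.
    stuck = stuck_initiators(status_text)
    if not stuck:
        return 'ok: no IKE SA stuck in STATE_V2_PARENT_I1'
    sent_i, got_r = init_exchange_counts(tcpdump_text, local_ip)
    conns = ', '.join(sorted(stuck))
    if sent_i == 0:
        return 'egress: requests for %s never leave %s; check the address pluto listens on' % (conns, local_ip)
    if got_r == 0:
        return 'path: requests for %s leave but no response arrives; look at the peer, routing or remote filtering' % conns
    return ('local: responses for %s reach %s yet pluto stays in I1; check input filtering '
            '(iptables/nftables) and the pluto log for why the reply is not accepted' % (conns, local_ip))
```

Run `diagnose(STATUS, TCPDUMP, '68.195.111.45')` against a real `ipsec status` dump and capture to get the same three-way verdict for your own host.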