On Wed, 3 Apr 2024 at 18:22, Bán László via Swan
wrote:
>
> Hi Paul,
>
> there is an IKEv2 IPSec connection (the device on the other side is a
> Palo Alto), where one side has one (leftsubnet) and ~12 subnets
> (rightsubnets) on the other side.
> When expanding righsubnets, the following was logged by libreswan and
> died. The current libreswan version is 4.3.
> My question is, what could have caused this? maybe this is already known?
The create-child code was overhauled around 4.5. I would recommend
updating to the latest 4.x or 5.0rc.
> pluto[19191]: "test/0x11" #36161: negotiated connection
> [10.10.10.0-10.10.10.255:0-65535 0] -> [10.20.0.0-10.20.255.255:0-65535 0]
> pluto[19191]: "test/0x11" #36161: IPsec SA established tunnel mode
> {ESP=>0xfc554696 <0x31268fc3 xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP2048
> NATOA=none NATD=none DPD=active}
> pluto[19191]: "test/0x13" #36163: sent CREATE_CHILD_SA request for new
> IPsec SA
> pluto[19191]: "test/0x13" #36163: state transition 'Process
> CREATE_CHILD_SA IPsec SA Response' failed with v2N_TS_UNACCEPTABLE
> pluto[19191]: "test/0x13" #36163: STATE_V2_NEW_CHILD_I1: retransmission;
> will wait 0.5 seconds for response
> pluto[19191]: ABORT: ASSERTION FAILED: *chosen_proposal == NULL (in
> ikev2_process_sa_payload() at ikev2_spdb_struct.c:1142)
>
>
>
> Thank you for your help!
> laca
>
>
>
> --
> Bán László
> Andrews IT Engineering Kft.
> ___
> Swan mailing list
> Swan@lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
