Re: [Swan] Connect fails with STATE_V2_PARENT_I1 retransmission
Hi,

On Sun, Jun 4, 2023 at 12:19 PM Alex wrote:
>
>> Jun 4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply
>> {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
>> Jun 4 11:49:49.468301: "mail03-polaris" #4: received duplicate
>> IKE_SA_INIT message request (Message ID 0); retransmitting response
>> Jun 4 11:49:49.968929: "mail03-polaris" #4: received duplicate
>> IKE_SA_INIT message request (Message ID 0); retransmitting response
>>
>
> I realized I may not have made it clear that my report and all of the
> information here is focused on the connection between mail03 and polaris.
>
> I thought it might also be helpful to have a bit of output from tcpdump on
> the server with the problem.
>
> # tcpdump -n -i enp3s0 esp or udp port 500 or udp port 4500 or tcp port 4500
> dropped privs to tcpdump
> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
> listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> 12:14:37.375402 IP 68.195.111.45.isakmp > 147.135.9.126.isakmp: isakmp: parent_sa ikev2_init[I]
> 12:14:37.391669 IP 147.135.9.126.isakmp > 68.195.111.45.isakmp: isakmp: parent_sa ikev2_init[R]
>
> No esp traffic? I'm also not doing NAT-T so I suppose there wouldn't be
> any port 4500.
>

I figured out it may be related to adding a new IP address on the same
interface. Can I explicitly define the IP address to use? I started to see
traffic going out on the new IP address but not coming back. I tried to
open the firewall on the other side to accept traffic from the new IP, but
it also didn't work (I didn't actually think it would).

Ideas greatly appreciated.

>
> Thanks,
> Alex
>
> ___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
Re: [Swan] Connect fails with STATE_V2_PARENT_I1 retransmission
>
> Jun 4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply
> {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
> Jun 4 11:49:49.468301: "mail03-polaris" #4: received duplicate
> IKE_SA_INIT message request (Message ID 0); retransmitting response
> Jun 4 11:49:49.968929: "mail03-polaris" #4: received duplicate
> IKE_SA_INIT message request (Message ID 0); retransmitting response
>

I realized I may not have made it clear that my report and all of the
information here is focused on the connection between mail03 and polaris.

I thought it might also be helpful to have a bit of output from tcpdump on
the server with the problem.

# tcpdump -n -i enp3s0 esp or udp port 500 or udp port 4500 or tcp port 4500
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:14:37.375402 IP 68.195.111.45.isakmp > 147.135.9.126.isakmp: isakmp: parent_sa ikev2_init[I]
12:14:37.391669 IP 147.135.9.126.isakmp > 68.195.111.45.isakmp: isakmp: parent_sa ikev2_init[R]

No esp traffic? I'm also not doing NAT-T so I suppose there wouldn't be
any port 4500.

Thanks,
Alex
[Swan] Connect fails with STATE_V2_PARENT_I1 retransmission
Hi,

I'm using libreswan-4.11-1.fc37.x86_64 on two fedora37 hosts to try to
build a VPN between them. It was working fine for some days, but I believe
I changed something on one of the servers, not related to libreswan, that
caused it to stop working. It appears they're not communicating, like a
routing problem or protocol issue. I really have no idea how to
troubleshoot this.

The server where I believe the problem is also has another libreswan VPN
that also stopped working at the same time.

Here's the config info I think could help troubleshooting this from the
host with the problem.

# ipsec status whack --showstates
000 #43: "mail03-arcade":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #43: pending CHILD SA for "mail03-arcade"
000 #44: "mail03-polaris":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #44: pending CHILD SA for "mail03-polaris"

Jun 4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply
{cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Jun 4 11:49:49.468301: "mail03-polaris" #4: received duplicate
IKE_SA_INIT message request (Message ID 0); retransmitting response
Jun 4 11:49:49.968929: "mail03-polaris" #4: received duplicate
IKE_SA_INIT message request (Message ID 0); retransmitting response

Here's also a pastebin for "ipsec status" on the server that I believe has
the problem:
https://pastebin.com/sezgcCGK

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.195.111.41   0.0.0.0         UG    0      0        0 enp3s0
68.195.111.40   0.0.0.0         255.255.255.248 U     0      0        0 enp3s0
192.168.1.0     68.195.111.42   255.255.255.0   UG    0      0        0 enp3s0

# ip a l enp3s0
2: enp3s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 98:b7:85:00:90:12 brd ff:ff:ff:ff:ff:ff
    inet 68.195.111.45/29 brd 68.195.111.47 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 ::9ab7:85ff:fe00:9012/64 scope global dynamic mngtmpaddr
       valid_lft 3598sec preferred_lft 3598sec
    inet6 fe80::9ab7:85ff:fe00:9012/64 scope link
       valid_lft forever preferred_lft forever

# cat /etc/ipsec.conf|grep -Ev '#|^$'
config setup
    logfile=/var/log/pluto.log
    plutodebug="base"
    protostack=netkey
include /etc/ipsec.d/*.conf
conn mail03-polaris
    ikev2=insist
    authby=rsasig
    auto=start
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    leftid=@mail03-polaris
    left=mail03.example.com
    leftrsasigkey=0sAwEAAc6MjfCgIevnKOqbiEa4Xtc3dIliJHwMq3UtJ4tnB1EVylAz+6XHWuC9K15re6vunBi45jqoI0zKQioLL9bMfvlLUHQFVL03EH1trAsmXc8YGN ...
    rightid=@polaris-mail03
    right=polaris.example.com
    rightrsasigkey=0sAwEAAa9XC9vHpR61Gpu6AL8aRLFMztYeFOHzXXjnrfDuictzqJXn6zyjZvleg9oXuX6zOZFLz6oRoobNa5T+aTvAPH7DeJk2Jp4t+PZTbQB7krrdY...

How do I enable a reasonable amount of logging? Even plutodebug="base" is
entirely too detailed for me to identify any useful info.

I'm using iptables and have rules that allow unimpeded traffic to and from
each host.

Thank you very much. I've spent hours trying to figure this out, so really
appreciate your help.
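The two kinds of output in the thread (the "whack --showstates" lines and the pluto.log lines) each tell half of the story: a connection stuck in STATE_V2_PARENT_I1 has sent IKE_SA_INIT but processed no reply, and a host that logs "received duplicate IKE_SA_INIT message request" after "sent IKE_SA_INIT reply" has answered but its answer is not being processed by the peer. The following helper, added here and not part of the thread or of libreswan, parses both formats and turns them into a per-connection verdict; the sample input is copied from the thread's own output, and the regexes assume the libreswan 4.x line formats shown there.

```python
import re
from collections import defaultdict

# Sample input copied from the thread ("ipsec status" / pluto.log excerpts).
STATUS = """\
000 #43: "mail03-arcade":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #43: pending CHILD SA for "mail03-arcade"
000 #44: "mail03-polaris":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 4s; idle;
000 #44: pending CHILD SA for "mail03-polaris"
"""
PLUTO_LOG = """\
Jun 4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Jun 4 11:49:49.468301: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Jun 4 11:49:49.968929: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
"""

# Line formats as they appear in the thread (assumed stable across libreswan 4.x).
STUCK_RE = re.compile(r'^000 #\d+: "(?P<conn>[^"]+)":\d+ STATE_V2_PARENT_I1 .*RETRANSMIT')
REPLY_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: sent IKE_SA_INIT reply')
DUP_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: received duplicate IKE_SA_INIT message request')


def stuck_initiators(status_text):
    """Connections whose IKE SA never left STATE_V2_PARENT_I1: the request
    went out, but no IKE_SA_INIT reply has been processed locally."""
    return sorted({m.group('conn') for m in map(STUCK_RE.match, status_text.splitlines()) if m})


def responder_view(log_text):
    """Per connection, count IKE_SA_INIT replies sent and duplicate requests
    seen afterwards. Duplicates after a reply mean the peer keeps retrying,
    i.e. our reply is leaving but is not being accepted on the other end."""
    stats = defaultdict(lambda: {'replies': 0, 'duplicates': 0})
    for line in log_text.splitlines():
        if m := REPLY_RE.search(line):
            stats[m.group('conn')]['replies'] += 1
        elif m := DUP_RE.search(line):
            stats[m.group('conn')]['duplicates'] += 1
    return dict(stats)


def diagnose(status_text, log_text):
    """Combine both views into a short verdict per connection name."""
    verdicts = {}
    for conn, s in responder_view(log_text).items():
        if s['replies'] and s['duplicates']:
            verdicts[conn] = 'reply sent but peer keeps retrying: check the return path'
    for conn in stuck_initiators(status_text):
        verdicts.setdefault(conn, 'no IKE_SA_INIT reply processed: check request path or peer')
    return verdicts
```

Run it against the full pluto.log and the output of the same showstates command on both hosts; a connection that is "stuck" on one side and "reply sent" on the other isolates the fault to the path between them rather than to IKE negotiation.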