Re: [Swan-dev] XFRMi routing problems with some special cases
> ok, thanks, I will create some tests for the problematic cases and hopefully
> some fixes. I'll push it once I've got a full test result.

Long term, should:

+#ifdef USE_XFRM_INTERFACE +if (c->xfrmi != NULL && c->xfrmi->if_id != 0) +if (!add_xfrm_interface(c, c->logger)) +return 0; +#endif

which is sprinkled over the code base (I found 10 calls?), be pushed into the
routing / unrouting code proper?

___
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
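Review bot: the two nested `if` statements in front of `return 0;` have no braces and test what is really one condition; joining them with `&&` and bracing the body would make it obvious which test guards the early return. Since the message counts about ten copies of this block, a single helper that wraps the `c->xfrmi` check and the `add_xfrm_interface(c, c->logger)` call, and compiles to a no-op when USE_XFRM_INTERFACE is undefined, would keep the `#ifdef` out of the callers and give every call site the same failure path.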
Re: [Swan-dev] XFRMi routing problems with some special cases
On Thu, 2 May 2024 at 05:02, Wolfgang Nothdurft via Swan-dev wrote:
>
> Hi,
>
> I am currently trying to sort out a few cases where routes and rules are
> not handled correctly.

Some internals (i.e., in theory, I'm just including this for completeness)

Part of 5.0+'s overhaul was routing.[hc] and that snuck in the easter egg
debug=routing, it should make debug logs less painful.

Part of 5.1 (unreleased) is to have the listen and orient code trigger
routing and other changes. This means auto=route can be exactly
replicated using <>. While 5.0 was better, it still had some subtle
differences. I don't think they matter here and it should be possible to
reproduce this problem without auto=route. Having tests rely on
auto=route is a pain.

With that in mind, the test network looks like
https://libreswan.org/wiki/Test_Suite#Current_Network_Diagram
I'm guessing this scenario just requires east and west?

The structures involved are:

- CONNECTION; this manages the kernel policy and routing; with templates
  an instance responsibility is split
- CHILD_SA; this manages the kernel state; a connection has one
  established CHILD_SA
- SPD; manages one selector-pair (subnet<->subnet); a connection has one
  spd per selector-pair combination

> For example, with several tunnels to the same peer and auto=route on one
> side, only one route is created, because route-client or route-host is
> only called once.
> Another example is that the xfrmi route in the ipsec routing table 50 is
> deleted prematurely, although another tunnel still needs it.
> Also leftover routes can block a connection in some small side cases.

The theory is that updown is run:

- prepare once for each selector pair (aka spd)
- route is run on an spd when a connection transitions from UNROUTED to
  any ROUTED state (kernel policy initially installed);
- up is run when a connection establishes (kernel state installed)
- down is run when Child SA (kernel state) is deleted
- unroute is run when tearing out kernel policy

(I'll ignore mobike)

The code that tries to handle this is spd_owner(). One of its tasks is to
look for identical SPDs attached to a connection that still require
routing, when one is found it sets .bare_route. Emphasis on the word
TRIES.

> I solved all these cases more or less with "workarounds" in _updown.xfrm.
>
> For example, for deleting the table 50 route, my current approach is to
> see if ip xfrm state contains multiple states to the same destination
> and only delete the route at the last state.
>
> The question would be if it would make more sense for pluto to take over
> the handling of the routing, as with interface-ip, since a reference
> counter would also be required here, especially for deleting the routes,
> or you just have to check whether the route in table 50 is still needed
> by other tunnels to the same destination.

In theory that happens now :-(

First thing, I think, is to add some tests so we can understand the
problem and see why spd_owner() is failing. It might be a straightforward
bug.

> What do you think would be the more reasonable approach here?

Sharing SPDs between connections and using them to exactly track kernel
policy and routing might help with this quagmire, but I suspect it is
more of a way to accelerate the existing logic. When a connection goes
to unroute an SPD, it will still need to search through the list of
other connections using that SPD and see if one still needs it - like
spd_owner() does now.

Linux also has a way to set the priority of kernel policy so that
identical policies can be installed. That doesn't help with routing
though.
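The "search the other connections before unrouting" rule from the message above, as an added example that is not libreswan code and not part of the original thread. Every name in it (`ex_conn`, `ex_route()`, `ex_unroute()`, `other_route_user()`) is hypothetical, the addresses are constructed, and it assumes a shared route is identified by its destination plus the XFRM interface id.

```c
/* Added illustration: hypothetical names, not libreswan's structures. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum ex_routing { EX_UNROUTED, EX_ROUTED };

struct ex_conn {
	const char *name;
	const char *dest;	/* destination the shared route covers */
	unsigned if_id;		/* XFRM interface id carrying the route */
	enum ex_routing routing;
};

/* Assumption: two connections share one kernel route when it has the
 * same destination and goes via the same interface. */
static bool same_route(const struct ex_conn *a, const struct ex_conn *b)
{
	return a->if_id == b->if_id && strcmp(a->dest, b->dest) == 0;
}

/* Search every other connection for one that is still routed and
 * needs the same route as C; NULL means C is the only user. */
static const struct ex_conn *other_route_user(const struct ex_conn *conns,
					       size_t nr,
					       const struct ex_conn *c)
{
	for (size_t i = 0; i < nr; i++) {
		const struct ex_conn *d = &conns[i];
		if (d != c && d->routing == EX_ROUTED && same_route(c, d))
			return d;
	}
	return NULL;
}

/* UNROUTED -> ROUTED.  Returns true when the kernel route must be
 * added, false when another connection already installed it. */
static bool ex_route(struct ex_conn *conns, size_t nr, struct ex_conn *c)
{
	if (c->routing == EX_ROUTED)
		return false;
	bool add = (other_route_user(conns, nr, c) == NULL);
	c->routing = EX_ROUTED;
	return add;
}

/* ROUTED -> UNROUTED.  Returns true only for the last user, so the
 * route is not pulled out from under a tunnel that still needs it. */
static bool ex_unroute(struct ex_conn *conns, size_t nr, struct ex_conn *c)
{
	if (c->routing == EX_UNROUTED)
		return false;	/* a repeated unroute must not delete again */
	c->routing = EX_UNROUTED;
	return other_route_user(conns, nr, c) == NULL;
}

/* Constructed scenario: two tunnels to the same destination over one
 * interface plus an unrelated third.  Bit N of the result is set when
 * step N required a real kernel route change. */
static unsigned ex_scenario(void)
{
	struct ex_conn conns[] = {
		{ "tunnel-a", "192.0.2.1",    1, EX_UNROUTED },
		{ "tunnel-b", "192.0.2.1",    1, EX_UNROUTED },
		{ "tunnel-c", "198.51.100.1", 2, EX_UNROUTED },
	};
	size_t nr = sizeof(conns) / sizeof(conns[0]);
	unsigned mask = 0;

	if (ex_route(conns, nr, &conns[0]))   mask |= 1u << 0; /* first user: add */
	if (ex_route(conns, nr, &conns[1]))   mask |= 1u << 1; /* shared: no add */
	if (ex_route(conns, nr, &conns[2]))   mask |= 1u << 2; /* other route: add */
	if (ex_unroute(conns, nr, &conns[0])) mask |= 1u << 3; /* tunnel-b needs it */
	if (ex_unroute(conns, nr, &conns[1])) mask |= 1u << 4; /* last user: delete */
	if (ex_unroute(conns, nr, &conns[1])) mask |= 1u << 5; /* already unrouted */
	return mask;
}

int main(void)
{
	printf("kernel route changes at steps: 0x%02x\n", ex_scenario());
	return 0;
}
```

Only steps 0, 2 and 4 touch the kernel: the second tunnel reuses the existing route, and the route is deleted when the last tunnel using it is unrouted, not the first.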
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit d5c5aec69b3736ae3a237ebed6b9c76abfc7c7d0
Author: Andrew Cagney
Date: Sun Apr 21 07:28:35 2024 -0400

    ipsecconf: add separate enums for all auto= values

___
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit
Re: [Swan-dev] [Swan-commit] Changes to ref refs/heads/main
On Sat, 20 Apr 2024 at 19:40, Paul Wouters via Swan-dev wrote:
>
> On Sat, 20 Apr 2024, Andrew Cagney via Swan-commit wrote:
>
> >libipsecconf: rename internal enum AUTOSTART_ONDEMAND -> AUTOSTART_ROUTE
>
> This is wrong. The libipsecconf names match the _keywords_ used by auto=
> and auto=route has been long obsoleted for auto=ondemand.

And auto=ondemand makes no sense when the connection is never-negotiate.

I'll define AUTOSTART_ROUTE, AUTOSTART_ONDEMAND, AUTOSTART_START,
AUTOSTART_ADD so that pluto can see exactly what the config file
contained.

> >consistent with other code
>
> Internal code does not matter much. It is the mapping user option to
> variable name that should be consistent in code.

It does matter. The closer the alignment between the UI and the
internals the easier it is to describe and understand a behaviour.
And here all the internals consistently use route/unroute. For
instance, routing an RT_UNROUTED connection transitions it to either
RT_ROUTED_ONDEMAND or RT_ROUTED_NEVER_NEGOTIATE.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 9cc44fe7732b2d4fcf40d6fbfe11bc744faafdbc
Author: Andrew Cagney
Date: Sat Apr 20 10:01:33 2024 -0400

    building: trim #include "sparse_names.h"

commit 6b72c39f973abf4842f5fccffc3ae3aaaeb165ba
Author: Andrew Cagney
Date: Sat Apr 20 09:59:36 2024 -0400

    libipsecconf: rename internal enum AUTOSTART_ONDEMAND -> AUTOSTART_ROUTE

    consistent with other code
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 791d8c0fa83da5a5b8507b1291d937645d3378b9
Author: Andrew Cagney
Date: Fri Apr 19 18:15:14 2024 -0400

    enums: define struct sparse_names, wrap struct sparse_name

    make interface more like struct enum_names
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 3b22dc51e0e6ec736f8e6abc012e5b65f4e7be51
Author: Andrew Cagney
Date: Fri Apr 19 11:28:38 2024 -0400

    documentation: update auto=

commit f0df3e8dd58f840f00535892196d764caad2e43c
Author: Andrew Cagney
Date: Fri Apr 19 11:04:01 2024 -0400

    libipsecconf: rename AUTOSTART_START -> AUTOSTART_UP

commit 48bcbf471eac32386816e818f272520590ff51b0
Author: Andrew Cagney
Date: Fri Apr 19 11:00:17 2024 -0400

    libipsecconn: add AUTOSTART_UNSET, change autostart_names to sparse_name
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit bb9afd4abcc4d5d4d7996bf56accb2e36e355bb3
Author: Andrew Cagney
Date: Thu Apr 18 09:42:35 2024 -0400

    documentation: <> doesn't start libreswan
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit a86c228ae46bd35a3698e446cc318b493cafdc4c
Author: Andrew Cagney
Date: Wed Apr 17 18:09:56 2024 -0400

    testing: crossing-streams-11-eewww-ikev2-permanent is github #1684
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit fe11ce831fcf70d0066af1d3583229d7149e376f
Author: Andrew Cagney
Date: Wed Apr 17 10:30:44 2024 -0400

    testing: expand testing/pluto/crossing-streams-11-* et.al. tests

    some seem to pass

commit 47a0bf1d4f07211a5bd76ebeff168d17738da602
Author: Andrew Cagney
Date: Wed Apr 17 10:12:39 2024 -0400

    testing: in wait-for-pluto.sh, exit after printing usage
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit e3bb785ed512723c5ba79e796e121bc4625a17c1
Author: Andrew Cagney
Date: Tue Apr 16 15:21:59 2024 -0400

    routing: let an initiating IKE SA claim the connection's .negotiating_ike_sa

    For instance: a connection's Child SA is deleted (triggering revival)
    simultaneous to the connection's IKE SA not being viable. Revival will
    initiate a new IKE SA and take over the connection.

commit 51113b11a897370dfbb21a8abde50a9cae39a899
Author: Andrew Cagney
Date: Tue Apr 16 15:27:55 2024 -0400

    testing: crossing-streams-03-ikev2-delete-child-vs-ike is good
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 7bf6a696b3188b565ea03351201fb25d25fae7e8
Author: Andrew Cagney
Date: Tue Apr 16 15:12:33 2024 -0400

    documentation: update authby=

    - list all options
    - mention secret is on its own

    fix #1676 ikev1 authby=rsa,secret not supported but still documented
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 8be28f330852d2966873c85e16153d89d855df0c
Author: Andrew Cagney
Date: Tue Apr 16 11:46:22 2024 -0400

    testing: drop ikev2-crossing-streams-02

    The description is: one connection comes up. One end restarts and
    sends Delete. The other end gets delete but revives.

    Which should be covered by:

      crossing-streams-03-ikev2-delete-child
      crossing-streams-03-ikev2-delete-child-vs-ike
      crossing-streams-03-ikev2-delete-ike
      crossing-streams-03-ikev2-delete-ike-vs-child

    which cross IKE and Child deletes in both directions and with revival
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 95af0ec2e06b958900dfe4ab9010a53e66545dd3
Author: Andrew Cagney
Date: Tue Apr 16 11:37:39 2024 -0400

    testing: rename ikev2-crossing-streams-03-iface to crossing-streams-22-ikev2-ipsec-interface
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 065b81fd24ebbbe9639ae6ed9810aa0c5a6f30af
Author: Andrew Cagney
Date: Tue Apr 16 11:26:26 2024 -0400

    testing: drop ikev2-crossing-streams-01

    should be covered by

      crossing-streams-11-wewe-ikev2-permanent
      crossing-streams-12-weew-ikev2-permanent
      crossing-streams-13-ewew-ikev2-permanent
      crossing-streams-14-ewwe-ikev2-permanent

    which permute the order that east/west cross their paths
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 741423e7701b5fa69ee8f85cf8553c2697eb70b5
Author: Andrew Cagney
Date: Tue Apr 16 10:52:18 2024 -0400

    testing kvm: fix handling empty comments in all.console.txt
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 4fe26afea42eb2d6db91d346c3ab9c5b8b4ad8fd
Author: Andrew Cagney
Date: Mon Apr 15 22:38:33 2024 -0400

    ikev2: when initiating an IKE SA delete, strip .viable_parent

    Stop a crossing Child SA delete trying to use the dying IKE SA as its
    parent.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 53ae36c1c8ad872350d861d52867947df88ce3b5
Author: Andrew Cagney
Date: Mon Apr 15 19:23:37 2024 -0400

    ikev2: merge delete initiator states

    now that deleting an IKE SA doesn't change transitions
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 7904d6858d95b6f44cb36c73eb7a85fd31db30b3
Author: Andrew Cagney
Date: Mon Apr 15 17:05:39 2024 -0400

    testing: update crossing-streams-03-ikev2-delete-child-vs-ike
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit b08874e134c3755ed68e6b245e675d879bbe920c
Author: Andrew Cagney
Date: Mon Apr 15 15:11:19 2024 -0400

    testing: update crossing-streams-03-ikev2-delete-* tests

    The new crossing-streams-03-ikev2-delete-child-vs-ike still doesn't
    work.

commit 39f976e61804193a8a807f37569be6f39c226c6d
Author: Andrew Cagney
Date: Mon Apr 15 15:09:29 2024 -0400

    testing: add drip-outbound packet scripts
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 098109a8aba28bcebc0994284a98d7d4c9a8c977
Author: Andrew Cagney
Date: Sun Apr 14 17:28:27 2024 -0400

    ikev2: fix deadlocking IKE SA deletes

    When initiating an IKE SA delete, don't transition the IKE SA to
    STATE_V2_IKE_SA_DELETE as this causes all inbound requests, such as a
    crossing IKE SA delete, to be ignored. Instead accept exchanges and
    assume the exchange processor can handle the crossing stream. For
    instance receiving a delete IKE SA request while waiting for response
    just deletes the IKE SA.

    Also rename the state STATE_V2_IKE_SA_DELETE to the placeholder
    STATE_V2_ZOMBIE. Once "deleted", the IKE SA should linger for a short
    while so that it can respond to retransmitted delete IKE SA requests.
    Later.

commit f1f8eb9748a49a3049d29a4da9cd0e2f5bf13ec2
Author: Andrew Cagney
Date: Sun Apr 14 17:27:53 2024 -0400

    testing: expect "established IKE SA", not STATE_IKESA_DEL
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 8d75753b2b21a2f6b4ecc7a1c1b1e4f9bd6feeed
Author: Andrew Cagney
Date: Mon Apr 15 10:47:21 2024 -0400

    testing: make crossing-streams-03-ikev2-delete-ike-vs-child wip

    it doesn't expect the peer to cross its stream
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 3244cd94505791a2741d94a46b096275ce4f0e00
Author: Andrew Cagney
Date: Sat Apr 13 17:02:58 2024 -0400

    ikev2: delete STATE_V2_CHILD_SA_DELETE, unused

commit 2cf2bb02bc097eba6d7e38a2f4948f26170809f5
Author: Andrew Cagney
Date: Sat Apr 13 21:03:24 2024 -0400

    testing: update whack-globalstatus-01's states
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit d6adc544e2d5456af968a2ede1daac936ec798f0
Author: Andrew Cagney
Date: Sat Apr 13 16:16:18 2024 -0400

    ikev2: don't set unused child transition fields
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 739d73e7cadd4d90fddb2f58055c922e2ff6a37d
Author: Andrew Cagney
Date: Sat Apr 13 11:24:00 2024 -0400

    ikev2: simplify child transitions and states

    Either it's an IKE state with exchanges or a child state (possibly
    with a single transition).

    Rename the fields:

      .v2.transitions -> .v2.child_transition
      .v2.exchanges -> .v2.ike_exchanges

    to reflect this.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 539222f49a42ba039d70551642a9472589cb84ed
Author: Andrew Cagney
Date: Sat Apr 13 09:47:16 2024 -0400

    ikev2: merge S() and V2_RESPONDER() into V2_STATE()
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 9157343badeb2d02d498cb6801fcc00fe2821ccc
Author: Andrew Cagney
Date: Fri Apr 12 22:48:49 2024 -0400

    ikev2: move IKE_SA_INIT_R0's transitions to IKE_SA_INIT_exchange
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit a0df5037550be9484b6035d80220d5a476629614
Author: Andrew Cagney
Date: Fri Apr 12 21:35:15 2024 -0400

    ikev2: drop empty state v2.transition arrays
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 46fccdc060f5e6c5a1282730e9c871cbe5b4479a
Author: Andrew Cagney
Date: Fri Apr 12 15:13:24 2024 -0400

    ikev2: add v2_INFORMATIONAL_exchange to handle liveness+mobike requests

    Unlike Delete and Redirect Informational exchanges, MOBIKE has no
    simple way of identifying a request. While UPDATE_SA_ADDRESSES signals
    a MOBIKE exchange so too do exchanges containing NAT_DETECTION_*
    instead.

commit f5589d63aceb8e76c5e17dd8450490cd59829f3b
Author: Andrew Cagney
Date: Fri Apr 12 15:22:34 2024 -0400

    testing: update debug-logs in ikev2-mobike-04, grr
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit b52aa750bf610b1a30f75f63160f57e77f5bcf21
Author: Andrew Cagney
Date: Thu Apr 11 16:32:36 2024 -0400

    ikev2: add v2_INFORMATIONAL_V2DELETE_exchange

    Largely merge IKE and Child delete code.

    v2_INFORMATIONAL_v2DELETE_exchange handles all Child SA exchanges, and
    IKE SA delete requests.

    v2_INFORMATIONAL_v2DELETE_ike_exchange handles IKE SA
    initiate/response; for now.

    Also:

    - send correct protocol when deleting AH Child SA
    - save the SA being deleted in the IKE's initiator window
    - when processing response always delete that SA (greatly simplifying
      the code and effectively ignoring the response)
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit f1eb73f400db3b1fe0a864476e75d936f0a99801
Author: Andrew Cagney
Date: Thu Apr 11 16:49:05 2024 -0400

    ikev2: declare v2_INFORMATIONAL_v2N_REDIRECT_exchange in ikev2_redirect.h

    Merge:

      process_v2_INFORMATIONAL_request_v2N_REDIRECT()
      process_v2_INFORMATIONAL_redirect_request()

    into:

      process_v2_INFORMATIONAL_v2N_REDIRECT_request()

    adding to the exchange as the responder transition and drop call in
    ikev2_informational.c.

    Drop do_unroute code intended for IKE_AUTH exchange.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 933e5af9c7213cafdc7011ffaaa00bbbe8a207d2
Author: Andrew Cagney
Date: Thu Apr 11 21:52:31 2024 -0400

    testing: update ikev2-mobike-04's debug logs

    grrr
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 9af3e687062cb6046fb951f6fe74147756716678
Author: Andrew Cagney
Date: Thu Apr 11 13:23:25 2024 -0400

    ikev2: pass MD to record_v2_INFORMATIONAL_response()'s callback

commit 52947ee09e968933e1c670969ac109c8d8482cbc
Author: Andrew Cagney
Date: Thu Apr 11 16:39:41 2024 -0400

    ikev2: declare v2_IKE_AUTH_exchange in ikev2_ike_auth.h
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 93d7688a36dd7159220ed72297e7216194057495
Author: Andrew Cagney
Date: Thu Apr 11 11:56:09 2024 -0400

    ikev2: beautify transition lookup code's debug logs

    nicely indented

commit e1afa38138dff4b453d0340fab23c9efb9a977ae
Author: Andrew Cagney
Date: Thu Apr 11 09:23:18 2024 -0400

    ikev2: add record_v2_INFORMATIONAL_response()
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 56e06ddfcfce80b89d5ab811525e8c024c0fffb3
Author: Andrew Cagney
Date: Thu Apr 11 08:02:03 2024 -0400

    ikev2: move CREATE_CHILD_SA responder transitions to exchange struct

    Also note the need for some careful ordering of the transactions so
    that they match packets.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 1fd005516634884757d2d105550f0aef570f8510
Author: Andrew Cagney
Date: Wed Apr 10 07:40:04 2024 -0400

    ikev2: move redirect exchange responder transitions to ikev2_redirect.c
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit e7643a32954bc48f7d693b955007c85e6a3fc469
Author: Andrew Cagney
Date: Wed Apr 10 16:15:02 2024 -0400

    ikev2: simplify V2_RESPONDER(), don't initialize .v2.transitions

    they are in v2_exchange.responder; and if a responder state wants to
    accept an exchange it should add it to its exchange list
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit f993e3aae5c8445ab6576be651e4590211d41f45
Author: Andrew Cagney
Date: Wed Apr 10 14:44:17 2024 -0400

    ikev2: consolidate IKE_AUTH(EAP) responder transitions

    combine duplicates; move all to v2_exchange .responder.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit e7d2d23d9e696d53b25783fd85a66aa710de004f
Author: Andrew Cagney
Date: Wed Apr 10 14:32:44 2024 -0400

    ikev2: update complete_protected_but_fatal_exchange()

    also look for a transition in the state's list of exchanges
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 6d3517fffa69ec4f0372f8d41bf6f59ca86949c4
Author: Andrew Cagney
Date: Wed Apr 10 13:52:02 2024 -0400

    ikev2: move state_v2_IKE_INTERMEDIATE_R to ikev2_ike_intermediate.[hc]

    This means that the intermediate exchange is self contained.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit b0cc29197b73e6ba94d5b1243ef6ef7721d3a010
Author: Andrew Cagney
Date: Wed Apr 10 13:56:06 2024 -0400

    ikev2: move state_v2_IKE_SA_INIT_R to ikev2_ike_sa_init.[hc]
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 6cb4e5c3970bf980d600dd1d02b87a425d40
Author: Andrew Cagney
Date: Wed Apr 10 14:08:45 2024 -0400

    testing OpenBSD: update to 7.5

    - install clang-17 as seems to work?!?

commit e312ab2371d1c99b0d4c2cfdf367fc40d95f665c
Author: Andrew Cagney
Date: Wed Apr 10 14:08:22 2024 -0400

    building OpenBSD: use clang-17
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 024a898f09856d1b454dd99c3f21ab8322d0c942
Author: Andrew Cagney
Date: Wed Apr 10 10:10:21 2024 -0400

    ikev2: use record_v2_INFORMATIONAL_request() to emit delete

commit 807101a0a729ebbd480ea41f99c0d22dd68e8a52
Author: Andrew Cagney
Date: Wed Apr 10 09:41:19 2024 -0400

    ikev2: add record_v2_INFORMATIONAL_request() to ikev2_informational.[hc]

    replace record_v2_informational_request() in ikev2_send.[hc]
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 0f904ef853a22618ccbe0dbc0c1d7552807e09c4
Author: Andrew Cagney
Date: Tue Apr 9 16:23:46 2024 -0400

    ikev2: move IKE_INTERMEDIATE exchange responder transitions to ikev2_ike_intermediate.c
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit d9745d9c424d819f9597ba0e8c21c6b95aa552f0
Author: Andrew Cagney
Date: Tue Apr 9 23:09:31 2024 -0400

    ikev2: move IKE_AUTH exchange responder transitions to ikev2_ike_auth.c
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit df5658dacc299629856ac0dc3d7fa032e2073093
Author: Andrew Cagney
Date: Wed Apr 10 11:08:49 2024 -0400

    testing NetBSD: update to 10.0
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit d072c0442285fea6c42b6e9c8e44540e4b7c0dcb
Author: Andrew Cagney
Date: Tue Apr 9 23:46:25 2024 -0400

    ikev2: add delete responder transition to ikev2_delete.c

    Don't rely on the generic informational code.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit f87ac8ea1c12f3efcc5dcac13c0b4172b5c2f81e
Author: Andrew Cagney
Date: Wed Apr 10 07:47:32 2024 -0400

    ikev2: add ... to V2_EXCHANGE() for extra initialization
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 1b696cb49c112206f99215a6d40024c7fed5366b
Author: Andrew Cagney
Date: Tue Apr 9 16:23:46 2024 -0400

    ikev2: move IKE_AUTH(EAP) exchange responder transitions to ikev2_eap.c

commit 090cbad9c8d6ab73e2607ba85f3fd2d9ec7bf936
Author: Andrew Cagney
Date: Tue Apr 9 15:46:19 2024 -0400

    ikev2: add struct v2_exchange .responder .start listing transitions for entering into the current exchange

commit 6d9096c1124cf8d3a1637d657c106d00043c3e0d
Author: Andrew Cagney
Date: Tue Apr 9 15:39:48 2024 -0400

    ikev2: move transition-not-found log into find_v2_transition()'s callers

    making find_v2_transition() silent

commit 93267cc34028fbdbe1c4957d26f786ee032b9188
Author: Andrew Cagney
Date: Tue Apr 9 15:18:06 2024 -0400

    ikev2: add find_v2_secured_transition()

commit 2e45a96be3df2488cc1baec8f581b85067901abf
Author: Andrew Cagney
Date: Tue Apr 9 15:10:00 2024 -0400

    ikev2: add find_v2_unsecured_transition(), IKE_SA_INIT only

commit ddbc3419d6f21bb677c4634058142819f96662b7
Author: Andrew Cagney
Date: Wed Apr 10 00:26:31 2024 -0400

    testing: update ikev2-mobike-04
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 92eb68929f8eb935aaf89bf137268e4c41b9a61b
Author: Andrew Cagney
Date: Tue Apr 9 21:05:08 2024 -0400

    ikev2: in is_secured_v2_exchange() check response matches exchange

    catching it earlier; also update message-dropped logs

    Follow-up: ikev2: replace sniff_v2_secured_transition() with is_secured_v2_exchange()

commit 837d485219cff08ad1bdf4003c7cddf10de47847
Author: Andrew Cagney
Date: Tue Apr 9 21:02:22 2024 -0400

    testing: in ikev2-07-invalid-xchg expect meaningful dropped message

    from:
      no useful state microcode entry found for incoming packet
    to:
      unexpected INFORMATIONAL response, expecting IKE_AUTH (authenticate IKE SA); message dropped
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 07e3b135cac4f73ee85bfac031a111d3aae5f8c7
Author: Andrew Cagney
Date: Tue Apr 9 17:46:42 2024 -0400

    testing: update ikev2-mobike-04's expected debug logs

    grrr
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit d65247a6f139c866446117ec3bbf15409c1c28c2
Author: Andrew Cagney
Date: Tue Apr 9 14:03:01 2024 -0400

    ikev2: replace sniff_v2_secured_transition() with is_secured_v2_exchange()

    Where the latter compares the still encrypted message against the
    state's permitted exchanges. For a request, the list is in .st_state
    .v2 .exchanges; and for a response, the exchange is in
    .st_v2_msgid_window .request .exchange.

commit 5ea2e4a08708b29f6bf2f9dacedcb6d48c6071c3
Author: Andrew Cagney
Date: Tue Apr 9 13:17:38 2024 -0400

    ikev2: add struct v2_exchange .secured

    Where a secured exchange leads to secured states (add checks).
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 11955c74e314608098d09a329f7c82bd4ddc04aa
Author: Andrew Cagney
Date: Tue Apr 9 14:11:05 2024 -0400

    ikev2: add/set struct v2_exchange .subplot

    For instance the v2_INFORMATIONAL exchange for MOBIKE has "MOBIKE
    exchange" as the subplot.
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 61417a8ca10f943c300b98584153d23a83ce8229
Author: Andrew Cagney
Date: Tue Apr 9 10:54:47 2024 -0400

    ikev2: move EAP state definitions to ikev2_eap.c

commit e263dd6e5ac9f0e035195266e152c33b274a00c5
Author: Andrew Cagney
Date: Tue Apr 9 10:54:10 2024 -0400

    ikev2: v2_STATE_R_transition[] -> v2_STATE_responder_transition
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 2b2b2753575efbede2db23d6916c1f62b50bc9c0
Author: Andrew Cagney
Date: Tue Apr 9 10:48:40 2024 -0400

    ikev2: make initiate_v2_CREATE_CHILD_SA_*() static
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit df65d3c3fe3508aa1eb6cbaed4a1efad986841d2
Author: Andrew Cagney
Date: Tue Apr 9 07:48:26 2024 -0400

    ikev2: check state's exchanges have transitions
[Swan-commit] Changes to ref refs/heads/main
New commits:

commit 76c91ee607e96cbd5fb2d9e17d1e6df04e8c8de6
Author: Andrew Cagney
Date: Mon Apr 8 21:03:21 2024 -0400

    ikev2: check that each transition's exchange is present

commit e8a378c8be316b553270a2ab768d35a81ed690de
Author: Andrew Cagney
Date: Mon Apr 8 20:55:50 2024 -0400

    ikev2: add a list of valid exchanges to more states

commit 0cbb06455fd51d339cdfecb136a939bf457ad1c5
Author: Andrew Cagney
Date: Mon Apr 8 21:10:44 2024 -0400

    ikev2: in v2_msgid_transitions() drop response finite_state checks

commit fbf6270b80c74bbd545529fdc0620dfa7bf3f2cc
Author: Andrew Cagney
Date: Mon Apr 8 21:07:08 2024 -0400

    ikev2: drop .v2.transitions (for response) from initiator states

    list is found in the associated v2_exchange
[Swan-commit] Changes to ref refs/heads/main
New commits: commit a2b7dfc714e521be8bd07fece41226b2504553f9 Author: Andrew Cagney Date: Mon Apr 8 20:39:17 2024 -0400 ikev2: break up init_ikev2_states() ... into validate_state() validate_state_transition() validate_state_exchange()
[Swan-commit] Changes to ref refs/heads/main
New commits: commit caf582396911744924787599f90f233ed35b21b3 Author: Andrew Cagney Date: Sun Apr 7 20:08:34 2024 -0400 ikev2: turn R() into V2_RESPONDER() use ... to define responder states
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 223e9783ed6435494b11073b83c9401cc49a4f9a Author: Andrew Cagney Date: Sun Apr 7 14:01:59 2024 -0400 ikev2: simplify complete_protected_but_fatal_exchange() For response, use the exchange to find the state that "failed".
[Swan-commit] Changes to ref refs/heads/main
New commits: commit a1e9783d0fbf155f137b0a68bdaf4b30144d0596 Author: Andrew Cagney Date: Sat Apr 6 19:13:57 2024 -0400 ikev2: move struct v2_exchange for IKE_AUTH to ikev2_ike_auth.c commit ec289c0ffe79dc933c64246022cccfa4c17d9c0a Author: Andrew Cagney Date: Sat Apr 6 19:19:21 2024 -0400 ikev2: move struct v2_exchange for IKE_INTERMEDIATE to ikev2_ike_intermediate.c commit a02677ca7dfc5e58e534fc104e7f8c151c0a96d7 Author: Andrew Cagney Date: Sat Apr 6 18:59:58 2024 -0400 ikev2: move struct v2_exchange for IKE_SA_INIT to ikev2_ike_sa_init.c commit 9fc90a4c502d7e389c5e4daa1e4e2487adc30d00 Author: Andrew Cagney Date: Sat Apr 6 19:16:26 2024 -0400 ikev2: move E() macro to ikev2.h as V2_EXCHANGE() it fills in the details of an exchange and states
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 17d7a892a6e7ff9362e126554f1e3f9a52703df1 Author: Andrew Cagney Date: Sat Apr 6 18:05:36 2024 -0400 CHANGES: ikev1's ah changed commit 1054b7bf56a6bc9ee34828bbe6bc713c95a1b312 Author: Andrew Cagney Date: Sat Apr 6 18:04:29 2024 -0400 ikev1: add sha2{256,512} to AH commit f63bfcb81ebcc6233e4683a7ca953171c6407d46 Author: Andrew Cagney Date: Sat Apr 6 18:04:14 2024 -0400 testing: update IKEv1 AH proposals
[Swan-commit] Changes to ref refs/heads/main
New commits: commit ab14365105d250c593b3703bf9fd9f69ff53bfb3 Author: Andrew Cagney Date: Fri Apr 5 19:33:29 2024 -0400 ikev2: delete process_v2_INFORMATIONAL_response() replaced by per-exchange callbacks commit 331abb492528b03fd115baae0bc02271ffed566c Author: Andrew Cagney Date: Fri Apr 5 16:08:58 2024 -0400 ikev2: move mobike response code to mobike exchange
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 85a6b9fcfab3d6aa23ecf423086482645ade88c8 Author: Andrew Cagney Date: Fri Apr 5 15:11:19 2024 -0400 ikev1: merge {main,aggr}_auth_method() authby=rsasig+secret was dropped in v4.7
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 856cbd4e07cef6ab19e792359c168501e6f89b5a Author: Andrew Cagney Date: Fri Apr 5 16:08:03 2024 -0400 testing: in certoe-19-bareshunts-expire expect XXs not -1s the test flip-flops and the less common value was pushed
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 1ba54eef3afd93819a97a4757599f0a64001d0f9 Author: Andrew Cagney Date: Fri Apr 5 15:16:33 2024 -0400 ikev2: move delete sa response transitions into corresponding exchange commit 3621bde6dcfb1884e4836e7858619641f15584fd Author: Andrew Cagney Date: Fri Apr 5 12:58:09 2024 -0400 ikev2: be more consistent with v2_transition names
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 08bf915f5e57b634c0665d6e5672005e6217d00b Author: Andrew Cagney Date: Fri Apr 5 15:55:58 2024 -0400 CHANGES: IKEv1: limit default cryptosuite ...
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 14a53bd4aaa44a320b48ca6360034c6d86bcf283 Author: Andrew Cagney Date: Fri Apr 5 14:16:38 2024 -0400 ikev1: delete IKEv1_oakley_aggr_mode_db_sa() and its tables commit 721af14c47ee90b1e37300eafeff4ce64a91bd22 Author: Andrew Cagney Date: Fri Apr 5 14:10:11 2024 -0400 ikev1: delete IKEv1_oakley_main_mode_db_sa() and its tables no longer needed
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 2079da742858675a0279c9fa356561dbfe0de824 Author: Andrew Cagney Date: Fri Apr 5 10:39:49 2024 -0400 ikev1: pass ikev1_auth_method, not sadb, into ikev1_out_oakley_sa() In ikev1_out_{aggr,main}_sa() to compute value directly (but also cross check result with old SADB magic). commit f522d965f551d30e973c4e73c5caa6028f6a16ca Author: Andrew Cagney Date: Fri Apr 5 10:33:58 2024 -0400 ikev1: add ikev1_out_{aggr,main}_sa(), make ikev1_out_oakley_sa() static commit aa85d1854f7f1c8741637d55253c9f4a2595b5f2 Author: Andrew Cagney Date: Fri Apr 5 10:11:24 2024 -0400 ikev1: inline v1_ike_alg_make_sadb(), simplify can assume c->config->ike_proposals is non-NULL
[Swan-commit] Changes to ref refs/heads/main
New commits: commit dc1cdf66e47087906da92cdda9f4f2dd40609558 Author: Andrew Cagney Date: Fri Apr 5 13:55:49 2024 -0400 ikev1: add DH31 to IKEv1 defaults expected by some versions of strongswan commit b960a1d6547236efd8d9e2c4d1176ce75ba803d8 Author: Andrew Cagney Date: Fri Apr 5 13:55:27 2024 -0400 testing: expect dh31 in IKEv1 output
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 5333bc700d7002755bff5381a11760bd36d4f13f Author: Andrew Cagney Date: Fri Apr 5 11:22:29 2024 -0400 ikev2: move redirect response transition into redirect specific exchange
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 7798d8630c99d75f4af95a147aeb428178909cfa Author: Andrew Cagney Date: Fri Apr 5 08:18:06 2024 -0400 ikev2: move liveness response transitions to liveness exchange struct
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 8dfb7318bb2803514cff2230cb81eb2a03024a5b Author: Andrew Cagney Date: Thu Apr 4 22:03:11 2024 -0400 ikev2: move CREATE_CHILD_SA response transitions into v2_CREATE_CHILD_SA_*_exchange commit 510ba4acee8677c66a523fc52824c0760b168a4a Author: Andrew Cagney Date: Thu Apr 4 21:15:08 2024 -0400 ikev2: dump each state's exchanges commit 161174b572cfa3cf000b8a841535065ab8a35a5c Author: Andrew Cagney Date: Thu Apr 4 21:07:09 2024 -0400 ikev2: add a list of valid exchanges to IKE_SA_INIT_R commit dc25904bf31c71995a7de7f65aaf1c3e2ce76f16 Author: Andrew Cagney Date: Thu Apr 4 21:10:57 2024 -0400 ikev2: add struct v2_exchange .type, set
[Swan-commit] Changes to ref refs/heads/main
New commits: commit e3785be4ecb63ac0525a7566f995c75e3290bb8c Author: Andrew Cagney Date: Fri Apr 5 07:44:18 2024 -0400 ikev1: when no esp=, always use default
[Swan-commit] Changes to ref refs/heads/main
New commits: commit b05734d013e9df65f4e341cb90134786e643f894 Author: Andrew Cagney Date: Thu Apr 4 15:55:10 2024 -0400 ikev1: add dh19 aka secp256r1 to default IKE proposals commit 17f20020755246cc9ecaf699bf0914db3fb51c4e Author: Andrew Cagney Date: Thu Apr 4 21:41:29 2024 -0400 testing: update IKEv1 IKE algorithms
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 17cd1fcf15c82e0e3608eb13afbe3d3da5506bdb Author: Andrew Cagney Date: Thu Apr 4 13:58:40 2024 -0400 ikev2: struct v2_state_transition -> v2_transition It's being tied to the exchange, not the state. commit 228f38806129d062de84c763dd888a7296be31a0 Author: Andrew Cagney Date: Thu Apr 4 13:58:00 2024 -0400 ikev2: add struct v2_transitions .respond to struct v2_exchange and update initializers
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 6ea48a60ddff4acc7cff4d5be5941c23e728acda Author: Andrew Cagney Date: Wed Apr 3 16:43:18 2024 -0400 ikev1: add AES_GCM_16_{128,256} and SHA2_{256,512} to ESP proposals commit 92eae5c172cc0e193eb91db4fdfcc72d19c72eaa Author: Andrew Cagney Date: Thu Apr 4 08:12:42 2024 -0400 testing: update expect IKEv1 algorithms
Re: [Swan] ABORT: ASSERTION FAILED - bug?
On Wed, 3 Apr 2024 at 18:22, Bán László via Swan wrote:
>
> Hi Paul,
>
> there is an IKEv2 IPSec connection (the device on the other side is a
> Palo Alto), where one side has one (leftsubnet) and ~12 subnets
> (rightsubnets) on the other side.
> When expanding rightsubnets, the following was logged by libreswan and
> died. The current libreswan version is 4.3.
> My question is, what could have caused this? maybe this is already known?

The create-child code was overhauled around 4.5. I would recommend updating to the latest 4.x or 5.0rc.

> pluto[19191]: "test/0x11" #36161: negotiated connection
> [10.10.10.0-10.10.10.255:0-65535 0] -> [10.20.0.0-10.20.255.255:0-65535 0]
> pluto[19191]: "test/0x11" #36161: IPsec SA established tunnel mode
> {ESP=>0xfc554696 <0x31268fc3 xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP2048
> NATOA=none NATD=none DPD=active}
> pluto[19191]: "test/0x13" #36163: sent CREATE_CHILD_SA request for new
> IPsec SA
> pluto[19191]: "test/0x13" #36163: state transition 'Process
> CREATE_CHILD_SA IPsec SA Response' failed with v2N_TS_UNACCEPTABLE
> pluto[19191]: "test/0x13" #36163: STATE_V2_NEW_CHILD_I1: retransmission;
> will wait 0.5 seconds for response
> pluto[19191]: ABORT: ASSERTION FAILED: *chosen_proposal == NULL (in
> ikev2_process_sa_payload() at ikev2_spdb_struct.c:1142)
>
> Thank you for your help!
> laca
>
> --
> Bán László
> Andrews IT Engineering Kft.

___ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan
[Swan-commit] Changes to ref refs/heads/main
New commits: commit f22cdff0d398e82826e1c7461a90425d665d966b Author: Andrew Cagney Date: Wed Apr 3 10:11:04 2024 -0400 ikev2: #define E() to build the struct v2_exchange structure Use to build IKE_SA_INIT and IKE_INTERMEDIATE exchanges commit 6731380fae60c2490d13dc07f1949556c3786bcb Author: Andrew Cagney Date: Wed Apr 3 21:21:20 2024 -0400 ikev2: don't assume exchanges have same transitions as state.transitions
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 701b97304333ecf79b1340a351de2f60ed4171e0 Author: Andrew Cagney Date: Wed Apr 3 18:27:28 2024 -0400 lib: in FOR_EACH_ITEM() skip NULL list
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 731b36cd2e432856fbedd27d469deda2e1c03911 Author: Andrew Cagney Date: Wed Apr 3 18:18:57 2024 -0400 CHANGES: building: remove dependency on libxz via libsystemd
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 6cca5e4adee5a2126403483d77752f951525de40 Author: Andrew Cagney Date: Wed Apr 3 16:16:33 2024 -0400 testing kvm: drop systemd-devel from linux and debian package list
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 4eda4c0763beaa54a29e4cf962309c4e297cda0f Author: Andrew Cagney Date: Wed Apr 3 17:06:07 2024 -0400 systemd: add/use liblswsd.a to replace libxz via libsystemd dependency based on documentation and https://www.freedesktop.org/software/systemd/man/devel/sd_notify.html#Notes
[Swan-commit] Changes to ref refs/heads/main
New commits: commit e3ecc342b9be0801e3010007fb376a506f19a67f Author: Andrew Cagney Date: Tue Apr 2 22:44:57 2024 -0400 ikev1: delete no-longer-used IKEv1_ipsec_db_sa() ... along with the hardwired ESP/AH tables commit 454bb3845e2bd363c16b9e7dc5f48b103bfb6aa0 Author: Andrew Cagney Date: Tue Apr 2 22:43:14 2024 -0400 ikev1: split ikev1_out_sa() ... into ikev1_out_oakley_sa() and ikev1_out_quick_sa() commit 1f4018bf4b8584bd187008f979f93ac34f5b7ac6 Author: Andrew Cagney Date: Tue Apr 2 22:08:42 2024 -0400 ikev1: handle adding ipcomp in v1_kernel_alg_makedb() simplifying ikev1_out_sa() commit 6bf9986507c4f04b1df980c6a6fb1a2ec77c84f4 Author: Andrew Cagney Date: Tue Apr 2 22:00:12 2024 -0400 ikev1: simplify v1_kernel_alg_makedb() assume the connection contains a proposal
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 3fc28003d091fb88940c1ded51e4ff6415aebf8e Author: Andrew Cagney Date: Tue Apr 2 15:12:33 2024 -0400 ikev2: add struct v2_transitions .response to struct v2_exchange For now use the same transition list as the corresponding state.
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 84ebd5ccdefe965b7de5574a228ed32e4e45 Author: Andrew Cagney Date: Tue Apr 2 14:18:05 2024 -0400 ikev2: change struct finite_state .v2 .transitions to a pointer ... to const struct v2_transitions
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 506cb5fbd2415ef14e100728d4b960a3bd463fad Author: Andrew Cagney Date: Tue Apr 2 13:15:48 2024 -0400 ikev2: move IKE_SA_DEL_process_v2_INFORMATIONAL_response() to ikev2_delete.c
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 345b7a62a6227b2d0420cc13b5a0753259ce46f9 Author: Andrew Cagney Date: Tue Apr 2 13:11:50 2024 -0400 ikev2: P() -> v2P(), and expand {req,opt}_{enc,clear}_payloads commit 4e0f8e1002ad2924ad33ab1c6f87d52e3f666b7c Author: Andrew Cagney Date: Tue Apr 2 13:11:28 2024 -0400 ikev1: P() -> v1P()
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 88cb1c7f1ff69c0c60d71512a6cc1009069d31b2 Author: Andrew Cagney Date: Tue Apr 2 09:55:20 2024 -0400 ikev2: pass the struct v2_transitions to search into find_v2_transitions() replace find_v2_state_transitions(struct finite_state). Use v2_msgid_transitions() (replacing v2_msgid_state()) to get the transitions for a given message/exchange (including IKE_SA_INIT response).
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 3eeedccf627f512320c67e5e4c27439a26a207f0 Author: Andrew Cagney Date: Tue Apr 2 10:30:47 2024 -0400 ikev2: add struct v2_transitions{.len,.list}, use in struct finite_state make passing around transitions easier
Re: [Swan] Libreswan 5.0rc2 cannot start on debian bullseye
On Tue, 2 Apr 2024 at 09:30, antonio via Swan wrote:
>
> Solved, it was an issue with the kernel…by mistake I was loading an old
> kernel linux-image-3.16.0-4-amd64 boot it with a newer kernel and it's ok.
> Sorry.

Thanks for following this up. I guess this was the fineprint:

> [1711649620] libunbound[20384:0] error: nettle random(yarrow) cannot
> initialize, getentropy failed: Function not implemented

I see what happened next isn't pretty. The message was misleading, and the shutdown was a mess:

> Mar 28 19:13:40.674728: FATAL ERROR: failed to initialize unbound libevent
> ABI, please recompile libunbound with libevent support or recompile libreswan
> without USE_DNSSEC
> Mar 28 19:13:40.674846: WARNING: helper threads still running
> Mar 28 19:13:40.675075: helper(1): seccomp security for helper not supported
> Mar 28 19:13:40.677629: FATAL: ASSERTION FAILED: event_initialized(ev)
> (free_signal_handlers() +448 programs/pluto/server.c)
> Aborted

file a bug if you want.
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 2d9e45899bcdb1b035b5ff860273caa8afca3365 Author: Andrew Cagney Date: Mon Apr 1 23:43:38 2024 -0400 ikev2: in process_packet_with_secured_ike_sa() use .exchange for response When looking for the transition to process an exchange response use struct v2_msgid_window .exchange. For the moment check it is consistent with .st_state.
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 1832284c06128c7f2813c3432ad7a8e4f187b052 Author: Andrew Cagney Date: Mon Apr 1 19:07:45 2024 -0400 ikev2: add struct v2_msgid_window .exchange, set when initiating
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 29e496c89d146e47c2d76b474ff3aea52472bdb2 Author: Andrew Cagney Date: Mon Apr 1 17:33:59 2024 -0400 mobike: in record_n_send_v2_mobike_probe_request() use v2_msgid_start_record_n_send()
[Swan-commit] Changes to ref refs/heads/main
New commits: commit b29b2f45f9f12096fbdba7a25322f86ec55cdeff Author: Andrew Cagney Date: Mon Apr 1 13:47:31 2024 -0400 ikev2: define struct v2_exchange, pass to next_v2_exchange() replacing next_v2_transition(). An exchange is, conceptually, both the outgoing request and incoming response.
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 760924f76bacabc5df99ec350a54c6559e5c6462 Author: Andrew Cagney Date: Mon Apr 1 10:32:13 2024 -0400 ikev2: another printf msgid fix - %jd
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 4b83bdc54edc31da851ce70e5c669edc6f976bfe Author: Andrew Cagney Date: Mon Apr 1 10:30:54 2024 -0400 ikev2: fix printf msgid
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 3b6e7de56b25fa8d4e4288b08ffd33428cb23bc6 Author: Andrew Cagney Date: Mon Apr 1 08:28:18 2024 -0400 state: make .st_offloaded_task_in_background IKEv1 only again IKEv2 is using .v2_msgid_window
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 2c6260cc166ea664a6d66c293779aa4a15457bcd Author: Andrew Cagney Date: Mon Apr 1 09:29:50 2024 -0400 ikev2: pass WHERE down to the msgid code
[Swan-commit] Changes to ref refs/heads/main
New commits: commit 6d941f4af4d454041456fe3d5c4a6a80d307b340 Author: Andrew Cagney Date: Mon Apr 1 08:55:44 2024 -0400 ikev2: pass WHERE into pexpect_v2_msgid()