On Wed, 13 Jul 2016, D. Hugh Redelmeier wrote:
There were some new failures that should be looked at. Perhaps the
reference logs are wrong.
--- MASTER/nflog-02-conn/west.console.txt
+++ OUTPUT/nflog-02-conn/west.console.txt
@@ -85,11 +85,11 @@
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
-8 packets captured
-8 packets received by filter
-0 packets dropped by kernel
64 bytes from 192.0.2.254: icmp_seq=5 ttl=64 time=0.XXX ms
--- 192.0.2.254 ping statistics ---
+10 packets captured
+10 packets received by filter
+0 packets dropped by kernel
5 packets transmitted, 5 received, 0% packet loss, time XXXX
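Review bot: the capture summary changes in two ways here, the count (8 to 10) and its position (before `icmp_seq=5` in MASTER, after the `ping statistics` header in OUTPUT), so the expected text depends on when the capture stops relative to the ping. Updating the reference to 10 would only move the flakiness; consider sanitizing the packet count and having the test stop the capture only after the ping has finished, so the summary lands in a fixed place.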
I see this change too. Seems timing related?
--- MASTER/interop-ikev1-strongswan-12-esp-sha2_256/west.console.txt
+++ OUTPUT/interop-ikev1-strongswan-12-esp-sha2_256/west.console.txt
@@ -98,9 +98,9 @@
Security Associations (1 up, 0 connecting):
westnet-eastnet-ikev1[1]: ESTABLISHED XXX seconds ago,
192.1.2.45[west]...192.1.2.23[east]
westnet-eastnet-ikev1[1]: IKEv1 SPIs: SPISPI_i* SPISPI_r, pre-shared key
reauthentication in 2 hours
-westnet-eastnet-ikev1[1]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
+westnet-eastnet-ikev1[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
westnet-eastnet-ikev1{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i
SPISPI_o
-westnet-eastnet-ikev1{1}: AES_CBC_128/HMAC_SHA2_256_128/MODP_1536, XXX
bytes_i (4 pkts, XXs ago), XXX bytes_o (4 pkts, !
+westnet-eastnet-ikev1{1}: AES_CBC_128/HMAC_SHA2_256_128, XXX bytes_i (4 pkts,
XXs ago), XXX bytes_o (4 pkts, XXs ago), !
westnet-eastnet-ikev1{1}: 192.0.1.0/24 === 192.0.2.0/24
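Review bot: the changed `IKE proposal` line shows the IKE SA negotiated with HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 instead of HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, while the ESP line still reports AES_CBC_128/HMAC_SHA2_256_128, so the ESP algorithm in the test name is unchanged. The ESP line also loses its trailing `/MODP_1536` and gains the full `bytes_o (4 pkts, XXs ago)` tail. Before regenerating the reference, record which strongswan version produced OUTPUT and confirm the weaker IKE proposal is intended; if the IKE line is not what this test checks, it is a candidate for sanitizing.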
sha1 instead of sha256? Could it be an older strongswan?
I cannot reproduce it with strongswan 5.4.0.
--- MASTER/interop-ikev1-strongswan-13-esp-sha2_512/west.console.txt
+++ OUTPUT/interop-ikev1-strongswan-13-esp-sha2_512/west.console.txt
@@ -98,10 +98,10 @@
Security Associations (1 up, 0 connecting):
westnet-eastnet-ikev1[1]: ESTABLISHED XXX seconds ago,
192.1.2.45[west]...192.1.2.23[east]
westnet-eastnet-ikev1[1]: IKEv1 SPIs: SPISPI_i* SPISPI_r, pre-shared key
reauthentication in 2 hours
-westnet-eastnet-ikev1[1]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
+westnet-eastnet-ikev1[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
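Review bot: only the `IKE proposal` line is visible as changed in this hunk (the same SHA2_256/MODP_3072 to SHA1/MODP_2048 change as in the sha2_256 test), and the ESP lines fall outside what is shown. Since the test is named for esp-sha2_512, check the ESP line in OUTPUT directly to confirm the ESP algorithm was still negotiated as expected before treating this as a reference-log update.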
Same.
================
--- MASTER/interop-ikev1-strongswan-14-camellia/east.console.txt
+++ OUTPUT/interop-ikev1-strongswan-14-camellia/east.console.txt
@@ -40,8 +40,8 @@
westnet-eastnet-ikev1[1]: IKEv1 SPIs: SPISPI_i SPISPI_r*, pre-shared key
reauthentication in 2 hours
westnet-eastnet-ikev1[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
westnet-eastnet-ikev1{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i
SPISPI_o
-westnet-eastnet-ikev1{1}: CAMELLIA_CBC_256/HMAC_SHA1_96/MODP_2048, XXX
bytes_i (4 pkts, XXs ago), XXX bytes_o (4 pkts, !
-westnet-eastnet-ikev1{1}: 192.0.2.0/24 === 192.0.1.0/24
+westnet-eastnet-ikev1{1}: CAMELLIA_CBC_256/HMAC_SHA1_96, XXX bytes_i (4 pkts,
XXs ago), XXX bytes_o (4 pkts, XXs ago), !
+westnet-eastnet-ikev1{1}: 192.0.2.0/24 === 192.0.1.0/24
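Review bot: the `192.0.2.0/24 === 192.0.1.0/24` line is removed and re-added with identical visible text, which points to a whitespace-only difference that the console sanitizer should normalize rather than the reference log encoding it. The substantive change is on the ESP line, which loses `/MODP_2048` and gains the full `bytes_o (4 pkts, XXs ago)` tail; the `IKE proposal` line is unchanged context here, so this hunk is an output-format difference only.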
Mine also just works fine. So I do suspect strongswan version here too.
Paul