Note the initiator=0 in these log lines:

  May 28 21:12:44 bar-host-01 pluto[27621]: | Message ID: ike #3.PARENT_R2receiver #8.V2_IPSEC_R request 1; ike.initiator: sent=-1 recv=-1; ike.responder: sent=0 recv=0->1; receiver.wip: initiator=0 responder=0
  May 28 21:12:44 bar-host-01 pluto[27621]: | Message ID: ike #3.PARENT_R2sender #8.V2_IPSEC_R response 1; ike.initiator: sent=-1 recv=-1; ike.responder: sent=0->1 recv=1; sender.wip: initiator=0 responder=0

it should have been initiator=-1 since it wasn't initiating an exchange. This wrong value leads to:

  May 28 21:12:46 bar-host-01 pluto[27621]: | State DB: IKEv2 state object #8 found, in STATE_V2_IPSEC_R (find_v2_sa_by_initiator_mip)

when the search should fail.

It should be fixed by:

  https://github.com/libreswan/libreswan/commit/46bac3061acc78e41cf0516c90a3390ea84def65

The "cause" should be:

  https://github.com/libreswan/libreswan/commit/55f09de1e95b3ff3935da17475dd77a221ff7f14

et al., which removed the crutch, exposing the problem.

--

Is there a test where the IKE initiator then adds 2 CHILD SAs?

Andrew
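
Added example, not part of the original message or of libreswan's code: a Python check that scans pluto debug output for the symptom described above, using the two quoted "Message ID:" lines as sample input. The rule it applies (a wip initiator other than -1 is stale when ike.initiator shows sent=-1) is a heuristic drawn from the message, and the function and field names are hypothetical.

```python
import re

# The two "Message ID:" debug lines quoted in the message, used as sample input.
SAMPLE_LOG = """\
May 28 21:12:44 bar-host-01 pluto[27621]: | Message ID: ike #3.PARENT_R2receiver #8.V2_IPSEC_R request 1; ike.initiator: sent=-1 recv=-1; ike.responder: sent=0 recv=0->1; receiver.wip: initiator=0 responder=0
May 28 21:12:44 bar-host-01 pluto[27621]: | Message ID: ike #3.PARENT_R2sender #8.V2_IPSEC_R response 1; ike.initiator: sent=-1 recv=-1; ike.responder: sent=0->1 recv=1; sender.wip: initiator=0 responder=0
"""

def counter(name):
    # A counter is logged as "N" or as a transition "N->M".
    return rf"(?P<{name}>-?\d+)(?:->(?P<{name}_new>-?\d+))?"

LINE_RE = re.compile(
    r"Message ID: ike #(?P<ike>\d+)\.\w+?\s*(?:receiver|sender) "
    r"#(?P<sa>\d+)\.(?P<state>\S+) .*?"
    rf"ike\.initiator: sent={counter('sent')}.*?"
    rf"(?:receiver|sender)\.wip: initiator={counter('wip')}"
)

def final(match, name):
    """Return the counter's value after any 'N->M' update on this line."""
    new = match.group(name + "_new")
    return int(new if new is not None else match.group(name))

def find_stale_wip(log_text):
    """Flag SAs whose work-in-progress initiator Message ID is set although
    the IKE SA has never sent a request as initiator (sent=-1)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a "Message ID:" debug line
        sent, wip = final(m, "sent"), final(m, "wip")
        # Heuristic (assumption): nothing initiated, so wip initiator must be -1.
        if sent == -1 and wip != -1:
            findings.append({"ike": int(m["ike"]), "sa": int(m["sa"]),
                             "state": m["state"], "wip_initiator": wip})
    return findings

if __name__ == "__main__":
    for f in find_stale_wip(SAMPLE_LOG):
        print("stale wip initiator on #{sa} ({state}), IKE SA #{ike}: "
              "initiator={wip_initiator}, expected -1".format(**f))
```
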
