[Swan] IPv6 host-to-host using klips

Fri, 09 Oct 2015 09:56:29 -0700 

Hi,
Running libreswan 3.15 on Centos 7. I'm trying to setup a host-host tunnel between two IPv6 endpoints on the same subnet. Using the following configuration: 

config setup
    protostack=klips
    interfaces="ipsec0=eth0"

conn mytunnel
    left=2001:470:dc8c:1000::28:60
    right=2001:470:dc8c:1000::28:70
    connaddrfamily=ipv6
    authby=secret
    auto=add

conn v6neighbor-hole-in
    left=::1
    leftsubnet=::0/0
    leftprotoport=58/34560
    rightprotoport=58/34816
    rightsubnet=::0/0
    right=::0
    connaddrfamily=ipv6
    authby=never
    type=passthrough
    auto=route
    priority=1

conn v6neighbor-hole-out
    left=::1
    leftsubnet=::0/0
    leftprotoport=58/34816
    rightprotoport=58/34560
    rightsubnet=::0/0
    right=::0
    connaddrfamily=ipv6
    authby=never
    type=passthrough
    auto=route
    priority=1

When I try to bring up the tunnel I get the following output:

On host 28:60:

[root@vpn-f1 ~]# ipsec auto --up mytunnel
002 "mytunnel" #1: initiating Main Mode
104 "mytunnel" #1: STATE_MAIN_I1: initiate
003 "mytunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
003 "mytunnel" #1: received Vendor ID payload [RFC 3947]

002 "mytunnel" #1: enabling possible NAT-traversal with method RFC 3947 
(NAT-Traversal)
002 "mytunnel" #1: transition from state STATE_MAIN_I1 to state 
STATE_MAIN_I2

106 "mytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2

003 "mytunnel" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) 
sender port 500: no NAT detected
002 "mytunnel" #1: transition from state STATE_MAIN_I2 to state 
STATE_MAIN_I3

108 "mytunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mytunnel" #1: received Vendor ID payload [CAN-IKEv2]

002 "mytunnel" #1: Main mode peer ID is ID_IPV6_ADDR: 
'2001:470:dc8c:1000::28:70'
002 "mytunnel" #1: transition from state STATE_MAIN_I3 to state 
STATE_MAIN_I4
004 "mytunnel" #1: STATE_MAIN_I4: ISAKMP SA established 
{auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "mytunnel" #2: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
{using isakmp#1 msgid:c4b5581b proposal=defaults 
pfsgroup=OAKLEY_GROUP_MODP2048}

117 "mytunnel" #2: STATE_QUICK_I1: initiate

002 "mytunnel" #2: transition from state STATE_QUICK_I1 to state 
STATE_QUICK_I2
004 "mytunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel 
mode {ESP=>0x19bf43c9 <0x291c2985 xfrm=AES_128-HMAC_SHA1 NATOA=none 
NATD=none DPD=passive}


On host 28:70:

[root@vpn-f1 ~]# ipsec auto --up mytunnel

002 "mytunnel" #3: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
{using isakmp#1 msgid:bc8dedb6 proposal=defaults 
pfsgroup=OAKLEY_GROUP_MODP2048}

117 "mytunnel" #3: STATE_QUICK_I1: initiate

010 "mytunnel" #3: STATE_QUICK_I1: retransmission; will wait 500ms for 
response
010 "mytunnel" #3: STATE_QUICK_I1: retransmission; will wait 1000ms for 
response
010 "mytunnel" #3: STATE_QUICK_I1: retransmission; will wait 2000ms for 
response
010 "mytunnel" #3: STATE_QUICK_I1: retransmission; will wait 4000ms for 
response
010 "mytunnel" #3: STATE_QUICK_I1: retransmission; will wait 8000ms for 
response
010 "mytunnel" #3: STATE_QUICK_I1: retransmission; will wait 16000ms for 
response
010 "mytunnel" #3: STATE_QUICK_I1: retransmission; will wait 32000ms for 
response
031 "mytunnel" #3: max number of retransmissions (8) reached 
STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: 
perhaps peer likes no proposal

002 "mytunnel" #3: deleting state #3 (STATE_QUICK_I1)


If I use netkey instead of klips the tunnel is successfully setup. Am I 
missing any necessary configuration options for klips?



Another thing. When I browsed the archives I noticed the post 
https://lists.libreswan.org/pipermail/swan/2015/001168.html. Don't know 
if that ever got resolved. This is just a long shot but we experienced 
memory leak issues with pluto when there was a PFS group mismatch on a 
large number of tunnels (approx. 40). The following patch mitigated our 
issue:


--- a/programs/pluto/ikev1_quick.c
+++ b/programs/pluto/ikev1_quick.c
@@ -2252,6 +2252,10 @@ static void quick_inI1_outR1_cryptocontinue1(

complete_v1_state_transition(&qke->qke_md, e);
                                release_any_md(&qke->qke_md);
                        }
+               } else if (e == STF_FAIL + NO_PROPOSAL_CHOSEN) {
+                       /* No PFS */
+                       if(md)
+                               release_md(qke->qke_md);
                }
        }
        reset_cur_state();
@@ -2300,6 +2304,10 @@ static void quick_inI1_outR1_cryptocontinue2(
                        complete_v1_state_transition(&dh->dh_md, e);
                        release_any_md(&dh->dh_md);
                }
+       } else if (e == STF_FAIL + NO_PROPOSAL_CHOSEN) {
+               /* No PFS */
+               if(dh->dh_md)
+                       release_md(dh->dh_md);
        }

        reset_cur_state();

Thanks in advance,

/Erik
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan






















					Reply via email to