Hello,

we upgraded from libreswan-3.15-5.el7_1.x86_64 to libreswan-3.20-3.el7.x86_64, and since then have been having issues with libreswan selecting the wrong tunnel.

We use this for 2 setups, a screenos (Juniper SSGv5), and a roadwarrior strongswan setup.

(Modified to remove some information)

conn pv_isp
        ike=aes-sha;modp1024
        phase2alg=aes-sha;modp1024
        authby=secret
        keyingtries=0
        ikev2=yes
        left=2.3.4.5
        leftsubnet=192.168.2.0/24
        leftsourceip=192.168.2.254
        right=1.2.3.4
        rightsubnet=172.16.0.0/16
        rightsourceip=172.16.0.4
        type=tunnel
        auto=add

conn pv_isp2
        ike=aes-sha;modp1024
        phase2alg=aes-sha;modp1024
        authby=secret
        keyingtries=0
        ikev2=yes
        left=4.5.6.7
        leftsubnet=192.168.2.0/24
        leftsourceip=192.168.2.254
        right=1.2.3.4
        rightsubnet=172.16.0.0/16
        rightsourceip=172.16.0.4
        type=tunnel
        auto=add

conn rwarrior
        ike=aes-sha;modp1024
        authby=rsasig
        ikev2=yes
        leftid=@rwarrior
        left=%any
        leftsubnet=192.168.0.0/16
        right=1.2.3.4
        rightsubnet=172.16.0.0/16
        rightsourceip=172.16.0.4
        leftrsasigkey=0s...
        rightrsasigkey=0s...
        dpddelay=30
        dpdtimeout=240
        dpdaction=clear
        type=tunnel
        auto=add


What we want to happen is: when 2.3.4.5 (left of pv_isp) connects to 1.2.3.4 (right of pv_isp), it uses the pv_isp tunnel. (pv_isp2 is a backup tunnel in case the first fails; we only have one connected at once.)


I believe the old behavior was it would use the rwarrior setup, then switch to pv_isp during tunnel setup.


Now, we are receiving:

Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha group=MODP1024}
Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: EXPECTATION FAILED: r != NULL (in ikev2_decode_peer_id_and_certs at ikev2.c:1390)
Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: Peer attempted PSK authentication but we want rsasig
Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: sending unencrypted notification v2N_AUTHENTICATION_FAILED to 2.3.4.5:500
Sep 25 16:36:11 tunnel1 pluto[19585]: | ikev2_parent_inI2outR2_tail returned STF_FATAL



Removing the rwarrior conn above fixes it, but that is not ideal.

(Also, the weak ike= on the rwarrior setup was due to screenos using modp1024, and trying to use that connection instead of the pv_isp ones.)

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

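As an added triage aid, and not code from the post or from the libreswan project: the script below parses ipsec.conf-style conn blocks and the pluto log lines quoted above, then reports, for each "Peer attempted X authentication but we want Y" event, which conn pluto picked, what that conn's authby is, what the peer actually offered, and which exact-address conns would have agreed with the peer. The conn-matching rule here (exact left= match, or left=%any as a wildcard, with right= equal to the responder address) is a deliberate simplification of pluto's real connection selection, and the mapping of the log's "PSK" to authby=secret is the only auth translation it knows; the configuration and log lines are constructed from the post's placeholder addresses.

```python
"""Cross-check libreswan conn definitions against pluto auth-mismatch log lines.

Constructed sample input; the matching rule is a simplified approximation of
pluto's connection selection, not its actual algorithm.
"""
import re
from collections import OrderedDict

# Constructed ipsec.conf excerpt using the post's placeholder addresses.
SAMPLE_CONF = """\
conn pv_isp
        authby=secret
        ikev2=yes
        left=2.3.4.5
        right=1.2.3.4
        auto=add

conn pv_isp2
        authby=secret
        ikev2=yes
        left=4.5.6.7
        right=1.2.3.4
        auto=add

conn rwarrior
        authby=rsasig
        ikev2=yes
        leftid=@rwarrior
        left=%any
        right=1.2.3.4
        auto=add
"""

# Constructed log lines in the format quoted in the post.
SAMPLE_LOG = [
    'Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: '
    'Peer attempted PSK authentication but we want rsasig',
    'Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: '
    'sending unencrypted notification v2N_AUTHENTICATION_FAILED to 2.3.4.5:500',
]

# How the log's auth method names map onto authby= values (assumption: PSK == secret).
AUTH_TO_AUTHBY = {"psk": "secret", "rsasig": "rsasig"}

LOG_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #\d+: (?P<msg>.*)$')
AUTH_RE = re.compile(
    r"Peer attempted (?P<offered>\w+) authentication but we want (?P<wanted>\w+)")


def parse_conns(text):
    """Return an ordered {conn_name: {key: value}} map from ipsec.conf-style text."""
    conns, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def candidate_conns(conns, initiator_ip, responder_ip):
    """Split conns into (exact left= matches, left=%any wildcards) for this peer pair."""
    exact, wildcard = [], []
    for name, conn in conns.items():
        if conn.get("right") != responder_ip:
            continue
        if conn.get("left") == initiator_ip:
            exact.append(name)
        elif conn.get("left") == "%any":
            wildcard.append(name)
    return exact, wildcard


def parse_log(lines):
    """Extract conn name, peer address and message from pluto log lines."""
    events = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        event = {"conn": match["conn"], "peer": match["peer"], "msg": match["msg"]}
        auth = AUTH_RE.search(match["msg"])
        if auth:
            event["offered"] = AUTH_TO_AUTHBY.get(auth["offered"].lower())
            event["wanted"] = AUTH_TO_AUTHBY.get(auth["wanted"].lower())
        events.append(event)
    return events


def diagnose(conf_text, log_lines):
    """For each auth-mismatch event, name the conns that agree with the peer's auth."""
    conns = parse_conns(conf_text)
    findings = []
    for event in parse_log(log_lines):
        if "offered" not in event or event["conn"] not in conns:
            continue
        selected = conns[event["conn"]]
        exact, _wildcard = candidate_conns(conns, event["peer"], selected.get("right"))
        findings.append({
            "peer": event["peer"],
            "selected": event["conn"],
            "selected_authby": selected.get("authby"),
            "offered_authby": event["offered"],
            # Exact-address conns whose authby matches what the peer offered.
            "agreeing_conns": [n for n in exact if conns[n].get("authby") == event["offered"]],
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the one finding shows pluto answering 2.3.4.5 under rwarrior (authby=rsasig) while the peer offered a PSK, and lists pv_isp as the exact-address conn whose authby=secret agrees with the peer; pv_isp2 is excluded because its left= is a different address.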