On Mon, 25 Sep 2017, Nathan Coulson wrote:

We upgraded from libreswan-3.15-5.el7_1.x86_64 to libreswan-3.20-3.el7.x86_64, and since then have been having issues with libreswan selecting the wrong tunnel.

We use this for 2 setups, a screenos (Juniper SSGv5), and a roadwarrior strongswan setup.

The setup looks fine (although I personally tend to use leftid=@foo /
rightid=@bar strings for dedicated static tunnels)

Now, we are receiving

Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha group=MODP1024}
Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: EXPECTATION FAILED: r != NULL (in ikev2_decode_peer_id_and_certs at ikev2.c:1390)
Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: Peer attempted PSK authentication but we want rsasig
Sep 25 16:36:11 tunnel1 pluto[19585]: "rwarrior"[1] 2.3.4.5 #1: sending unencrypted notification v2N_AUTHENTICATION_FAILED to 2.3.4.5:500
Sep 25 16:36:11 tunnel1 pluto[19585]: | ikev2_parent_inI2outR2_tail returned STF_FATAL

There were some refine_host() connection changes in 3.21. Is it possible
to try that one and see if your issue is resolved? You can find rpms at:

https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.21-2.el7.centos.x86_64.rpm

If you still see this problem, could you run ipsec whack --debug-all
and then attempt to connect, and mail me (offlist) the logs?

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
