Hi,
after discussing on IRC, thanks to bleve and LetoTo:
3:50:13 PM - bleve: […] bad combination of glibc and kernel headers.
3:51:01 PM - bleve: https://libreswan.org/wiki/3.21_on_Debian_Wheezy
3:51:20 PM - bleve: https://libreswan.org/wiki/3.21_on_Debian_Wheezy#Workaround_:_enable_header_files_workaround
So to compile on Debian jessie, in my case I just did:
cd libreswan
echo USE_GLIBC_KERN_FLIP_HEADERS=true >> Makefile.inc.local
make programs
make install
...
Master branch works if I set "main mode" instead of "aggressive mode" in the Shrew client.
Forcing 'aggressive mode' in Shrew, it looks to be a bug in the Shrew implementation, from the log line:
"xauth-aggr"[1] 192.168.1.138 #1: length of ISAKMP Hash Payload is larger than can fit
The full log can be checked at: https://pastebin.com/4cNSuHAh
In version 3.25, Shrew can be used by setting "main mode".
On 06/27/2018 01:23 PM, antonio wrote:
Hi Paul,
I tried git master directly and also version 3.24 (git checkout v3.24), but I can't compile; it gives me the error:
In file included from /usr/src/libreswan/programs/pluto/linux-copy/linux/xfrm.h:5:0,
                 from /usr/src/libreswan/programs/pluto/kernel_netlink.c:56:
/usr/include/netinet/in.h:99:5: error: expected identifier before numeric constant
     IPPROTO_HOPOPTS = 0,   /* IPv6 Hop-by-Hop options.  */
More at: https://pastebin.com/8B7zKDSE
I'm trying to compile it on Debian jessie.
As for the configuration of Shrew, I use most of the default values; I only set:
- general -> remote hostname
- authentication -> authentication method: mutual psk+xauth
- authentication -> credentials -> pre-shared key
I've tried forcing different phase 1 and phase 2 parameter combinations to make it work, without success.
I did a git bisect between versions 3.20 and 3.21; result:

5bd36a6ff9420652a563a30662be8b550ccf04d2 is the first bad commit
commit 5bd36a6ff9420652a563a30662be8b550ccf04d2
Author: Paul Wouters <[email protected]>
Date:   Fri May 19 15:54:54 2017 -0400

    IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads

    - Fixup CERT / CERTREQ handling
    - Don't give "weak warning" for aggressive mode with RSA (only for PSK)
    - Cleanups (eg use c instead of st->st_connection)

:040000 040000 23c6b5650f9fc7891edaad633c4565df06ff20da 03d13f11b6d9211ffdaab401eb73a01bc6c9d61a M      programs
To make sure, on every step I did:
make clean; make programs; make install; systemctl restart ipsec
My tunnel configuration:

conn xauth-aggr
        aggrmode=yes
        also=xauth

conn xauth
        pfs=no
        type=tunnel
        auto=add
        phase2=esp
        sha2-truncbug=yes
        authby=secret
        keyingtries=3
        ikelifetime=8h
        salifetime=1h
        left=192.168.1.137
        leftsubnet=0.0.0.0/0
        leftid=192.168.1.137
        right=%any
        rightid=%any
        rightaddresspool=192.168.20.2-192.168.20.10
        dpddelay=10
        dpdtimeout=30
        dpdaction=clear
        leftxauthserver=yes
        rightxauthclient=yes
        leftmodecfgserver=yes
        rightmodecfgclient=yes
        modecfgpull=yes
        ike-frag=yes
        #xauthby=pam
        xauthby=alwaysok

Secrets:
192.168.1.137 : PSK "1234"
On 06/08/2018 08:03 PM, Paul Wouters wrote:
On Fri, 8 Jun 2018, antonio wrote:
Cannot connect with the Shrew Soft VPN client to libreswan 3.24 (the last version that worked was 3.20) with PSK+XAUTH:
(this was 3.23 as explained)
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: STATE_AGGR_R1: sent AR1, expecting AI2
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: Peer ID is ID_IPV4_ADDR: '192.168.10.170'
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: received Hash Payload does not match computed value
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: sending encrypted notification INVALID_HASH_INFORMATION to 192.168.10.170:33388
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: next payload type of ISAKMP Hash Payload has an unknown value: 218 (0xda)
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: malformed payload in packet
The log when connecting with version 3.20:
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: STATE_AGGR_R1: sent AR1, expecting AI2
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: new NAT mapping for #3, was 192.168.10.170:33388, now 192.168.10.170:40182
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=md5 group=MODP1024}
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jun 08 15:24:34 sol pluto[12290]: | ISAKMP Notification Payload
Jun 08 15:24:34 sol pluto[12290]: |   00 00 00 1c 00 00 00 01 01 10 60 02
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: received and ignored informational message
Jun 08 15:24:34 sol pluto[12290]: | event EVENT_v1_SEND_XAUTH #3 STATE_AGGR_R2
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: XAUTH: Sending Username/Password request (XAUTH_R0)
Would you be able to test 3.21 / 3.22 or maybe do a git bisect to help?
Or alternatively, if you can give me a Shrew client config and the libreswan server config, then I can try and run a git bisect to find the issue.
Although perhaps first you can try and use a 3.24rcX candidate from download.libreswan.org/development/ and see if the problem got fixed already?
Paul
--
Saludos / Regards / Cumprimentos
Anónio Silva
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
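The rebuild-and-retest loop used for the bisect above (make clean; make programs; make install; systemctl restart ipsec; reconnect the client; read pluto's log) can be handed to `git bisect run`. The script below is an added example written for this thread, not code from libreswan or from Shrew. It classifies pluto's log for one connection using the exact messages the two logs in the thread show: "received Hash Payload does not match computed value", INVALID_HASH_INFORMATION or "malformed payload" mean bad; "ISAKMP SA established" followed by the XAUTH username/password request means good. A build failure, such as the glibc/kernel-header error above, makes the script return 125 so git bisect skips that commit instead of misclassifying it. Assumptions not taken from the thread: pluto logs to the systemd journal under the unit name ipsec, and the Shrew client is reconnected (by hand, as in the thread, or by a script) within the wait time given as the second argument. The sample logs written by write_sample_logs are constructed fixtures made from the thread's own lines.

```shell
#!/bin/sh
# Added example for this thread (not libreswan or Shrew code): a test
# script for `git bisect run` that decides, from pluto's log for one
# connection, whether an IKEv1 aggressive-mode + XAUTH exchange reached
# the XAUTH request (good) or died on the hash check (bad).

# write_sample_logs DIR
# Constructed fixtures: DIR/good.log and DIR/bad.log hold lines from the
# thread's 3.20 and 3.24 logs respectively.
write_sample_logs() {
    cat > "$1/good.log" <<'EOF'
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: STATE_AGGR_R1: sent AR1, expecting AI2
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=md5 group=MODP1024}
Jun 08 15:24:34 sol pluto[12290]: "tunnel8-aggr"[2] 192.168.10.170 #3: XAUTH: Sending Username/Password request (XAUTH_R0)
EOF
    cat > "$1/bad.log" <<'EOF'
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: STATE_AGGR_R1: sent AR1, expecting AI2
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: received Hash Payload does not match computed value
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: sending encrypted notification INVALID_HASH_INFORMATION to 192.168.10.170:33388
Jun 08 15:27:46 sol pluto[18056]: "tunnel8-aggr"[1] 192.168.10.170 #3: malformed payload in packet
EOF
}

# classify_pluto_log LOG CONN
# Considers only lines for connection CONN. Prints good/bad/unknown and
# returns 0, 1 or 125 (the status git bisect reads as "skip this commit").
classify_pluto_log() {
    lines=$(grep -F "\"$2\"" "$1" || true)
    if printf '%s\n' "$lines" |
       grep -Eq 'Hash Payload does not match|INVALID_HASH_INFORMATION|malformed payload'; then
        echo bad; return 1
    fi
    if printf '%s\n' "$lines" | grep -q 'ISAKMP SA established' &&
       printf '%s\n' "$lines" | grep -q 'XAUTH: Sending Username/Password request'; then
        echo good; return 0
    fi
    echo unknown; return 125
}

# rebuild_and_capture SECONDS LOG
# The build side of one bisect step, using the command sequence from the
# thread. Assumptions not in the thread: pluto logs to the systemd journal
# as unit "ipsec", and the Shrew client reconnects within SECONDS of the
# restart. A failed build (e.g. the glibc/kernel-header error) is skipped.
rebuild_and_capture() {
    { make clean && make programs && make install; } || return 125
    start=$(date '+%Y-%m-%d %H:%M:%S')
    systemctl restart ipsec || return 125
    sleep "$1"
    journalctl -u ipsec --since "$start" --no-pager > "$2"
}

# Usage as a bisect driver (run from the libreswan checkout, as root):
#   git bisect start v3.21 v3.20
#   git bisect run sh ./bisect-test.sh xauth-aggr 60
case "${1:-}" in
    demo)
        d=$(mktemp -d); write_sample_logs "$d"
        for f in good bad; do
            printf '%s.log: ' "$f"; classify_pluto_log "$d/$f.log" tunnel8-aggr || true
        done
        rm -rf "$d" ;;
    "") ;;   # no arguments: only define the functions
    *)
        log=$(mktemp)
        rebuild_and_capture "${2:-60}" "$log" || exit $?
        classify_pluto_log "$log" "$1"; exit $? ;;
esac
```

Run with `sh bisect-test.sh demo` to see the two fixture logs classified (good.log: good, bad.log: bad); with a connection name as the first argument it performs a real bisect step. The checks are ordered so that any hash or payload error wins over a later success line, which is the sense git bisect needs for a regression like this one.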