On Aug 12, 2019, at 04:03, Computerisms Corporation <[email protected]>
wrote:
Hi Paul,
you are correct, the NO_PROPOSAL_CHOSEN message did show up immediately after
the algorithms are listed in the log. In the past when I have seen that it is
because the security parameters are not correct, but I haven't seen it between
two versions of libreswan before, I don't think. The local side was running
.22, so I upgraded that to .29 as well.
That fixed the proposal error and broke connections with all the older builds,
but something is still not right. Enough for tonight, will tackle it again in the
morning. But here are the remote logs:
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc": constructed local IKE
proposals for computerisms2rrdc (IKE SA initiator selecting KE):
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
(default)
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #1: STATE_PARENT_I1:
sent v2I1, expected v2R1
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc": constructed local
ESP/AH proposals for computerisms2rrdc (IKE SA initiator emitting ESP/AH proposals):
1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED
2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #2: STATE_PARENT_I2:
sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512
group=MODP2048}
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #2: IKE_AUTH response
contained the error notification TS_UNACCEPTABLE
On 2019-08-11 7:44 p.m., Paul Wouters wrote:
Seems a misconfiguration. The Notify you receive should contain an indicator,
e.g. NO PROPOSAL CHOSEN or AUTH FAILED
Sent from mobile device
On Aug 11, 2019, at 21:45, Computerisms Corporation <[email protected]>
wrote:
Quick follow-up; didn't notice that .29 was available, just tried upgrading it,
but getting the same error.
On 2019-08-11 6:09 p.m., Computerisms Corporation wrote:
Hi,
I set up a net to net tunnel, following the procedure I normally follow (at
least presuming I didn't make a mistake that I can't find), using 3.28. I have
patched the code as per
https://github.com/libreswan/libreswan/commit/716f4b712724c6698469563e531dea3667507ceb
Which so far has worked in at least 3 other places without issue (that said
the barf.in needs to be done manually, the patch does not apply cleanly to that
file).
I am getting this in the logs:
Aug 11 17:59:37 rrwall pluto[26346]: "computerisms2rrdc" #1: no useful state
microcode entry found for incoming packet
Aug 11 17:59:37 rrwall pluto[26346]: "computerisms2rrdc" #1: dropping
unexpected IKE_AUTH message containing INVALID_IKE_SPI notification; message payloads: N;
missing payloads: SK
Apart from the github page with the code that uses this text, I get no hits on
Google. I have read the comment in the code and understand that something is
messed up, but I am not really clear what this is indicating. Is it a
configuration issue? A portion of the code not properly compiled? A
certificate problem? The remote end is a very slow DSL connection, maybe that
is part of the problem? Been going through my regular list of things to try,
but not meeting any success yet.
Any clues on a direction for me to go with this?
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
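
Added example, not part of the thread and not libreswan code: a small Python triage script that pulls the IKEv2 error notify (the "indicator" mentioned in the reply above) out of pluto log lines and parses the logged proposal lists into a structure that can be compared between two peers. The function names, the hint texts and the shortened sample log are this example's assumptions.

```python
import re

# IKEv2 error notifies (RFC 7296, section 3.10.1). The ipsec.conf options named
# in each hint are this example's suggestion of what to compare on both peers.
NOTIFY_HINTS = {
    "NO_PROPOSAL_CHOSEN": "no offered crypto suite accepted; compare ike= and esp=",
    "TS_UNACCEPTABLE": "traffic selectors rejected; compare leftsubnet=/rightsubnet=",
    "AUTHENTICATION_FAILED": "AUTH payload rejected; compare IDs, certs or secrets",
    "INVALID_IKE_SPI": "receiver did not recognise the IKE SPI of the message",
}
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<msg>.*)')
NOTIFY_RE = re.compile(r"\b(" + "|".join(NOTIFY_HINTS) + r")\b")
PROPOSAL_RE = re.compile(r"\b(\d+):(IKE|ESP|AH):(\S+)")

# Constructed sample: three entries from the thread with mail wrapping undone
# and the ESP proposal list shortened to two items.
SAMPLE_LOG = """\
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc": constructed local ESP/AH proposals for computerisms2rrdc (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
Aug 12 00:56:12 rrwall pluto[11679]: "computerisms2rrdc" #2: IKE_AUTH response contained the error notification TS_UNACCEPTABLE
Aug 11 17:59:37 rrwall pluto[26346]: "computerisms2rrdc" #1: dropping unexpected IKE_AUTH message containing INVALID_IKE_SPI notification; message payloads: N; missing payloads: SK
"""

def parse_proposals(text):
    """Turn '1:IKE:ENCR=a,b;PRF=c' items into (number, protocol, {type: [algs]})."""
    proposals = []
    for num, proto, body in PROPOSAL_RE.findall(text):
        transforms = {}
        for part in body.split(";"):
            key, _, value = part.partition("=")
            transforms[key] = value.split(",")
        proposals.append((int(num), proto, transforms))
    return proposals

def triage(log_text):
    """Return [(connection, state number, notify, hint)] in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-connection pluto line
        for name in NOTIFY_RE.findall(m["msg"]):
            findings.append((m["conn"], m["sa"], name, NOTIFY_HINTS[name]))
    return findings

if __name__ == "__main__":
    for conn, sa, name, hint in triage(SAMPLE_LOG):
        print(f"{conn} #{sa}: {name}: {hint}")
```

Running `parse_proposals` on the log of each peer and intersecting the algorithm lists per transform type shows whether any common suite exists when NO_PROPOSAL_CHOSEN is reported.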