> Then the client should not use its IP address as IKE ID, but use the
> certificate DN.
Not really understood. Is this what the client cert has as SAN, or what is in
the cert "subject"?
> So that looks like the strongswan bug doing SHA1 for RFC7427 connections that
> RFC 8472 says should never use SHA1 and which libreswan didn’t advertise 😕
Will address this later...
>
>> But still not a single nat-t keepalive from the server...
>
> That is very strange.....
I see the state changes:
Mar 12 23:41:45 core pluto[7216]: "xauth-rsa"[4] 178.197.235.21 #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x42150261 <0x5641a65b xfrm=AES_GCM_16_256-NONE NATOA=none NATD=178.197.235.21:51702 DPD=active}
Mar 12 23:41:45 core pluto[7216]: | dpd enabled, scheduling ikev2 liveness checks
Mar 12 23:41:45 core pluto[7216]: | processing: stop state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in schedule_event_now_cb() at server.c:561)
Mar 12 23:42:45 core pluto[7216]: | processing: start state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:316)
Mar 12 23:42:45 core pluto[7216]: | processing: [RE]START state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in liveness_check() at timer.c:112)
Mar 12 23:42:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
Mar 12 23:42:45 core pluto[7216]: | processing: stop state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:657)
Mar 12 23:43:08 core pluto[7216]: | processing: start state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in for_each_state() at state.c:1600)
Mar 12 23:43:08 core pluto[7216]: | processing: stop state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in for_each_state() at state.c:1600)
Mar 12 23:43:08 core pluto[7216]: | processing: start state #3 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in for_each_state() at state.c:1600)
Mar 12 23:43:08 core pluto[7216]: | processing: stop state #3 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in for_each_state() at state.c:1600)
Mar 12 23:43:45 core pluto[7216]: | processing: start state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:316)
Mar 12 23:43:45 core pluto[7216]: | processing: [RE]START state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in liveness_check() at timer.c:112)
Mar 12 23:43:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
Mar 12 23:43:45 core pluto[7216]: | processing: stop state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:657)
Mar 12 23:44:45 core pluto[7216]: | processing: start state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:316)
Mar 12 23:44:45 core pluto[7216]: | processing: [RE]START state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in liveness_check() at timer.c:112)
Mar 12 23:44:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
Mar 12 23:44:45 core pluto[7216]: | processing: stop state #4 connection "xauth-rsa"[4] 178.197.235.21 178.197.235.21:51702 (in timer_event_cb() at timer.c:657)
Shall I add some debug code somewhere?
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
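One way to triage this kind of debug output, as an added example that is neither part of the message above nor libreswan's own code: a small Python parser for the pluto lines quoted in the message that reports the liveness check cadence per IKE state, the NAT-D endpoint of the established SA, and how many keepalive lines appeared at all. The keepalive pattern is an assumption about pluto's wording and matches loosely.

```python
import re
from datetime import datetime

# Constructed sample: the liveness-related pluto debug lines from the message
# above, re-joined onto single lines (mail wrapping removed).
SAMPLE_LOG = """\
Mar 12 23:41:45 core pluto[7216]: "xauth-rsa"[4] 178.197.235.21 #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x42150261 <0x5641a65b xfrm=AES_GCM_16_256-NONE NATOA=none NATD=178.197.235.21:51702 DPD=active}
Mar 12 23:41:45 core pluto[7216]: | dpd enabled, scheduling ikev2 liveness checks
Mar 12 23:42:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
Mar 12 23:43:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
Mar 12 23:44:45 core pluto[7216]: | #4 liveness_check - peer 178.197.235.21 is ok schedule new
"""

# syslog prefix, e.g. "Mar 12 23:42:45 core pluto[7216]: "
_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "
_LIVENESS = re.compile(_PREFIX + r"\| #(?P<state>\d+) liveness_check - peer (?P<peer>\S+) is (?P<verdict>\w+)")
_ESTABLISHED = re.compile(_PREFIX + r".*#(?P<state>\d+): STATE_V2_IPSEC_R.*NATD=(?P<natd>\S+)")
# Assumption: a NAT-T keepalive would be logged with "keepalive"/"keep-alive";
# the exact pluto wording is not confirmed by the message, so match loosely.
_KEEPALIVE = re.compile(_PREFIX + r".*keep-?alive", re.IGNORECASE)

def _ts(text):
    # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
    return datetime.strptime(text, "%b %d %H:%M:%S")

def summarize(log_text):
    """Return ({state: {peer, natd, checks, all_ok, gaps_s}}, keepalive_line_count)."""
    checks, natd, keepalives = {}, {}, 0
    for line in log_text.splitlines():
        if (m := _ESTABLISHED.match(line)):
            natd[int(m["state"])] = m["natd"]
        elif (m := _LIVENESS.match(line)):
            checks.setdefault(int(m["state"]), []).append((_ts(m["ts"]), m["peer"], m["verdict"]))
        elif _KEEPALIVE.match(line):
            keepalives += 1
    report = {}
    for state, events in checks.items():
        times = [t for t, _, _ in events]
        # seconds between consecutive liveness checks; 60 s apart in the sample
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[state] = {"peer": events[-1][1], "natd": natd.get(state), "checks": len(events),
                         "all_ok": all(v == "ok" for _, _, v in events), "gaps_s": gaps}
    return report, keepalives

if __name__ == "__main__":
    rep, ka = summarize(SAMPLE_LOG)
    for state, r in rep.items():
        print(f"state #{state} peer {r['peer']} NATD {r['natd']}: {r['checks']} liveness checks, "
              f"gaps {r['gaps_s']}s, all ok={r['all_ok']}")
    print(f"keepalive lines seen: {ka}")
```

On the sample this reports three liveness checks 60 s apart for state #4 and zero keepalive lines, which is the discrepancy the message is asking about.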