On Fri, 14 Jan 2022, Mirsad Goran Todorovac wrote:
whether you compile USE_DH2 in or not should not make a difference,
unless you are changing the ike= or esp=/phase2alg= line to include
modp1024 (which you shouldn't).
Experiment proves otherwise. I have made two parallel compiles, USE_DH2=true
and USE_DH2=false. Then `make install; ipsec restart` from each directory,
each time attempting to connect L2TP with PSK from Android 11 native client.
The result is interesting: the USE_DH2=false version could not connect, and the
other one could.
Proof of the concept is in the logs (as the proverb sayeth "if the goat is
lying, the horn isn't" :)
[1] https://domac.alu.hr/mtodorov/l2tp-20220114-dh2=true-01.log (connected)
Jan 14 21:26:14.344385: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
Jan 14 21:26:14.344392: | length/value: 2 (00 02)
Jan 14 21:26:14.344401: | [2 is OAKLEY_GROUP_MODP1024]
Jan 14 21:26:14.344409: | OAKLEY proposal verified unconditionally; no alg_info to check against
Jan 14 21:26:14.344417: | Oakley Transform 1 accepted
You accepted modp1024/dh2, but:
v3.19 (January 15, 2017)
[...]
* pluto: drop modp1024 (DH2) from IKEv1 "ike=" default list [Andrew]
So you must have had an ike= line in your config. If you do, then indeed
it would work, but the unmodified config would also fail to load the
connection if it tried to add dh2 to its valid options.
[2] https://domac.alu.hr/mtodorov/l2tp-20220114-nodh2-01.log (unsuccessful)
Jan 14 21:22:05.126170: | ******parse ISAKMP Oakley attribute:
Jan 14 21:22:05.126178: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
Jan 14 21:22:05.126201: | length/value: 2 (00 02)
Jan 14 21:22:05.126211: | [2 is OAKLEY_GROUP_MODP1024]
Jan 14 21:22:05.126225: "L2TP-PSK-NAT"[1] 94.253.210.164 #2: OAKLEY_GROUP 2 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Your connection however loaded, so it must NOT have specified dh2 in
ike= or it would have failed to load, and with no L2TP-PSK-NAT
connection loaded you would get a different error (NO_PROPOSAL_CHOSEN).
Paul
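The two log excerpts above differ in exactly one line: with DH2 compiled in, pluto reports the MODP1024 proposal as "verified unconditionally; no alg_info to check against" and then "Oakley Transform 1 accepted", while without it the same attribute ends in "OAKLEY_GROUP 2 not supported". A small audit script that scans pluto debug output for that pattern is a useful way to confirm which DH group a gateway actually agreed to, rather than inferring it from whether the client connected. The following is an added example, not code from the thread or from the libreswan project; the sample lines are constructed from the excerpts quoted above (with a documentation-range peer address substituted), and the set of groups it labels "weak" (768, 1024 and 1536-bit MODP, i.e. IKE groups 1, 2 and 5) is an assumption of the example, not a libreswan setting.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines modelled on the pluto debug output quoted in the thread.
# The peer address 198.51.100.7 is a documentation-range placeholder, not a real host.
SAMPLE_CONNECTED = """\
Jan 14 21:26:14.344385: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
Jan 14 21:26:14.344392: | length/value: 2 (00 02)
Jan 14 21:26:14.344401: | [2 is OAKLEY_GROUP_MODP1024]
Jan 14 21:26:14.344409: | OAKLEY proposal verified unconditionally; no alg_info to check against
Jan 14 21:26:14.344417: | Oakley Transform 1 accepted
""".splitlines()

SAMPLE_REJECTED = """\
Jan 14 21:22:05.126170: | ******parse ISAKMP Oakley attribute:
Jan 14 21:22:05.126178: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
Jan 14 21:22:05.126201: | length/value: 2 (00 02)
Jan 14 21:22:05.126211: | [2 is OAKLEY_GROUP_MODP1024]
Jan 14 21:22:05.126225: "L2TP-PSK-NAT"[1] 198.51.100.7 #2: OAKLEY_GROUP 2 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
""".splitlines()

# Patterns taken from the log lines above; matched per line, so a line that an
# e-mail client wrapped ("not" / "supported") must be re-joined before scanning.
GROUP_RE = re.compile(r"\[(\d+) is (OAKLEY_GROUP_\w+)\]")
ACCEPT_RE = re.compile(r"Oakley Transform \d+ accepted")
REJECT_RE = re.compile(r"OAKLEY_GROUP (\d+) not\s+supported")
UNCOND_RE = re.compile(r"proposal verified unconditionally")

# Assumption of this example: MODP groups of 1536 bits or less are treated as weak.
WEAK_GROUPS = {"OAKLEY_GROUP_MODP768", "OAKLEY_GROUP_MODP1024", "OAKLEY_GROUP_MODP1536"}


def audit_pluto_log(lines: Iterable[str]) -> List[Dict]:
    """Return one record per DH group proposal seen in the log.

    Each record carries the group number and name, whether pluto accepted it
    without an ike= policy to check against ("unconditional"), and the outcome
    ("accepted", "rejected" or "unknown" if the log ended mid-negotiation).
    """
    results: List[Dict] = []
    pending: Optional[Dict] = None  # proposal whose verdict has not been seen yet
    for line in lines:
        m = GROUP_RE.search(line)
        if m:
            pending = {
                "number": int(m.group(1)),
                "group": m.group(2),
                "unconditional": False,
                "outcome": "unknown",
            }
            results.append(pending)
            continue
        if pending is None:
            continue
        if UNCOND_RE.search(line):
            pending["unconditional"] = True
        elif ACCEPT_RE.search(line):
            pending["outcome"] = "accepted"
            pending = None
        else:
            m = REJECT_RE.search(line)
            if m and int(m.group(1)) == pending["number"]:
                pending["outcome"] = "rejected"
                pending = None
    return results


def weak_groups_accepted(lines: Iterable[str]) -> List[Dict]:
    """Records for weak DH groups the gateway actually agreed to."""
    return [r for r in audit_pluto_log(lines)
            if r["outcome"] == "accepted" and r["group"] in WEAK_GROUPS]


if __name__ == "__main__":
    for name, sample in (("dh2=true", SAMPLE_CONNECTED), ("nodh2", SAMPLE_REJECTED)):
        for r in audit_pluto_log(sample):
            flag = " (WEAK, accepted with no ike= policy)" if (
                r in weak_groups_accepted(sample) and r["unconditional"]) else ""
            print(f"{name}: group {r['number']} {r['group']} -> {r['outcome']}{flag}")
```

Run it against `ipsec status`-style debug output captured with `plutodebug` enabled; any record that is both "accepted" and "unconditional" means the peer's group was taken as offered because no ike= line constrained it, which is the situation the reply above describes.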
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan