Found a commit that could be the fix for this issue: https://github.com/libreswan/libreswan/commit/bfd380014944b7efb3fbc181129bd34769993d3f
Trying it now.

--
Saludos / Regards / Cumprimentos
António Silva

> On 13 Oct 2022, at 15:29, António Silva <[email protected]> wrote:
>
> Hi,
>
> I just updated libreswan from version 4.7 to 4.8, but with the newest version
> I can’t establish a connection with current configuration, it exits with
> status 134.
> Just reverted to version 4.7 and everything is working ok.
>
> The log when trying to connect:
>
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: responding to Main Mode from unknown peer 16.138.17.119:500
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main Mode R1
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main Mode R2
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.60'
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: switched to "tunnel8"[2] 16.138.17.119
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119: deleting connection instance with peer 16.138.17.119 {isakmp=#0/ipsec=#0}
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: password file authentication method requested to authenticate user '[email protected]'
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: success user([email protected]:(null))
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: User [email protected]: Authentication Successful
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: xauth_inR1(STF_OK)
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
>
> Oct 13 15:44:04 sol pluto[3555]: | pool 192.168.20.2-192.168.20.2: growing address pool from 0 to 1
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: modecfg_inR0(STF_OK)
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: sent ModeCfg reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: the peer proposed: 192.168.20.0/24 -<all>-> 192.168.20.2/32
> Oct 13 15:44:04 sol pluto[3555]: | checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2: responding to Quick Mode proposal {msgid:537d8833}
> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2: us: 0.0.0.0/0===82.100.227.27[@xauth.lab,MS+XS+S=C] them: 16.138.17.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
> Oct 13 15:44:04 sol pluto[3555]: ABORT: ASSERTION FAILED: pi->inbound.keymat.len == needed_len (compute_proto_keymat() +339 /programs/pluto/ikev1_quick.c)
> Oct 13 15:44:04 sol ipsec__plutorun[6759]: !pluto failure!: exited with error status 134 (signal 6)
> Oct 13 15:44:04 sol ipsec__plutorun[6761]: restarting IPsec after pause...
>
> Server configuration:
>
> conn tunnel8-aggr
>     aggrmode=yes
>     also=tunnel8
>
> conn tunnel8
>     pfs=no
>     type=tunnel
>     auto=add
>     ikev2=no
>     phase2=esp
>     authby=secret
>     keyingtries=3
>     ikelifetime=24h
>     salifetime=24h
>     left=82.100.227.27
>     leftsubnet=0.0.0.0/0
>     [email protected]
>     right=%any
>     rightid=%any
>     rightaddresspool=192.168.20.100-192.168.20.254
>     dpddelay=30
>     dpdtimeout=300
>     dpdaction=clear
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     fragmentation=yes
>     xauthby=file
>
> Client configuration (using libreswan 4.5)
>
> conn tunnel1
>     pfs=no
>     type=tunnel
>     auto=start
>     ikev2=no
>     phase2=esp
>     authby=secret
>     keyingtries=3
>     ikelifetime=8h
>     salifetime=8h
>     left=192.168.1.60
>     leftnexthop=16.138.17.119
>     right=xauth.lab
>     rightsubnet=192.168.20.0/24
>     [email protected]
>     dpddelay=30
>     dpdtimeout=300
>     dpdaction=restart
>     leftxauthclient=yes
>     leftmodecfgclient=yes
>     [email protected]
>     modecfgpull=yes
>     fragmentation=yes
>     ipsec-interface=yes
>
> Thanks for the help.
>
> Regards,
> Antonio
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
