Re: [Swan] Libreswan version 4.8 abort when connecting with ikev1 xauth with psk

Fri, 14 Oct 2022 00:06:51 -0700 

Thanks Paul!

--
Saludos / Regards / Cumprimentos
António Silva




> On 13 Oct 2022, at 22:07, Paul Wouters <[email protected]> wrote:
> 
> We will release 4.9 to address this regression in the next day or so
> 
> Sent using a virtual keyboard on a phone
> 
>> On Oct 13, 2022, at 10:29, António Silva <[email protected]> wrote:
>> 
>> 
>> 
>> Hi,
>> 
>> I just update libreswan from version 4.7 to 4.8, but with the newest version 
>> I can’t establish a connection whit current configuration, it exit with 
>> status 134.
>> Just revert to version 4.7 and everything working ok.
>> 
>> 
>> 
>> The log when trying to connect:
>> 
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: responding 
>> to Main Mode from unknown peer 16.138.17.119:500
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main 
>> Mode R1
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main 
>> Mode R2
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: Peer ID is 
>> ID_IPV4_ADDR: '192.168.1.60'
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: switched to 
>> "tunnel8"[2] 16.138.17.119
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119: deleting 
>> connection instance with peer 16.138.17.119 {isakmp=#0/ipsec=#0}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA 
>> established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
>> group=MODP2048}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: 
>> Sending Username/Password request (MAIN_R3->XAUTH_R0)
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: 
>> password file authentication method requested to authenticate user 
>> '[email protected] <mailto:[email protected]>'
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: 
>> password file (/etc/ipsec.d/passwd) open.
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: 
>> success user([email protected] <mailto:[email protected]>:(null))
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: User 
>> [email protected] <mailto:[email protected]>: Authentication Successful
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: 
>> xauth_inR1(STF_OK)
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA 
>> established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
>> group=MODP2048}
>> 
>> Oct 13 15:44:04 sol pluto[3555]: | pool 192.168.20.2-192.168.20.2: growing 
>> address pool from 0 to 1
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: 
>> modecfg_inR0(STF_OK)
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: sent ModeCfg 
>> reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 
>> integ=HMAC_SHA2_256 group=MODP2048}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: the peer 
>> proposed: 192.168.20.0/24 -<all>-> 192.168.20.2/32
>> Oct 13 15:44:04 sol pluto[3555]: |   checking hostpair 0.0.0.0/0 -> 
>> 192.168.20.2/32
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2: responding 
>> to Quick Mode proposal {msgid:537d8833}
>> Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2:     us: 
>> 0.0.0.0/0===82.100.227.27[@xauth.lab,MS+XS+S=C]  them: 
>> 16.138.17.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
>> Oct 13 15:44:04 sol pluto[3555]: ABORT: ASSERTION FAILED: 
>> pi->inbound.keymat.len == needed_len (compute_proto_keymat() +339 
>> /programs/pluto/ikev1_quick.c)
>> Oct 13 15:44:04 sol ipsec__plutorun[6759]: !pluto failure!:  exited with 
>> error status 134 (signal 6)
>> Oct 13 15:44:04 sol ipsec__plutorun[6761]: restarting IPsec after pause...
>> 
>> 
>> 
>> Server configuration: 
>> conn tunnel8-aggr
>>      aggrmode=yes
>>      also=tunnel8
>> 
>> conn tunnel8
>>      pfs=no
>>      type=tunnel
>>      auto=add
>>      ikev2=no
>>      phase2=esp
>>      authby=secret
>>      keyingtries=3
>>      ikelifetime=24h
>>      salifetime=24h
>>      left=82.100.227.27
>>      leftsubnet=0.0.0.0/0
>>      [email protected] <mailto:[email protected]>
>>      right=%any
>>      rightid=%any
>>      rightaddresspool=192.168.20.100-192.168.20.254
>>      dpddelay=30
>>      dpdtimeout=300
>>      dpdaction=clear
>>      leftxauthserver=yes
>>      rightxauthclient=yes
>>      leftmodecfgserver=yes
>>      rightmodecfgclient=yes
>>      modecfgpull=yes
>>      fragmentation=yes
>>      xauthby=file
>> 
>> 
>> 
>> 
>> Cliente configuration (using libreswan 4.5)
>> conn tunnel1
>>      pfs=no
>>      type=tunnel
>>      auto=start
>>      ikev2=no
>>      phase2=esp
>>      authby=secret
>>      keyingtries=3
>>      ikelifetime=8h
>>      salifetime=8h
>>      left=192.168.1.60
>>      leftnexthop=16.138.17.119
>>      right=xauth.lab
>>      rightsubnet=192.168.20.0/24
>>      [email protected] <mailto:[email protected]>
>>      dpddelay=30
>>      dpdtimeout=300
>>      dpdaction=restart
>>      leftxauthclient=yes
>>      leftmodecfgclient=yes
>>      [email protected] <mailto:[email protected]>
>>      modecfgpull=yes
>>      fragmentation=yes
>>      ipsec-interface=yes
>> 
>> 
>> Thanks for the help.
>> 
>> Regards,
>> Antonio
>> 
>> 
>> 
>> _______________________________________________
>> Swan mailing list
>> [email protected]
>> https://lists.libreswan.org/mailman/listinfo/swan


_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

Reply via email to