Good day, dear community.
Andrew, you are right: the problem was in compress; by changing the value to no, the errors disappeared from the logs.
Paul is right too. I switched to IKEv2 and everything worked for me. But there are nuances: the values of leftsubnet and rightsubnets must be entered manually; IPsec does not receive these values automatically. PSK+XAUTH cannot be configured in IKEv2. Authorization is only by PSK or certificates. Also, after the ikelifetime time has elapsed, IPsec breaks and does not reconnect. I followed the advice at https://github.com/hwdsl2/setup-ipsec-vpn/issues/913 and set ikelifetime=24h, but I think that after 24 hours IPsec will also break and not reconnect.
Below is my current working config:
conn fortinet
    # Parameter lines must be indented: ipsec.conf(5) treats an unindented line as the start of a new section.
    authby=secret
    pfs=yes
    auto=start
    rekey=yes
    left=%defaultroute
    leftid=@<left_id>
    # The subnets were not picked up from the Fortinet side via modecfg, so they are entered by hand.
    leftsubnet=10.0.5.2/32
    leftmodecfgclient=yes
    right=<public_ip_fortinet>
    rightid=<public_ip_fortinet>
    rightsubnets=10.0.0.0/24,10.0.1.0/24,10.0.2.0/23,10.0.4.0/24,172.16.0.0/21
    rightmodecfgserver=yes
    modecfgpull=yes
    ignore-peer-dns=yes
    send-vendorid=yes
    # liveness / dead peer detection
    dpddelay=3
    dpdtimeout=60
    dpdaction=restart
    fragmentation=yes
    encapsulation=yes
    # IKEv2 only; XAUTH is not available here, so authentication is PSK (authby=secret) or certificates.
    ikev2=yes
    ipsec-interface=0
    keyexchange=ike
    ike=aes256-sha2_256;dh14
    phase2=esp
    phase2alg=aes256-sha2_256;dh14
    salifetime=24h
    type=tunnel
    ikelifetime=24h
    mobike=yes
    narrowing=yes
    # compress is left at its default (no); compress=yes produced the pluto ASSERTION FAILED in the quoted log line.
10.05.2023, 20:51, "Andrew Cagney" <[email protected]>:
May 8 19:54:05.721213: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
108 is compression; I'd disable compression in the config.
I filed https://github.com/libreswan/libreswan/issues/1130
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
