Hello again!
Thanks for all information regarding x509 and appropriate matching
within DNs.
Meanwhile, after adjusting the configs in order to remove opportunistic
encryption, I tried to take the next step and get the connection with
remotehost1.privlan to work.
As of now, I have failed. In more detail, this means that
- the connections on 192.168.1.0/24 work as they did before, although
without opportunistic encryption;
- attempts to connect from remotehost1.privlan to server.privlan fail.
To summarize briefly:
remotehost1.privlan has 10.0.1.138, sitting behind a public 203.0.113.55;
its config is
conn headq
    left=%defaultroute
    leftcert=remotehost1
    leftid=%fromcert
    right=198.51.100.33
    rightid=%fromcert
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ikev2=insist
    auto=start
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    pfs=yes
    aggressive=no
    salifetime=1h
    negotiationshunt=hold
    failureshunt=drop
    rightca=%same
(plus an ssh-passthrough conn)
When attempting to connect, the logfile says:
==============================
systemd[1]: Starting ipsec.service - Internet Key Exchange (IKE) Protocol
Daemon for IPsec...
ipsec[3507]: nflog ipsec capture disabled
pluto[3521]: Initializing NSS using read-write database "sql:/var/lib/ipsec/nss"
pluto[3521]: FIPS Mode: NO
pluto[3521]: NSS crypto library initialized
pluto[3521]: FIPS mode disabled for pluto daemon
pluto[3521]: FIPS HMAC integrity support [disabled]
pluto[3521]: libcap-ng support [enabled]
pluto[3521]: Linux audit support [enabled]
pluto[3521]: Linux audit activated
pluto[3521]: Starting Pluto (Libreswan Version 4.3 IKEv2 IKEv1 XFRM(netkey)
XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-PRF)
DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC (SELINUX) LIBCAP_NG LINUX_AUDIT AUTH_PAM
NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:3521
pluto[3521]: core dump dir: /run/pluto
pluto[3521]: secrets file: /etc/ipsec.secrets
pluto[3521]: leak-detective enabled
pluto[3521]: NSS crypto [enabled]
pluto[3521]: XAUTH PAM support [enabled]
pluto[3521]: initializing libevent in pthreads mode: headers: 2.1.12-stable
(2010c00); library: 2.1.12-stable (2010c00)
pluto[3521]: NAT-Traversal support [enabled]
pluto[3521]: Encryption algorithms:
<...>
pluto[3521]: testing HMAC_MD5:
pluto[3521]: RFC 2104: MD5_HMAC test 1
pluto[3521]: RFC 2104: MD5_HMAC test 2
systemd[1]: Started ipsec.service - Internet Key Exchange (IKE) Protocol Daemon
for IPsec.
pluto[3521]: RFC 2104: MD5_HMAC test 3
pluto[3521]: 2 CPU cores online
pluto[3521]: starting up 2 helper threads
pluto[3521]: started thread for helper 0
pluto[3521]: started thread for helper 1
pluto[3521]: using Linux xfrm kernel support code on #1 SMP PREEMPT_DYNAMIC
Debian 6.1.55-1~bpo11+1 (2023-10-08)
pluto[3521]: seccomp security for helper not supported
pluto[3521]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6
holes
pluto[3521]: seccomp security for helper not supported
pluto[3521]: selinux support is NOT enabled.
pluto[3521]: systemd watchdog for ipsec service configured with timeout of
200000000 usecs
pluto[3521]: watchdog: sending probes every 100 secs
pluto[3521]: seccomp security not supported
pluto[3521]: "headq": loaded private key matching left certificate 'remotehost1'
pluto[3521]: "headq": added IKEv2 connection
pluto[3521]: "headq-ssh-pass": failed to add connection: shunt connection
cannot have authentication method other then authby=never
pluto[3521]: listening for IKE messages
pluto[3521]: Kernel supports NIC esp-hw-offload
pluto[3521]: adding UDP interface enp2s0 10.0.1.138:500
pluto[3521]: adding UDP interface enp2s0 10.0.1.138:4500
pluto[3521]: adding UDP interface lo 127.0.0.1:500
pluto[3521]: adding UDP interface lo 127.0.0.1:4500
pluto[3521]: forgetting secrets
pluto[3521]: loading secrets from "/etc/ipsec.secrets"
pluto[3521]: no secrets filename matched "/etc/ipsec.d/*.secrets"
pluto[3521]: "headq" #1: initiating IKEv2 connection
pluto[3521]: "headq": local IKE proposals (IKE SA initiator selecting KE):
pluto[3521]: "headq":
1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[3521]: "headq":
2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[3521]: "headq":
3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[3521]: "headq":
4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[3521]: "headq" #1: sent IKE_SA_INIT request
pluto[3521]: "headq" #1: reloaded private key matching left certificate
'remotehost1'
pluto[3521]: "headq": local ESP/AH proposals (IKE SA initiator emitting ESP/AH
proposals):
pluto[3521]: "headq": 1:ESP=AES_GCM_C_256-NONE-NONE-DISABLED
pluto[3521]: "headq": 2:ESP=AES_GCM_C_128-NONE-NONE-DISABLED
pluto[3521]: "headq":
3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED
pluto[3521]: "headq":
4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED
pluto[3521]: "headq" #1: sent IKE_AUTH request {auth=IKEv2
cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
pluto[3521]: "headq" #2: STATE_PARENT_I2: retransmission; will wait 0.5 seconds
for response
pluto[3521]: "headq" #2: STATE_PARENT_I2: retransmission; will wait 1 seconds
for response
pluto[3521]: "headq" #2: STATE_PARENT_I2: retransmission; will wait 2 seconds
for response
pluto[3521]: "headq" #2: dropping unexpected IKE_AUTH message containing
TS_UNACCEPTABLE notification; message payloads: SKF; encrypted payloads:
IDr,CERT,AUTH,N; unexpected payloads: IDr,CERT,AUTH
pluto[3521]: "headq" #2: encountered fatal error in state STATE_PARENT_I2
pluto[3521]: "headq" #2: deleting state (STATE_PARENT_I2) aged 2.45823s and NOT
sending notification
systemd[1]: Stopping ipsec.service - Internet Key Exchange (IKE) Protocol
Daemon for IPsec...
pluto[3521]: shutting down
pluto[3521]: "headq" #1: deleting state (STATE_PARENT_I2) aged 26.561805s and
NOT sending notification
whack[3580]: 002 shutting down
pluto[3521]: forgetting secrets
pluto[3521]: shutting down interface lo 127.0.0.1:4500
pluto[3521]: shutting down interface lo 127.0.0.1:500
pluto[3521]: shutting down interface enp2s0 10.0.1.138:4500
pluto[3521]: shutting down interface enp2s0 10.0.1.138:500
pluto[3521]: leak detective found no leaks
systemd[1]: ipsec.service: Deactivated successfully.
systemd[1]: Stopped ipsec.service - Internet Key Exchange (IKE) Protocol Daemon
for IPsec.
systemd[1]: ipsec.service: Consumed 1.591s CPU time.
==============================
Here's the responder side:
server.privlan has 192.168.1.253, sitting behind 198.51.100.33, and a config
of
conn privlan
    left=%defaultroute
    right=%any
    auto=ondemand
    authby=rsasig
    ikev2=insist
    leftid=%fromcert
    rightid=%fromcert
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=server
    leftsendcert=always
    rightsendcert=always
    rightca=%same
    pfs=yes
    aggressive=no
    salifetime=1h
    negotiationshunt=hold
    failureshunt=drop
conn remotesite
    left=%defaultroute
    right=203.0.113.55
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    auto=add
    ikev2=yes
    authby=rsasig
    leftid=%fromcert
    rightid=%fromcert
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=server
    pfs=yes
    aggressive=no
    salifetime=1h
    negotiationshunt=hold
    failureshunt=drop
    rekey=no
(plus the usual ssh-passthrough)
On this end, the connection attempt yields:
==============================
systemd[1]: Starting ipsec.service - Internet Key Exchange (IKE) Protocol
Daemon for IPsec...
ipsec[22707]: nflog ipsec capture disabled
pluto[22719]: Initializing NSS using read-write database
"sql:/var/lib/ipsec/nss"
pluto[22719]: FIPS Mode: NO
pluto[22719]: NSS crypto library initialized
pluto[22719]: FIPS mode disabled for pluto daemon
pluto[22719]: FIPS HMAC integrity support [disabled]
pluto[22719]: libcap-ng support [enabled]
pluto[22719]: Linux audit support [enabled]
pluto[22719]: Linux audit activated
pluto[22719]: Starting Pluto (Libreswan Version 4.10 IKEv2 IKEv1 XFRM XFRMI
esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) DNSSEC
SYSTEMD_WATCHDOG LABELED_IPSEC (SELINUX) LIBCAP_NG LINUX_AUDIT AUTH_PAM
NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:22719
pluto[22719]: core dump dir: /run/pluto
pluto[22719]: secrets file: /etc/ipsec.secrets
pluto[22719]: leak-detective enabled
pluto[22719]: NSS crypto [enabled]
pluto[22719]: XAUTH PAM support [enabled]
pluto[22719]: initializing libevent in pthreads mode: headers: 2.1.12-stable
(2010c00); library: 2.1.12-stable (2010c00)
pluto[22719]: NAT-Traversal support [enabled]
pluto[22719]: Encryption algorithms:
pluto[22719]: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2:
ESP FIPS aes_ccm, aes_ccm_c
<...>
pluto[22719]: testing HMAC_SHA1:
pluto[22719]: CAVP: IKEv2 key derivation with HMAC-SHA1
systemd[1]: Started ipsec.service - Internet Key Exchange (IKE) Protocol Daemon
for IPsec.
pluto[22719]: 2 CPU cores online
pluto[22719]: starting up 2 helper threads
pluto[22719]: started thread for helper 0
pluto[22719]: started thread for helper 1
pluto[22719]: using Linux xfrm kernel support code on #1 SMP Debian
6.5.10-1~bpo12+1 (2023-11-23)
pluto[22719]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6
holes
pluto[22719]: selinux support is NOT enabled.
pluto[22719]: systemd watchdog for ipsec service configured with timeout of
200000000 usecs
pluto[22719]: watchdog: sending probes every 100 secs
pluto[22719]: helper(2) seccomp security for helper not supported
pluto[22719]: helper(1) seccomp security for helper not supported
pluto[22719]: seccomp security not supported
pluto[22719]: "privlan-ssh": added passthrough connection
pluto[22719]: "privlan": IKE SA proposals (connection add):
pluto[22719]: "privlan":
1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "privlan":
2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "privlan":
3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "privlan":
4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "privlan": Child SA proposals (connection add):
pluto[22719]: "privlan": 1:ESP=AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
pluto[22719]: "privlan": 2:ESP=AES_GCM_C_128-NONE-NONE-ENABLED+DISABLED
pluto[22719]: "privlan":
3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[22719]: "privlan":
4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[22719]: "privlan": loaded private key matching left certificate 'server'
pluto[22719]: "privlan": added IKEv2 connection
pluto[22719]: "remotesite": IKE SA proposals (connection add):
pluto[22719]: "remotesite":
1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "remotesite":
2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "remotesite":
3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "remotesite":
4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[22719]: "remotesite": Child SA proposals (connection add):
pluto[22719]: "remotesite": 1:ESP=AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
pluto[22719]: "remotesite": 2:ESP=AES_GCM_C_128-NONE-NONE-ENABLED+DISABLED
pluto[22719]: "remotesite":
3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[22719]: "remotesite":
4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[22719]: "remotesite": added IKEv2 connection
pluto[22719]: "remotesite-ssh": added passthrough connection
pluto[22719]: listening for IKE messages
pluto[22719]: Kernel supports NIC esp-hw-offload
pluto[22719]: adding UDP interface eth2 192.168.1.254:500
pluto[22719]: adding UDP interface eth2 192.168.1.254:4500
pluto[22719]: adding UDP interface lo 127.0.0.1:500
pluto[22719]: adding UDP interface lo 127.0.0.1:4500
pluto[22719]: forgetting secrets
pluto[22719]: loading secrets from "/etc/ipsec.secrets"
pluto[22719]: no secrets filename matched "/etc/ipsec.d/*.secrets"
pluto[22719]: "privlan": cannot route template policy of
IKEv2+RSASIG+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+failureDROP
pluto[22719]: EXPECTATION FAILED: peer_client->ipproto ==
transport_proto->ipproto (bare_shunt_ptr() +1395 /programs/pluto/kernel.c)
pluto[22719]: EXPECTATION FAILED: src_client_proto == dst_client_proto
(raw_policy() +126 /programs/pluto/kernel_ops.c)
pluto[22719]: EXPECTATION FAILED: selector_protocol(*dst_client) ==
client_proto (xfrm_raw_policy() +536 /programs/pluto/kernel_xfrm.c)
pluto[22719]: EXPECTATION FAILED: src_client_proto == dst_client_proto
(raw_policy() +126 /programs/pluto/kernel_ops.c)
pluto[22719]: EXPECTATION FAILED: selector_protocol(*dst_client) ==
client_proto (xfrm_raw_policy() +536 /programs/pluto/kernel_xfrm.c)
pluto[22719]: "remotesite" #1: proposal
1:IKE=AES_GCM_C_256-HMAC_SHA2_512-MODP2048 chosen from remote proposals
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match]
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
pluto[22719]: "remotesite" #1: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256
integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
pluto[22719]: "remotesite" #1: processing decrypted IKE_AUTH request:
SK{IDi,CERT,CERTREQ,AUTH,SA,TSi,TSr}
pluto[22719]: "remotesite" #1: reloaded private key matching left certificate
'server'
pluto[22719]: "remotesite" #1: switched to "privlan"[1] 203.0.113.55
pluto[22719]: "privlan"[1] 203.0.113.55 #1: responder established IKE SA;
authenticated peer '8192-bit RSASSA-PSS with SHA2_512' digital signature using
peer certificate 'C=XX, O=MyOrg, CN=remotehost1.privlan' issued by CA 'CN=MyOrg
CA'
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
pluto[22719]: "privlan"[1] 203.0.113.55 #1: discarding packet received during
asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
systemd[1]: Stopping ipsec.service - Internet Key Exchange (IKE) Protocol
Daemon for IPsec...
whack[22761]: 002 shutting down
pluto[22719]: shutting down
pluto[22719]: Pluto is shutting down
pluto[22719]: "privlan"[1] 203.0.113.55: deleting connection instance with peer
203.0.113.55 {isakmp=#1/ipsec=#0}
pluto[22719]: "privlan"[1] 203.0.113.55 #1: deleting state
(STATE_V2_ESTABLISHED_IKE_SA) aged 183.302839s and sending notification
pluto[22719]: EXPECTATION FAILED: src_client_proto == dst_client_proto
(raw_policy() +126 /programs/pluto/kernel_ops.c)
pluto[22719]: EXPECTATION FAILED: selector_protocol(*dst_client) ==
client_proto (xfrm_raw_policy() +536 /programs/pluto/kernel_xfrm.c)
pluto[22719]: EXPECTATION FAILED: src_client_proto == dst_client_proto
(raw_policy() +126 /programs/pluto/kernel_ops.c)
pluto[22719]: EXPECTATION FAILED: selector_protocol(*dst_client) ==
client_proto (xfrm_raw_policy() +536 /programs/pluto/kernel_xfrm.c)
pluto[22719]: "remotesite-ssh": kernel: xfrm XFRM_MSG_DELPOLICY for flow
%discard(discard) (in) encountered unexpected policy
pluto[22719]: "privlan-ssh": kernel: xfrm XFRM_MSG_DELPOLICY for flow
%discard(discard) (in) encountered unexpected policy
pluto[22719]: forgetting secrets
pluto[22719]: shutting down interface lo 127.0.0.1:4500
pluto[22719]: shutting down interface lo 127.0.0.1:500
pluto[22719]: shutting down interface eth2 192.168.1.254:4500
pluto[22719]: shutting down interface eth2 192.168.1.254:500
pluto[22719]: leak detective found no leaks
systemd[1]: ipsec.service: Deactivated successfully.
systemd[1]: Stopped ipsec.service - Internet Key Exchange (IKE) Protocol Daemon
for IPsec.
systemd[1]: ipsec.service: Consumed 3.557s CPU time.
==============================
Any ideas about what to adjust and how? To me, it appears that the point
of failure is currently on the responder's side: pluto starts receiving
IKE messages from remotehost1.privlan and selects the conn "remotesite"
(which is correct), but shortly thereafter switches to the conn
"privlan". Unfortunately, I have no idea why it does that or how to
make it stick to the "remotesite" conn that it had selected at the
beginning.
Many thanks,
Phil
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
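As an added diagnostic aid (not part of Phil's post and not Libreswan code), the following Python script parses pluto log lines of the kind quoted above and summarises, per IKE SA, which conn it was logged under and in what order, any "switched to" events, retransmissions, TS_UNACCEPTABLE notifications, and conns pluto refused to load. The sample lines are a constructed subset of the two logs in the post with the mail-wrapped lines rejoined; the field names and the report layout are this script's own.

```python
import re
from collections import defaultdict

# Constructed sample: eight lines condensed from the two pluto logs quoted in the post
# (initiator pid 3521, responder pid 22719), with mail-wrapped lines rejoined.
SAMPLE_LOG = """\
pluto[3521]: "headq-ssh-pass": failed to add connection: shunt connection cannot have authentication method other then authby=never
pluto[3521]: "headq" #1: initiating IKEv2 connection
pluto[3521]: "headq" #2: STATE_PARENT_I2: retransmission; will wait 0.5 seconds for response
pluto[3521]: "headq" #2: STATE_PARENT_I2: retransmission; will wait 1 seconds for response
pluto[3521]: "headq" #2: dropping unexpected IKE_AUTH message containing TS_UNACCEPTABLE notification; message payloads: SKF; encrypted payloads: IDr,CERT,AUTH,N; unexpected payloads: IDr,CERT,AUTH
pluto[22719]: "remotesite" #1: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
pluto[22719]: "remotesite" #1: switched to "privlan"[1] 203.0.113.55
pluto[22719]: "privlan"[1] 203.0.113.55 #1: responder established IKE SA; authenticated peer '8192-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'C=XX, O=MyOrg, CN=remotehost1.privlan' issued by CA 'CN=MyOrg CA'
"""

# conn name, optional "[instance] peer", optional "#sa", then the message text
LINE_RE = re.compile(
    r'^(?P<proc>\w+)\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)"'
    r'(?:\[(?P<inst>\d+)\] (?P<peer>\S+))?(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
SWITCH_RE = re.compile(r'switched to "(?P<to>[^"]+)"')
CERT_RE = re.compile(r"peer certificate '(?P<dn>[^']+)'")


def parse_line(line):
    """Split one pluto line into its fields; None for lines that name no conn."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(text):
    """Collect the events that decide whether an IKEv2 negotiation gets through."""
    report = {
        "config_errors": [],                  # conns pluto refused to load
        "sa_conns": defaultdict(list),        # (pid, sa) -> conns the SA was logged under
        "switches": [],                       # (pid, sa, from_conn, to_conn)
        "retransmissions": defaultdict(int),  # (pid, conn, sa) -> count
        "ts_unacceptable": [],                # (pid, conn, sa)
        "established": [],                    # (pid, conn, sa, peer certificate DN)
    }
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        pid, conn, sa, msg = f["pid"], f["conn"], f["sa"], f["msg"]
        if msg.startswith("failed to add connection"):
            report["config_errors"].append(conn)
        if sa is not None:
            seq = report["sa_conns"][(pid, sa)]
            if not seq or seq[-1] != conn:  # record each change of conn, in order
                seq.append(conn)
        sw = SWITCH_RE.search(msg)
        if sw:
            report["switches"].append((pid, sa, conn, sw.group("to")))
        if "retransmission" in msg:
            report["retransmissions"][(pid, conn, sa)] += 1
        if "TS_UNACCEPTABLE" in msg:
            report["ts_unacceptable"].append((pid, conn, sa))
        if "established IKE SA" in msg:
            cert = CERT_RE.search(msg)
            report["established"].append((pid, conn, sa, cert.group("dn") if cert else None))
    return report
```

Running `triage()` over a full `journalctl -u ipsec` capture from both ends shows at a glance whether a given SA number changed conn mid-negotiation and which side reported the traffic-selector rejection.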