Hi,

Be grateful for some help!

Trying to figure out what is going on with my Libre installation. I keep getting the subject errors and the VPN pauses for several seconds as it renegotiates.

This occurs on 3 different installs that I have. All use the same certs from the same CA built via a template to reduce the chances of me making a mess of it ;-)

Almost certainly a misconfiguration, probably in the certs, but not sure which bit.

B. Rgds
John

Libreswan 4.12 built from github source on CentOS 7
Connecting to a Mikrotik Router with RouterOS 6

Errors:
INFORMATIONAL response has no corresponding IKE SA; message dropped
IKE SA authentication request rejected by peer: INVALID_SYNTAX
conn TestToHomeMain
    type=tunnel
    leftcert="Test_Server"
    rightcert="Mikrotik_Router"
    auto=add
    ikev2=insist
    ike=aes256-sha2;dh16
    esp=aes256-sha2
    encapsulation=no
    keyingtries=%forever
    ikelifetime=3600s
    salifetime=28800s
    dpdaction=restart
    dpddelay=30
    retransmit-timeout=10
    pfs=yes
    left=%defaultroute
    leftid=%fromcert
    leftsourceip=192.168.97.1
    leftsubnet=192.168.97.0/24
    right=my.home.ip.addr
    rightid=%fromcert
    rightsubnet=192.168.10.0/24
    reauth=yes
The Mikrotik just shows this error:
payload missing: SA

Libreswan log:
Feb 19 11:47:50.144703: loading secrets from "/etc/ipsec.secrets"
Feb 19 11:47:50.144781: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Feb 19 11:47:54.203972: "TestToHomeMain" #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP4096 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096[first-match]
Feb 19 11:47:54.210021: "TestToHomeMain" #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP4096}
Feb 19 11:47:58.047830: "TestToHomeMain" #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,CERT,N(INITIAL_CONTACT),SA,TSi,TSr}
Feb 19 11:47:58.053351: "TestToHomeMain" #1: reloaded private key matching left certificate 'Test_Server'
Feb 19 11:47:58.053702: "TestToHomeMain" #1: responder established IKE SA; authenticated peer '4096-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=Mikrotik_Router, [email protected]' issued by CA 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=CA_Company, [email protected]'
Feb 19 11:47:58.081239: "TestToHomeMain" #2: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-DISABLED SPI=0d60ffc8 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
Feb 19 11:47:58.128809: "TestToHomeMain" #2: responder established Child SA using #1; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x0d60ffc8 <0xd92d3260 xfrm=AES_CBC_256-HMAC_SHA2_256_128 DPD=active}
Feb 19 11:47:58.129292: netlink_expire got message with length 68 < 232 bytes; ignore message
Feb 19 12:02:58.861473: "TestToHomeMain" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
Feb 19 12:02:59.361763: "TestToHomeMain" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1 seconds for response
Feb 19 12:03:00.362203: "TestToHomeMain" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 2 seconds for response
Feb 19 12:12:17.214206: "TestToHomeMain" #3: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-MODP4096-DISABLED SPI=0981498e chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096;ESN=DISABLED[first-match]
Feb 19 12:12:17.222022: "TestToHomeMain" #3: responder rekeyed Child SA #2 using #1; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x0981498e <0x06caca24 xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP4096 DPD=active}
Feb 19 12:12:29.242019: "TestToHomeMain" #2: ESP traffic information: in=0B out=0B
Feb 19 12:36:39.311720: "TestToHomeMain" #4: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-MODP4096-DISABLED SPI=015d5fdf chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096;ESN=DISABLED[first-match]
Feb 19 12:36:39.319453: "TestToHomeMain" #4: responder rekeyed Child SA #3 using #1; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x015d5fdf <0xd995cc03 xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP4096 DPD=active}
Feb 19 12:36:45.411744: "TestToHomeMain" #3: ESP traffic information: in=0B out=0B
Feb 19 12:47:58.090049: "TestToHomeMain" #1: initiate reauthentication of IKE SA
Feb 19 12:47:58.090269: "TestToHomeMain" #5: initiating IKEv2 connection to replace established IKE SA #1
Feb 19 12:47:58.091242: "TestToHomeMain" #1: IKE SA expired (LATEST!)
Feb 19 12:47:58.091281: "TestToHomeMain" #4: ESP traffic information: in=0B out=0B
Feb 19 12:47:58.102162: "TestToHomeMain" #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 3603.898215s and sending notification
Feb 19 12:47:58.102682: "TestToHomeMain" #5: sent IKE_SA_INIT request to my.home.ip.addr:500
Feb 19 12:47:58.137858: packet from my.home.ip.addr:4500: INFORMATIONAL response has no corresponding IKE SA; message dropped
Feb 19 12:47:58.603416: "TestToHomeMain" #5: STATE_V2_PARENT_I1: retransmission; will wait 0.5 seconds for response
Feb 19 12:47:59.104080: "TestToHomeMain" #5: STATE_V2_PARENT_I1: retransmission; will wait 1 seconds for response
Feb 19 12:48:00.105285: "TestToHomeMain" #5: STATE_V2_PARENT_I1: retransmission; will wait 2 seconds for response
Feb 19 12:48:02.107516: "TestToHomeMain" #5: STATE_V2_PARENT_I1: retransmission; will wait 4 seconds for response
Feb 19 12:48:04.216662: "TestToHomeMain" #5: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 12:48:04.218295: "TestToHomeMain" #5: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 12:48:04.218399: "TestToHomeMain" #5: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 12:48:04.219154: "TestToHomeMain" #5: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 12:48:04.228016: "TestToHomeMain" #5: omitting CHILD SA payloads
Feb 19 12:48:04.228273: "TestToHomeMain" #5: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP4096}
Feb 19 12:48:04.308634: "TestToHomeMain" #5: IKE SA authentication request rejected by peer: INVALID_SYNTAX
Feb 19 12:48:04.308686: "TestToHomeMain" #5: encountered fatal error in state STATE_V2_PARENT_I2
Feb 19 12:48:04.308697: "TestToHomeMain" #5: deleting state (STATE_V2_PARENT_I2) aged 6.218559s and NOT sending notification
Feb 19 12:48:07.662370: "TestToHomeMain" #6: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP4096 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096[first-match]
Feb 19 12:48:07.667879: "TestToHomeMain" #6: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP4096}
Feb 19 12:48:11.654302: "TestToHomeMain" #6: processing decrypted IKE_AUTH request: SK{IDi,AUTH,CERT,N(INITIAL_CONTACT),SA,TSi,TSr}
Feb 19 12:48:11.657299: "TestToHomeMain" #6: responder established IKE SA; authenticated peer '4096-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=Mikrotik_Router, [email protected]' issued by CA 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=CA_Company, [email protected]'
Feb 19 12:48:11.674011: "TestToHomeMain" #7: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-DISABLED SPI=08869ac9 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
Feb 19 12:48:11.686870: "TestToHomeMain" #7: responder established Child SA using #6; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x08869ac9 <0x1a9a0654 xfrm=AES_CBC_256-HMAC_SHA2_256_128 DPD=active}
Feb 19 12:59:42.327811: "TestToHomeMain" #6: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
Feb 19 13:03:12.372786: "TestToHomeMain" #6: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
Feb 19 13:03:12.873462: "TestToHomeMain" #6: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1 seconds for response
Feb 19 13:03:13.874602: "TestToHomeMain" #6: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 2 seconds for response
Feb 19 13:12:33.743349: "TestToHomeMain" #8: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-MODP4096-DISABLED SPI=00268b22 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096;ESN=DISABLED[first-match]
Feb 19 13:12:33.751055: "TestToHomeMain" #8: responder rekeyed Child SA #7 using #6; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x00268b22 <0xaf6d25af xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP4096 DPD=active}
Feb 19 13:12:39.743171: "TestToHomeMain" #7: ESP traffic information: in=0B out=0B
Feb 19 13:24:10.455925: "TestToHomeMain" #6: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
Feb 19 13:36:58.743539: "TestToHomeMain" #9: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-MODP4096-DISABLED SPI=0a14e80a chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096;ESN=DISABLED[first-match]
Feb 19 13:36:58.751699: "TestToHomeMain" #9: responder rekeyed Child SA #8 using #6; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x0a14e80a <0x449c4b7f xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP4096 DPD=active}
Feb 19 13:37:01.730555: "TestToHomeMain" #8: ESP traffic information: in=0B out=0B
Feb 19 13:44:34.281255: packet from 162.243.132.48:43105: initial Main Mode message received but no connection has been authorized with authby=PSK and xauth=no
Feb 19 13:48:11.676247: "TestToHomeMain" #6: initiate reauthentication of IKE SA
Feb 19 13:48:11.676354: "TestToHomeMain" #10: initiating IKEv2 connection to replace established IKE SA #6
Feb 19 13:48:11.677214: "TestToHomeMain" #6: IKE SA expired (LATEST!)
Feb 19 13:48:11.677275: "TestToHomeMain" #9: ESP traffic information: in=0B out=0B
Feb 19 13:48:11.687904: "TestToHomeMain" #6: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 3604.02555s and sending notification
Feb 19 13:48:11.688291: "TestToHomeMain" #10: sent IKE_SA_INIT request to my.home.ip.addr:500
Feb 19 13:48:11.723318: packet from my.home.ip.addr:4500: INFORMATIONAL response has no corresponding IKE SA; message dropped
Feb 19 13:48:12.188950: "TestToHomeMain" #10: STATE_V2_PARENT_I1: retransmission; will wait 0.5 seconds for response
Feb 19 13:48:12.689198: "TestToHomeMain" #10: STATE_V2_PARENT_I1: retransmission; will wait 1 seconds for response
Feb 19 13:48:13.690434: "TestToHomeMain" #10: STATE_V2_PARENT_I1: retransmission; will wait 2 seconds for response
Feb 19 13:48:15.692626: "TestToHomeMain" #10: STATE_V2_PARENT_I1: retransmission; will wait 4 seconds for response
Feb 19 13:48:17.588722: "TestToHomeMain" #10: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 13:48:17.590321: "TestToHomeMain" #10: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 13:48:17.590472: "TestToHomeMain" #10: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 13:48:17.591205: "TestToHomeMain" #10: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_I1
Feb 19 13:48:17.602017: "TestToHomeMain" #10: omitting CHILD SA payloads
Feb 19 13:48:17.602256: "TestToHomeMain" #10: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP4096}
Feb 19 13:48:17.682241: "TestToHomeMain" #10: IKE SA authentication request rejected by peer: INVALID_SYNTAX
Feb 19 13:48:17.682280: "TestToHomeMain" #10: encountered fatal error in state STATE_V2_PARENT_I2
Feb 19 13:48:17.682290: "TestToHomeMain" #10: deleting state (STATE_V2_PARENT_I2) aged 6.005973s and NOT sending notification
Feb 19 13:48:21.184062: "TestToHomeMain" #11: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP4096 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096[first-match]
Feb 19 13:48:21.189812: "TestToHomeMain" #11: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP4096}
Feb 19 13:48:25.035144: "TestToHomeMain" #11: processing decrypted IKE_AUTH request: SK{IDi,AUTH,CERT,N(INITIAL_CONTACT),SA,TSi,TSr}
Feb 19 13:48:25.037223: "TestToHomeMain" #11: responder established IKE SA; authenticated peer '4096-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=Mikrotik_Router, [email protected]' issued by CA 'C=Xx, ST=State, L=Town, O=Company, OU=IT, CN=CA_Company, [email protected]'
Feb 19 13:48:25.052800: "TestToHomeMain" #12: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-DISABLED SPI=068ef734 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
Feb 19 13:48:25.066477: "TestToHomeMain" #12: responder established Child SA using #11; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x068ef734 <0xe0388687 xfrm=AES_CBC_256-HMAC_SHA2_256_128 DPD=active}
Feb 19 14:09:25.911176: "TestToHomeMain" #11: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 0.5 seconds for response
Feb 19 14:12:37.145710: "TestToHomeMain" #13: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-MODP4096-DISABLED SPI=01dc22ca chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=MODP4096;ESN=DISABLED[first-match]
Feb 19 14:12:37.153530: "TestToHomeMain" #13: responder rekeyed Child SA #12 using #11; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x01dc22ca <0xde7f60d4 xfrm=AES_CBC_256-HMAC_SHA2_256_128-MODP4096 DPD=active}
Feb 19 14:12:49.122665: "TestToHomeMain" #12: ESP traffic information: in=0B out=0B
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
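Added example, not part of the post and not Libreswan's own code: a small Python scanner for the pattern that the quoted log shows twice, once an hour. Each time the local side initiates reauthentication (reauth=yes, ikelifetime=3600s), it deletes the old IKE SA, so the peer's INFORMATIONAL reply lands on no SA and is dropped; the new IKE_AUTH is sent with "omitting CHILD SA payloads", and the peer answers INVALID_SYNTAX, which is the same complaint the router logs as "payload missing: SA". The tunnel only comes back when the Mikrotik initiates a fresh IKE SA about 13 seconds later. The script correlates those events by pluto state number and reports the rejection reason, whether child payloads were omitted, how many orphan INFORMATIONAL replies were dropped, and the outage length. The sample log is constructed from the post's own lines with the mail wrapping undone; the regexes are written against the message texts visible in that log and are an assumption for other Libreswan versions.

```python
"""Find failed IKEv2 reauthentications in a Libreswan (pluto) log.

Added example, not Libreswan code. Looks for the sequence
"initiating IKEv2 connection to replace established IKE SA #N" ->
"omitting CHILD SA payloads" (optional) ->
"IKE SA authentication request rejected by peer: <REASON>"
and measures the gap until a Child SA is established again.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# pluto line: timestamp, then optionally '"conn" #state: ', then the message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): '
    r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$'
)
REPLACE_RE = re.compile(r'initiating IKEv2 connection to replace established IKE SA #(\d+)')
REJECT_RE = re.compile(r'IKE SA authentication request rejected by peer: (\S+)')

# Constructed sample: entries copied from the log quoted in the post, one per line.
SAMPLE_LOG = """\
Feb 19 12:47:58.090049: "TestToHomeMain" #1: initiate reauthentication of IKE SA
Feb 19 12:47:58.090269: "TestToHomeMain" #5: initiating IKEv2 connection to replace established IKE SA #1
Feb 19 12:47:58.091242: "TestToHomeMain" #1: IKE SA expired (LATEST!)
Feb 19 12:47:58.102682: "TestToHomeMain" #5: sent IKE_SA_INIT request to my.home.ip.addr:500
Feb 19 12:47:58.137858: packet from my.home.ip.addr:4500: INFORMATIONAL response has no corresponding IKE SA; message dropped
Feb 19 12:48:04.228016: "TestToHomeMain" #5: omitting CHILD SA payloads
Feb 19 12:48:04.228273: "TestToHomeMain" #5: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP4096}
Feb 19 12:48:04.308634: "TestToHomeMain" #5: IKE SA authentication request rejected by peer: INVALID_SYNTAX
Feb 19 12:48:04.308697: "TestToHomeMain" #5: deleting state (STATE_V2_PARENT_I2) aged 6.218559s and NOT sending notification
Feb 19 12:48:11.657299: "TestToHomeMain" #6: responder established IKE SA; authenticated peer '4096-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'CN=Mikrotik_Router'
Feb 19 12:48:11.686870: "TestToHomeMain" #7: responder established Child SA using #6; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0] {ESP=>0x08869ac9 <0x1a9a0654 xfrm=AES_CBC_256-HMAC_SHA2_256_128 DPD=active}
Feb 19 13:48:11.676354: "TestToHomeMain" #10: initiating IKEv2 connection to replace established IKE SA #6
Feb 19 13:48:11.723318: packet from my.home.ip.addr:4500: INFORMATIONAL response has no corresponding IKE SA; message dropped
Feb 19 13:48:17.602017: "TestToHomeMain" #10: omitting CHILD SA payloads
Feb 19 13:48:17.682241: "TestToHomeMain" #10: IKE SA authentication request rejected by peer: INVALID_SYNTAX
Feb 19 13:48:25.066477: "TestToHomeMain" #12: responder established Child SA using #11; IPsec tunnel [192.168.97.0-192.168.97.255:0-65535 0] -> [192.168.10.0-192.168.10.255:0-65535 0]
"""


@dataclass
class ReauthFailure:
    conn: str
    old_sa: int                              # IKE SA being replaced
    new_sa: int                              # IKE SA that tried to replace it
    started: datetime                        # when the replacement was initiated
    child_payloads_omitted: bool = False     # IKE_AUTH went out without SA/TSi/TSr
    dropped_informational: int = 0           # peer replies that matched no IKE SA
    rejected_at: Optional[datetime] = None
    reason: Optional[str] = None             # notify the peer answered with
    restored_at: Optional[datetime] = None   # next Child SA established, by either side

    @property
    def outage_seconds(self) -> Optional[float]:
        if self.restored_at is None:
            return None
        return (self.restored_at - self.started).total_seconds()


def parse_line(line: str):
    """Return (timestamp, conn, state_number, message), or None for non-pluto lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S.%f')  # no year; fine for deltas
    sa = int(m['sa']) if m['sa'] else None
    return ts, m['conn'], sa, m['msg']


def find_reauth_failures(lines):
    pending = {}            # new IKE SA number -> reauth still in progress
    failures = []
    awaiting_restore = []   # failures whose tunnel has not come back yet
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, conn, sa, msg = parsed
        if sa is not None and (m := REPLACE_RE.search(msg)):
            pending[sa] = ReauthFailure(conn, int(m.group(1)), sa, ts)
        elif sa in pending and 'omitting CHILD SA payloads' in msg:
            pending[sa].child_payloads_omitted = True
        elif sa is None and 'INFORMATIONAL response has no corresponding IKE SA' in msg:
            for p in pending.values():   # reply addressed to the SA we already deleted
                p.dropped_informational += 1
        elif sa in pending and (m := REJECT_RE.search(msg)):
            f = pending.pop(sa)
            f.rejected_at, f.reason = ts, m.group(1)
            failures.append(f)
            awaiting_restore.append(f)
        elif sa in pending and 'established IKE SA' in msg:
            pending.pop(sa)              # reauth succeeded: nothing to report
        elif 'established Child SA' in msg and awaiting_restore:
            for f in awaiting_restore:
                f.restored_at = ts
            awaiting_restore.clear()
    return failures


def summarize(failures):
    out = []
    for f in failures:
        down = 'not restored' if f.outage_seconds is None else f'{f.outage_seconds:.1f}s down'
        out.append(f'{f.conn}: reauth #{f.old_sa}->#{f.new_sa} rejected ({f.reason}); '
                   f'child payloads omitted={f.child_payloads_omitted}; '
                   f'orphan INFORMATIONAL={f.dropped_informational}; {down}')
    return out


if __name__ == '__main__':
    for row in summarize(find_reauth_failures(SAMPLE_LOG.splitlines())):
        print(row)
```

`find_reauth_failures` takes any iterable of lines, so replacing `SAMPLE_LOG.splitlines()` with `sys.stdin` runs it over a real pluto log. On the sample it reports both reauthentications (#1 replaced by #5, #6 replaced by #10), both rejected with INVALID_SYNTAX after the child payloads were omitted, each with one orphan INFORMATIONAL reply and an outage of roughly 13.4 to 13.6 seconds, which matches the multi-second pause described in the post.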