António,

On Thu, 17 Oct 2024 at 11:29, antonio <[email protected]> wrote:
>
> Hi Andrew,
>
> Thanks for the detailed info.
>
> If it helps to reproduce and close the issue, my additional setup is:
>
> Debian: 11.11
> Linux kernel:
> 5.10.226
>
> User in /etc/ipsec.d/passwd:
> asilvapt@mad:$6$W27QzNXfRvCY$F.ea5ytgP/sdsdsds::192.168.20.2

Could you run the interop with plutodebug=all and then extract logs between (and including):

  the peer proposed: 192.168.20.0/24===192.168.20.2/32
  cannot respond to IPsec SA request because no connection is known for 192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32

and put that in the bug.

> If you need more info, please let me know.
>
> —
> Saludos / Regards / Cumprimentos
> António Silva
>
> On 17 Oct 2024, at 16:09, Andrew Cagney <[email protected]> wrote:
>
> 5.1 fixed this bug:
> - fix Quick mode installing 0.0.0.0/0 when no MSG_CONFIG exchange [Andrew, Tuomo]
> It was exposed in 5.0 (kernel policy was set to 0.0.0.0/0) but 4.x was
> also broken (it installed the peer's host address).
>
> I suspect this is a similar problem.
>
> left=82.100.127.28
> right=%any
> leftsubnet=0.0.0.0/0
> rightaddresspool=192.168.20.100-192.168.20.254
>
> Here's the start of quick mode.
>
> Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: the peer proposed: 192.168.20.0/24===192.168.20.2/32
> Oct 17 10:16:02 sol1 pluto[882496]: | checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
>
> It's looking for a host-pair matching 0.0.0.0/0 -> 192.168.20.2/32.
> That's wrong - 192.168.20.2/32 is not the peer's host address.
> Yet, somehow, it stumbled on:
>
> Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: responding to Quick Mode proposal {msgid:ba263d12}
> Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: us: 0.0.0.0/0===82.100.127.28[@xauth.mad,MS+XS+S=C] them: 6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
>
> However, in 5.1:
>
> Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer proposed: 192.168.20.0/24===192.168.20.2/32
> Oct 17 10:15:01 sol1 pluto[855951]: | checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
> Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot respond to IPsec SA request because no connection is known for 192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
>
> that failed.
>
> I'd file a bug.
>
_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]
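
The log extraction requested in the reply above (everything from `the peer proposed:` through `cannot respond to IPsec SA request`, inclusive), as an added example that is not part of the original thread. The function names `extract_window` and `sample_log` are hypothetical; the sample lines are copied from the message, plus two lines marked as constructed.

```shell
#!/bin/sh
# Added example (not from the thread): cut the failing Quick Mode window out of
# a pluto log so that only those lines are attached to the bug report.

# Print each run of lines that starts at "the peer proposed:" and ends at
# "cannot respond to IPsec SA request", both inclusive. A proposal that is not
# followed by that failure (for example one that was answered) is discarded
# when the next proposal starts, so only failing exchanges are printed.
extract_window() {
    awk '
        /the peer proposed:/ { buf = ""; inwin = 1 }
        inwin { buf = buf $0 "\n" }
        inwin && /cannot respond to IPsec SA request/ {
            printf "%s", buf
            buf = ""; inwin = 0
        }
    ' "$@"
}

# Sample input: log lines quoted in the message above, surrounded by two
# constructed filler lines that must not appear in the output.
sample_log() {
    cat <<'EOF'
Oct 17 10:15:00 sol1 pluto[855951]: | constructed line before the window
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:15:01 sol1 pluto[855951]: | checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot respond to IPsec SA request because no connection is known for 192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 17 10:15:02 sol1 pluto[855951]: | constructed line after the window
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: the peer proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:16:02 sol1 pluto[882496]: | checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: responding to Quick Mode proposal {msgid:ba263d12}
EOF
}

# Stand-alone run on the embedded sample; on a real system pass the log file
# as an argument instead, e.g. extract_window /path/to/pluto.log
sample_log | extract_window
```

With `plutodebug=all` the window will contain many more `|` debug lines than the sample; they are kept because everything between the two markers is printed unchanged.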
