Verified with 5.3.5-1ubuntu3.5 on Xenial. Here is the testing procedure with east01 as the roadwarrior with IP 169.254.6.1 (foo.bar.org) and west01 as the concentrator with IP 169.254.6.2.

west01:

root@west01:~# grep foo /etc/hosts
169.254.6.1 foo.bar.org
root@west01:~# cat /etc/ipsec.conf
# LP: #1734207
conn lp-base
    authby=psk
    keyexchange=ikev1
    mobike=no
    type=transport
    left=169.254.6.2

conn lp-east01
    also=lp-base
    right=foo.bar.org
    [email protected]
    auto=add

conn lp-rw
    also=lp-base
    right=%any
    auto=add
root@west01:~# cat /etc/ipsec.secrets
169.254.6.2 @foo.bar.org : PSK "PSK-EAST01"
%any : PSK "PSK-RW"

east01:

root@east01:~# cat /etc/ipsec.conf
# LP: #1734207
conn lp-east01
    authby=psk
    keyexchange=ikev1
    mobike=no
    type=transport
    left=169.254.6.2
    right=foo.bar.org
    [email protected]
    auto=start
root@east01:~# cat /etc/ipsec.secrets
%any : PSK "PSK-EAST01"

When west01 uses the unpatched package (5.3.5-1ubuntu3.4), east01 is unable to connect:

root@east01:~# service strongswan restart
root@east01:~# journalctl -fu strongswan | grep -m1 malformed
Dec 20 18:10:57 east01 charon[2318]: 06[IKE] ignore malformed INFORMATIONAL request

As soon as west01 is upgraded to the patched package (5.3.5-1ubuntu3.5), east01 connects:

root@east01:~# service strongswan restart
root@east01:~# journalctl -u strongswan | tail
Dec 20 18:14:36 east01 charon[2543]: 06[IKE] scheduling reauthentication in 9973s
Dec 20 18:14:36 east01 charon[2543]: 06[IKE] maximum IKE_SA lifetime 10513s
Dec 20 18:14:36 east01 charon[2543]: 06[ENC] generating QUICK_MODE request 2756199350 [ HASH SA No ID ID ]
Dec 20 18:14:36 east01 charon[2543]: 06[NET] sending packet: from 169.254.6.1[500] to 169.254.6.2[500] (220 bytes)
Dec 20 18:14:36 east01 charon[2543]: 05[NET] received packet: from 169.254.6.2[500] to 169.254.6.1[500] (172 bytes)
Dec 20 18:14:36 east01 charon[2543]: 05[ENC] parsed QUICK_MODE response 2756199350 [ HASH SA No ID ID ]
Dec 20 18:14:36 east01 charon[2543]: 05[IKE] CHILD_SA lp-east01{1} established with SPIs ce97ae49_i c3036bc6_o and TS 169.254.6.1/32 === 169.254.6.2/32
Dec 20 18:14:36 east01 charon[2543]: 05[IKE] CHILD_SA lp-east01{1} established with SPIs ce97ae49_i c3036bc6_o and TS 169.254.6.1/32 === 169.254.6.2/32
Dec 20 18:14:36 east01 charon[2543]: 05[ENC] generating QUICK_MODE request 2756199350 [ HASH ]
Dec 20 18:14:36 east01 charon[2543]: 05[NET] sending packet: from 169.254.6.1[500] to 169.254.6.2[500] (60 bytes)

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1734207

Title:
  Multiple PSKs with dyndns left/rightids doesn't work
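
Added example, not part of the original bug comment: a shell helper that reads `journalctl -u strongswan` output and reports whether the most recent charon run on the roadwarrior reproduced the failure or brought the CHILD_SA up. The function names (classify_charon, unpatched_run, patched_run) are hypothetical; the sample input is log lines copied from the two runs quoted in the message.

```shell
#!/bin/sh
# classify_charon CONN: read journal lines on stdin and print one of
#   established - a CHILD_SA for CONN came up in the latest charon run
#   malformed   - the latest run logged "ignore malformed INFORMATIONAL request"
#   unknown     - neither marker was seen in the latest run
classify_charon() {
    awk -v conn="$1" '
        match($0, /charon\[[0-9]+\]/) {
            pid = substr($0, RSTART, RLENGTH)
            # A new charon PID means the service was restarted, so results
            # from the previous run no longer describe the current state.
            if (pid != last) { state = "unknown"; last = pid }
        }
        # Literal substring matches; the last marker seen in a run wins.
        index($0, "ignore malformed INFORMATIONAL request") { state = "malformed" }
        index($0, "CHILD_SA " conn "{") && index($0, " established ") { state = "established" }
        END { print (state == "" ? "unknown" : state) }
    '
}

# Sample input: the failing run against the unpatched concentrator.
unpatched_run() {
    cat <<'EOF'
Dec 20 18:10:57 east01 charon[2318]: 06[IKE] ignore malformed INFORMATIONAL request
EOF
}

# Sample input: two lines from the run against the patched concentrator.
patched_run() {
    cat <<'EOF'
Dec 20 18:14:36 east01 charon[2543]: 05[ENC] parsed QUICK_MODE response 2756199350 [ HASH SA No ID ID ]
Dec 20 18:14:36 east01 charon[2543]: 05[IKE] CHILD_SA lp-east01{1} established with SPIs ce97ae49_i c3036bc6_o and TS 169.254.6.1/32 === 169.254.6.2/32
EOF
}

# Both runs in journal order: only the latest charon PID decides the result.
{ unpatched_run; patched_run; } | classify_charon lp-east01
```

On a live host the same function can be fed directly, for example `journalctl -u strongswan | classify_charon lp-east01`.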
