Your message dated Fri, 22 Aug 2025 09:21:20 +0000
with message-id <[email protected]>
and subject line Bug#1109942: fixed in strongswan 6.0.2-1
has caused the Debian Bug report #1109942,
regarding strongswan-charon: upgrade to 6.0.1-6 causes "key derivation failed"
error with older versions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109942: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109942
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: strongswan-charon
Version: 6.0.1-6
Severity: important
Hello!
One of our servers got its strongswan-charon package upgraded from
6.0.1-5 to 6.0.1-6 last night. It has ipsec connections to another
trixie machine that's still using 6.0.1-5 and to a bookworm machine
that's using 5.9.8-5+deb12u1
No changes to the configuration happened for a while. Since the upgrade
happened, the host with 6.0.1-6 can't establish connection to the other
two hosts anymore. If I start the connection manually I can see the
followup output (peer IP replaced by 1.2.3.4; local IP replaced by 1.2.1.2):
ipsec up connection-name
initiating IKE_SA connection-name[6] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 1.2.1.2[500] to 1.2.3.4[500] (972 bytes)
received packet: from 1.2.3.4[500] to 1.2.1.2[500] (280 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal:
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
KDF_PRF with PRF_HMAC_SHA2_256 not supported
key derivation failed
establishing connection 'connection-name' failed
Is this an expected compatibility break or is that an unexpected regression?
-- System Information:
Debian Release: 13.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.38+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages strongswan-charon depends on:
ii debconf [debconf-2.0] 1.5.91
ii iproute2 6.15.0-1
ii libc6 2.41-10
pn libstrongswan <none>
pn strongswan-libcharon <none>
pn strongswan-starter <none>
strongswan-charon recommends no packages.
strongswan-charon suggests no packages.
--- End Message ---
--- Begin Message ---
Source: strongswan
Source-Version: 6.0.2-1
Done: Yves-Alexis Perez <[email protected]>
We believe that the bug you reported is fixed in the latest version of
strongswan, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yves-Alexis Perez <[email protected]> (supplier of updated strongswan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 22 Aug 2025 10:45:05 +0200
Source: strongswan
Architecture: source
Version: 6.0.2-1
Distribution: unstable
Urgency: medium
Maintainer: strongSwan Maintainers <[email protected]>
Changed-By: Yves-Alexis Perez <[email protected]>
Closes: 1109942
Changes:
strongswan (6.0.2-1) unstable; urgency=medium
.
* New upstream version 6.0.2
- Fix support with OpenSSL 3.5.1+ (Closes: #1109942)
* install iptfs configuration in libstrongswan
* d/copyright updated with decopy
Checksums-Sha1:
f1fe348b1472d6a1ffb13b36241758d067c6896d 3179 strongswan_6.0.2-1.dsc
eeb32fa2cb3f18f32eb70dbe29459226d7ae7c0f 4876066 strongswan_6.0.2.orig.tar.bz2
710dcb13296afde7ae842c53d6ec5206d3d80de7 659 strongswan_6.0.2.orig.tar.bz2.asc
dfb31b2aeb54ecfeb3040dd567a23f34326347d8 128000
strongswan_6.0.2-1.debian.tar.xz
01beb624f7d81a47a6d2b9efd58d868129744a86 18301
strongswan_6.0.2-1_amd64.buildinfo
Checksums-Sha256:
b57b8b2753fcf51fbb4401af1dcfd55535aed2614aaeba468cb051bc42a3d4a0 3179
strongswan_6.0.2-1.dsc
b8bfc897b84001fd810a281918d6c9ce37503cae0f41b39c43d4aba0201277cf 4876066
strongswan_6.0.2.orig.tar.bz2
51276ad43969e40f627f94435e6681dc40a11ad3c3aec3924748e0f2f1bfe8af 659
strongswan_6.0.2.orig.tar.bz2.asc
185c9ee4f8c3197a9ea19a9e19de93f81eff2af3b29afea9985a417205421acc 128000
strongswan_6.0.2-1.debian.tar.xz
d562785ee1b032693a3204e0c582a720ef7245ce8957a9a15b2a76755c28a3a8 18301
strongswan_6.0.2-1_amd64.buildinfo
Files:
8a975287becaf0d87d979dce8de7d205 3179 net optional strongswan_6.0.2-1.dsc
f03a199f79d5d871ef8d6322a8411cf9 4876066 net optional
strongswan_6.0.2.orig.tar.bz2
2c091b3b98be39f84ecb6f65c1bdf4c4 659 net optional
strongswan_6.0.2.orig.tar.bz2.asc
e3bcb41472c588df3e9681b19d351456 128000 net optional
strongswan_6.0.2-1.debian.tar.xz
703864f9656926c1b5a8af0aa231f10c 18301 net optional
strongswan_6.0.2-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAmioNGkACgkQ3rYcyPpX
RFus4Qf+LwK/lvZ9SIBlHhqpv9QoKZdGzGJnaUhJ/GxSjm7QqgDkPyJyXVVTqF0J
v5q3NIpBVuUl60rcUOHeWb29oUQUFglE5j8e69aDev0KHqe/HP2rUdHbSHSxMslA
TKHbjCzc4hODgcRfl7tU+d2mc2kcd8gP+IODxmO8+mbmsJwze0UnJkGmX+dwCIkX
IbQY+4XH8SkOLl1KTznWps3zRR+W2DonzSGsIfP+5CjhONcy1j+B81Mp0OIA2uzv
K18lBzR+2+ziZqfHS7CsI6rZQqUEHeGdsaZzuLp0+bdySHhghW4ShEjWGJlzdmDF
DeA6tLJRa4+IKNB7SD1TOmX8jdKm8w==
=9p+V
-----END PGP SIGNATURE-----
pgp96djpM5FeM.pgp
Description: PGP signature
--- End Message ---
