Package: strongswan-charon
Version: 6.0.1-6
Severity: important

Hello!

One of our servers got its strongswan-charon package upgraded from 6.0.1-5 to 6.0.1-6 last night. It has IPsec connections to another trixie machine that's still using 6.0.1-5 and to a bookworm machine that's using 5.9.8-5+deb12u1.

No changes to the configuration happened for a while. Since the upgrade happened, the host with 6.0.1-6 can't establish a connection to the other two hosts anymore. If I start the connection manually I can see the following output (peer IP replaced by 1.2.3.4; local IP replaced by 1.2.1.2):

ipsec up connection-name
initiating IKE_SA connection-name[6] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 1.2.1.2[500] to 1.2.3.4[500] (972 bytes)
received packet: from 1.2.3.4[500] to 1.2.1.2[500] (280 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
KDF_PRF with PRF_HMAC_SHA2_256 not supported
key derivation failed
establishing connection 'connection-name' failed


Is this an expected compatibility break or is it an unexpected regression?


-- System Information:
Debian Release: 13.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.38+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages strongswan-charon depends on:
ii  debconf [debconf-2.0]  1.5.91
ii  iproute2               6.15.0-1
ii  libc6                  2.41-10
pn  libstrongswan          <none>
pn  strongswan-libcharon   <none>
pn  strongswan-starter     <none>

strongswan-charon recommends no packages.

strongswan-charon suggests no packages.
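A triage aid added here as an example (not code from the report or from the strongSwan project): it scans charon log output like the one quoted above and correlates each "KDF_PRF ... not supported" failure with the connection, peer and negotiated IKE proposal, so an administrator can see at a glance which peers and which PRF are affected after an upgrade. The regex names, function names and the embedded sample log variable are my own; the sample text is the output from the report.

```python
import re

# Constructed sample input: the charon output quoted in the report above, unmodified.
SAMPLE_LOG = """\
initiating IKE_SA connection-name[6] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 1.2.1.2[500] to 1.2.3.4[500] (972 bytes)
received packet: from 1.2.3.4[500] to 1.2.1.2[500] (280 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
KDF_PRF with PRF_HMAC_SHA2_256 not supported
key derivation failed
establishing connection 'connection-name' failed
"""

# search() rather than match(), so journal prefixes like "charon[123]: 05[IKE] " are tolerated.
INIT_RE = re.compile(r"initiating IKE_SA (\S+?)\[\d+\] to (\S+)")
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(\S+)")
KDF_RE = re.compile(r"KDF_PRF with (\S+) not supported")

def parse_ike_proposal(spec):
    # charon prints ENCR/INTEG/PRF/DH, or ENCR/PRF/DH when the cipher is AEAD
    # (e.g. AES_GCM_16_256) and therefore carries no separate integrity transform.
    parts = spec.split("/")
    if len(parts) == 4:
        return dict(zip(("encr", "integ", "prf", "dh"), parts))
    if len(parts) == 3:
        return dict(zip(("encr", "prf", "dh"), parts))
    raise ValueError(f"unexpected IKE proposal format: {spec!r}")

def find_kdf_failures(log_text):
    # One record per IKE_SA whose key derivation failed on an unsupported PRF,
    # correlated with the connection, peer and negotiated proposal so a fleet-wide
    # journal scan shows which peers and which PRF are affected after an upgrade.
    failures, conn, peer, proposal = [], None, None, None
    for line in log_text.splitlines():
        if m := INIT_RE.search(line):
            conn, peer, proposal = m.group(1), m.group(2), None
        elif m := PROPOSAL_RE.search(line):
            proposal = parse_ike_proposal(m.group(1))
        elif (m := KDF_RE.search(line)) and proposal is not None:
            failures.append({
                "connection": conn, "peer": peer, "proposal": proposal,
                "unsupported_prf": m.group(1),
                # True when the failing PRF is exactly the one both peers agreed on.
                "prf_matches_proposal": m.group(1) == proposal["prf"],
            })
    return failures
```

Feed it `journalctl -u strongswan -o cat` output (or the `ipsec up` output above) to get one record per failed IKE_SA; a failure whose PRF does not match the negotiated proposal points at something other than the negotiated PRF being unavailable.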
