On 7/28/25 11:34 PM, Chris Hofstaedtler wrote:
reopen 1109942
affects 1110055 strongswan-charon
thanks
On Mon, Jul 28, 2025 at 05:30:00PM -0500, Marc Clemente wrote:
Upgrading libssl3t64 from 3.5.0-2 to 3.5.1-1 breaks strongswan (6.0.1-6). This
is reproduced on armel and armhf architectures. I was unable to reproduce it
on amd64.
root@raspberry:~# dpkg -l | grep libssl3t64
ii libssl3t64:armhf 3.5.1-1 armhf Secure Sockets Layer toolkit - shared libraries
root@raspberry:~# swanctl -i -c chronos
[..]
[IKE] local host is behind NAT, sending keep alives
[IKE] KDF_PRF with PRF_HMAC_SHA2_256 not supported
[IKE] key derivation failed
initiate failed: establishing CHILD_SA 'chronos' failed
This is probably #1109942, which was closed, but has relevant info.
Maybe you can take a look at that too.
Yes. Same thing. I don't know how the original submitter of #1109942
solved their problem.
I solved mine by downgrading libssl3t64.
I was also able to replicate the problem on amd64.
Also, if libstrongswan-extra-plugins is installed, then this "bug" does
not manifest itself. So that's another workaround.
Upgrading strongswan to 6.0.2 is not an option at this time (not
available on the repository).