I tracked the regression to addconn. You will see a difference in ipsec status after adding the connection: v2-auth-hash-policy: none. With "none" the initiator will only propose RSASIG-v1.5. Before, it was proposing Digital Signature, rsa-sha2_512.
A seemingly unrelated one-line change to a conn changes v2-auth-hash-policy. failureshunt=passthrough will cause this change. Here is output from ikev2-x509-38-failureshunt:

000 "westnet-eastnet": our auth:rsasig, their auth:rsasig
000 "westnet-eastnet": policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;
000 "westnet-eastnet": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "failureshunt": our auth:rsasig, their auth:rsasig
000 "failureshunt": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5+failurePASS;
000 "failureshunt": v2-auth-hash-policy: none;

I pushed a testcase, ikev2-x509-38-failureshunt, to verify the effect of "failureshunt=passthrough". And I will look at the code tomorrow.

There is more to this regression: some test cases, say ikev2-liveness-11-silent (see the output diff link below), changed from RSASIG-v1.5 to rsa-sha2_512 between e79e3fcce4 (before xfrmi) and 0eb65623 (after xfrmi).

Tuomo verified the change to SHA2-512 on his laptop. It was doing SHA1 with e79e3fcce4, and after the xfrmi merge, 0eb65623, it is proposing rsa-sha2_512. I think he can also reproduce it with his connection: failureshunt=passthrough will change it to v2-auth-hash-policy: none;

https://testing.libreswan.org/v3.28-1518-gf5cfad54a3-master/ikev2-x509-38-failureshunt/OUTPUT/east.console.txt
https://testing.libreswan.org/v3.28-1518-gf5cfad54a3-master/ikev2-x509-38-failureshunt/east.conf

Note: I could not reproduce it on other x509 configurations. A simple config without also lines does not seem to change with failureshunt=passthrough.

On Sun, Jan 26, 2020 at 12:40:42PM +0100, Antony Antony wrote:
> After the xfrmi merge a change in IPsec algorithm was noticed. Sorry I didn't
> notice this on the xfrmi branch alone.
>
> Careful committing new console outputs before this is fixed. If you commit
> new outputs now, once this regression is fixed those tests may flip back.
>
> cagney is pointing at commit 32e11cc9b4946ab6e655485993700a67cf4e784a. I am
> not sure, I will get to it today. I will take a look tomorrow. I have a
> feeling he is right :) Thanks cagney.
> https://testing.libreswan.org/v3.28-1515-g43fdc02c8c-master/certoe-03-poc-whack/OUTPUT/road.console.diff
> -003 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA2_512
> +003 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA1
>
> Also note some flipped the other way.
> https://testing.libreswan.org/v3.28-1499-g0eb656232d-master/ikev2-liveness-11-silent/OUTPUT/west.console.diff
>
> -003 "west-east" #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA1
> +003 "west-east" #2: Authenticated using RSA with IKEv2_AUTH_HASH_SHA2_512
>
> -antony
> _______________________________________________
> Swan-dev mailing list
> Swan-dev@lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
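The regression above is only visible by comparing the per-connection `v2-auth-hash-policy` lines that `ipsec status` prints, and a "none" for one conn is easy to miss among hundreds of lines. The following is an added example, not code from the thread or from libreswan: it parses `000 "conn": key: value;` status lines and reports every connection whose IKEv2 auth hash policy is "none" (so only RSASIG-v1.5 with SHA1 could be proposed) and whether `RSASIG_v1_5` is still in the conn's policy. The sample input is constructed from the output quoted in the message; the line format is assumed from that same output.

```python
"""Audit libreswan `ipsec status` output for IKEv2 auth hash policy.

Added example, not libreswan code. Feed it the output of `ipsec status`
(or the constructed sample below) and it reports which conns can only
offer RSASIG-v1.5 because their v2-auth-hash-policy is "none".
"""
import re
import sys

# Constructed sample, modelled on the status lines quoted in the thread.
SAMPLE_STATUS = """\
000 "westnet-eastnet": our auth:rsasig, their auth:rsasig
000 "westnet-eastnet": policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;
000 "westnet-eastnet": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "failureshunt": our auth:rsasig, their auth:rsasig
000 "failureshunt": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5+failurePASS;
000 "failureshunt": v2-auth-hash-policy: none;
"""

# Assumed line shape: 000 "<conn>": <key>: <value>;  (trailing ';' optional)
LINE_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s*(?P<key>[^:]+):\s*(?P<value>.*?);?$')


def parse_status(text):
    """Group `000 "conn": key: value` lines into {conn: {key: value}}."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            conns.setdefault(m["conn"], {})[m["key"].strip()] = m["value"]
    return conns


def auth_hash_policy(fields):
    """Set of digital-signature hashes a conn may offer; empty means 'none'."""
    raw = fields.get("v2-auth-hash-policy", "none").strip()
    return set() if raw == "none" else set(raw.split("+"))


def audit(text):
    """Return {conn: (sorted hash list, RSASIG_v1_5 allowed?)}.

    An empty hash list is the regression symptom from the thread: the
    initiator can only propose RSASIG-v1.5 (SHA1) for that connection.
    """
    report = {}
    for conn, fields in parse_status(text).items():
        hashes = sorted(auth_hash_policy(fields))
        rsa15 = "RSASIG_v1_5" in fields.get("policy", "").split("+")
        report[conn] = (hashes, rsa15)
    return report


def v15_only_conns(text):
    """Names of conns whose v2-auth-hash-policy is 'none'."""
    return sorted(conn for conn, (hashes, _) in audit(text).items() if not hashes)


if __name__ == "__main__":
    # Usage: ipsec status | python3 audit_auth_hash.py   (or run with no stdin for the sample)
    status = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for conn, (hashes, rsa15) in audit(status).items():
        print(f'{conn}: hashes={"+".join(hashes) or "none"} RSASIG_v1_5={"yes" if rsa15 else "no"}')
    bad = v15_only_conns(status)
    if bad:
        print("RSASIG-v1.5 only (SHA1):", ", ".join(bad))
```

Run against the sample, `failureshunt` is the only conn reported as RSASIG-v1.5 only, matching the status excerpt in the message; `westnet-eastnet` keeps SHA2_256+SHA2_384+SHA2_512 with RSASIG_v1_5 still permitted as a fallback.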