Hello, We are trying to create a host-to-subnet tunnel and are getting an error message that we do not understand.
The high-level overview is as follows:

- The server is the subnet side of the host-to-subnet
- The server subnet is 172.16.110.0/24
- The server IP is 10.1.98.208
- The client is the host side of the host-to-subnet
- The client IP is 10.1.98.152

Here are the configs (notice the client is configured with nmstate (yaml)):

Server config:

    conn server01.cnf.com
        # "right" is client
        right=10.1.98.152
        rightid=%fromcert
        rightrsasigkey=%cert
        # "left" is server
        left=10.1.98.208
        leftid=%fromcert
        leftrsasigkey=%cert
        leftcert=server01.cnf.com
        leftsubnet=172.16.110.0/24
        ike=aes_gcm256-sha2_256
        esp=aes_gcm256
        ikev2=insist
        auto=start
        dpddelay: 5
        dpdtimeout: 30
        dpdaction: clear

Client config:

    interfaces:
      - name: hosta_conn
        type: ipsec
        ipv4:
          enabled: true
          dhcp: true
        libreswan:
          # "right" is the server config
          right: 10.1.98.208
          rightid: '%fromcert'
          rightrsasigkey: '%cert'
          rightsubnet: 172.16.110.0/24
          # "left" is the client config
          left: 10.1.98.152
          leftid: '%fromcert'
          leftrsasigkey: '%cert'
          leftcert: client01.cnf.com
          ike: aes_gcm256-sha2_256
          esp: aes_gcm256
          ikev2: insist
          dpddelay: 5
          dpdtimeout: 30
          dpdaction: clear

The version on both the client and the server is the same:

    [cloud-user@saledortvm2 ipsec]$ ipsec version
    Libreswan 4.12
    [cloud-user@saledortvm ipsec]$ ipsec version
    Libreswan 4.12

Here is the server-side log:

    Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": IKE SA proposals (connection add):
    Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com":   1:IKE=AES_GCM_C_256-HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
    Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": Child SA proposals (connection add):
    Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com":   1:ESP=AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
    Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": loaded private key matching left certificate 'server01.cnf.com'
    Feb 15 06:15:43 saledortvm2 pluto[70624]: "server01.cnf.com": added IKEv2 connection
    Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match]
    Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
    Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,CP,SA,TSi,TSr}
    Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: responder established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=client01.cnf.com, O=CNF' issued by CA 'CN=cnfca.cnf.com, O=CNF'
    Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: proposal 1:ESP=AES_GCM_C_256-ENABLED SPI=a359e685 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=ENABLED;ESN=DISABLED[first-match]
    Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: responder established Child SA using #2; IPsec tunnel [172.16.110.0-172.16.110.255:0-65535 0] -> [10.1.98.152-10.1.98.152:0-65535 0] {ESP/ESN=>0xa359e685 <0x95b3f5ee xfrm=AES_GCM_16_256-NONE DPD=active}
    Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: ESP traffic information: in=0B out=0B
    Feb 15 06:16:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 60.000795s and NOT sending notification

Here is the client-side log:

    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": IKE SA proposals (connection add):
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278":   1:IKE=AES_GCM_C_256-HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": Child SA proposals (connection add):
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278":   1:ESP=AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": loaded private key matching left certificate 'client01.cnf.com'
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278": added IKEv2 connection
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: initiating IKEv2 connection
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: sent IKE_SA_INIT request to 10.1.98.208:500
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=server01.cnf.com, O=CNF' issued by CA 'CN= cnfca.cnf.com, O=CNF'
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: missing v2CP reply, not attempting to setup child SA
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: IKE SA established but initiator rejected Child SA response
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: deleting larval Child SA using IKE SA #1
    Feb 15 06:15:48 saledortvm pluto[112986]: ERROR: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: netlink response for Del SA esp.95b3f5ee@10.1.98.208: No such process (errno 3)
    Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: received delete request for IKEv2_SEC_PROTO_ESP SA(0x95b3f5ee) but corresponding state not found

What do these 2 error messages on the client mean?

    #2: missing v2CP reply, not attempting to setup child SA
    #1: IKE SA established but initiator rejected Child SA response

Regards,

*Brady Johnson*
Principal Software Engineer
Telco Solutions & Enablement
brady.john...@redhat.com
_______________________________________________ Swan-dev mailing list Swan-dev@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-dev
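An added log-triage example, not part of the post above and not libreswan project code. It reads the relevant pluto lines from both logs (copied here verbatim so the script runs offline) and extracts, per side, what the post's reader has to dig out by hand: which payloads the IKE_AUTH request carried (the server's line shows a CP, i.e. a Configuration Payload request, among them), whether a Child SA was actually installed on that side, whether the initiator logged the "missing v2CP reply" complaint, and which ESP SPIs each side mentions. Intersecting the SPIs ties the server's established Child SA (inbound SPI 0x95b3f5ee) to the larval Child SA the client tore down and to the delete request the client later could not match. The regular expressions target the log format shown on this page; they are the example's own assumption, not a stable libreswan interface.

```python
"""Triage pluto (libreswan) logs for an IKEv2 Child SA that one side rejected.

Added example, not from the libreswan project. The log excerpts below are
copied from the mailing-list post so the script runs stand-alone.
"""
import re
from typing import Dict, List, Set

SERVER_LOG = """\
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,AUTH,CP,SA,TSi,TSr}
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: responder established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=client01.cnf.com, O=CNF' issued by CA 'CN=cnfca.cnf.com, O=CNF'
Feb 15 06:15:48 saledortvm2 pluto[70624]: "server01.cnf.com" #3: responder established Child SA using #2; IPsec tunnel [172.16.110.0-172.16.110.255:0-65535 0] -> [10.1.98.152-10.1.98.152:0-65535 0] {ESP/ESN=>0xa359e685 <0x95b3f5ee xfrm=AES_GCM_16_256-NONE DPD=active}
Feb 15 06:16:48 saledortvm2 pluto[70624]: "server01.cnf.com" #2: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 60.000795s and NOT sending notification
"""

CLIENT_LOG = """\
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_256 group=MODP2048}
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate 'CN=server01.cnf.com, O=CNF' issued by CA 'CN= cnfca.cnf.com, O=CNF'
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: missing v2CP reply, not attempting to setup child SA
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: IKE SA established but initiator rejected Child SA response
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: deleting larval Child SA using IKE SA #1
Feb 15 06:15:48 saledortvm pluto[112986]: ERROR: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #2: netlink response for Del SA esp.95b3f5ee@10.1.98.208: No such process (errno 3)
Feb 15 06:15:48 saledortvm pluto[112986]: "da0c29c1-b9cf-45ba-b928-2278fd5fa278" #1: received delete request for IKEv2_SEC_PROTO_ESP SA(0x95b3f5ee) but corresponding state not found
"""

# Assumed log shape (from the lines above): pluto[pid]: [ERROR: ]"conn"[ #state]: message
LINE_RE = re.compile(
    r'pluto\[\d+\]: (?:ERROR: )?"(?P<conn>[^"]+)"(?: #(?P<state>\d+))?: (?P<msg>.*)$')
# Responder-side dump of the decrypted IKE_AUTH request payload list
PAYLOADS_RE = re.compile(r'IKE_AUTH request: SK\{(?P<payloads>[^}]*)\}')
# Responder-side Child SA line: {ESP/ESN=>0x<outbound spi> <0x<inbound spi> ...}
CHILD_SPI_RE = re.compile(r'=>0x(?P<out>[0-9a-f]+) <0x(?P<in>[0-9a-f]+)')
# Initiator-side references to an ESP SPI it deleted or was asked to delete
OTHER_SPI_RE = re.compile(r'(?:esp\.|SA\(0x)(?P<spi>[0-9a-f]{8})')


def parse_pluto(log: str) -> List[Dict[str, str]]:
    """Split a pluto log into {conn, state, msg} records; non-matching lines are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({"conn": m["conn"], "state": m["state"] or "", "msg": m["msg"]})
    return records


def triage(log: str) -> Dict[str, object]:
    """Summarise one side's view of the IKEv2 exchange."""
    summary: Dict[str, object] = {
        "ike_sa_established": False,
        "child_sa_established": False,
        "ike_auth_payloads": [],
        "cp_requested": False,
        "missing_cp_reply": False,
    }
    spis: Set[str] = set()
    for rec in parse_pluto(log):
        msg = rec["msg"]
        if "established IKE SA" in msg:
            summary["ike_sa_established"] = True
        if "established Child SA" in msg:
            summary["child_sa_established"] = True
            m = CHILD_SPI_RE.search(msg)
            if m:
                spis.update({m["out"], m["in"]})
        m = PAYLOADS_RE.search(msg)
        if m:
            payloads = [p.strip() for p in m["payloads"].split(",")]
            summary["ike_auth_payloads"] = payloads
            summary["cp_requested"] = "CP" in payloads
        if "missing v2CP reply" in msg:
            summary["missing_cp_reply"] = True
        spis.update(x["spi"] for x in OTHER_SPI_RE.finditer(msg))
    summary["spis"] = spis
    return summary


def shared_spis(server_log: str, client_log: str) -> Set[str]:
    """ESP SPIs both sides mention: links the server's installed Child SA to the
    larval Child SA the client deleted and to the delete request it could not match."""
    return set(triage(server_log)["spis"]) & set(triage(client_log)["spis"])


if __name__ == "__main__":
    for name, log in (("server", SERVER_LOG), ("client", CLIENT_LOG)):
        s = triage(log)
        print(f"{name}: IKE SA={s['ike_sa_established']} Child SA={s['child_sa_established']} "
              f"IKE_AUTH payloads={s['ike_auth_payloads']} CP requested={s['cp_requested']} "
              f"missing CP reply={s['missing_cp_reply']} SPIs={sorted(s['spis'])}")
    print("shared SPIs:", sorted(shared_spis(SERVER_LOG, CLIENT_LOG)))
```

Run on the two excerpts, the server side reports IKE SA and Child SA both established with the request payloads including CP, while the client side reports the IKE SA established, no Child SA, and the missing-CP-reply complaint; the one SPI common to both sides is 95b3f5ee. That asymmetry (one peer holding an installed-but-idle Child SA for 60 seconds, the other having torn its half down) is the state the two questioned messages describe.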