Hi all.
Hi Andrew.
Yes, you are right, I did not enable debugging. I use one IP address in the pool, since users must have a static IP address. Configurations are below in the letter.
I also discovered another bug. There were no such errors in version libreswan-5.0rc1.
 
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 1 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 2 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 3 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 4 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 5 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 6 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 1 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 2 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 3 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 4 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 5 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 6 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[4] 4.4.4.4 #4: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 1 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 2 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 3 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 4 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 5 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 6 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 1 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 2 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 3 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 4 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 5 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: dropping fragment 6 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 2 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 3 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 4 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 5 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 6 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: processing decrypted IKE_AUTH request: SK{IDi,CERT,IDr,AUTH,N(MOBIKE_SUPPORTED),SA,CP,TSi,TSr}
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,IDr,AUTH,SA,CP,TSi,TSr}
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[4] 4.4.4.4 #4: processed IKE_SA_INIT request from 4.4.4.4:UDP/14985 {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[2] 3.3.3.3 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:30 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: reloaded private key matching left certificate 'hostname.example.com'
Mar 16 13:27:30 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: switched to "RemoteAccess_alm-zhambyl-rayon-zhambyl-so-akimat/1x0"[1] 1.1.1.1
Mar 16 13:27:30 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1: deleting connection instance with peer 1.1.1.1
 
 
Mar 16 13:28:06 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[6] 5.5.5.5 #14: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
Mar 16 13:28:06 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[6] 5.5.5.5 #14: processed IKE_SA_INIT request from 5.5.5.5:UDP/278 {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Mar 16 13:28:06 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[6] 5.5.5.5 #14: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Mar 16 13:28:06 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[6] 5.5.5.5 #14: switched to "RemoteAccess_user2/1x0"[1] 5.5.5.5
Mar 16 13:28:06 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[6] 5.5.5.5: deleting connection instance with peer 5.5.5.5
Mar 16 13:28:06 hostname pluto[18478]: "RemoteAccess_user2/1x0"[1] 5.5.5.5 #14: responder established IKE SA; authenticated peer certificate <certificate user3> and 4096-bit PKCS#1 1.5 RSA with SHA1 signature issued by <Root CA Libreswan>
Mar 16 13:28:06 hostname pluto[18478]: | pool 172.16.1.2-172.16.1.2: growing address pool from 0 to 1
Mar 16 13:28:06 hostname pluto[18478]: "RemoteAccess_user2/1x0"[1] 5.5.5.5 #15: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-ESN:NO SPI=93b53da6 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=NO[first-match]
Mar 16 13:28:06 hostname pluto[18478]: "RemoteAccess_user2/1x0"[1] 5.5.5.5 #15: responder established Child SA using #14; IPsec tunnel [172.16.0.0/23===172.16.1.2/32] {ESPinUDP=>0x93b53da6 <0x80957464 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATD=5.5.5.5:4806 DPD=active}
 
cat /etc/ipsec.conf | grep -v "#" | grep -v "^$"
config setup
    nssdir=/etc/ipsec.d/nss/
include /etc/ipsec.d/*.conf
 
cat /etc/ipsec.d/myipsec.conf
conn Mikrotik
    authby=rsasig
    pfs=yes
    auto=add
    rekey=yes
    left=%defaultroute
    leftid=%fromcert
    leftcert=vpn.example.com
    leftsendcert=always
    leftrsasigkey=%cert
    dpddelay=1m
    retransmit-timeout=5m
    fragmentation=yes
    encapsulation=auto
    ike=aes256-sha2_256;dh14
    phase2=esp
    phase2alg=aes256-sha2_256;dh14
    salifetime=24h
    type=tunnel
    ikelifetime=8h
    mobike=yes
conn Mikrotik_Mikrotik1
    also=Mikrotik
    leftsubnets={172.16.0.0/23 10.0.0.0/29 192.168.88.0/24}
    right=%any
    rightca=<Root CA Mikrotik1>
    rightrsasigkey=%cert
    rightid=%fromcert
    rightsubnet=10.1.164.0/24
    mtu=1390
conn Mikrotik_Mikrotik2
    also=Mikrotik
    leftsubnets={172.16.0.0/23 10.0.0.0/29 10.1.164.0/24}
    right=%any
    rightca=<Root CA Mikrotik2>
    rightrsasigkey=%cert
    rightid=%fromcert
    rightsubnet=192.168.88.0/24
    mtu=1390
conn Mikrotik_Mikrotik3
    also=Mikrotik
    leftsubnets={172.16.0.0/23 192.168.88.0/24 10.1.164.0/24}
    right=%any
    rightca=<Root CA Mikrotik3>
    rightrsasigkey=%cert
    rightid=%fromcert
    rightsubnet=10.0.0.0/29
    mtu=1390
 
conn RemoteAccess
    authby=rsasig
    pfs=yes
    auto=add
    rekey=yes
    left=%defaultroute
    leftcert=vpn.example.com
    leftsendcert=always
    leftrsasigkey=%cert
    leftmodecfgserver=yes
    right=%any
    rightca=%same
    rightrsasigkey=%cert
    rightmodecfgclient=yes
    modecfgpull=yes
    dpddelay=1m
    retransmit-timeout=5m
    fragmentation=yes
    encapsulation=auto
    ike=aes256-sha2_256;dh14
    phase2=esp
    phase2alg=aes256-sha2_256;dh14
    salifetime=24h
    type=tunnel
    ikelifetime=8h
    mobike=yes
conn RemoteAccess_user1
    also=RemoteAccess
    leftsubnet=172.16.0.0/23
    rightid=<certificate user1>
    rightaddresspool=172.16.1.1-172.16.1.1
    mtu=1390
conn RemoteAccess_user2
    also=RemoteAccess
    leftsubnets=172.16.0.0/23,192.168.88.0/24,10.0.0.0/29
    rightid=<certificate user2>
    rightaddresspool=172.16.1.2-172.16.1.2
    mtu=1390
conn RemoteAccess_user3
    also=RemoteAccess
    leftsubnets={172.16.0.0/23 10.0.0.0/29}
    rightid=<certificate user3>
    rightaddresspool=172.16.1.3-172.16.1.3
    mtu=1390
conn RemoteAccess_user4
    also=RemoteAccess
    leftsubnet=172.16.0.0/23
    rightid=<certificate user4>
    rightaddresspool=172.16.1.4-172.16.1.4
    mtu=1390
 
 
 
16.03.2024, 04:03, "Andrew Cagney" <[email protected]>:

See https://github.com/libreswan/libreswan/issues/1653

On Fri, 15 Mar 2024 at 11:27, Andrew Cagney <[email protected]> wrote:


 I assume you don't have debugging enabled (ya).
 It looks like liveness messages which aren't normally logged. Please
 file a bug and thanks for pointing this out.

 On Fri, 15 Mar 2024 at 05:48, Armen Dilanyan via Swan-dev
 <[email protected]> wrote:
 >
 > Hi all.
 > I have Debian 12.5 operating system installed.
 > I compiled and installed Libreswan 5.0~rc2.
 > In my logs I get the following messages:
 >
 > Mar 15 13:42:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:43:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:44:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:45:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:45:36 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #502's message queue
 > Mar 15 13:46:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:46:51 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #515's message queue
 > Mar 15 13:47:03 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #508's message queue
 > Mar 15 13:47:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:47:36 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #502's message queue
 > Mar 15 13:47:51 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #515's message queue
 > Mar 15 13:48:10 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #521's message queue
 > Mar 15 13:48:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:49:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:49:36 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #502's message queue
 > Mar 15 13:50:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:51:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:51:36 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #502's message queue
 > Mar 15 13:52:10 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #521's message queue
 > Mar 15 13:52:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:53:11 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #521's message queue
 > Mar 15 13:53:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:53:36 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #502's message queue
 > Mar 15 13:54:03 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #508's message queue
 > Mar 15 13:54:11 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #521's message queue
 > Mar 15 13:54:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:55:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
 > Mar 15 13:55:36 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #502's message queue
 >
 > Is this a bug or normal?
 > _______________________________________________
 > Swan-dev mailing list
 > [email protected]
 > https://lists.libreswan.org/mailman/listinfo/swan-dev
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
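Two triage questions come out of this thread: whether the "adding INFORMATIONAL request to IKE SA #N's message queue" lines that Andrew identifies as liveness messages really recur per IKE SA at the configured dpddelay (1m in the config above), and how much of the "discarding packet received during asynchronous work" and "dropping fragment N of 6 as repeat" noise in the 5.0rc2 log is concentrated on which connection instance and SA. The script below is an added example, not part of the thread and not libreswan code. It parses the two pluto line shapes seen above, groups by SA, and reports both answers. The message strings it matches are copied from the log lines in the thread; the sample log is constructed (SA #600 is an invented non-periodic case); and the rule that a gap of a whole multiple of dpddelay still counts as liveness (on the assumption that a probe is skipped when traffic was recently seen) is an assumption of this example, not something the thread states.

```python
"""Triage helper for pluto (libreswan) log lines.

Added example for this thread; not libreswan code and not from the thread's
authors. Parses the two line shapes quoted in the thread:

    <syslog ts> <host> pluto[PID]: "CONN"[INST] PEER #SA: message
    <syslog ts> <host> pluto[PID]: | debug message ... IKE SA #SA ...
"""
import re
from collections import defaultdict
from datetime import datetime

# Line shapes as they appear in the thread (message texts copied from it).
PREFIX = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<body>.*)$')
STATE_LINE = re.compile(r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
DEBUG_LINE = re.compile(r'^\| (?P<msg>.*)$')
QUEUE_SA = re.compile(r'IKE SA #(?P<sa>\d+)')

# Constructed sample shaped like the thread's logs; SA #600 is an invented
# non-periodic case. No line here comes from a live system.
SAMPLE_LOG = """\
Mar 15 13:42:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
Mar 15 13:42:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #600's message queue
Mar 15 13:42:40 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #600's message queue
Mar 15 13:43:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
Mar 15 13:44:26 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #488's message queue
Mar 15 13:45:36 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #502's message queue
Mar 15 13:47:36 hostname pluto[2135]: | adding INFORMATIONAL request to IKE SA #502's message queue
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1 #3: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 1 of 6 as repeat
Mar 16 13:27:29 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[1] 2.2.2.2 #1: dropping fragment 2 of 6 as repeat
Mar 16 13:27:30 hostname pluto[18478]: "Mikrotik_Mikrotik1/1x0"[3] 1.1.1.1: deleting connection instance with peer 1.1.1.1
"""


def parse_line(line):
    """Return a record dict for a pluto line, or None for anything else."""
    m = PREFIX.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime yields 1900, fine for deltas.
    rec = {'ts': datetime.strptime(m['ts'], '%b %d %H:%M:%S'), 'conn': None,
           'inst': None, 'peer': None, 'sa': None, 'msg': m['body'], 'debug': False}
    s = STATE_LINE.match(m['body'])
    if s:
        rec.update(conn=s['conn'], inst=int(s['inst']), peer=s['peer'],
                   sa=int(s['sa']) if s['sa'] else None, msg=s['msg'])
        return rec
    d = DEBUG_LINE.match(m['body'])
    if d:
        rec.update(debug=True, msg=d['msg'])
        q = QUEUE_SA.search(d['msg'])
        if q:
            rec['sa'] = int(q['sa'])
    return rec


def liveness_intervals(records):
    """Seconds between consecutive INFORMATIONAL queue lines, per IKE SA."""
    times = defaultdict(list)
    for r in records:
        if r['debug'] and r['sa'] is not None and r['msg'].startswith('adding INFORMATIONAL request'):
            times[r['sa']].append(r['ts'])
    return {sa: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for sa, ts in times.items()}


def is_periodic(intervals, period, tolerance=2):
    """True if every gap is a whole multiple of the period (assumption: a probe
    is skipped when traffic was recently seen, so k*period gaps are expected)."""
    if not intervals:
        return False
    for i in intervals:
        k = round(i / period)
        if k < 1 or abs(i - k * period) > tolerance:
            return False
    return True


def discard_summary(records):
    """Per (conn, peer, sa): packets discarded during async work and repeated fragments."""
    out = defaultdict(lambda: {'async_discards': 0, 'fragment_repeats': 0})
    for r in records:
        if r['conn'] is None or r['sa'] is None:
            continue
        key = (r['conn'], r['peer'], r['sa'])
        if r['msg'].startswith('discarding packet received during asynchronous work'):
            out[key]['async_discards'] += 1
        elif r['msg'].startswith('dropping fragment') and r['msg'].endswith('as repeat'):
            out[key]['fragment_repeats'] += 1
    return dict(out)


def triage(text, dpddelay_seconds=60):
    """Run both checks over a log text; dpddelay defaults to the 1m in the thread's config."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    intervals = liveness_intervals(records)
    return {'liveness_intervals': intervals,
            'liveness_periodic': {sa: is_periodic(iv, dpddelay_seconds) for sa, iv in intervals.items()},
            'discards': discard_summary(records)}


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for sa, ok in sorted(result['liveness_periodic'].items()):
        print(f"IKE SA #{sa}: intervals={result['liveness_intervals'][sa]} liveness-like={ok}")
    for key, counts in sorted(result['discards'].items()):
        print(f"{key}: {counts}")
```

Run it against a real journal with `triage(open('/path/to/pluto.log').read(), dpddelay_seconds=...)` set to your dpddelay; an SA whose gaps are not multiples of dpddelay is the one worth looking at more closely, and a (conn, peer, sa) key with a high async-discard count shows which responder exchange was still in crypto when the peer retransmitted.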
