The "discarding" and "dropping" log lines? These aren't really
errors, or were you not seeing them before?
 
Previously, when RemoteAccess_user1 connected, the event logs showed the ID of RemoteAccess_user1:
 
Feb 05 15:02:15 hostname pluto[8882]: "RemoteAccess_user1"[1] 1.1.1.1 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Feb 05 15:02:15 hostname pluto[8882]: "RemoteAccess_user1"[1] 1.1.1.1 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Feb 05 15:02:15 hostname pluto[8882]: "RemoteAccess_user1"[1] 1.1.1.1 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Feb 05 15:02:15 hostname pluto[8882]: "RemoteAccess_user1"[1] 1.1.1.1 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Feb 05 15:02:15 hostname pluto[8882]: "RemoteAccess_user1"[1] 1.1.1.1 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Feb 05 15:02:15 hostname pluto[8882]: "RemoteAccess_user1"[1] 1.1.1.1 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Feb 05 15:02:15 hostname pluto[8882]: "RemoteAccess_user1"[1] 1.1.1.1 #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
 
Now, when RemoteAccess_user2 connects, the ID in the event logs is not RemoteAccess_user2, but the ID of the first one in the configuration file, Mikrotik_Mikrotik1:
 
Mar 20 15:23:21 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
Mar 20 15:23:21 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: processed IKE_SA_INIT request from 2.2.2.2:UDP/500 {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Mar 20 15:23:22 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Mar 20 15:23:24 ngfw pluto[15469]: adding the CA+root cert <Root CA 1>
Mar 20 15:23:24 ngfw pluto[15469]: adding the CA+root cert <Root CA Libreswan>
Mar 20 15:23:24 ngfw pluto[15469]: adding the CA+root cert <Root CA 2>
Mar 20 15:23:24 ngfw pluto[15469]: adding the CA+root cert <Root CA 3>
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: switched to "RemoteAccess_user2"[12] 2.2.2.2
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2: deleting connection instance with peer 2.2.2.2
Mar 20 15:23:24 ngfw pluto[15469]: "RemoteAccess_user2"[12] 2.2.2.2 #394: responder established IKE SA; authenticated peer certificate <certificate user2> and 4096-bit PKCS#1 1.5 RSA with SHA1 signature issued by '<Root CA Libreswan>'
Mar 20 15:23:24 ngfw pluto[15469]: "RemoteAccess_user2"[12] 2.2.2.2 #395: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_256_128-ESN:NO SPI=852c7742 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=NO[first-match]
Mar 20 15:23:24 ngfw pluto[15469]: "RemoteAccess_user2"[12] 2.2.2.2 #395: responder established Child SA using #394; IPsec tunnel [172.16.0.0/23===172.16.1.13/32] {ESPinUDP=>0x852c7742 <0x58b20e86 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATD=2.2.2.2:4500 DPD=active}
 
20.03.2024, 02:21, "Andrew Cagney" <[email protected]>:

On Sat, 16 Mar 2024 at 05:03, Armen Dilanyan <[email protected]> wrote:


 Hi all.
 Hi Andrew.
 Yes, you are right, I did not enable debugging. I use one IP address in the pool, since users must have a static IP address. Configurations are below in the letter.


The debug logs should be gone in mainline.
 

 I also discovered another bug. There were no such errors in version libreswan-5.0rc1.


The "discarding" and "dropping" log lines? These aren't really
errors, or were you not seeing them before?
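
Added example, not part of the original message or of libreswan: a small parser that keys pluto lines on the state serial (`#394`) instead of the quoted connection name, and follows the `switched to` line to the connection that finally authenticated. The sample lines are constructed by shortening the ones quoted in this message; the function and field names are hypothetical.

```python
import re

# Constructed sample: pluto lines shortened from the ones quoted in the thread.
SAMPLE = '''\
Mar 20 15:23:21 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: processed IKE_SA_INIT request from 2.2.2.2:UDP/500
Mar 20 15:23:24 ngfw pluto[15469]: adding the CA+root cert <Root CA 1>
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_PARENT_R1
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2 #394: switched to "RemoteAccess_user2"[12] 2.2.2.2
Mar 20 15:23:24 ngfw pluto[15469]: "Mikrotik_Mikrotik1/1x0"[121] 2.2.2.2: deleting connection instance with peer 2.2.2.2
Mar 20 15:23:24 ngfw pluto[15469]: "RemoteAccess_user2"[12] 2.2.2.2 #394: responder established IKE SA; authenticated peer certificate <certificate user2>
Mar 20 15:23:24 ngfw pluto[15469]: "RemoteAccess_user2"[12] 2.2.2.2 #395: responder established Child SA using #394; IPsec tunnel
'''

# Prefix layout: "connection"[instance] peer #serial: message
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): (?P<msg>.*)$')
SWITCH = re.compile(r'switched to "(?P<new>[^"]+)"')
PARENT = re.compile(r'established Child SA using #(?P<parent>\d+)')


def summarize(log_text):
    """Group pluto lines by state serial (#N) and resolve the connection name."""
    states = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m is None:
            continue  # no state serial, e.g. "adding the CA+root cert"
        st = states.setdefault(int(m["sa"]), {
            "first_conn": m["conn"], "final_conn": m["conn"],
            "discarded": 0, "established": False, "parent": None})
        msg = m["msg"]
        switch, parent = SWITCH.match(msg), PARENT.search(msg)
        if switch:
            st["final_conn"] = switch["new"]
        elif msg.startswith("discarding packet"):
            st["discarded"] += 1
        elif "established" in msg:
            st["established"] = True
            st["final_conn"] = m["conn"]
        if parent:
            st["parent"] = int(parent["parent"])
    return states


if __name__ == "__main__":
    for serial, st in sorted(summarize(SAMPLE).items()):
        print(f"#{serial}", st)
```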
