Many issues were fixed; 3.15 is 6 years old. Please try to at least upgrade to 3.32.
Paul

On Tue, Oct 26, 2021 at 12:16 PM Frank Liu <[email protected]> wrote:
> Thanks Paul!
> Just noticed the version we are running is 3.15 on Amazon Linux 1. When the
> remote side (Cisco ASA) brings down the tunnel and back up again, libreswan
> can't recover (see below libreswan config), filling with errors:
>
> Oct 26 15:29:24: "asa/0x4" #58794: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> Oct 26 15:29:24: "asa/0x4" #58794: starting keying attempt 11 of an unlimited number
> Oct 26 15:29:24: "asa/0x4" #58820: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #58794 {using isakmp#58549 msgid:8e7129f2 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
> Oct 26 15:29:24: deleting state #58794 (STATE_QUICK_I1)
>
> Here is the libreswan 3.15 config. Is this a known issue fixed between
> 3.15 and latest?
>
> conn asa
>     type=tunnel
>     authby=secret
>     left=...
>     leftid=...
>     leftsubnet=...
>     right=...
>     rightsubnets=...
>     keyexchange=ike
>     ikelifetime=86400s
>     salifetime=28800s
>     pfs=no
>     auto=start
>     dpddelay=10
>     dpdtimeout=40
>     dpdaction=restart
>     aggrmode=no
>     ike=aes256-sha1;modp1024
>     phase2alg=aes256-sha1;modp1024
>
> Thanks!
> Frank
>
> On Tue, Oct 19, 2021 at 11:56 AM Paul Wouters <[email protected]> wrote:
>
>> On Tue, 19 Oct 2021, Frank Liu wrote:
>>
>> > We are using libreswan 3.25 bundled with CentOS 7.9, having a tunnel
>> > with Cisco ASA with DPD enabled. Occasionally, the tunnel stops working,
>> > and a manual restart of libreswan will always be able to fix it.
>> >
>> > We are thinking of upgrading to the latest 4.5 from
>> > https://download.libreswan.org/binaries/rhel/7/x86_64/ and see if it
>> > is more stable. Is 4.5 a simple drop-in upgrade to 3.25 if we do rpm -U?
>>
>> It should be, yes.
>>
>> Note some defaults did change which might require tweaking your config
>> files. A quick grep on the CHANGES file between 3.26 and 4.5 shows:
>>
>> * pluto: Change default ikelifetime from 1h to 8h [Paul]
>> * pluto: change default IKE SA lifetime from 1h to 8h [Paul]
>> * IKEv2: Remove SHA1 from default proposal list [Paul]
>> * IKEv2: Prefer RFC 7427 Digital Signatures for default authby=rsasig [Sahana]
>> * pluto: Add chacha20_poly1305 and curve25519 to default proposals [Paul]
>> * IKE: Change default connection from IKEv1 to IKEv2 [Paul]
>>
>> If you did not set ike2= before, meaning you were using IKEv1, you need
>> to add ikev2=no
>>
>> Paul
>>
>
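As an added example (not code from this thread or from libreswan), a small Python checker that parses a conn section of ipsec.conf and flags the 3.x-to-4.x default changes Paul lists above, so an IKEv1 peer like the ASA does not silently end up negotiating IKEv2 after an rpm -U. The embedded conn is constructed from Frank's 3.15 config with the redacted values kept, and the keyexchange=ikev1/ikev2 values are an assumption.

```python
"""Flag ipsec.conf settings whose libreswan defaults changed between 3.x and 4.x.
Added example, not code from the thread or from libreswan; it checks only the
CHANGES entries quoted in Paul's reply. keyexchange=ikev1/ikev2 values are assumed."""
import re

# Constructed sample modelled on Frank's 3.15 "conn asa" (redacted values kept).
SAMPLE_CONF = """\
conn asa
    type=tunnel
    authby=secret
    left=...
    right=...
    keyexchange=ike
    ikelifetime=86400s
    salifetime=28800s
    pfs=no
    dpdaction=restart
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1;modp1024
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def migration_warnings(conn):
    """Warnings for one conn, one per 4.x default change that would affect it."""
    warnings = []
    # IKE version now defaults to IKEv2; an IKEv1-only peer needs ikev2=no.
    if "ikev2" not in conn and conn.get("keyexchange", "ike") == "ike":
        warnings.append("ikev2 unset: 4.x defaults to IKEv2, add ikev2=no to keep IKEv1")
    if "ikelifetime" not in conn:
        warnings.append("ikelifetime unset: default changed from 1h to 8h")
    if "ike" not in conn:
        warnings.append("ike unset: default proposals changed (SHA1 dropped for IKEv2)")
    return warnings

def check(text):  # {conn_name: [warnings]} for a whole ipsec.conf text
    return {name: migration_warnings(c) for name, c in parse_conns(text).items()}
```

Run check(SAMPLE_CONF) against your own ipsec.conf text; a conn that sets ikev2=, ikelifetime= and ike= explicitly produces no warnings.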
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
