I am just trying to configure a multinet IPSec VPN tunnel, but with no success.

The configuration with either of these subnets is working fine, but when I
try to bring up both sharing the IPSec SA, it does not work and I get
messages like these for the second connection:

[root@prd01a ipsec.d]# ipsec auto --up sp1
002 "sp1" #94: local ESP/AH proposals for sp1 (ESP/AH initiator emitting proposals):
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED
139 "sp1" #94: STATE_V2_CREATE_I: sent IPsec Child req wait response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
010 "sp1" #94: STATE_V2_CREATE_I: retransmission; will wait 0.5 seconds for response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
010 "sp1" #94: STATE_V2_CREATE_I: retransmission; will wait 1 seconds for response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr

Configuration is similar to this (rightsubnets):
conn sp1
        hostaddrfamily=ipv4
        clientaddrfamily=ipv4
        right=1.2.3.4
        rightsubnet=10.10.10.0/24
        #rightsubnets={10.10.10.0/24 10.20.20.0/24}
        left=100.64.7.8
        leftsubnet=100.64.7.0/24
        #ikev2
        leftauth=secret
        rightauth=secret
        ikev2=insist
        ike=aes256-sha256;dh20
        esp=aes256-sha256;dh20
        remote_peer_type=cisco
        salifetime=24h
        ikelifetime=24h
        dpdaction=restart
        dpdtimeout=60
        dpddelay=30
        auto=add

Is there anything I am missing, or is this just not supported?
The server is running quite old SW on CentOS7; on the other side there is a
Cisco ASA5555.
$ ipsec version
Linux Libreswan 3.25 (netkey) on 3.10.0-1160.el7.x86_64

The multinet test configurations have "ikev2=no":
<https://github.com/libreswan/libreswan/blob/main/testing/pluto/multinet-04/east.conf#L14>

Not sure why.

Thank you for your hints.

Peter
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
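The following is an added triage helper, not part of Peter's post or of the Libreswan project. It parses the `ipsec auto --up` output and the `conn` block quoted above (both embedded below as constructed samples), extracts the emitted ESP proposal, compares its DH group with the `esp=` setting, and counts how often the peer answered CREATE_CHILD_SA with INVALID_KE_PAYLOAD and how often the initiator retransmitted. The `dh20 -> ECP_384` mapping is what the post itself shows; the other entries in `DH_GROUP_NAMES` are the IANA IKEv2 group numbers and are an assumption about how Libreswan names them.

```python
"""Triage helper for Libreswan CREATE_CHILD_SA failures (added example, not Libreswan code)."""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines from the post above, unwrapped.
SAMPLE_LOG = """\
002 "sp1" #94: local ESP/AH proposals for sp1 (ESP/AH initiator emitting proposals):
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=ECP_384;ESN=DISABLED
139 "sp1" #94: STATE_V2_CREATE_I: sent IPsec Child req wait response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
010 "sp1" #94: STATE_V2_CREATE_I: retransmission; will wait 0.5 seconds for response
003 "sp1" #94: dropping unexpected CREATE_CHILD_SA message containing INVALID_KE_PAYLOAD notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
010 "sp1" #94: STATE_V2_CREATE_I: retransmission; will wait 1 seconds for response
"""

# Constructed sample: the conn block from the post, reduced to the settings used here.
SAMPLE_CONF = """\
conn sp1
        right=1.2.3.4
        rightsubnet=10.10.10.0/24
        #rightsubnets={10.10.10.0/24 10.20.20.0/24}
        left=100.64.7.8
        leftsubnet=100.64.7.0/24
        ikev2=insist
        ike=aes256-sha256;dh20
        esp=aes256-sha256;dh20
"""

# IANA IKEv2 DH group numbers -> names as printed in the proposal line.
# dh20/ECP_384 is confirmed by the post; the other names are an assumption.
DH_GROUP_NAMES = {"dh14": "MODP2048", "dh19": "ECP_256", "dh20": "ECP_384", "dh21": "ECP_521"}

LOG_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
PROPOSAL_RE = re.compile(r'^\d+:(?P<proto>ESP|AH):(?P<attrs>.+)$')


@dataclass
class LogEvent:
    code: str   # pluto's three-digit message class (002, 003, 010, ...)
    conn: str   # connection name
    state: int  # state object number (#94 above)
    msg: str


def parse_proposal(line: str) -> dict:
    """Turn '1:ESP:ENCR=..;INTEG=..;DH=..;ESN=..' into {'PROTO': 'ESP', 'ENCR': .., ...}."""
    m = PROPOSAL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a proposal line: {line!r}")
    attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split(";") if "=" in kv)
    attrs["PROTO"] = m.group("proto")
    return attrs


def parse_log(text: str):
    """Split pluto output into structured events and any proposal lines it emitted."""
    events, proposals = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = LOG_RE.match(line)
        if m:
            events.append(LogEvent(m["code"], m["conn"], int(m["state"]), m["msg"]))
        elif PROPOSAL_RE.match(line):
            proposals.append(parse_proposal(line))
    return events, proposals


def parse_conf(text: str) -> dict:
    """Return key=value settings of the first conn block; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            settings["_name"] = line.split(None, 1)[1]
        elif "=" in line:
            k, v = line.split("=", 1)
            settings[k.strip()] = v.strip()
    return settings


def configured_dh(esp_setting: str):
    """'aes256-sha256;dh20' -> 'ECP_384' (first proposal only); None if no/unknown dh group."""
    first = esp_setting.split(",")[0]
    for part in first.split(";")[1:]:
        if part.strip().startswith("dh"):
            return DH_GROUP_NAMES.get(part.strip())
    return None


def triage(log_text: str, conf_text: str) -> dict:
    """Correlate the emitted Child SA proposal with the config and the peer's response."""
    events, proposals = parse_log(log_text)
    conf = parse_conf(conf_text)
    proposal = proposals[0] if proposals else {}
    cfg_dh = configured_dh(conf.get("esp", ""))
    rejections = sum(1 for e in events if "INVALID_KE_PAYLOAD" in e.msg)
    retransmissions = sum(1 for e in events if "retransmission" in e.msg)
    verdict = "no Child SA rejection seen"
    if rejections:
        # RFC 7296: INVALID_KE_PAYLOAD means the responder did not accept the offered DH group.
        verdict = (f"peer rejected CREATE_CHILD_SA {rejections}x with INVALID_KE_PAYLOAD; "
                   f"initiator dropped the notification and retransmitted {retransmissions}x. "
                   f"Emitted DH={proposal.get('DH')}, esp= configures {cfg_dh}; "
                   f"compare with the peer's PFS group for this Child SA.")
    return {"conn": conf.get("_name"), "proposal": proposal, "configured_dh": cfg_dh,
            "dh_matches": bool(proposal) and proposal.get("DH") == cfg_dh,
            "invalid_ke_rejections": rejections, "retransmissions": retransmissions,
            "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG, SAMPLE_CONF).items():
        print(f"{k}: {v}")
```

Run it against a saved `ipsec auto --up` transcript and the matching conn block to see at a glance whether the DH group Libreswan actually put on the wire is the one configured, and whether the peer's INVALID_KE_PAYLOAD answers are being dropped rather than acted on.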
