Hi,

I just updated libreswan from version 4.7 to 4.8, but with the newest version I 
can’t establish a connection with the current configuration; it exits with status 
134.
Just revert to version 4.7 and everything works OK.



The log when trying to connect:

Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: responding to 
Main Mode from unknown peer 16.138.17.119:500
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main Mode 
R1
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: sent Main Mode 
R2
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: Peer ID is 
ID_IPV4_ADDR: '192.168.1.60'
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119 #1: switched to 
"tunnel8"[2] 16.138.17.119
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[1] 16.138.17.119: deleting 
connection instance with peer 16.138.17.119 {isakmp=#0/ipsec=#0}
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA 
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
group=MODP2048}
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: Sending 
Username/Password request (MAIN_R3->XAUTH_R0)
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: password 
file authentication method requested to authenticate user '[email protected]'
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: password 
file (/etc/ipsec.d/passwd) open.
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: success 
user([email protected]:(null))
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: User 
[email protected]: Authentication Successful
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: XAUTH: 
xauth_inR1(STF_OK)
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: IKE SA 
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
group=MODP2048}

Oct 13 15:44:04 sol pluto[3555]: | pool 192.168.20.2-192.168.20.2: growing 
address pool from 0 to 1
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: 
modecfg_inR0(STF_OK)
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: sent ModeCfg 
reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
group=MODP2048}
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #1: the peer 
proposed: 192.168.20.0/24 -<all>-> 192.168.20.2/32
Oct 13 15:44:04 sol pluto[3555]: |   checking hostpair 0.0.0.0/0 -> 
192.168.20.2/32
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2: responding to 
Quick Mode proposal {msgid:537d8833}
Oct 13 15:44:04 sol pluto[3555]: "tunnel8"[2] 16.138.17.119 #2:     us: 
0.0.0.0/0===82.100.227.27[@xauth.lab,MS+XS+S=C]  them: 
16.138.17.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 13 15:44:04 sol pluto[3555]: ABORT: ASSERTION FAILED: 
pi->inbound.keymat.len == needed_len (compute_proto_keymat() +339 
/programs/pluto/ikev1_quick.c)
Oct 13 15:44:04 sol ipsec__plutorun[6759]: !pluto failure!:  exited with error 
status 134 (signal 6)
Oct 13 15:44:04 sol ipsec__plutorun[6761]: restarting IPsec after pause...



Server configuration: 
conn tunnel8-aggr
        aggrmode=yes
        also=tunnel8

conn tunnel8
        pfs=no
        type=tunnel
        auto=add
        ikev2=no
        phase2=esp
        authby=secret
        keyingtries=3
        ikelifetime=24h
        salifetime=24h
        left=82.100.227.27
        leftsubnet=0.0.0.0/0
        [email protected]
        right=%any
        rightid=%any
        rightaddresspool=192.168.20.100-192.168.20.254
        dpddelay=30
        dpdtimeout=300
        dpdaction=clear
        leftxauthserver=yes
        rightxauthclient=yes
        leftmodecfgserver=yes
        rightmodecfgclient=yes
        modecfgpull=yes
        fragmentation=yes
        xauthby=file




Client configuration (using libreswan 4.5):
conn tunnel1
        pfs=no
        type=tunnel
        auto=start
        ikev2=no
        phase2=esp
        authby=secret
        keyingtries=3
        ikelifetime=8h
        salifetime=8h
        left=192.168.1.60
        leftnexthop=16.138.17.119
        right=xauth.lab
        rightsubnet=192.168.20.0/24
        [email protected]
        dpddelay=30
        dpdtimeout=300
        dpdaction=restart
        leftxauthclient=yes
        leftmodecfgclient=yes
        [email protected]
        modecfgpull=yes
        fragmentation=yes
        ipsec-interface=yes


Thanks for the help.

Regards,
Antonio


