Hi,

I recently updated my Libreswan version from 5.0~rc3 to 5.1 and, without 
touching the configuration, I couldn’t connect.
The remote side is using Libreswan 5.0~rc3.
If I downgrade to the previous version, everything is fine. 


When connecting I got the error message:

Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot 
respond to IPsec SA request because no connection is known for 
192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: sending 
encrypted notification INVALID_ID_INFORMATION to 6.149.27.119:4500


I tried to check from the changelog what could have changed and adjust the 
configuration, but I don’t see it… can you help me?


My configuration:

# connection 'remotex_auth'
conn tunnel8-aggr
        aggrmode=yes
        also=tunnel8

conn tunnel8
        pfs=no
        type=tunnel
        auto=add
        ikev2=no
        phase2=esp
        authby=secret
        keyingtries=3
        ikelifetime=24h
        salifetime=24h
        left=82.100.127.28
        leftsubnet=0.0.0.0/0
        leftid=@xauth.mad
        right=%any
        rightid=%any
        rightaddresspool=192.168.20.100-192.168.20.254
        dpddelay=30
        dpdtimeout=300
        dpdaction=clear
        leftxauthserver=yes
        rightxauthclient=yes
        leftmodecfgserver=yes
        rightmodecfgclient=yes
        modecfgpull=yes
        fragmentation=yes
        xauthby=file


OK: Log when connected using version 5.0~rc3:

Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: ISAKMP SA 
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
group=MODP2048}
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: XAUTH: 
Sending Username/Password request (MAIN_R3->XAUTH_R0)
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: XAUTH: 
password file authentication method requested to authenticate user 
'asilvapt@mad'
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: XAUTH: 
password file (/etc/ipsec.d/passwd) open.
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: XAUTH: 
success user(asilvapt@mad:(null))
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: XAUTH: User 
asilvapt@mad: Authentication Successful
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: XAUTH: 
xauth_inR1(STF_OK)
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: ISAKMP SA 
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
group=MODP2048}
Oct 17 10:16:02 sol1 pluto[882496]: pool 192.168.20.2-192.168.20.2: growing 
address pool from 0 to 1
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: 
modecfg_inR0(STF_OK)
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: sent ModeCfg 
reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
group=MODP2048}
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: the peer 
proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:16:02 sol1 pluto[882496]: |   checking hostpair 0.0.0.0/0 -> 
192.168.20.2/32
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: responding to 
Quick Mode proposal {msgid:ba263d12}
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6:     us: 
0.0.0.0/0===82.100.127.28[@xauth.mad,MS+XS+S=C]  them: 
6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: sent Quick 
Mode reply, inbound IPsec SA installed, expecting confirmation tunnel mode 
{ESPinUDP=>0xe9f5842f <0xd60b0a38 xfrm=AES_CBC_128-HMAC_SHA1_96 
NATD=6.149.27.119:4500 DPD=active username=asilvapt@mad}
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: 
STATE_QUICK_R1: retransmission; will wait 0.5 seconds for response
Oct 17 10:16:03 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: Warning: 
XAUTH username changed from '' to 'asilvaptmad'
Oct 17 10:16:03 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: Warning: 
XAUTH username changed from '' to 'asilvaptmad'
Oct 17 10:16:03 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: Warning: 
XAUTH username changed from '' to 'asilvaptmad'



ERROR: Full log when using version 5.1:
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[5] 6.149.27.119 #5: responding to 
Main Mode from unknown peer 6.149.27.119:500
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[5] 6.149.27.119 #5: sent Main 
Mode R1
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[5] 6.149.27.119 #5: sent Main 
Mode R2
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[5] 6.149.27.119 #5: Peer ID is 
ID_IPV4_ADDR: '192.168.1.60'
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[5] 6.149.27.119 #5: switched to 
"tunnel8"[6] 6.149.27.119
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[5] 6.149.27.119: deleting 
connection instance with peer 6.149.27.119
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: ISAKMP SA 
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
group=MODP2048}
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: XAUTH: 
Sending Username/Password request (MAIN_R3->XAUTH_R0)
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: XAUTH: 
password file authentication method requested to authenticate user 
'asilvapt@mad'
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: XAUTH: 
password file (/etc/ipsec.d/passwd) open.
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: XAUTH: 
success user(asilvapt@mad:(null))
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: XAUTH: User 
asilvapt@mad: Authentication Successful
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: XAUTH: 
xauth_inR1(STF_OK)
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: ISAKMP SA 
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
group=MODP2048}
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: pool 
192.168.20.2-192.168.20.2: growing address pool from 0 to 1
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: 
modecfg_inR0(STF_OK)
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: sent ModeCfg 
reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
group=MODP2048}
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer 
proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:15:01 sol1 pluto[855951]: |   checking hostpair 0.0.0.0/0 -> 
192.168.20.2/32
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot 
respond to IPsec SA request because no connection is known for 
192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: sending 
encrypted notification INVALID_ID_INFORMATION to 6.149.27.119:4500
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer 
proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:15:01 sol1 pluto[855951]: |   checking hostpair 0.0.0.0/0 -> 
192.168.20.2/32
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot 
respond to IPsec SA request because no connection is known for 
192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: sending 
encrypted notification INVALID_ID_INFORMATION to 6.149.27.119:4500
Oct 17 10:15:02 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer 
proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:15:02 sol1 pluto[855951]: |   checking hostpair 0.0.0.0/0 -> 
192.168.20.2/32
Oct 17 10:15:02 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot 
respond to IPsec SA request because no connection is known for 
192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 17 10:15:02 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: sending 
encrypted notification INVALID_ID_INFORMATION to 6.149.27.119:4500
Oct 17 10:15:03 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer 
proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:15:03 sol1 pluto[855951]: |   checking hostpair 0.0.0.0/0 -> 
192.168.20.2/32
Oct 17 10:15:03 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot 
respond to IPsec SA request because no connection is known for 
192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 17 10:15:03 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: sending 
encrypted notification INVALID_ID_INFORMATION to 6.149.27.119:4500
Oct 17 10:15:05 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer 
proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:15:05 sol1 pluto[855951]: |   checking hostpair 0.0.0.0/0 -> 
192.168.20.2/32
Oct 17 10:15:05 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot 
respond to IPsec SA request because no connection is known for 
192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 17 10:15:05 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: sending 
encrypted notification INVALID_ID_INFORMATION to 6.149.27.119:4500
Oct 17 10:15:09 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer 
proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:15:09 sol1 pluto[855951]: |   checking hostpair 0.0.0.0/0 -> 
192.168.20.2/32
Oct 17 10:15:09 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot 
respond to IPsec SA request because no connection is known for 
192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 17 10:15:09 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: sending 
encrypted notification INVALID_ID_INFORMATION to 6.149.27.119:4500
Oct 17 10:15:17 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer 
proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:15:17 sol1 pluto[855951]: |   checking hostpair 0.0.0.0/0 -> 
192.168.20.2/32
Oct 17 10:15:17 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot 
respond to IPsec SA request because no connection is known for 
192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
Oct 17 10:15:17 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: sending 
encrypted notification INVALID_ID_INFORMATION to 6.149.27.119:4500



—
Saludos / Regards / Cumprimentos
António Silva
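
Added triage example, not part of the original message and not Libreswan code: it takes the selectors from a "the peer proposed" log line and compares them with leftsubnet and rightaddresspool from the posted configuration. The function names and the result layout are assumptions made for this example; it reports how the values relate and does not identify what changed between 5.0~rc3 and 5.1.

```python
import ipaddress
import re

# Values copied from the "conn tunnel8" section of the post.
CONF = {"leftsubnet": "0.0.0.0/0",
        "rightaddresspool": "192.168.20.100-192.168.20.254"}

# Two pluto lines from the 5.1 log in the post, with the mail wrapping undone.
PREFIX = 'Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: '
LOG = [
    PREFIX + "the peer proposed: 192.168.20.0/24===192.168.20.2/32",
    PREFIX + "sending encrypted notification INVALID_ID_INFORMATION to 6.149.27.119:4500",
]

PROPOSED = re.compile(r"the peer proposed: (\S+)===(\S+)")


def relation(proposed, configured):
    """How a proposed selector relates to the configured subnet."""
    p = ipaddress.ip_network(proposed)
    c = ipaddress.ip_network(configured)
    if p == c:
        return "exact"
    if p.subnet_of(c):
        return "subset"
    return "overlap" if p.overlaps(c) else "outside"


def in_pool(selector, pool):
    """True if every address of the selector lies inside the lo-hi pool range."""
    lo, hi = (ipaddress.ip_address(a) for a in pool.split("-"))
    net = ipaddress.ip_network(selector)
    return lo <= net[0] and net[-1] <= hi


def triage(lines, conf):
    """One finding per distinct Quick Mode proposal seen in the log."""
    rejected = any("INVALID_ID_INFORMATION" in line for line in lines)
    findings = {}
    for line in lines:
        m = PROPOSED.search(line)
        if m:
            local, remote = m.groups()  # responder side first, peer side second
            findings[(local, remote)] = {
                "local_vs_leftsubnet": relation(local, conf["leftsubnet"]),
                "remote_in_pool": in_pool(remote, conf["rightaddresspool"]),
                "rejected": rejected,
            }
    return findings
```

For the posted values, the proposed local selector is a subset of leftsubnet rather than an exact match, and the proposed client address lies outside the rightaddresspool range.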
