Hi Andrew,

Thanks for the detailed info.

If it helps to reproduce and close the issue, my additional setup is:

Debian: 11.11
Linux kernel: 5.10.226

User in /etc/ipsec.d/passwd: 
asilvapt@mad:$6$W27QzNXfRvCY$F.ea5ytgP/sdsdsds::192.168.20.2 


If you need more info, please let me know.


—
Saludos / Regards / Cumprimentos
António Silva

> On 17 Oct 2024, at 16:09, Andrew Cagney <[email protected]> wrote:
> 
> 5.1 fixed this bug:
>  - fix Quick mode installing 0.0.0.0/0 when no MSG_CONFIG exchange
> [Andrew, Tuomo]
> It was exposed in 5.0 (kernel policy was set to 0.0.0.0/0) but 4.x was
> also broken (it installed the peer's host address).
> 
> I suspect this is a similar problem.
> 
> 
>> left=82.100.127.28
>> right=%any
>> leftsubnet=0.0.0.0/0
>> rightaddresspool=192.168.20.100-192.168.20.254
> 
> Here's the start of quick mode.
> 
>> Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: the peer proposed: 192.168.20.0/24===192.168.20.2/32
>> Oct 17 10:16:02 sol1 pluto[882496]: |   checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
> 
> It's looking for a host-pair matching 0.0.0.0/0 -> 192.168.20.2/32.
> That's wrong -  192.168.20.2/32 is not the peer's host address.  Yet,
> somehow, it stumbled on:
> 
>> Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: responding to Quick Mode proposal {msgid:ba263d12}
>> Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6:     us: 0.0.0.0/0===82.100.127.28[@xauth.mad,MS+XS+S=C]  them: 6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
> 
> However, in 5.1:
> 
>> Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer proposed: 192.168.20.0/24===192.168.20.2/32
>> Oct 17 10:15:01 sol1 pluto[855951]: |   checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
>> Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot respond to IPsec SA request because no connection is known for 192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
> 
> that failed.
> 
> I'd file a bug.

_______________________________________________
Swan mailing list -- [email protected]
To unsubscribe send an email to [email protected]
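The symptom Andrew points out in the quoted logs is that the host-pair lookup is keyed on the peer's proposed client selector (192.168.20.2/32) instead of the peer's host address (6.149.27.119). The script below is an added example, not code from this thread or from libreswan: it scans pluto log lines for a "the peer proposed" line followed by its "checking hostpair" line and flags the case where the hostpair's remote side is not the peer's host. The sample log text is constructed from the excerpts above (long lines unwrapped), and the log format it parses is assumed from those excerpts only.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the 5.0 and 5.1 excerpts quoted in
# the thread (wrapped lines rejoined; addresses and pids as in the thread).
SAMPLE_50 = """\
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #5: the peer proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:16:02 sol1 pluto[882496]: |   checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
Oct 17 10:16:02 sol1 pluto[882496]: "tunnel8"[4] 6.149.27.119 #6: responding to Quick Mode proposal {msgid:ba263d12}
"""

SAMPLE_51 = """\
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: the peer proposed: 192.168.20.0/24===192.168.20.2/32
Oct 17 10:15:01 sol1 pluto[855951]: |   checking hostpair 0.0.0.0/0 -> 192.168.20.2/32
Oct 17 10:15:01 sol1 pluto[855951]: "tunnel8"[6] 6.149.27.119 #5: cannot respond to IPsec SA request because no connection is known for 192.168.20.0/24===82.100.127.28[@xauth.mad,MS+XS+S=C]...6.149.27.119[192.168.1.60,+MC+XC+S=C]===192.168.20.2/32
"""

# Patterns assumed from the log excerpts in the thread; the instance
# "conn"[N] PEER #SA: prefix carries the peer's host address.
PROPOSED_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[0-9a-fA-F.:]+) #(?P<sa>\d+): '
    r'the peer proposed: (?P<our_client>\S+)===(?P<their_client>\S+)')
HOSTPAIR_RE = re.compile(r'checking hostpair (?P<local>\S+) -> (?P<remote>\S+)')
NOCONN_RE = re.compile(
    r'cannot respond to IPsec SA request because no connection is known')


def is_single_host(selector: str, host: str) -> bool:
    """True when `selector` is a single-address network covering exactly `host`."""
    net = ipaddress.ip_network(selector, strict=False)
    return net.num_addresses == 1 and net.network_address == ipaddress.ip_address(host)


def analyze(log_text: str) -> list:
    """Return findings for each Quick Mode exchange whose host-pair lookup
    was keyed on the proposed client selector rather than the peer's host,
    plus any 'no connection is known' failure that follows."""
    findings = []
    pending = None  # last "the peer proposed" line, awaiting its hostpair lookup
    for line in log_text.splitlines():
        m = PROPOSED_RE.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = HOSTPAIR_RE.search(line)
        if m and pending:
            remote = m.group('remote')
            # The lookup should name the peer's host address, not the
            # client selector the peer proposed.
            if not is_single_host(remote, pending['peer']):
                findings.append({
                    'kind': 'hostpair_keyed_on_client_selector',
                    'conn': pending['conn'],
                    'peer': pending['peer'],
                    'hostpair_remote': remote,
                    'proposed_their_client': pending['their_client'],
                })
            pending = None
            continue
        if NOCONN_RE.search(line):
            findings.append({'kind': 'no_connection_known'})
    return findings


if __name__ == '__main__':
    for label, sample in (('5.0', SAMPLE_50), ('5.1', SAMPLE_51)):
        print(label, analyze(sample))
```

On the 5.0 sample this reports only the mis-keyed lookup (the exchange then "stumbles on" a connection, as the thread says); on the 5.1 sample it reports the same mis-keyed lookup followed by the "no connection is known" failure, which is the observable difference between the two versions in the quoted logs.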
