Bug #4202: IPsec - completely broken after last round of changes
Status: Closed
% Done: 100%
Description
Had perfectly working IKEv2 Mutual RSA configurations. After the last round of messing with IPsec (presumably related to the reqids), nothing works on Jan 10 snapshots, not even simple stuff with a single P2.
Jan 12 11:34:40 ipsec_starter[46113]: Jan 12 11:34:40 ipsec_starter[46113]: 'con1' routed
Jan 12 11:34:40 ipsec_starter[46113]: Jan 12 11:34:40 ipsec_starter[46113]: configuration 'con1' unrouted
Jan 12 11:31:06 ipsec_starter[46113]: Jan 12 11:31:06 ipsec_starter[46113]: 'con1' routed
Jan 12 11:31:06 ipsec_starter[46113]: Jan 12 11:31:06 ipsec_starter[46113]: configuration 'con1' unrouted
Jan 12 11:31:05 ipsec_starter[46113]: Jan 12 11:31:05 ipsec_starter[46113]: 'con1' routed
Jan 12 11:31:05 ipsec_starter[46113]: Jan 12 11:31:05 ipsec_starter[46113]: configuration 'con1' unrouted
Jan 12 11:29:19 ipsec_starter[46113]: Jan 12 11:29:19 ipsec_starter[46113]: 'con1' routed
Jan 12 11:29:19 ipsec_starter[46113]: Jan 12 11:29:19 ipsec_starter[46113]: configuration 'con1' unrouted
Jan 12 10:00:46 ipsec_starter[46113]: Jan 12 10:00:46 ipsec_starter[46113]: 'con1' routed
Jan 12 10:00:46 ipsec_starter[46113]: Jan 12 10:00:46 ipsec_starter[46113]: configuration 'con1' unrouted
Jan 12 10:00:14 ipsec_starter[46113]: Jan 12 10:00:14 ipsec_starter[46113]: 'con1' routed
Jan 12 10:00:14 ipsec_starter[46113]: Jan 12 10:00:14 ipsec_starter[46113]: configuration 'con1' unrouted
is all that the previously perfectly working config managed to produce. :-(
Updated by Ermal Luçi almost 11 years ago
- Status changed from New to Rejected
I am sorry, this is not something you call a bug report.
Please provide the contents of your /var/etc/ipsec and your ipsec and system log.
I would advise to start from the forum!
Updated by Kill Bill almost 11 years ago
The IPsec log is above. There is nothing relevant in the system log. Relevant configuration from both endpoints:
# endpoint xx.xx.xx.xx (/var/etc/ipsec/ipsec.conf)
conn con1
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = xx.xx.xx.xx
    right = yy.yy.yy.yy
    leftid = asn1dn:
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes128-sha1-modp1024!
    esp = aes128-sha1-modp1024!
    leftauth = pubkey
    rightauth = pubkey
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
    rightid = asn1dn:
    rightsubnet = 10.0.0.0/24
    leftsubnet = 192.168.0.0/24

# endpoint yy.yy.yy.yy (/var/etc/ipsec/ipsec.conf)
conn con3
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = yy.yy.yy.yy
    right = xx.xx.xx.xx
    leftid = asn1dn:
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes128-sha1-modp1024!
    esp = aes128-sha1-modp1024!
    leftauth = pubkey
    rightauth = pubkey
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-3.crt
    rightid = asn1dn:
    rightsubnet = 192.168.0.0/24
    leftsubnet = 10.0.0.0/24
Again, this was perfectly working across many previous snapshots, until recently.
Updated by Ermal Luçi almost 11 years ago
Well, your problem is on
leftid = asn1dn:
What do you have configured as leftid?
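A config check for the defect Ermal points at above: an identity written as a bare prefix (`asn1dn:` with nothing after it) in the generated ipsec.conf, plus a check that the two endpoints' conn blocks mirror each other. This is an added example, not code from pfSense or from this ticket; the sample conn text is constructed from the blocks posted above, with the IPs left as the placeholders the reporter used.

```python
import re

# Constructed sample: the two posted conn blocks trimmed to the keys checked.
ENDPOINT_A = """conn con1
    left = xx.xx.xx.xx
    right = yy.yy.yy.yy
    leftid = asn1dn:
    rightid = asn1dn:
    leftsubnet = 192.168.0.0/24
    rightsubnet = 10.0.0.0/24
"""
ENDPOINT_B = """conn con3
    left = yy.yy.yy.yy
    right = xx.xx.xx.xx
    leftid = asn1dn:
    rightid = asn1dn:
    leftsubnet = 10.0.0.0/24
    rightsubnet = 192.168.0.0/24
"""

def parse_conns(text):
    """Parse ipsec.conf 'conn' sections into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns

def empty_identities(conns):
    """(conn, key) for every leftid/rightid that is set but carries no identity."""
    bad = []
    for name, opts in conns.items():
        for key in ("leftid", "rightid"):
            # a type prefix such as "asn1dn:" with nothing after the colon is empty
            if key in opts and (opts[key] == "" or opts[key].endswith(":")):
                bad.append((name, key))
    return bad

MIRROR = {"left": "right", "right": "left", "leftsubnet": "rightsubnet",
          "rightsubnet": "leftsubnet", "leftid": "rightid", "rightid": "leftid"}

def mirror_mismatches(local, peer):
    """Keys of our conn whose left/right counterpart on the peer differs."""
    return sorted(k for k, p in MIRROR.items() if k in local and local[k] != peer.get(p))
```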
Updated by Ermal Luçi almost 11 years ago
- Status changed from Rejected to Feedback
Just pushed a commit for this.
Thx for the catch.
Updated by Ermal Luçi almost 11 years ago
- % Done changed from 0 to 100
Applied in changeset 83b8ed6b2bec13d3b60acd9bd4786e5a7df4de90.
Updated by Ermal Luçi almost 11 years ago
Applied in changeset 324311043385aed357ca8838bde2c3af3111e564.
Updated by Chris Buechler almost 11 years ago
- Status changed from Feedback to Resolved
That looks like the only issue that existed here, and that works fine now.