hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

Error when changing leftsubnet to leftsubnets in /etc/ipsec.d/ikev2.conf #1218

Closed dxisto closed 2 years ago

dxisto commented 2 years ago

Describe the issue
I'm trying to accomplish split tunneling as described in the documentation, but after editing ikev2.conf, removing the line leftsubnet=0.0.0.0/0 and adding the line leftsubnets="10.10.0.0/24,192.168.6.0/24" and restarting ipsec, I can't connect anymore and the logs show:

Aug 26 22:49:45 devel pluto[15977]: packet from XXX.XXX.XXX.XXX:500: ISAKMP_v2_IKE_SA_INIT message received on XXX.XXX.XXX.XXX:500 but no suitable connection found with IKEv2 policy
Aug 26 22:49:45 devel pluto[15977]: packet from XXX.XXX.XXX.XXX:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN

If I put the leftsubnet line back and restart ipsec, the connection works fine.

To Reproduce
Steps to reproduce the behavior:

  1. Edit /etc/ipsec.d/ikev2.conf
  2. Restart ipsec: service ipsec restart

Server (please complete the following information)

Client (please complete the following information)

Additional context
The same problem occurs with other client types.

hwdsl2 commented 2 years ago

@dxisto Hello! Please restart the IPsec service, then check the logs for errors at the time of adding the IKEv2 connection. There should be more details in the logs regarding why the connection failed to add.
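The advice above is to look at what pluto logged when it should have added the IKEv2 connection rather than only at the client-side NO_PROPOSAL_CHOSEN. The following is an added example, not code from this issue or from the setup-ipsec-vpn project: a small Python check that reads pluto journal lines, lists which conns were actually added, and correlates a missing IKEv2 conn with the "no suitable connection found" and NO_PROPOSAL_CHOSEN lines. The sample log lines are constructed in the shape of those quoted in this thread (addresses are documentation placeholders), and the conn name "ikev2-cp" is an assumption about the name used in /etc/ipsec.d/ikev2.conf, not something the issue states.

```python
import re
from typing import Dict, List

# Constructed sample log: pluto (Libreswan) journal lines in the shape of those
# quoted in this issue. Addresses are RFC 5737 documentation placeholders.
# Note that only the two IKEv1 connections are reported as added.
SAMPLE_LOG = """\
Aug 27 00:34:13 devel pluto[17450]: "l2tp-psk": added IKEv1 connection
Aug 27 00:34:13 devel pluto[17450]: "xauth-psk": added IKEv1 connection
Aug 27 00:34:13 devel pluto[17450]: listening for IKE messages
Aug 27 00:34:13 devel pluto[17450]: loading secrets from "/etc/ipsec.secrets"
Aug 27 00:35:02 devel pluto[17450]: packet from 198.51.100.7:500: ISAKMP_v2_IKE_SA_INIT message received on 203.0.113.5:500 but no suitable connection found with IKEv2 policy
Aug 27 00:35:02 devel pluto[17450]: packet from 198.51.100.7:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
"""

# Constructed healthy counterpart: same startup, but the IKEv2 conn loads.
# "ikev2-cp" is an assumed conn name, not taken from the issue.
HEALTHY_LOG = """\
Aug 27 00:40:01 devel pluto[17600]: "l2tp-psk": added IKEv1 connection
Aug 27 00:40:01 devel pluto[17600]: "xauth-psk": added IKEv1 connection
Aug 27 00:40:01 devel pluto[17600]: "ikev2-cp": added IKEv2 connection
Aug 27 00:40:01 devel pluto[17600]: listening for IKE messages
"""

ADDED_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)": added (?P<ver>IKEv1|IKEv2) connection')
NO_CONN_RE = re.compile(r"no suitable connection found with IKEv2 policy")
NO_PROPOSAL_RE = re.compile(r"unencrypted notification NO_PROPOSAL_CHOSEN")


def added_connections(log: str) -> Dict[str, str]:
    """Map every conn name pluto reports as added to its IKE version."""
    conns: Dict[str, str] = {}
    for line in log.splitlines():
        m = ADDED_RE.search(line)
        if m:
            conns[m.group("conn")] = m.group("ver")
    return conns


def diagnose(log: str, expected_ikev2_conn: str = "ikev2-cp") -> List[str]:
    """Return findings explaining a NO_PROPOSAL_CHOSEN failure; empty means OK.

    Mirrors the advice in the thread: check what pluto did at the moment it
    was supposed to add the IKEv2 connection, not only the client-side error.
    """
    findings: List[str] = []
    conns = added_connections(log)
    lines = log.splitlines()

    if expected_ikev2_conn not in conns:
        findings.append(
            f'conn "{expected_ikev2_conn}" was never added at startup; '
            f"added conns: {sorted(conns) or 'none'}")
    if "IKEv2" not in conns.values():
        findings.append(
            "no IKEv2 connection loaded at all: look for a config error logged "
            "just before 'listening for IKE messages'")
    if any(NO_CONN_RE.search(l) for l in lines):
        findings.append(
            "peers sent IKE_SA_INIT but no loaded connection matched IKEv2 policy")
    rejected = sum(1 for l in lines if NO_PROPOSAL_RE.search(l))
    if rejected:
        findings.append(
            f"{rejected} IKE_SA_INIT reply(ies) carried NO_PROPOSAL_CHOSEN; with "
            "no IKEv2 conn loaded this is likely a consequence, not a cipher mismatch")
    return findings


if __name__ == "__main__":
    for name, log in (("broken", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        print(f"== {name} ==")
        for finding in diagnose(log) or ["no findings"]:
            print(" -", finding)
```

On a real server, feed it the output of journalctl -u ipsec (or the relevant syslog file) captured across a restart; the useful signal is the absence of an "added IKEv2 connection" line for the conn defined in ikev2.conf, which is what distinguishes a config that failed to load from a genuine proposal mismatch.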

dxisto commented 2 years ago

Here is the complete log when restarting:

Aug 27 00:34:12 devel polkitd[584]: Registered Authentication Agent for unix-process:17161:1123816 (system bus name :1.90 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Aug 27 00:34:12 devel pluto[17155]: shutting down
Aug 27 00:34:12 devel pluto[17155]: Pluto is shutting down
Aug 27 00:34:12 devel pluto[17155]: forgetting secrets
Aug 27 00:34:12 devel pluto[17155]: shutting down interface lo [::1]:500
Aug 27 00:34:12 devel pluto[17155]: shutting down interface lo 127.0.0.1:4500
Aug 27 00:34:12 devel pluto[17155]: shutting down interface lo 127.0.0.1:500
Aug 27 00:34:12 devel pluto[17155]: shutting down interface eth0 xxx.xxx.xxx.xxx:4500
Aug 27 00:34:12 devel pluto[17155]: shutting down interface eth0 xxx.xxx.xxx.xxx:500
Aug 27 00:34:12 devel pluto[17155]: shutting down interface eth0 xxx.xxx.xxx.xxx:4500
Aug 27 00:34:12 devel pluto[17155]: shutting down interface eth0 xxx.xxx.xxx.xxx:500
Aug 27 00:34:12 devel pluto[17155]: shutting down interface eth1 xxx.xxx.xxx.xxx:4500
Aug 27 00:34:12 devel pluto[17155]: shutting down interface eth1 xxx.xxx.xxx.xxx:500
Aug 27 00:34:12 devel pluto[17155]: leak: 3 libevent_malloc, item size: 40
Aug 27 00:34:12 devel pluto[17155]: leak detective found 3 leaks, total size 40
Aug 27 00:34:13 devel pluto[17450]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
Aug 27 00:34:13 devel pluto[17450]: FIPS Mode: NO
Aug 27 00:34:13 devel pluto[17450]: NSS crypto library initialized
Aug 27 00:34:13 devel pluto[17450]: FIPS mode disabled for pluto daemon
Aug 27 00:34:13 devel pluto[17450]: FIPS HMAC integrity support [disabled]
Aug 27 00:34:13 devel pluto[17450]: libcap-ng support [enabled]
Aug 27 00:34:13 devel pluto[17450]: Linux audit support [disabled]
Aug 27 00:34:13 devel pluto[17450]: Starting Pluto (Libreswan Version 4.7 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (native-PRF) SYSTEMD_WATCHDOG LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:17450
Aug 27 00:34:13 devel pluto[17450]: core dump dir: /run/pluto
Aug 27 00:34:13 devel pluto[17450]: secrets file: /etc/ipsec.secrets
Aug 27 00:34:13 devel pluto[17450]: leak-detective enabled
Aug 27 00:34:13 devel pluto[17450]: NSS crypto [enabled]
Aug 27 00:34:13 devel pluto[17450]: XAUTH PAM support [enabled]
Aug 27 00:34:13 devel pluto[17450]: initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Aug 27 00:34:13 devel pluto[17450]: NAT-Traversal support [enabled]
Aug 27 00:34:13 devel pluto[17450]: Encryption algorithms:
Aug 27 00:34:13 devel pluto[17450]: AES_CCM_16 {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
Aug 27 00:34:13 devel pluto[17450]: AES_CCM_12 {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
Aug 27 00:34:13 devel pluto[17450]: AES_CCM_8 {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
Aug 27 00:34:13 devel pluto[17450]: 3DES_CBC [192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
Aug 27 00:34:13 devel pluto[17450]: CAMELLIA_CTR {256,192,128} IKEv1: ESP IKEv2: ESP
Aug 27 00:34:13 devel pluto[17450]: CAMELLIA_CBC {256,192,128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
Aug 27 00:34:13 devel pluto[17450]: AES_GCM_16 {256,192,128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
Aug 27 00:34:13 devel pluto[17450]: AES_GCM_12 {256,192,128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
Aug 27 00:34:13 devel pluto[17450]: AES_GCM_8 {256,192,128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
Aug 27 00:34:13 devel pluto[17450]: AES_CTR {256,192,128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
Aug 27 00:34:13 devel pluto[17450]: AES_CBC {256,192,128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
Aug 27 00:34:13 devel pluto[17450]: NULL_AUTH_AES_GMAC {256,192,128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
Aug 27 00:34:13 devel pluto[17450]: NULL [] IKEv1: ESP IKEv2: ESP
Aug 27 00:34:13 devel pluto[17450]: CHACHA20_POLY1305 [256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
Aug 27 00:34:13 devel pluto[17450]: Hash algorithms:
Aug 27 00:34:13 devel pluto[17450]: MD5 IKEv1: IKE IKEv2: NSS
Aug 27 00:34:13 devel pluto[17450]: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
Aug 27 00:34:13 devel pluto[17450]: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
Aug 27 00:34:13 devel pluto[17450]: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
Aug 27 00:34:13 devel pluto[17450]: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
Aug 27 00:34:13 devel pluto[17450]: IDENTITY IKEv1: IKEv2: FIPS
Aug 27 00:34:13 devel pluto[17450]: PRF algorithms:
Aug 27 00:34:13 devel pluto[17450]: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5
Aug 27 00:34:13 devel pluto[17450]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
Aug 27 00:34:13 devel pluto[17450]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
Aug 27 00:34:13 devel pluto[17450]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
Aug 27 00:34:13 devel pluto[17450]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
Aug 27 00:34:13 devel pluto[17450]: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
Aug 27 00:34:13 devel pluto[17450]: Integrity algorithms:
Aug 27 00:34:13 devel pluto[17450]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5
Aug 27 00:34:13 devel pluto[17450]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
Aug 27 00:34:13 devel pluto[17450]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Aug 27 00:34:13 devel pluto[17450]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Aug 27 00:34:13 devel pluto[17450]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Aug 27 00:34:13 devel pluto[17450]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Aug 27 00:34:13 devel pluto[17450]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
Aug 27 00:34:13 devel pluto[17450]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Aug 27 00:34:13 devel pluto[17450]: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Aug 27 00:34:13 devel pluto[17450]: DH algorithms:
Aug 27 00:34:13 devel pluto[17450]: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
Aug 27 00:34:13 devel pluto[17450]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh2
Aug 27 00:34:13 devel pluto[17450]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
Aug 27 00:34:13 devel pluto[17450]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
Aug 27 00:34:13 devel pluto[17450]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
Aug 27 00:34:13 devel pluto[17450]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
Aug 27 00:34:13 devel pluto[17450]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
Aug 27 00:34:13 devel pluto[17450]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
Aug 27 00:34:13 devel pluto[17450]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
Aug 27 00:34:13 devel pluto[17450]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
Aug 27 00:34:13 devel pluto[17450]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
Aug 27 00:34:13 devel pluto[17450]: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
Aug 27 00:34:13 devel pluto[17450]: IPCOMP algorithms:
Aug 27 00:34:13 devel pluto[17450]: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS
Aug 27 00:34:13 devel pluto[17450]: LZS IKEv1: IKEv2: ESP AH FIPS
Aug 27 00:34:13 devel pluto[17450]: LZJH IKEv1: IKEv2: ESP AH FIPS
Aug 27 00:34:13 devel pluto[17450]: testing CAMELLIA_CBC:
Aug 27 00:34:13 devel pluto[17450]: Camellia: 16 bytes with 128-bit key
Aug 27 00:34:13 devel pluto[17450]: Camellia: 16 bytes with 128-bit key
Aug 27 00:34:13 devel pluto[17450]: Camellia: 16 bytes with 256-bit key
Aug 27 00:34:13 devel pluto[17450]: Camellia: 16 bytes with 256-bit key
Aug 27 00:34:13 devel pluto[17450]: testing AES_GCM_16:
Aug 27 00:34:13 devel pluto[17450]: empty string
Aug 27 00:34:13 devel pluto[17450]: one block
Aug 27 00:34:13 devel pluto[17450]: two blocks
Aug 27 00:34:13 devel pluto[17450]: two blocks with associated data
Aug 27 00:34:13 devel pluto[17450]: testing AES_CTR:
Aug 27 00:34:13 devel pluto[17450]: Encrypting 16 octets using AES-CTR with 128-bit key
Aug 27 00:34:13 devel pluto[17450]: Encrypting 32 octets using AES-CTR with 128-bit key
Aug 27 00:34:13 devel pluto[17450]: Encrypting 36 octets using AES-CTR with 128-bit key
Aug 27 00:34:13 devel pluto[17450]: Encrypting 16 octets using AES-CTR with 192-bit key
Aug 27 00:34:13 devel pluto[17450]: Encrypting 32 octets using AES-CTR with 192-bit key
Aug 27 00:34:13 devel pluto[17450]: Encrypting 36 octets using AES-CTR with 192-bit key
Aug 27 00:34:13 devel pluto[17450]: Encrypting 16 octets using AES-CTR with 256-bit key
Aug 27 00:34:13 devel pluto[17450]: Encrypting 32 octets using AES-CTR with 256-bit key
Aug 27 00:34:13 devel pluto[17450]: Encrypting 36 octets using AES-CTR with 256-bit key
Aug 27 00:34:13 devel pluto[17450]: testing AES_CBC:
Aug 27 00:34:13 devel pluto[17450]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Aug 27 00:34:13 devel pluto[17450]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Aug 27 00:34:13 devel pluto[17450]: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Aug 27 00:34:13 devel pluto[17450]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Aug 27 00:34:13 devel pluto[17450]: testing AES_XCBC:
Aug 27 00:34:13 devel pluto[17450]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Aug 27 00:34:13 devel pluto[17450]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Aug 27 00:34:13 devel pluto[17450]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Aug 27 00:34:13 devel pluto[17450]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Aug 27 00:34:13 devel pluto[17450]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Aug 27 00:34:13 devel pluto[17450]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Aug 27 00:34:13 devel pluto[17450]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Aug 27 00:34:13 devel pluto[17450]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Aug 27 00:34:13 devel pluto[17450]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Aug 27 00:34:13 devel pluto[17450]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Aug 27 00:34:13 devel pluto[17450]: testing HMAC_MD5:
Aug 27 00:34:13 devel pluto[17450]: RFC 2104: MD5_HMAC test 1
Aug 27 00:34:13 devel pluto[17450]: RFC 2104: MD5_HMAC test 2
Aug 27 00:34:13 devel pluto[17450]: RFC 2104: MD5_HMAC test 3
Aug 27 00:34:13 devel pluto[17450]: 1 CPU cores online
Aug 27 00:34:13 devel pluto[17450]: starting up 1 helper threads
Aug 27 00:34:13 devel pluto[17450]: started thread for helper 0
Aug 27 00:34:13 devel pluto[17450]: using Linux xfrm kernel support code on

1 SMP Wed Aug 10 16:21:17 UTC 2022

Aug 27 00:34:13 devel pluto[17450]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Aug 27 00:34:13 devel pluto[17450]: watchdog: sending probes every 100 secs
Aug 27 00:34:13 devel pluto[17450]: seccomp security not supported
Aug 27 00:34:13 devel pluto[17450]: helper(1) seccomp security for helper not supported
Aug 27 00:34:13 devel pluto[17450]: "l2tp-psk": added IKEv1 connection
Aug 27 00:34:13 devel pluto[17450]: "xauth-psk": added IKEv1 connection
Aug 27 00:34:13 devel pluto[17450]: listening for IKE messages
Aug 27 00:34:13 devel pluto[17450]: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
Aug 27 00:34:13 devel pluto[17450]: adding UDP interface eth1 xxx.xxx.xxx.xxx:500
Aug 27 00:34:13 devel pluto[17450]: adding UDP interface eth1 xxx.xxx.xxx.xxx:4500
Aug 27 00:34:13 devel pluto[17450]: adding UDP interface eth0 xxx.xxx.xxx.xxx:500
Aug 27 00:34:13 devel pluto[17450]: adding UDP interface eth0 xxx.xxx.xxx.xxx:4500
Aug 27 00:34:13 devel pluto[17450]: adding UDP interface eth0 xxx.xxx.xxx.xxx:500
Aug 27 00:34:13 devel pluto[17450]: adding UDP interface eth0 xxx.xxx.xxx.xxx:4500
Aug 27 00:34:13 devel pluto[17450]: adding UDP interface lo 127.0.0.1:500
Aug 27 00:34:13 devel pluto[17450]: adding UDP interface lo 127.0.0.1:4500
Aug 27 00:34:13 devel pluto[17450]: adding UDP interface lo [::1]:500
Aug 27 00:34:13 devel pluto[17450]: loading secrets from "/etc/ipsec.secrets"


hwdsl2 commented 2 years ago

@dxisto I was able to reproduce this issue, and I think it is probably a bug in Libreswan. I filed https://github.com/libreswan/libreswan/issues/832 which we can follow instead of this issue.