Bug 1153548
| Summary: | [TAHI][IKEv2] IKEv2.EN.I.2.1.1.1: Sending IKE_AUTH request failed | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Hangbin Liu <haliu> |
| Component: | libreswan | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED WONTFIX | QA Contact: | Hangbin Liu <haliu> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.1 | CC: | amarecek, haliu, pwouters |
| Target Milestone: | alpha | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-01-28 17:56:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Hangbin Liu
2014-10-16 07:59:15 UTC
Traffic Selector
OK type: (received: IPV6_ADDR_RANGE, expected: IPV6_ADDR_RANGE, comp: eq)
OK protocol: (received: 0, expected: 0, comp: eq)
OK selectorLen: (received: 40, expected: any, comp: already checked)
OK sport: (received: 0, expected: 0, comp: eq)
OK eport: (received: 65535, expected: 65535, comp: eq)
NG saddr: (received: 20010DB8 000F0001 00000000 00000001, expected: 20010DB8 000F0002 00000000 00000000, comp: eq)
NG eaddr: (received: 20010DB8 000F0001 00000000 00000001, expected: 20010DB8 000F0002 FFFFFFFF FFFFFFFF, comp: eq)
It looks like the other end wants to set up a subnet-to-subnet tunnel, but libreswan was configured as a host-to-host tunnel?
The other end is quiet, and we re-transmit our IKE_INIT packet:
| processing connection ikev2
| handling event EVENT_v2_RETRANSMIT for 2001:db8:f:1::1 "ikev2" #2 attempt 1 of 0
| sending 244 bytes for EVENT_v2_RETRANSMIT through p6p1:500 to 2001:db8:f:1::1:500 (using #2)
This is why you see the wrong IKE Exchange packet.
Can you tell me more about the test configuration or what the other end is expecting from us?
Based on:
> conn ikev2
> left=2001:0db8:0001:0001::1234
> right=2001:0db8:000f:0001::1
> leftid=2001:0db8:0001:0001::1234
> rightid=2001:0db8:000f:0001::1
> type=tunnel
> auto=start
> connaddrfamily=ipv6
> authby=secret
> phase2=esp
> phase2alg=3des-sha1
> ike=3des-sha1;modp1024
> ikev2=insist
it seems you need to add a rightsubnet= and leftsubnet= line with the respective IPv6 ranges. Based on the mismatch, try:
rightsubnet=2001:db8:f:1::0/64
leftsubnet=2001:db8:1:1::0/64
Now I see:

First Traffic Selector:
NG saddr: (received: 20010DB8 00010001 00000000 00000000, expected: 20010DB8 00010001 00000000 00001234, comp: eq)
NG eaddr: (received: 20010DB8 00010001 FFFFFFFF FFFFFFFF, expected: 20010DB8 00010001 00000000 00001234, comp: eq)
So here it wants the host IP, not the subnet.

Second Traffic Selector:
NG saddr: (received: 20010DB8 000F0001 00000000 00000000, expected: 20010DB8 000F0002 00000000 00000000, comp: eq)
NG eaddr: (received: 20010DB8 000F0001 FFFFFFFF FFFFFFFF, expected: 20010DB8 000F0002 FFFFFFFF FFFFFFFF, comp: eq)
This seems to be a mismatch of 2001:db8:f:1::0/64 versus 2001:db8:f:2::0/64.

It still seems to be a configuration mismatch.

Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Since this bug has been closed, remove the needinfo flag. I will retest this bug later.
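
An added example, not part of the bug thread or of libreswan: a small Python parser for the tester's traffic-selector lines quoted above. It converts each received/expected `saddr`/`eaddr` pair to CIDR form so the selector the tester expects can be compared directly with the configured `leftsubnet=`/`rightsubnet=`. The function names are hypothetical; the input lines are copied from the last comment.

```python
import ipaddress
import re

# Traffic-selector lines copied from the last comment in the thread.
SAMPLE = """\
NG saddr: (received: 20010DB8 00010001 00000000 00000000, expected: 20010DB8 00010001 00000000 00001234, comp: eq)
NG eaddr: (received: 20010DB8 00010001 FFFFFFFF FFFFFFFF, expected: 20010DB8 00010001 00000000 00001234, comp: eq)
NG saddr: (received: 20010DB8 000F0001 00000000 00000000, expected: 20010DB8 000F0002 00000000 00000000, comp: eq)
NG eaddr: (received: 20010DB8 000F0001 FFFFFFFF FFFFFFFF, expected: 20010DB8 000F0002 FFFFFFFF FFFFFFFF, comp: eq)
"""

# Matches "OK|NG saddr|eaddr: (received: <hex words>, expected: <hex words>, ..."
LINE_RE = re.compile(
    r"(?:OK|NG)\s+(saddr|eaddr):\s+\(received:\s*([0-9A-Fa-f ]+),"
    r"\s*expected:\s*([0-9A-Fa-f ]+),"
)


def to_addr(hex_words):
    """Convert '20010DB8 000F0001 00000000 00000001' to an IPv6Address."""
    digits = hex_words.replace(" ", "")
    if len(digits) != 32:
        raise ValueError(f"not a 128-bit address: {hex_words!r}")
    return ipaddress.IPv6Address(int(digits, 16))


def to_cidrs(start, end):
    """Express an inclusive address range as the CIDR blocks that cover it."""
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def selector_ranges(text):
    """Pair each saddr line with the next eaddr line.

    Returns one (received_cidrs, expected_cidrs) tuple per traffic selector.
    """
    results, start = [], None
    for field, recv, exp in LINE_RE.findall(text):
        if field == "saddr":
            start = (to_addr(recv), to_addr(exp))
        elif start is not None:
            results.append((to_cidrs(start[0], to_addr(recv)),
                            to_cidrs(start[1], to_addr(exp))))
            start = None
    return results


if __name__ == "__main__":
    for i, (received, expected) in enumerate(selector_ranges(SAMPLE), 1):
        print(f"TS {i}: sent {received}, tester expects {expected}")
```
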