regression: failing connection for clients with ikev1&psk (fritzbox)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
After upgrading from 18.04 to 22.04, fritzbox clients can't connect anymore.
apt-cache policy strongswan-starter => 5.9.5-2ubuntu2
22.04 relevant log part:

```
05[IKE] <Client-IP> is initiating a Aggressive Mode IKE_SA
05[IKE] <Client-IP> is initiating a Aggressive Mode IKE_SA
05[CFG] looking for pre-shared key peer configs matching <Host-IP>
05[CFG] selected peer config "<keyid>"
05[IKE] no shared key found for '%any'[<Host-IP>] - '<keyid>
05[IKE] no shared key found for <Host-IP> - <Client-IP>
```
18.04 relevant log part:

```
05[IKE] <Client-IP> is initiating a Aggressive Mode IKE_SA
16[CFG] looking for pre-shared key peer configs matching <Host-IP>
16[CFG] selected peer config "<keyid>"
16[ENC] generating AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D HASH ]
```
See also this similar Question:
https:/
The config is more or less like this (the actual config uses multiple levels of also="..."):

```
conn vpn-conn-1
    leftsubnet=
    rightsubnet
    rightdns=
    right=%any
    leftauth=psk
    aggressive=yes
    keyexchange
    rightauth=psk
    ike=
    esp=
    leftid=<keyid>
    rightid=
    rightsource
```
The workaround is using a secret with a selector of %any. As this would require the same secret for all clients, this is not very useful.
Also, there is a second bug with the DPD logic killing the connection (after using a single secret for all clients). It seems the DPD packets are slightly different, so that the client does not recognize them anymore, resulting in connection loss after ~3 minutes of inactivity, depending on DPD settings.
DPD with 22.04 (broken):

```
08[ENC] generating INFORMATIONAL_V1 request 1052382832 [ HASH N(DPD) ]
08[NET] sending packet: from <Host-IP>[4500] to <Client-IP>[500] (92 bytes)
09[JOB] DPD check timed out, enforcing DPD action
```

DPD with 18.04 (working):

```
09[ENC] generating INFORMATIONAL_V1 request 1542446007 [ HASH N(DPD) ]
09[NET] sending packet: from <Host-IP>[4500] to <Client-IP>[4500] (92 bytes)
11[NET] received packet: from <Client-IP>[4500] to <Host-IP>[4500] (92 bytes)
11[ENC] parsed INFORMATIONAL_V1 response 1542446007 [ HASH N(DPD_ACK) ]
```
Downgrading the strongswan package version to the 20.04 version fixes the shared-key bug but not the DPD bug.
Downgrading to the 18.04 package version fixes both but creates other bugs with Windows clients.
I've tried compiling without -flto, as suggested here: https:/
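As an added example (not part of this bug report and not strongSwan code), a small Python checker that scans charon log lines for the two symptoms described above: PSK lookup failures, DPD requests that never receive a DPD_ACK, and DPD sends where the local NAT-T port 4500 is paired with remote port 500 instead of 4500, as in the 22.04 trace. The addresses in the sample are constructed placeholders standing in for the redacted <Host-IP>/<Client-IP>.

```python
import re

# Constructed sample: the 22.04 (broken) and 18.04 (working) DPD excerpts from the
# report plus one PSK lookup failure, with placeholder addresses for the redacted hosts.
SAMPLE_LOG = """\
08[ENC] generating INFORMATIONAL_V1 request 1052382832 [ HASH N(DPD) ]
08[NET] sending packet: from 192.0.2.1[4500] to 198.51.100.7[500] (92 bytes)
09[JOB] DPD check timed out, enforcing DPD action
09[ENC] generating INFORMATIONAL_V1 request 1542446007 [ HASH N(DPD) ]
09[NET] sending packet: from 192.0.2.1[4500] to 198.51.100.7[4500] (92 bytes)
11[NET] received packet: from 198.51.100.7[4500] to 192.0.2.1[4500] (92 bytes)
11[ENC] parsed INFORMATIONAL_V1 response 1542446007 [ HASH N(DPD_ACK) ]
05[IKE] no shared key found for '%any'[192.0.2.1] - 'vpn-gw'
"""

DPD_REQ = re.compile(r"generating INFORMATIONAL_V1 request (\d+) \[ HASH N\(DPD\) \]")
DPD_ACK = re.compile(r"parsed INFORMATIONAL_V1 response (\d+) \[ HASH N\(DPD_ACK\) \]")
SEND = re.compile(r"sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
NO_PSK = re.compile(r"no shared key found for (.+)")


def analyse(log):
    """Return unanswered DPD message ids, NAT-T port asymmetries and PSK lookup failures."""
    findings = {"unanswered_dpd": [], "port_mismatch": [], "no_psk": []}
    pending = None  # message id of the DPD request whose send line is expected next
    acked = set()
    for line in log.splitlines():
        if m := DPD_REQ.search(line):
            pending = m.group(1)
            findings["unanswered_dpd"].append(pending)
        elif m := DPD_ACK.search(line):
            acked.add(m.group(1))
        elif m := SEND.search(line):
            src, sport, dst, dport = m.groups()
            # The working trace sends DPD from 4500 to the client's 4500; the broken
            # trace sends from 4500 to 500. Flag that asymmetry on DPD sends only.
            if pending is not None and sport == "4500" and dport != "4500":
                findings["port_mismatch"].append((pending, f"{src}:{sport}->{dst}:{dport}"))
            pending = None
        elif m := NO_PSK.search(line):
            findings["no_psk"].append(m.group(1))
    # A DPD whose id later shows up in a DPD_ACK was answered; keep the rest.
    findings["unanswered_dpd"] = [i for i in findings["unanswered_dpd"] if i not in acked]
    return findings


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        print(kind, items)
```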
Hello Tobias,
Thanks for filing this bug.
Would you be able to provide shorter reproducers for each of the issues you are experiencing (minimal setups and configuration files) so we can better assist in debugging and finding a root cause? Then, when we can confirm we are dealing with 2 different issues, we can split this into 2 different bugs as well.