Default ike version in AL2023 libreswan package

[densikat]

Hi All,

We tried to replace our Amazon Linux 2 instance that is running Libreswan with Amazon Linux 2023. We deployed this but the tunnel failed to come up with a NO_PROPOSAL_CHOSEN coming back from the Cisco side (we have the same libreswan config in use).

I am wondering what IKE version is the default for the libreswan package provided by AL2023?

Our logs seem to suggest IKEv2 is in use by default (the responder side is configured to use IKEv1, so I believe this would indeed cause a failure)

"vpn/1x25": added IKEv2 connection

The libreswan docs seem to suggest that IKEv1 is default if ikve2 parameter is not set (which we are not setting)

https://libreswan.org/man/ipsec.conf.5.html

I found another link from Redhat suggesting they set ikve2 as the default

https://access.redhat.com/solutions/5699991

So, I'm wondering if the AL2023 package is setting IKEv2 as the default? (we are on version 4.12-3.amzn2023.0.2)

[ozbenh]

Our package is based on Fedora and doesn't contain the RHEL patch to disable IKEv1 by default. Anything interesting in the logs ?

[swathipanneerselvam]

The file /etc/crypto-policies/back-ends/libreswan.config contains default connection settings for IPsec

conn %default
	ikev2=insist
	pfs=yes

which could be the issue here.

[densikat]

@ozbenh

Thanks for that, nothing particularly interesting (although I admit to not being a full time network admin, so I may be missing something)

The first mention of ikev2 is

Oct 30 22:12:58.530216: CAVP: IKEv2 key derivation with HMAC-SHA1

After that the tunnels begin being configured

Oct 30 22:12:58.543980: "vpn/1x1": IKE SA proposals (connection add)
Oct 30 22:12:58.544007: "vpn/1x1":   1:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP1536
Oct 30 22:12:58.544026: "vpn/1x1": Child SA proposals (connection add):
Oct 30 22:12:58.544030: "vpn/1x1":   1:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
Oct 30 22:12:58.544049: "vpn/1x1": added IKEv2 connection

This is then repeated 25 times for the various tunnels

Then there is just this repeated for all the data tunnels waiting on the keying channel

Oct 30 22:12:58.554544: "vpn/1x24": queue Child SA; waiting on IKE SA "vpn/1x25" #1 negotiating with REMOTEVPNIP

and then the failures start

Oct 30 22:12:58.563278: "vpn/1x25" #1: dropping unexpected IKE_SA_INIT message containing NO_PROPOSAL_CHOSEN notification; message payloads: N; missing payloads: SA,KE,Ni

@swathipanneerselvam

Thanks for that, the file is present, from the quick bit of reading I've done it needs to be set as include in /etc/ipsec.conf though?

As per my config below, it's not set.

# /etc/ipsec.conf - Libreswan 4.0 configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/

config setup
	logfile=/var/log/openswan.log
	protostack=netkey

include /etc/ipsec.d/*.conf

For reference,

Setting ikev2=never in my conf file does force ikev1. I am just interested in why I'm getting the ikev2 default (I don't have a test tunnel with this client, so I want to make sure I have coherent story before attempting the upgrade again)

[densikat]

Is this possibly just a case of out of date docs?

I found this libreswan/libreswan#588, which links to this commit libreswan/libreswan@80d78e1 which seems to set IKEv2 as the default.

There is a doc update here to say yes is the default for ikev2 - https://github.com/libreswan/libreswan/pull/589/files

But that's not reflected on the website - https://libreswan.org/man/ipsec.conf.5.html

[ozbenh]

That could well be indeed