Verified with 5.3.5-1ubuntu3.5 on Xenial. Here is the testing procedure with east01 as the roadwarrior with IP 169.254.6.1 (foo.bar.org) and west01 as the concentrator with IP 169.254.6.2.
west01:
root@west01:~# grep foo /etc/hosts
169.254.6.1 foo.bar.org
root@west01:~# cat /etc/ipsec.conf
# LP: #1734207
conn lp-base
    authby=psk
    keyexchange=ikev1
    mobike=no
    type=transport
    left=169.254.6.2

conn lp-east01
    also=lp-base
    right=foo.bar.org
    <email address hidden>
    auto=add

conn lp-rw
    also=lp-base
    right=%any
    auto=add
root@west01:~# cat /etc/ipsec.secrets
169.254.6.2 @foo.bar.org : PSK "PSK-EAST01"
%any : PSK "PSK-RW"
east01:
root@east01:~# cat /etc/ipsec.conf
# LP: #1734207
conn lp-east01
    authby=psk
    keyexchange=ikev1
    mobike=no
    type=transport
    left=169.254.6.2
    right=foo.bar.org
    <email address hidden>
    auto=start
root@east01:~# cat /etc/ipsec.secrets
%any : PSK "PSK-EAST01"
When west01 uses the unpatched package (5.3.5-1ubuntu3.4), east01 is unable to connect:
root@east01:~# service strongswan restart
root@east01:~# journalctl -fu strongswan | grep -m1 malformed
Dec 20 18:10:57 east01 charon[2318]: 06[IKE] ignore malformed INFORMATIONAL request
As soon as west01 is upgraded to the patched package (5.3.5-1ubuntu3.5), east01 connects:
root@east01:~# service strongswan restart
root@east01:~# journalctl -u strongswan | tail
Dec 20 18:14:36 east01 charon[2543]: 06[IKE] scheduling reauthentication in 9973s
Dec 20 18:14:36 east01 charon[2543]: 06[IKE] maximum IKE_SA lifetime 10513s
Dec 20 18:14:36 east01 charon[2543]: 06[ENC] generating QUICK_MODE request 2756199350 [ HASH SA No ID ID ]
Dec 20 18:14:36 east01 charon[2543]: 06[NET] sending packet: from 169.254.6.1[500] to 169.254.6.2[500] (220 bytes)
Dec 20 18:14:36 east01 charon[2543]: 05[NET] received packet: from 169.254.6.2[500] to 169.254.6.1[500] (172 bytes)
Dec 20 18:14:36 east01 charon[2543]: 05[ENC] parsed QUICK_MODE response 2756199350 [ HASH SA No ID ID ]
Dec 20 18:14:36 east01 charon[2543]: 05[IKE] CHILD_SA lp-east01{1} established with SPIs ce97ae49_i c3036bc6_o and TS 169.254.6.1/32 === 169.254.6.2/32
Dec 20 18:14:36 east01 charon[2543]: 05[IKE] CHILD_SA lp-east01{1} established with SPIs ce97ae49_i c3036bc6_o and TS 169.254.6.1/32 === 169.254.6.2/32
Dec 20 18:14:36 east01 charon[2543]: 05[ENC] generating QUICK_MODE request 2756199350 [ HASH ]
Dec 20 18:14:36 east01 charon[2543]: 05[NET] sending packet: from 169.254.6.1[500] to 169.254.6.2[500] (60 bytes)
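
The pass/fail check from the procedure above, scripted so it can be repeated after each package change. This is an added example, not part of the original comment; the function name and verdict format are hypothetical, and it assumes each restart of strongswan gives charon a new PID (as in the logs above), so that lines left over from before the restart are ignored.

```shell
#!/bin/sh
# Added example. Reads charon journal lines on stdin and prints one verdict line.
classify_charon_log() {
    awk '
    {
        # Track the daemon instance: "charon[2543]:" -> 2543.
        if (!match($0, /charon\[[0-9]+\]/)) next
        pid = substr($0, RSTART + 7, RLENGTH - 8)
        if (pid != cur) { cur = pid; est = ""; bad = 0 }  # restart seen: drop stale state
        if (index($0, "ignore malformed INFORMATIONAL request")) bad = 1
        # The log above shows the "established" line twice; keeping the last copy dedups it.
        if (match($0, /CHILD_SA [^ ]+ established with SPIs .*/)) {
            est = substr($0, RSTART, RLENGTH)
        }
    }
    END {
        if (est != "") {
            split(est, f, " ")
            i = index(f[2], "{"); if (i) f[2] = substr(f[2], 1, i - 1)
            sub(/_i$/, "", f[6]); sub(/_o$/, "", f[7])
            printf "PASS conn=%s spi_in=%s spi_out=%s ts=%s===%s pid=%s\n", f[2], f[6], f[7], f[10], f[12], cur
        } else if (bad) {
            print "FAIL malformed-informational pid=" cur
        } else {
            print "UNKNOWN pid=" cur
        }
    }'
}

# Sample input: log lines copied from the comment above.
unpatched_log() {
    echo 'Dec 20 18:10:57 east01 charon[2318]: 06[IKE] ignore malformed INFORMATIONAL request'
}
patched_log() {
    cat <<'EOF'
Dec 20 18:14:36 east01 charon[2543]: 05[ENC] parsed QUICK_MODE response 2756199350 [ HASH SA No ID ID ]
Dec 20 18:14:36 east01 charon[2543]: 05[IKE] CHILD_SA lp-east01{1} established with SPIs ce97ae49_i c3036bc6_o and TS 169.254.6.1/32 === 169.254.6.2/32
Dec 20 18:14:36 east01 charon[2543]: 05[IKE] CHILD_SA lp-east01{1} established with SPIs ce97ae49_i c3036bc6_o and TS 169.254.6.1/32 === 169.254.6.2/32
EOF
}

# Both runs in one journal: only the latest charon instance decides the verdict.
{ unpatched_log; patched_log; } | classify_charon_log
```

On a live host the input would be `journalctl -u strongswan | classify_charon_log` run on east01 after the restart.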