I am having trouble with auto up and multiple connections. Using Libreswan 4.9 in Red Hat 8.8/8.9/8.10 OS on Azure Cloud. I have separate configs for each connection, all are the same with different IP and RSA sigs.

Conf:

conn A_B
    leftid=@west
    left=A.A.A.A
    leftrsasigkey=LLLL...
    rightid=@east
    right=B.B.B.B
    rightrsasigkey=RRRR....
    authby=rsasig
    # use auto=start when done testing the tunnel
    auto=start
    dpddelay=5
    dpdtimeout=30
    dpdaction=restart

Using systemctl to start/stop/restart works flawlessly for any one connection at a time. However, if there are multiple connections (A_C, A_D, etc.), then only the one that is loaded first works.

I can manually use ipsec auto --add A_C then ipsec auto --up A_C and the tunnel works as expected and does not affect the one that came up automatically. It is only on system/service restart that the tunnels do not all connect automatically as expected.

Error in journal:

" #19: initiating IKEv2 connection
" #19: sent IKE_SA_INIT request to A.A.A.A:500
" #19: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
" #19: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
" #19: encountered fatal error in state STATE_V2_PARENT_I2
" #19: deleting state (STATE_V2_PARENT_I2) aged 0.015081s and NOT sending notification
" #19: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS

Result of ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 4.9
Checking for IPsec support in kernel [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects [OK]
         ICMP default/accept_redirects [OK]
         XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
 Pluto listening for IKE on udp 500 [OK]
 Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]

Carl

1 Answer

Turns out each conn, despite being named differently, also needs a unique left/rightid. Thus making the config more like this:

conn A_B
    leftid=@west_A_B
    left=A.A.A.A
    leftrsasigkey=LLLL...
    rightid=@east_A_B
    right=B.B.B.B
    rightrsasigkey=RRRR....
    authby=rsasig
    # use auto=start when done testing the tunnel
    auto=start
    dpddelay=5
    dpdtimeout=30
    dpdaction=restart
Carl
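As an added check (not part of the question, the answer, or Libreswan itself), the following Python script parses the conn sections of an ipsec.conf and reports conns that share the same leftid/rightid pair, which is the collision the answer identifies; the embedded config is a constructed sample, and the parser only handles the simple `key=value` layout shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: A_B and A_C reuse @west/@east (the failing setup from the
# question), while A_D uses per-conn IDs as the answer recommends.
SAMPLE_CONF = """\
conn A_B
    leftid=@west
    rightid=@east
    right=B.B.B.B
    auto=start
conn A_C
    leftid=@west
    rightid=@east
    right=C.C.C.C
    auto=start
conn A_D
    leftid=@west_A_D
    rightid=@east_A_D
    right=D.D.D.D
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:                                   # new section header
            current = m.group(1)
            conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            conns[current][key.strip()] = value.strip()
    return conns

def find_duplicate_ids(conns):
    """Group conns by (leftid, rightid) and return pairs used by more than one conn."""
    groups = defaultdict(list)
    for name, opts in conns.items():
        groups[(opts.get("leftid"), opts.get("rightid"))].append(name)
    return {pair: names for pair, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    for (lid, rid), names in find_duplicate_ids(parse_conns(SAMPLE_CONF)).items():
        print(f"leftid={lid} rightid={rid} shared by: {', '.join(names)}")
```

Run it against the real file with `parse_conns(open("/etc/ipsec.d/<file>.conf").read())`; an empty result means every conn has its own ID pair.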