Ondrej Moris
@cagney We see this when connecting via NetworkManager-libreswan with the following (client) configuration to libreswan server (both sides libreswan-5): ``` ikev2 = insist left = 192.0.2.246 leftcert = hosta.example.org leftid...
Thanks for such a quick reply. So while trying to gather the answers, we somewhat isolated the problem. First of all, in the aforementioned scenario there are multiple connections loaded...
FYI the same scenario with libreswan-4.15 works just fine all the time, here are the logs you asked for: Server: ``` Jan 27 12:22:40.100701: "hostb_conn_leftsubnet" #1: initiating IKEv2 connection Jan 27 12:22:40.104445:...
Hm, it looks a lot like what is tested in https://github.com/libreswan/libreswan/tree/main/testing/pluto/connalias-01-conflict but that would mean that pluto does not distinguish between our two connections although they have different left/right and...
@cagney I isolated my "problem" as follows: ``` # cat /etc/ipsec.conf conn test_ipv4 hostaddrfamily=ipv4 left=10.0.185.77 leftsubnet=192.0.3.0/24 right=10.0.186.77 rightsubnet=192.0.4.0/24 ikev2=insist authby=secret [email protected] [email protected] leftmodecfgserver=no rightmodecfgclient=no conn test_ipv6 left=2620:52:0:bb:f816:3eff:fe5f:8cea leftsubnet=192.0.3.0/24 right=2620:52:0:bb:f816:3eff:fe30:cbd5 rightsubnet=192.0.4.0/24...
Fair enough, Paul, so it is an invalid configuration; it is a testing config anyway and I opened an issue for nmstate (https://github.com/nmstate/nmstate/issues/2837). Thank you for the answer.
Notice that there are currently 4 failures in the external test. All of them happen only when the (pkcs11-provider) self-test is executed through `./test/run_tests.pl` in OpenSSL. This test driver seems...
Thank you all for such a quick and perfectly constructive feedback. I rebased the commit to include all the changes. Also I added test execution into GH actions workflow ci.yml...
Hm, I need to take another look into it I guess. Also, @beldmit suggested to separate the test. I'll do that too.
@cagney This seems to be the problem: https://github.com/libreswan/libreswan/blob/0aaf455d8770440a7f8ee578ba6373416f80abc9/programs/pluto/terminate.c#L160-L165 For CUCKOO_CHILD the assertion must fail because: https://github.com/libreswan/libreswan/blob/0aaf455d8770440a7f8ee578ba6373416f80abc9/programs/pluto/visit_connection.c#L490 `c->established_ike_sa != SOS_NOBODY` Hence the assertion only makes sense for ORPHAN_CHILD.