Default ike version in AL2023 libreswan package

[densikat]

Hi All,

We tried to replace our Amazon Linux 2 instance that is running Libreswan with Amazon Linux 2023. We deployed this but the tunnel failed to come up with a NO_PROPOSAL_CHOSEN coming back from the Cisco side (we have the same libreswan config in use).

I am wondering what IKE version is the default for the libreswan package provided by AL2023?

Our logs seem to suggest IKEv2 is in use by default (the responder side is configured to use IKEv1, so I believe this would indeed cause a failure)

"vpn/1x25": added IKEv2 connection

The libreswan docs seem to suggest that IKEv1 is default if ikve2 parameter is not set (which we are not setting)

https://libreswan.org/man/ipsec.conf.5.html

I found another link from Redhat suggesting they set ikve2 as the default

https://access.redhat.com/solutions/5699991

So, I'm wondering if the AL2023 package is setting IKEv2 as the default? (we are on version 4.12-3.amzn2023.0.2)

[ozbenh]

Our package is based on Fedora and doesn't contain the RHEL patch to disable IKEv1 by default. Anything interesting in the logs ?

[swathipanneerselvam]

The file /etc/crypto-policies/back-ends/libreswan.config contains default connection settings for IPsec

conn %default
	ikev2=insist
	pfs=yes

which could be the issue here.