David Morel

#39648 of 53,633
6.8 Total CVSS
Vulnerabilities · 1
PT-2024-4388
6.8
2024-04-10
Libreswan · Libreswan · CVE-2024-3652
**Name of the Vulnerable Software and Affected Versions**

Libreswan versions prior to 4.15

**Description**

The issue is related to the Libreswan library, which is used for VPN protocols with "IPsec". It is caused by an assertion failure when handling IKEv1 packets without specifying an esp= line. When a peer requests AES-GMAC, libreswan's default proposal handler causes the failure, leading to a crash and restart. This issue does not affect IKEv2 connections. The vulnerability can be exploited by a remote attacker to cause a denial of service.

**Recommendations**

For Libreswan versions prior to 4.15, update to version 4.15 or later to resolve the issue. As a temporary workaround, consider disabling the use of IKEv1 without specifying an esp= line until a patch is available. Restrict access to the default proposal handler to minimize the risk of exploitation. Avoid using AES-GMAC with IKEv1 until the issue is resolved.