[Swan] IPSec+XAUTH Multiple Clients behind same NAT not working
Pontus Wiberg
pontus.wiberg at universumglobal.com
Fri Aug 22 11:51:48 EEST 2014
Finally my XAUTH configuration is working; however, now I find myself stuck
on a NAT issue. I moved to Libreswan largely because of the
rightaddresspool option and because using XAUTH should support having
multiple clients behind the same NAT. Now I can't get that to work, though.
I have two clients: I can connect the first successfully with user
"pontus", I can ping everything on the inside and it works perfectly;
however, as soon as one more client connects (user "andre"), all tunnels
to that IP break. They do not disconnect, but there is no connectivity
anywhere. Sometimes, although rarely, the new client will stay connected and
his tunnel will continue to work, but the old client will still be without
connectivity.
*ipsec status*
000 #9: "roadwarrior"[2] 176.71.208.160:43070 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_EXPIRE in 3529s; newest IPSEC; eroute owner;
isakmp#8; idle; import:not set
000 #9: "roadwarrior"[2] 176.71.208.160 esp.30fab882 at 176.71.208.160
esp.96bed41e at 10.1.31.5 tun.0 at 176.71.208.160 tun.0 at 10.1.31.5 ref=0
refhim=4294901761 Traffic: ESPin=960B ESPout=1KB! ESPmax=4194303B
XAUTHuser=pontus
000 #8: "roadwarrior"[2] 176.71.208.160:43070 STATE_MODE_CFG_R1 (ModeCfg
Set sent, expecting Ack); EVENT_SA_EXPIRE in 86322s; newest ISAKMP;
lastdpd=2s(seq in:0 out:0); idle; import:not set
000 #11: "roadwarrior"[3] 176.71.208.160:43337 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_EXPIRE in 3555s; newest IPSEC; eroute owner;
isakmp#10; idle; import:not set
000 #11: "roadwarrior"[3] 176.71.208.160 esp.d668ea4c at 176.71.208.160
esp.4f0836e7 at 10.1.31.5 tun.0 at 176.71.208.160 tun.0 at 10.1.31.5 ref=0
refhim=4294901761 Traffic: ESPin=1KB ESPout=540B! ESPmax=4194303B
XAUTHuser=andre
000 #10: "roadwarrior"[3] 176.71.208.160:43337 STATE_MODE_CFG_R1 (ModeCfg
Set sent, expecting Ack); EVENT_SA_EXPIRE in 86344s; newest ISAKMP;
lastdpd=10s(seq in:0 out:0); idle; import:not set
*ipsec.conf*
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
plutodebug="all crypt"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least up to 2010-12-21)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
# Use this to log to a file, or disable logging on embedded systems (like openwrt)
plutostderrlog=/var/log/pluto.log
uniqueids=yes
conn roadwarrior
left=10.1.31.5
leftid=54.255.206.227
authby=secret
leftxauthserver=yes
leftsubnet=10.1.31.0/24
right=%any
rightid=%any
rightaddresspool=192.168.224.5-192.168.224.100
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
modecfgdns1=8.8.8.8
xauthby=file
pfs=no
rekey=no
auto=add
*plutodebug all*
"roadwarrior"[3] 176.71.208.160 #6: the peer proposed: 10.1.31.0/24:0/0 ->
192.168.224.6/32:0/0
| find_client_connection starting with roadwarrior
| looking for 10.1.31.0/24:0/0 -> 192.168.224.6/32:0/0
| concrete checking against sr#0 10.1.31.0/24 -> 192.168.224.6/32
| match_id a=172.20.10.3
| b=172.20.10.3
| results matched
| trusted_ca called with a=(empty) b=(empty)
| fc_try trying roadwarrior:10.1.31.0/24:0/0 -> 192.168.224.6/32:0/0 vs
roadwarrior:10.1.31.0/24:0/0 -> 192.168.224.6/32:0/0
| match_id a=172.20.10.3
| b=172.20.10.5
| results fail
| fc_try concluding with roadwarrior [128]
| fc_try roadwarrior gives roadwarrior
| concluding with d = roadwarrior
| client wildcard: no port wildcard: no virtual: no
| NAT-Traversal: received 0 NAT-OA.
| duplicating state object #6
| creating state object #7 at 0x7f19e64a5560
| processing connection roadwarrior[3] 176.71.208.160
| NAT-T RFC: Installing IPsec SA with ENCAP,
st->hidden_variables.st_nat_traversal is RFC 3947 (NAT-Traversal)+I am
behind NAT+peer behind NAT
"roadwarrior"[3] 176.71.208.160 #7: responding to Quick Mode proposal
{msgid:a49f2abd}
"roadwarrior"[3] 176.71.208.160 #7: us: 10.1.31.0/24===10.1.31.5
<10.1.31.5>[54.255.206.227,MS+XS+S=C]
"roadwarrior"[3] 176.71.208.160 #7: them:
176.71.208.160[172.20.10.3,+MC+XC+S=C]===192.168.224.6/32
| install_ipsec_sa() for #7: outbound only
| route owner of "roadwarrior"[3] 176.71.208.160 unrouted: NULL; eroute
owner: NULL
| could_route called for roadwarrior (kind=CK_INSTANCE)
| sr for #7: unrouted
| route owner of "roadwarrior"[3] 176.71.208.160 unrouted: NULL; eroute
owner: NULL
| route_and_eroute with c: roadwarrior (next: none) ero:null esr:{(nil)}
ro:null rosr:{(nil)} and state: 7
| eroute_connection add eroute 10.1.31.0/24:0 --0-> 192.168.224.6/32:0 =>
tun.0 at 176.71.208.160 (raw_eroute)
| satype(9) is not used in netlink_raw_eroute.
| raw_eroute result=1
| command executing up-client
| executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='roadwarrior' PLUTO_INTERFACE='eth0'
PLUTO_NEXT_HOP='176.71.208.160' PLUTO_ME='10.1.31.5'
PLUTO_MY_ID='54.255.206.227' PLUTO_MY_CLIENT='10.1.31.0/24'
PLUTO_MY_CLIENT_NET='10.1.31.0' PLUTO_MY_CLIENT_MASK='255.255.255.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392'
PLUTO_PEER='176.71.208.160' PLUTO_PEER_ID='172.20.10.3' PLUTO_PEER_CLIENT='
192.168.224.6/32' PLUTO_PEER_CLIENT_NET='192.168.224.6'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW'
PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre'
PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=''
PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown 2>&1
| popen cmd is 916 chars long
| cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='roadwarrior' PLUTO_:
| cmd( 80):INTERFACE='eth0' PLUTO_NEXT_HOP='176.71.208.160'
PLUTO_ME='10.1.31.5' PLUTO_MY_I:
| cmd( 160):D='54.255.206.227' PLUTO_MY_CLIENT='10.1.31.0/24'
PLUTO_MY_CLIENT_NET='10.1.31.0:
| cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0'
PLUTO_MY_PROTOCOL='0' P:
| cmd( 320):LUTO_SA_REQID='16392' PLUTO_PEER='176.71.208.160'
PLUTO_PEER_ID='172.20.10.3' PL:
| cmd( 400):UTO_PEER_CLIENT='192.168.224.6/32'
PLUTO_PEER_CLIENT_NET='192.168.224.6' PLUTO_P:
| cmd( 480):EER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PL:
| cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+DONT:
| cmd(
640):_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW'
PLUTO_CONN_ADD:
| cmd( 720):RFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre'
PLUTO_IS_PEER_CISCO=:
| cmd( 800):'0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=''
PLUTO_PEER_BANNER='' PLUTO_:
| cmd( 880):NM_CONFIGURED='0' ipsec _updown 2>&1:
| route_and_eroute: firewall_notified: true
| command executing prepare-client
| executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='roadwarrior' PLUTO_INTERFACE='eth0'
PLUTO_NEXT_HOP='176.71.208.160' PLUTO_ME='10.1.31.5'
PLUTO_MY_ID='54.255.206.227' PLUTO_MY_CLIENT='10.1.31.0/24'
PLUTO_MY_CLIENT_NET='10.1.31.0' PLUTO_MY_CLIENT_MASK='255.255.255.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392'
PLUTO_PEER='176.71.208.160' PLUTO_PEER_ID='172.20.10.3' PLUTO_PEER_CLIENT='
192.168.224.6/32' PLUTO_PEER_CLIENT_NET='192.168.224.6'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW'
PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre'
PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=''
PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown 2>&1
| popen cmd is 921 chars long
| cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='roadwarrior' P:
| cmd( 80):LUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='176.71.208.160'
PLUTO_ME='10.1.31.5' PLUTO:
| cmd( 160):_MY_ID='54.255.206.227' PLUTO_MY_CLIENT='10.1.31.0/24'
PLUTO_MY_CLIENT_NET='10.1:
| cmd( 240):.31.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0'
PLUTO_MY_PROTOCOL=:
| cmd( 320):'0' PLUTO_SA_REQID='16392' PLUTO_PEER='176.71.208.160'
PLUTO_PEER_ID='172.20.10.:
| cmd( 400):3' PLUTO_PEER_CLIENT='192.168.224.6/32'
PLUTO_PEER_CLIENT_NET='192.168.224.6' PL:
| cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL=':
| cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL:
| cmd(
640):+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW'
PLUTO_CON:
| cmd( 720):N_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre'
PLUTO_IS_PEER_C:
| cmd( 800):ISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=''
PLUTO_PEER_BANNER='' P:
| cmd( 880):LUTO_NM_CONFIGURED='0' ipsec _updown 2>&1:
| command executing route-client
| executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='roadwarrior' PLUTO_INTERFACE='eth0'
PLUTO_NEXT_HOP='176.71.208.160' PLUTO_ME='10.1.31.5'
PLUTO_MY_ID='54.255.206.227' PLUTO_MY_CLIENT='10.1.31.0/24'
PLUTO_MY_CLIENT_NET='10.1.31.0' PLUTO_MY_CLIENT_MASK='255.255.255.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392'
PLUTO_PEER='176.71.208.160' PLUTO_PEER_ID='172.20.10.3' PLUTO_PEER_CLIENT='
192.168.224.6/32' PLUTO_PEER_CLIENT_NET='192.168.224.6'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW'
PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre'
PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=''
PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown 2>&1
| popen cmd is 919 chars long
| cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='roadwarrior' PLU:
| cmd( 80):TO_INTERFACE='eth0' PLUTO_NEXT_HOP='176.71.208.160'
PLUTO_ME='10.1.31.5' PLUTO_M:
| cmd( 160):Y_ID='54.255.206.227' PLUTO_MY_CLIENT='10.1.31.0/24'
PLUTO_MY_CLIENT_NET='10.1.3:
| cmd( 240):1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0'
PLUTO_MY_PROTOCOL='0:
| cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_PEER='176.71.208.160'
PLUTO_PEER_ID='172.20.10.3':
| cmd( 400): PLUTO_PEER_CLIENT='192.168.224.6/32'
PLUTO_PEER_CLIENT_NET='192.168.224.6' PLUT:
| cmd( 480):O_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0':
| cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+D:
| cmd(
640):ONT_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW'
PLUTO_CONN_:
| cmd( 720):ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre'
PLUTO_IS_PEER_CIS:
| cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=''
PLUTO_PEER_BANNER='' PLU:
| cmd( 880):TO_NM_CONFIGURED='0' ipsec _updown 2>&1:
| route_and_eroute: instance "roadwarrior"[3] 176.71.208.160, setting
eroute_owner {spd=0x7f19e64a3e00,sr=0x7f19e64a3e00} to #7 (was #0)
(newest_ipsec_sa=#0)
| inI2: instance roadwarrior[3], setting newest_ipsec_sa to #7 (was #0)
(spd.eroute=#7)
| complete state transition with STF_OK
"roadwarrior"[3] 176.71.208.160 #7: transition from state STATE_QUICK_R1 to
state STATE_QUICK_R2
| deleting event for #7
| inserting event EVENT_SA_EXPIRE, timeout in 3600 seconds for #7
| event added after event EVENT_REINIT_SECRET
| NAT-T: their IKE port is '500'
| NAT-T: forceencaps is 'disabled'
"roadwarrior"[3] 176.71.208.160 #7: STATE_QUICK_R2: IPsec SA established
tunnel mode {ESP/NAT=>0x2ac96c18 <0x5b22fabb xfrm=AES_256-HMAC_MD5
NATOA=none NATD=176.71.208.160:43337 DPD=passive XAUTHuser=andre}
| modecfg pull: quirk-poll policy:pull not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 0 messages from cryptographic helpers
| next event EVENT_NAT_T_KEEPALIVE in 13 seconds
| next event EVENT_NAT_T_KEEPALIVE in 13 seconds
Happy to provide more information if needed :)
thanks,
Pontus
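As an added example (not code from the post or from Libreswan), a small Python parser for the `ipsec status` output quoted above: it collects the established IPsec SAs and lists, per peer public address, the XAUTH users sharing one NAT device together with their NAT-T source ports and ESP counters, which is the condition the post describes. The regexes assume the status line layout shown in the post; the sample lines are copied from it.

```python
import re
from collections import defaultdict

# "ipsec status" lines copied from the post above: two XAUTH clients behind
# the same NAT public address 176.71.208.160, on different NAT-T UDP ports.
STATUS = """\
000 #9: "roadwarrior"[2] 176.71.208.160:43070 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3529s; newest IPSEC; eroute owner; isakmp#8; idle; import:not set
000 #9: "roadwarrior"[2] 176.71.208.160 esp.30fab882 at 176.71.208.160 esp.96bed41e at 10.1.31.5 tun.0 at 176.71.208.160 tun.0 at 10.1.31.5 ref=0 refhim=4294901761 Traffic: ESPin=960B ESPout=1KB! ESPmax=4194303B XAUTHuser=pontus
000 #8: "roadwarrior"[2] 176.71.208.160:43070 STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_EXPIRE in 86322s; newest ISAKMP; lastdpd=2s(seq in:0 out:0); idle; import:not set
000 #11: "roadwarrior"[3] 176.71.208.160:43337 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3555s; newest IPSEC; eroute owner; isakmp#10; idle; import:not set
000 #11: "roadwarrior"[3] 176.71.208.160 esp.d668ea4c at 176.71.208.160 esp.4f0836e7 at 10.1.31.5 tun.0 at 176.71.208.160 tun.0 at 10.1.31.5 ref=0 refhim=4294901761 Traffic: ESPin=1KB ESPout=540B! ESPmax=4194303B XAUTHuser=andre
000 #10: "roadwarrior"[3] 176.71.208.160:43337 STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_EXPIRE in 86344s; newest ISAKMP; lastdpd=10s(seq in:0 out:0); idle; import:not set
"""

# State line '#N: "conn"[inst] peer:port STATE_...'; port is the NAT-T source port.
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>\d+(?:\.\d+){3}):(?P<port>\d+) (?P<state>STATE_\w+)')
# Traffic line of an IPsec SA: ESP byte counters plus the XAUTH user name.
TRAFFIC_RE = re.compile(
    r'^000 #(?P<sa>\d+): .*Traffic: ESPin=(?P<espin>\w+) '
    r'ESPout=(?P<espout>\w+)!? ESPmax=\w+ XAUTHuser=(?P<user>\S+)')

def parse_status(text):
    """Return {sa_number: fields} for each established IPsec SA."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            sas.setdefault(m['sa'], {}).update(
                conn=m['conn'], inst=int(m['inst']), peer=m['peer'],
                port=int(m['port']), state=m['state'])
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            sas.setdefault(m['sa'], {}).update(
                user=m['user'], espin=m['espin'], espout=m['espout'])
    # ISAKMP/ModeCfg states carry no traffic line and are dropped here.
    return {sa: d for sa, d in sas.items() if 'user' in d}

def clients_per_nat(sas):
    """Peer addresses with more than one IPsec SA: [(port, user, instance, sa)]."""
    by_peer = defaultdict(list)
    for sa, d in sorted(sas.items(), key=lambda kv: int(kv[0])):
        by_peer[d['peer']].append((d['port'], d['user'], d['inst'], int(sa)))
    return {peer: cl for peer, cl in by_peer.items() if len(cl) > 1}

if __name__ == '__main__':
    for peer, cl in clients_per_nat(parse_status(STATUS)).items():
        print(peer, 'shared by', ', '.join(f'{u} (udp/{p})' for p, u, _, _ in cl))
```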