[Swan] Help configuring libreswan with XAUTH, NSS and remote clients (road warriors)

Enrico Brunetta enrico at bitproductions.com
Thu Sep 18 17:21:35 EEST 2014 

Paul,

I suspect it’s a routing/firewall issue, but I’m stuck trying to figure it out. 

As I stated originally, I had configured the VPN gateway on AWS to use pre-shared key like this:

my machine’s IP is 172.31.48.104

I wanted the l2tp to use 172.31.48.129 for the local IP and an IP range pool of 172.31.48.130-172.31.48.254


conn vpnpsk
  connaddrfamily=ipv4
  auto=add
  left=172.31.48.104
  leftid=54.84.104.104
  leftsubnet=172.31.48.104/32
  leftnexthop=%defaultroute
  leftprotoport=17/1701
  rightprotoport=17/%any
  right=%any
  rightsubnetwithin=0.0.0.0/0
  forceencaps=yes
  authby=secret
  pfs=no
  type=transport
  auth=esp
  ike=3des-sha1,aes-sha1
  phase2alg=3des-sha1,aes-sha1
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear

root at ip-172-31-48-104:/etc# cat /etc/xl2tpd/xl2tpd.conf
[global]
port = 1701

[lns default]
ip range = 172.31.48.130-172.31.48.254
local ip = 172.31.48.129
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

and these are my routes and iptables rules:

root at ip-172-31-48-104:/etc# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.31.48.1     0.0.0.0         UG        0 0          0 eth0
172.31.48.0     0.0.0.0         255.255.240.0   U         0 0          0 eth0

root at ip-172-31-48-104:/etc# cat /etc/iptables.rules 
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPALL - [0:0]
:ZREJ - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 255 -j ICMPALL
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A INPUT -j ZREJ
-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
-A FORWARD -j ZREJ
-A ICMPALL -p icmp --fragment -j DROP        
-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
-A ICMPALL -p icmp -j DROP
-A ZREJ -p tcp -j REJECT --reject-with tcp-reset 
-A ZREJ -p udp -j REJECT --reject-with icmp-port-unreachable
-A ZREJ -j REJECT --reject-with icmp-proto-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.31.48.129/25 -o eth+ -j SNAT --to-source 172.31.48.104
COMMIT



I think now that l2tp is out of the question, I might have to change my fw rules?


Enrico.


On Sep 18, 2014, at 8:25 AM, Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 18 Sep 2014, Enrico Brunetta wrote:
> 
>> Now it looks like the connection is found but it fails differently:
>> 
>> Sep 18 11:53:58 ip-172-31-48-104 pluto[2054]: Starting Pluto (Libreswan Version 3.10 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:2054
> 
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [XAUTH]
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [Cisco-Unity]
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [FRAGMENTATION 80000000]
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: packet from 70.117.100.63:500: received Vendor ID payload [Dead Peer Detection]
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: responding to Main Mode from unknown peer 70.117.100.63
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Sep 18 11:54:07 ip-172-31-48-104 pluto[2054]: "xauth-rsa"[1] 70.117.100.63 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> Sep 18 11:54:17 ip-172-31-48-104 pluto[2054]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 70.117.100.63 port 500, complainant 70.117.100.63: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> 
> This looks like a fragmentation issue, or MTU/firewall issue. Try
> ike-frag=force, as the cisco you are talking to seems to support
> FRAGMENTATION. If that fails, you can try to lower the mtu of your
> interface a little.
> 
> Paul

More information about the Swan mailing list