[Swan] Answer packets not encrypted
Michael Schwartzkopff
ms at sys4.de
Tue Dec 9 22:01:01 EET 2014
On Tuesday, 9 December 2014, 11:40:43, you wrote:
> On Mon, 8 Dec 2014, Michael Schwartzkopff wrote:
> > When I set up an IPsec transport connection from a client behind a NAT to
> > the VPN server, everything is OK if I use netkey.
> >
> > If I use klips or mast, the answer packets from the server to the client
> > (should be udp/4500 to the NAT IP address) are not encrypted. They are
> > sent out in plain. Any idea? Thanks.
>
> Double check that you are looking at the right interfaces and are
> generating traffic with the right IP addresses.
I put the VPN server in its own network, leaving only one default route.
The source address of the answer packet is correct.
> The kernel stacks should prevent plaintext packets when an IPsec policy
> is in place. The only way with KLIPS to circumvent that is to have some
> specific route that bypasses the ipsecX interface that is more specific
> than the existing routes into the ipsecX interface. So double check your
> routing table?
# ip r l
default via 192.168.56.1 dev eth2
192.168.56.0/24 dev eth2 proto kernel scope link src 192.168.56.102
# grep -v "^\W*#\|^$" /etc/ipsec.conf
config setup
protostack=klips
interfaces="%defaultroute"
dumpdir=/var/run/pluto/
nat_traversal=yes
conn test
type=transport
left=192.168.56.102
right=%any
auto=add
authby=secret
When I use protostack=klips it works after putting the server into its own
network. It creates a new ipsec0 interface and adds the correct routing to the
routing table.
When I use mast (same config, protostack=mast) it does not work. Answer packets
leave the VPN server in plain text. There is no additional route via ipsec0
(or mast0) in the routing table.
What else can I provide to help you debug this?
--- auth.log
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #3: responding to
Main Mode from unknown peer 192.168.88.130
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #3: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #3: STATE_MAIN_R1:
sent MR1, expecting MI2
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #3: NAT-Traversal:
Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #3: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #3: STATE_MAIN_R2:
sent MR2, expecting MI3
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #3: Main mode peer
ID is ID_IPV4_ADDR: '192.168.88.130'
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #3: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #3: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha
group=MODP2048}
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #3: the peer
proposed: 192.168.56.102/32:0/0 -> 192.168.88.130/32:0/0
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #4: responding to
Quick Mode proposal {msgid:2140a1ba}
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #4: us:
192.168.56.102<192.168.56.102>
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #4: them:
192.168.88.130
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #4: transition
from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #4:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #4: transition
from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 9 20:57:13 node2 pluto[4035]: "test"[2] 192.168.88.130 #4:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x04d748a9
<0x869baae8 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
--- whack
# ipsec whack --status
000 using kernel interface: mast
000 interface mast0/eth2 192.168.56.102 at 4500
000 interface mast0/eth2 192.168.56.102 at 500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets,
ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/lib/ipsec
000 pluto_version=3.12, pluto_vendorid=OE-Libreswan-3.12
000 nhelpers=-1, uniqueids=yes, force-busy=no
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
000 secctx-attr-value=<unsupported>
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8,
100.64.0.0/10, fd00::/8, fe80::/10
000 - excluded subnet: 192.168.56.0/24
(...)
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0}
attrs={0,0,0}
000
000 Connection list:
000
000 "test": 192.168.56.102<192.168.56.102>...%any; unrouted; eroute owner: #0
000 "test": oriented; my_ip=unset; their_ip=unset
000 "test": xauth info: us:none, them:none, my_xauthuser=[any];
their_xauthuser=[any]
000 "test": modecfg info: us:none, them:none, modecfg policy:push,
dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "test": labeled_ipsec:no, loopback:no;
000 "test": policy_label:unset;
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0;
000 "test": sha2_truncbug:no; initial_contact:no; cisco_unity:no;
send_vendorid:no;
000 "test": policy: PSK+ENCRYPT+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "test": conn_prio: 32,32; interface: eth2; metric: 0; mtu: unset;
sa_prio:auto;
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "test"[2]: 192.168.56.102<192.168.56.102>...192.168.88.130; unrouted;
eroute owner: #0
000 "test"[2]: oriented; my_ip=unset; their_ip=unset
000 "test"[2]: xauth info: us:none, them:none, my_xauthuser=[any];
their_xauthuser=[any]
000 "test"[2]: modecfg info: us:none, them:none, modecfg policy:push,
dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "test"[2]: labeled_ipsec:no, loopback:no;
000 "test"[2]: policy_label:unset;
000 "test"[2]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0;
000 "test"[2]: sha2_truncbug:no; initial_contact:no; cisco_unity:no;
send_vendorid:no;
000 "test"[2]: policy:
PSK+ENCRYPT+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "test"[2]: conn_prio: 32,32; interface: eth2; metric: 0; mtu: unset;
sa_prio:auto;
000 "test"[2]: newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "test"[2]: IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000 "test"[2]: ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 2, active 0
000
000 State list:
000
000 #4: "test"[2] 192.168.88.130:500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 28375s; newest IPSEC; isakmp#3; idle; import:not set
000 #4: "test"[2] 192.168.88.130 esp.4d748a9 at 192.168.88.130
esp.869baae8 at 192.168.56.102 ref=4 refhim=3 Traffic:! ESPmax=4194303B
000 #3: "test"[2] 192.168.88.130:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3175s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0); idle; import:not set
000
000 Shunt list:
000
Thanks.
Kind regards,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Registered office: Munich, Munich District Court (Amtsgericht München): HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
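The routing check suggested in the quoted reply (a route more specific than the ipsecX route that steers peer traffic out of a plain device), as an added example that is not part of the thread: it does a longest-prefix lookup over `ip route` output. The first table is the one posted above; the second table, including its ipsec0 route and the bypassing host route, is constructed for illustration.

```python
import ipaddress
import re

# Routing table as posted in the thread (output of `ip r l` on the VPN server)
POSTED_TABLE = """\
default via 192.168.56.1 dev eth2
192.168.56.0/24 dev eth2 proto kernel scope link src 192.168.56.102
"""

# Constructed table: a KLIPS-style route sending the peer's subnet to ipsec0,
# plus a more specific host route that bypasses it (the case the reply warns of)
CONSTRUCTED_KLIPS_TABLE = """\
default via 192.168.56.1 dev eth2
192.168.56.0/24 dev eth2 proto kernel scope link src 192.168.56.102
192.168.88.0/24 dev ipsec0 scope link
192.168.88.130 via 192.168.56.1 dev eth2
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")

def parse_routes(text):
    """Parse `ip route` lines into (network, gateway-or-None, device) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append((ipaddress.ip_network(dst, strict=False), m["via"], m["dev"]))
    return routes

def lookup(routes, addr):
    """Longest-prefix match: the route the kernel would pick for addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, via, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best

def bypasses_ipsec(routes, addr, prefix="ipsec"):
    """True if addr is covered by some ipsecX route but a more specific route
    steers it out of a plain device, i.e. replies to addr would leave in clear."""
    chosen = lookup(routes, addr)
    if chosen is None or chosen[2].startswith(prefix):
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net and dev.startswith(prefix) for net, _, dev in routes)
```

With the posted table there is no ipsecX route at all, so the check reports nothing and the peer's reply simply follows the default route out of eth2; the constructed table shows what a bypassing host route looks like.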