[Swan] Error "cannot install eroute" when rekey/reconnect from the same IP (for L2TP)

Antonio Silva asilva at wirelessmundi.com
Fri May 8 16:48:32 EEST 2015


Sorry, I forgot to attach the log taken with the plutodebug option disabled.

Regards,
António

On 05/08/2015 03:39 PM, Antonio Silva wrote:
> Hi,
>
> Not sure if this applies to me; I saw this same error in my log, "cannot 
> install eroute -- it is in use for "tunnel2-nat"", when behind NAT I 
> tried to connect simultaneous users with Windows and L2TP/IPsec.
>
> I've installed libreswan 3.12.
>
> Is this setup possible?
>
> For openswan I found this: 
> https://lists.openswan.org/pipermail/users/2014-July/023037.html , but I'm 
> not sure if this applies to libreswan as well....
>
>
> ****
> My lab scenario to simulate a NAT connection is very simple: two 
> virtual machines using wm on a Debian box, and they connect to the 
> remote IPsec server:
>
>
> WM host win8.1 [192.168.8.131]
>                                                 ----
>                                                       ---- 
> [192.168.8.1] HOST [192.168.10.25] -------    [192.168.10.254] SERVER
>                                                 --- -
> WM host win8.1 [192.168.8.129]
>
>
>
> Attached are my configuration and the respective log files from when trying to connect.
>
> peer_one_connected.log.txt => peer one connected
> peer_two_fail_simultaneous_con.log.txt => peer two fails to connect
>
>
>
> Thanks for the help.
>
>
> regards,
> António
>
>
> On 12/16/2014 02:11 AM, Paul Wouters wrote:
>> On Fri, 12 Dec 2014, Elison Niven wrote:
>>
>>> Subject: [Swan] Error ”cannot install eroute” when rekey/reconnect 
>>> from the
>>>     same IP (for L2TP)
>>
>>> Is this fixed now ?
>>> https://lists.openswan.org/pipermail/users/2010-April/018685.html
>>
>> I changed this test case:
>>
>> https://github.com/libreswan/libreswan/tree/master/testing/pluto/l2tp-02-netkey 
>>
>>
>> to simulate your scenario using:
>>
>> ipsec auto --up north-east-l2tp
>> echo "c server" > /var/run/xl2tpd/l2tp-control
>> sleep 5
>> ipsec look
>> : ==== cut ====
>> cat /tmp/xl2tpd.log
>> : ==== tuc ====
>> ping -c 4 -n 192.0.2.254
>> # testing passthrough plaintext
>> echo quit | nc 192.0.2.254 22
>> ip addr show dev ppp0
>> sleep 5
>> echo "d server" > /var/run/xl2tpd/l2tp-control
>> ipsec auto --down north-east-l2tp
>> sleep 5
>> ipsec auto --up north-east-l2tp
>> echo "c server" > /var/run/xl2tpd/l2tp-control
>> sleep 5
>> ipsec look
>> echo done
>>
>> This worked fine. Both the first IPsec and PPP and the second IPsec and
>> PPP came up successfully. Since it uses RSA, I then modified it to use
>> PSK. But it still worked.
>>
>> Is there a chance you can try and test this with libreswan-3.12 ?
>>
>> Paul
>>
>>
>> I'm not sure if that fully reproduced your
>> connection from behind NAT? This connection used RSA, not PSK.
>>
>>
>>
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
>

-- 
---
António Silva

-------------- next part --------------
May  8 15:43:30 bitch ipsec__plutorun: Starting Pluto subsystem...
May  8 15:43:30 bitch pluto[28840]: nss directory plutomain: /etc/ipsec.d
May  8 15:43:30 bitch pluto[28840]: NSS Initialized
May  8 15:43:30 bitch pluto[28840]: libcap-ng support [disabled]
May  8 15:43:30 bitch pluto[28840]: FIPS HMAC integrity support [disabled]
May  8 15:43:30 bitch pluto[28840]: Linux audit support [disabled]
May  8 15:43:30 bitch pluto[28840]: Starting Pluto (Libreswan Version 3.12 XFRM(netkey) KLIPS NSS DNSSEC XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:28840
May  8 15:43:30 bitch pluto[28840]: core dump dir: /var/run/pluto
May  8 15:43:30 bitch pluto[28840]: secrets file: /etc/ipsec.secrets
May  8 15:43:30 bitch pluto[28840]: leak-detective disabled
May  8 15:43:30 bitch pluto[28840]: SAref support [disabled]: Protocol not available
May  8 15:43:30 bitch pluto[28840]: SAbind support [disabled]: Protocol not available
May  8 15:43:30 bitch pluto[28840]: NSS crypto [enabled]
May  8 15:43:30 bitch pluto[28840]: XAUTH PAM support [enabled]
May  8 15:43:30 bitch pluto[28840]:    NAT-Traversal support  [enabled]
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_AES_CTR: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_CAMELLIA_CBC: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
May  8 15:43:30 bitch pluto[28840]: starting up 3 crypto helpers
May  8 15:43:30 bitch pluto[28840]: started thread for crypto helper 0 (master fd 6)
May  8 15:43:30 bitch pluto[28840]: started thread for crypto helper 1 (master fd 8)
May  8 15:43:30 bitch pluto[28840]: started thread for crypto helper 2 (master fd 10)
May  8 15:43:30 bitch pluto[28840]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.58
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_gcm_8: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_gcm_12: Ok
May  8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_gcm_16: Ok
May  8 15:43:31 bitch pluto[28840]: added connection description "tunnel1-nat"
May  8 15:43:31 bitch pluto[28840]: added connection description "tunnel1"
May  8 15:43:31 bitch pluto[28840]: listening for IKE messages
May  8 15:43:31 bitch pluto[28840]: adding interface eth2/eth2 192.168.3.254:500
May  8 15:43:31 bitch pluto[28840]: adding interface eth2/eth2 192.168.3.254:4500
May  8 15:43:31 bitch pluto[28840]: adding interface eth1/eth1 192.168.11.254:500
May  8 15:43:31 bitch pluto[28840]: adding interface eth1/eth1 192.168.11.254:4500
May  8 15:43:31 bitch pluto[28840]: adding interface eth1/eth1 192.168.10.254:500
May  8 15:43:31 bitch pluto[28840]: adding interface eth1/eth1 192.168.10.254:4500
May  8 15:43:31 bitch pluto[28840]: adding interface eth0/eth0 10.10.0.1:500
May  8 15:43:31 bitch pluto[28840]: adding interface eth0/eth0 10.10.0.1:4500
May  8 15:43:31 bitch pluto[28840]: adding interface lo/lo 127.0.0.1:500
May  8 15:43:31 bitch pluto[28840]: adding interface lo/lo 127.0.0.1:4500
May  8 15:43:31 bitch pluto[28840]: loading secrets from "/etc/ipsec.secrets"
May  8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
May  8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
May  8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: received Vendor ID payload [RFC 3947]
May  8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May  8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: received Vendor ID payload [FRAGMENTATION]
May  8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
May  8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May  8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring Vendor ID payload [IKE CGA version 1]
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: responding to Main Mode from unknown peer 192.168.10.25
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: peer behind NAT
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.131'
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: switched from "tunnel1-nat" to "tunnel1-nat"
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: deleting connection "tunnel1-nat" instance with peer 192.168.10.25 {isakmp=#0/ipsec=#0}
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: new NAT mapping for #1, was 192.168.10.25:500, now 192.168.10.25:4500
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: the peer proposed: 192.168.10.254/32:17/0 -> 192.168.8.131/32:17/0
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: responding to Quick Mode proposal {msgid:01000000}
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2:     us: vhost:?===192.168.10.254<192.168.10.254>:17/%any
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2:   them: 192.168.10.25[192.168.8.131]:17/1701
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May  8 15:43:41 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
May  8 15:43:41 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May  8 15:43:41 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x403b2214 <0x13dd2ad6 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.8.131 NATD=192.168.10.25:4500 DPD=active}
May  8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
May  8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
May  8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: received Vendor ID payload [RFC 3947]
May  8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May  8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: received Vendor ID payload [FRAGMENTATION]
May  8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
May  8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring Vendor ID payload [Vid-Initial-Contact]
May  8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring Vendor ID payload [IKE CGA version 1]
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: responding to Main Mode from unknown peer 192.168.10.25
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: STATE_MAIN_R1: sent MR1, expecting MI2
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 1: peer behind NAT
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: STATE_MAIN_R2: sent MR2, expecting MI3
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.129'
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: switched from "tunnel1-nat" to "tunnel1-nat"
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: new NAT mapping for #3, was 192.168.10.25:1, now 192.168.10.25:1024
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: the peer proposed: 192.168.10.254/32:17/0 -> 192.168.8.129/32:17/0
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: responding to Quick Mode proposal {msgid:01000000}
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4:     us: vhost:?===192.168.10.254<192.168.10.254>:17/%any
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4:   them: 192.168.10.25[192.168.8.129]:17/1701
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: cannot install eroute -- it is in use for "tunnel1-nat"[2] 192.168.10.25 #2
May  8 15:43:56 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: next payload type of ISAKMP Hash Payload has an unknown value: 94
May  8 15:43:56 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: malformed payload in packet
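The attached log is easier to read when the two colliding states are paired with the clients they serve. The following script is an added example, not part of this thread or of libreswan: it parses pluto lines in the shape shown above (the `them:` selector line gives the NAT address and the inner client address per state number, and the `cannot install eroute` line names the state already holding the route) and reports each collision. The log lines embedded in it are a constructed sample modelled on the attachment, not the attachment itself.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the attached pluto log (not the original
# attachment): two Windows clients arriving from the same NAT address.
SAMPLE_LOG = """\
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: responding to Quick Mode proposal {msgid:01000000}
May  8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2:   them: 192.168.10.25[192.168.8.131]:17/1701
May  8 15:43:41 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x403b2214 <0x13dd2ad6 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.8.131 NATD=192.168.10.25:4500 DPD=active}
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: responding to Quick Mode proposal {msgid:01000000}
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4:   them: 192.168.10.25[192.168.8.129]:17/1701
May  8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: cannot install eroute -- it is in use for "tunnel1-nat"[2] 192.168.10.25 #2
"""

# "<conn>"[<instance>] <peer> #<state>: <message>
STATE_RE = re.compile(r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<st>\d+): (?P<msg>.*)$')
# them: <NAT address>[<inner client address>]:<proto>/<port>
THEM_RE = re.compile(r'them: (?P<nat>[\d.]+)\[(?P<inner>[\d.]+)\]:(?P<proto>\d+)/(?P<port>\d+)')
EROUTE_RE = re.compile(r'cannot install eroute -- it is in use for "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<st>\d+)')

@dataclass
class Collision:
    blocked_state: int
    blocked_client: str
    inuse_state: int
    inuse_client: str
    nat_addr: str

def find_eroute_collisions(log_text):
    """Map each IPsec state (#N) to the client it serves, then report every
    'cannot install eroute' line with the two clients involved."""
    clients = {}      # state number -> (NAT address, inner client address)
    collisions = []
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue
        st, msg = int(m.group('st')), m.group('msg')
        t = THEM_RE.search(msg)
        if t:
            clients[st] = (t.group('nat'), t.group('inner'))
            continue
        e = EROUTE_RE.search(msg)
        if e:
            inuse = int(e.group('st'))
            nat, blocked_client = clients.get(st, (m.group('peer'), '?'))
            _, inuse_client = clients.get(inuse, (None, '?'))
            collisions.append(Collision(st, blocked_client, inuse, inuse_client, nat))
    return collisions

if __name__ == '__main__':
    for c in find_eroute_collisions(SAMPLE_LOG):
        print(f"#{c.blocked_state} for client {c.blocked_client} blocked by #{c.inuse_state} "
              f"for client {c.inuse_client}; both arrive from NAT address {c.nat_addr}")
```

Run against the real attachment, the report shows that both states belong to the same NAT address 192.168.10.25 while the inner client addresses differ, which is the transport-mode overlap the error message describes.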

