[Swan] Problem with subnet-to-subnet setup behind NAT'ed networks

Jacob Vind libreswan at harm.dk
Thu Feb 11 12:59:01 UTC 2016


Hi,

I really hope we can get some help. We are trying to set up a 
subnet-to-subnet Libreswan-based IPsec connection between two sites of 
ours, but we are having problems with it: we can get it to start up and 
it works for a while (the time varies from a few minutes to hours). I hope 
someone will help review the config and log and come up with suggestions.

First a simple network diagram of the setup can be seen here: 
https://www.evernote.com/l/AR8bgtmQgg5B0oT3ZWWdgQ2DL5_I-I7HqKA

I figure that might make it easier to understand the setup. As you can 
see, we operate with two private subnets on each side. Below are the libreswan 
configs from the left and right side (edited only so that the public IPs are 
not visible and the keys are not shown in full):


LEFT:

--- BEGIN ---
conn adsubnets
     also=sj-dtu-tunnel
     leftsubnet=172.16.1.0/24
     leftsourceip=172.16.1.253
     rightsubnet=172.16.0.0/24
     rightsourceip=172.16.0.253
     forceencaps=yes
     nat-keepalive=yes

conn sj-dtu-tunnel
     leftid=@SJ
     left=192.168.3.212
     leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
     rightid=@DTU
     right=77.X.X.X
     rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
     authby=rsasig
     # load and initiate automatically
     auto=start
--- END ---

The default gw of this machine is 192.168.3.254


RIGHT:


--- BEGIN ---
conn adsubnets
     also=sj-dtu-tunnel
     leftsubnet=172.16.1.0/24
     leftsourceip=172.16.1.253
     rightsubnet=172.16.0.0/24
     rightsourceip=172.16.0.253
     forceencaps=yes
     nat-keepalive=yes

conn sj-dtu-tunnel
     leftid=@SJ
     left=70.X.X.X
     leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
     rightid=@DTU
     right=192.168.13.238
     rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
     authby=rsasig
     # load and initiate automatically
     auto=start
--- END ---

The default gw of this machine is 192.168.13.254

We have made iptables rules so that UDP ports 4500 and 500 can pass all the 
way, of course in both directions. Both IPsec routers are running CentOS 7, and we 
have installed your latest version, 3.16-1 (we first tried 3.15, which 
ships with CentOS, and had the same failure with that).

Below is some log output from the left-side machine, where I have included 
lines from around the points where it stops working and starts working again. We 
monitor with ping to see when it stops working, and it is not because the 
internet connection between the two sides is unavailable.

Anything we are missing? Any input will be highly appreciated.

Also please let me know if you need more information from me.


Thanks.

Best Regards

Jacob Vind.


Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #4 {using isakmp#14 msgid:ae9942a9 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf21e014b <0x9a31be7b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=77.X.X.X:4500 DPD=passive}

Feb  9 13:32 PING TO OTHER SIDE STOPS RESPONDING

Feb  9 13:33:15 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #2 {using isakmp#14 msgid:ae8e6273 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb  9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x0aeaae7f <0x277fbba9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=77.X.X.X:4500 DPD=passive}

Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #15 {using isakmp#25 msgid:f0fa5ae3 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf2072842 <0x93cdf1ba xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=77.X.X.X:4500 DPD=passive}

Feb  9 21:12 PING TO OTHER SIDE STARTS RESPONDING

Feb  9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #16 {using isakmp#25 msgid:57db7cff proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb  9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x8d372f11 <0xb0f75aac xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=77.X.X.X:4500 DPD=passive}

Feb  9 21:16 PING TO OTHER SIDE STOPS RESPONDING
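The log excerpt above interleaves hand-written ping markers with pluto's Quick Mode rekey messages, and the useful question for anyone reviewing it is which child SA came up just before each change in reachability, and whether both child connections are rekeying under the same ISAKMP SA. The script below is an added example, not code from the post or from the libreswan project: it parses the pluto lines shown above (re-joined onto single lines, since the mail client wrapped them), tracks the ping markers, and correlates the two. The sample log embedded in it is constructed from the excerpt above; the function names and the event dictionary layout are my own. Because syslog timestamps carry no year and the ping markers only have minute resolution, ordering follows the position in the file rather than the timestamps.

```python
import re
from collections import defaultdict

# Constructed sample input: the pluto lines and ping markers from the post,
# re-joined onto single lines. Only "initiating Quick Mode" and
# "IPsec SA established" lines carry information we use here.
SAMPLE_LOG = """\
Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #4 {using isakmp#14 msgid:ae9942a9 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf21e014b <0x9a31be7b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=77.X.X.X:4500 DPD=passive}
Feb  9 13:32 PING TO OTHER SIDE STOPS RESPONDING
Feb  9 13:33:15 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #2 {using isakmp#14 msgid:ae8e6273 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x0aeaae7f <0x277fbba9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=77.X.X.X:4500 DPD=passive}
Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #15 {using isakmp#25 msgid:f0fa5ae3 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf2072842 <0x93cdf1ba xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=77.X.X.X:4500 DPD=passive}
Feb  9 21:12 PING TO OTHER SIDE STARTS RESPONDING
Feb  9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #16 {using isakmp#25 msgid:57db7cff proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x8d372f11 <0xb0f75aac xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=77.X.X.X:4500 DPD=passive}
Feb  9 21:16 PING TO OTHER SIDE STOPS RESPONDING
"""

# syslog prefix + pluto's '"conn" #state:' prefix
PLUTO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# the hand-written reachability markers (minute resolution only)
PING_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d) PING TO OTHER SIDE '
    r'(?P<state>STOPS|STARTS) RESPONDING$')
REPLACE_RE = re.compile(r'to replace #(?P<old>\d+) \{using isakmp#(?P<ike>\d+)')
ESTABLISHED_RE = re.compile(
    r'IPsec SA established .*ESP/NAT=>(?P<out_spi>0x[0-9a-f]+) <(?P<in_spi>0x[0-9a-f]+)')


def parse_events(text):
    """Turn raw lines into event dicts, preserving file order."""
    events = []
    for line in text.splitlines():
        m = PING_RE.match(line)
        if m:
            events.append({"kind": "ping", "ts": m["ts"], "state": m["state"]})
            continue
        m = PLUTO_RE.match(line)
        if not m:
            continue  # unrelated syslog noise
        base = {"ts": m["ts"], "conn": m["conn"], "sa": int(m["sa"])}
        r = REPLACE_RE.search(m["msg"])
        if r:
            events.append({"kind": "rekey", "replaces": int(r["old"]),
                           "ike": int(r["ike"]), **base})
            continue
        e = ESTABLISHED_RE.search(m["msg"])
        if e:
            events.append({"kind": "established", "out_spi": e["out_spi"],
                           "in_spi": e["in_spi"], **base})
    return events


def correlate_ping_changes(events):
    """For every ping state change, report the last child SA that came up
    before it as (state, conn, sa, outbound_spi)."""
    last, out = None, []
    for ev in events:
        if ev["kind"] == "established":
            last = ev
        elif ev["kind"] == "ping":
            out.append((ev["state"],
                        last["conn"] if last else None,
                        last["sa"] if last else None,
                        last["out_spi"] if last else None))
    return out


def rekey_chains(events):
    """Per connection, the (new_sa, replaced_sa) pairs in log order."""
    chains = defaultdict(list)
    for ev in events:
        if ev["kind"] == "rekey":
            chains[ev["conn"]].append((ev["sa"], ev["replaces"]))
    return dict(chains)


def conns_per_ike_sa(events):
    """Which child connections rekeyed under each ISAKMP (IKE) SA."""
    sharing = defaultdict(set)
    for ev in events:
        if ev["kind"] == "rekey":
            sharing[ev["ike"]].add(ev["conn"])
    return {ike: sorted(conns) for ike, conns in sharing.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for state, conn, sa, spi in correlate_ping_changes(evs):
        print(f"ping {state:6s} -> last child SA up: {conn} #{sa} (out SPI {spi})")
    print("rekey chains:", rekey_chains(evs))
    print("conns per IKE SA:", conns_per_ike_sa(evs))
```

Run against a longer stretch of the real log (for example the output of `journalctl -u ipsec` with the ping markers pasted in at the right positions), the correlation shows at a glance which connection's rekey precedes each outage and each recovery, and the per-IKE-SA view shows that both child connections here rekey under the same ISAKMP SA, which is the first thing to compare against the right-side log before suspecting the NAT devices or the keepalives.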


