[Swan] Problem with subnet-to-subnet setup behind NAT'ed networks

Tony Whyman tony.whyman at mccallumwhyman.com
Thu Feb 11 13:19:30 UTC 2016


Jacob,

I have a similar and working setup using Libreswan/Ubuntu. The main 
difference is that I have the tunnels working peer-to-peer rather than 
subnet-to-subnet and it may be worth your while testing and proving the 
peer to peer case before moving to the subnet-to-subnet case.

Otherwise, I can only see two differences in the configuration:

1. You have used left/rightsourceip while I have not (probably not 
significant).

2. In my case I have an asymmetric tunnel establishment, i.e. one side 
is "auto=add". This may be significant when it comes to the NAT 
gateways. The passive side also has a dpdaction of clear.

The NAT gateways are also set up to forward all incoming port 500/4500 
UDP to the secure gateways.

Good luck

Tony Whyman

On 11/02/16 12:59, Jacob Vind wrote:
> Hi,
>
> I really hope we can get some help; we are trying to set up a 
> subnet-to-subnet Libreswan based IPSEC connection between two sites of 
> ours. But we are having problems with it: we can get it to start up and 
> work for a while (time varies from a few minutes to hours). I hope 
> someone will help review the config and log and come with suggestions.
>
> First a simple network diagram of the setup can be seen here: 
> https://www.evernote.com/l/AR8bgtmQgg5B0oT3ZWWdgQ2DL5_I-I7HqKA
>
> I figure that might make it easier to understand the setup. As you can 
> see we operate with two private subnets on each side. Below are the 
> Libreswan configs from the left and right side (just edited so the public IP 
> is not visible and not the entire key):
>
>
> LEFT:
>
> --- BEGIN ---
> conn adsubnets
>     also=sj-dtu-tunnel
>     leftsubnet=172.16.1.0/24
>     leftsourceip=172.16.1.253
>     rightsubnet=172.16.0.0/24
>     rightsourceip=172.16.0.253
>     forceencaps=yes
>     nat-keepalive=yes
>
> conn sj-dtu-tunnel
>     leftid=@SJ
>     left=192.168.3.212
>     leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
>     rightid=@DTU
>     right=77.X.X.X
>     rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
>     authby=rsasig
>     # load and initiate automatically
>     auto=start
> --- END ---
>
> The default gw of this machine is 192.168.3.254
>
>
> RIGHT:
>
>
> --- BEGIN ---
> conn adsubnets
>     also=sj-dtu-tunnel
>     leftsubnet=172.16.1.0/24
>     leftsourceip=172.16.1.253
>     rightsubnet=172.16.0.0/24
>     rightsourceip=172.16.0.253
>     forceencaps=yes
>     nat-keepalive=yes
>
> conn sj-dtu-tunnel
>     leftid=@SJ
>     left=70.X.X.X
>     leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
>     rightid=@DTU
>     right=192.168.13.238
>     rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
>     authby=rsasig
>     # load and initiate automatically
>     auto=start
> --- END ---
>
> The default gw of this machine is 192.168.13.254
> We have made iptables rules so UDP ports 4500 and 500 can pass all the 
> way, of course both ways. Both ipsec routers are running CentOS 7, and 
> we have installed your latest version 3.16-1 (we first tried with 3.15, 
> which ships with CentOS, and had the same failure with that).
>
> Below is some log from the left side machine, where I have included 
> lines from around where it stops working and starts working again. We 
> monitor with ping when it stops working, and it is not because the 
> internet connection between the two sides is unavailable.
>
> Anything we are missing? Any input will be highly appreciated.
>
> Also please let me know if you need more information from me.
>
>
> Thanks.
>
> Best Regards
>
> Jacob Vind.
>
>
> Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: initiating 
> Quick Mode 
> RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
> to replace #4 {using isakmp#14 msgid:ae9942a9 proposal=defaults 
> pfsgroup=OAKLEY_GROUP_MODP2048}
> Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: transition 
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: 
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
> {ESP/NAT=>0xf21e014b <0x9a31be7b xfrm=AES_128-HMAC_SHA1 NATOA=none 
> NATD= 77.X.X.X:4500 DPD=passive}
>
> Feb  9 13:32 PING TO OTHER SIDE STOPS RESPONDING
>
> Feb  9 13:33:15 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: 
> initiating Quick Mode 
> RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
> to replace #2 {using isakmp#14 msgid:ae8e6273 proposal=defaults 
> pfsgroup=OAKLEY_GROUP_MODP2048}
> Feb  9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: 
> transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Feb  9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: 
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
> {ESP/NAT=>0x0aeaae7f <0x277fbba9 xfrm=AES_128-HMAC_SHA1 NATOA=none 
> NATD= 77.X.X.X:4500 DPD=passive}
>
> Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: initiating 
> Quick Mode 
> RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
> to replace #15 {using isakmp#25 msgid:f0fa5ae3 proposal=defaults 
> pfsgroup=OAKLEY_GROUP_MODP2048}
> Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: transition 
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: 
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
> {ESP/NAT=>0xf2072842 <0x93cdf1ba xfrm=AES_128-HMAC_SHA1 NATOA=none 
> NATD= 77.X.X.X:4500 DPD=passive}
>
> Feb  9 21:12 PING TO OTHER SIDE STARTS RESPONDING
>
>
> Feb  9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: 
> initiating Quick Mode 
> RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
> to replace #16 {using isakmp#25 msgid:57db7cff proposal=defaults 
> pfsgroup=OAKLEY_GROUP_MODP2048}
> Feb  9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: 
> transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Feb  9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: 
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
> {ESP/NAT=>0x8d372f11 <0xb0f75aac xfrm=AES_128-HMAC_SHA1 NATOA=none 
> NATD= 77.X.X.X:4500 DPD=passive}
>
> Feb  9 21:16 PING TO OTHER SIDE STOPS RESPONDING
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
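Added example (not code from either poster or from the Libreswan project): a small Python parser for the pluto log lines quoted above. It records each Quick Mode rekey and each established IPsec SA per conn, which ISAKMP SA the rekey ran under, and the SPIs, so the SA replacements can be lined up against the ping-outage timestamps; the sample lines are the quoted ones, unwrapped to one line each.

```python
import re
# Constructed sample: the pluto lines quoted above, unwrapped to one line each.
SAMPLE_LOG = """\
Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #4 {using isakmp#14 msgid:ae9942a9 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf21e014b <0x9a31be7b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb  9 13:33:15 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #2 {using isakmp#14 msgid:ae8e6273 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x0aeaae7f <0x277fbba9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #15 {using isakmp#25 msgid:f0fa5ae3 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf2072842 <0x93cdf1ba xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
"""
LINE_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                     r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# Quick Mode rekey: which IPsec SA is replaced and under which ISAKMP (IKE) SA
REPLACE_RE = re.compile(r'to replace #(?P<old>\d+) \{using isakmp#(?P<ike>\d+)')
# Established IPsec SA: NAT-T marker, outbound/inbound SPIs, transform, DPD mode
SA_RE = re.compile(r'IPsec SA established .*?\{ESP(?P<nat>/NAT)?=>(?P<spi_out>0x[0-9a-f]+) '
                   r'<(?P<spi_in>0x[0-9a-f]+) xfrm=(?P<xfrm>\S+) .*?DPD=(?P<dpd>\w+)')

def parse_pluto_log(text):
    """One event dict per rekey/established line, in log order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {'ts': m['ts'], 'conn': m['conn'], 'state': int(m['state'])}
        r, s = REPLACE_RE.search(m['msg']), SA_RE.search(m['msg'])
        if r:
            ev.update(kind='rekey', replaces=int(r['old']), ike=int(r['ike']))
        elif s:
            ev.update(kind='established', spi_out=s['spi_out'], spi_in=s['spi_in'],
                      xfrm=s['xfrm'], nat_t=s['nat'] is not None, dpd=s['dpd'])
        else:
            continue
        events.append(ev)
    return events

def ike_sa_usage(events):
    """ISAKMP SA number -> set of conns that negotiated child SAs under it."""
    usage = {}
    for ev in events:
        if ev['kind'] == 'rekey':
            usage.setdefault(ev['ike'], set()).add(ev['conn'])
    return usage

def sa_chain(events, conn):
    """(ts, state, replaced state, outbound SPI) per established IPsec SA of one conn."""
    replaced = {ev['state']: ev['replaces'] for ev in events if ev['kind'] == 'rekey'}
    return [(ev['ts'], ev['state'], replaced.get(ev['state']), ev['spi_out'])
            for ev in events if ev['conn'] == conn and ev['kind'] == 'established']
```

Feed it the full pluto log and compare the `sa_chain` timestamps for each conn with the times ping stopped and resumed; `ike_sa_usage` also shows which conns share one ISAKMP SA.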