[Swan] Problem with subnet-to-subnet setup behind NAT'ed networks
Tony Whyman
tony.whyman at mccallumwhyman.com
Thu Feb 11 13:19:30 UTC 2016
Jacob,
I have a similar and working setup using Libreswan/Ubuntu. The main
difference is that I have the tunnels working peer-to-peer rather than
subnet-to-subnet, and it may be worth your while testing and proving the
peer-to-peer case before moving to the subnet-to-subnet case.
Otherwise, I can only see two differences in the configuration:
1. You have used left/rightsourceip while I have not (probably not
significant).
2. In my case I have an asymmetric tunnel establishment i.e. one side
is "auto=add". This may be significant when it comes to the NAT
gateways. The passive side also has a dpdaction of clear.
The NAT gateways are also set up to forward all incoming port 500/4500
UDP to the secure gateways.
Good luck
Tony Whyman
On 11/02/16 12:59, Jacob Vind wrote:
> Hi,
>
> I really hope we can get some help, we are trying to set up a
> subnet-to-subnet Libreswan based IPSEC connection between two sites of
> ours. But we are having problems with it, we can get it to start up and
> work for a while (time varies from a few minutes to hours). I hope
> someone will help review the config and log and come with suggestions.
>
> First a simple network diagram of the setup can be seen here:
> https://www.evernote.com/l/AR8bgtmQgg5B0oT3ZWWdgQ2DL5_I-I7HqKA
>
> I figure that might make it easier to understand the setup. As you can
> see we operate with two private subnets on each side. Below are the
> Libreswan configs from the left and right side (just edited so the public IP
> is not visible and not the entire key):
>
>
> LEFT:
>
> --- BEGIN ---
> conn adsubnets
> also=sj-dtu-tunnel
> leftsubnet=172.16.1.0/24
> leftsourceip=172.16.1.253
> rightsubnet=172.16.0.0/24
> rightsourceip=172.16.0.253
> forceencaps=yes
> nat-keepalive=yes
>
> conn sj-dtu-tunnel
> leftid=@SJ
> left=192.168.3.212
> leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
> rightid=@DTU
> right=77.X.X.X
> rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
> authby=rsasig
> # load and initiate automatically
> auto=start
> --- END ---
>
> The default gw of this machine is 192.168.3.254
>
>
> RIGHT:
>
>
> --- BEGIN ---
> conn adsubnets
> also=sj-dtu-tunnel
> leftsubnet=172.16.1.0/24
> leftsourceip=172.16.1.253
> rightsubnet=172.16.0.0/24
> rightsourceip=172.16.0.253
> forceencaps=yes
> nat-keepalive=yes
>
> conn sj-dtu-tunnel
> leftid=@SJ
> left=70.X.X.X
> leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
> rightid=@DTU
> right=192.168.13.238
> rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
> authby=rsasig
> # load and initiate automatically
> auto=start
> --- END ---
>
> The default gw of this machine is 192.168.13.254
> We have made iptables rules so UDP ports 4500 and 500 can pass all the
> way, of course both ways. Both ipsec routers are running CentOS 7, and
> we have installed your latest version 3.16-1 (we first tried with 3.15,
> which ships with CentOS, and had the same failure with that).
>
> Below is some log output from the left side machine, where I have included
> lines from around where it stops working and starts working again. We
> monitor with ping when it stops working, and it is not because the
> internet connection between the two sides is unavailable.
>
> Anything we are missing? Any input will be highly appreciated.
>
> Also please let me know if you need more information from me.
>
>
> Thanks.
>
> Best Regards
>
> Jacob Vind.
>
>
> Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: initiating
> Quick Mode
> RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
> to replace #4 {using isakmp#14 msgid:ae9942a9 proposal=defaults
> pfsgroup=OAKLEY_GROUP_MODP2048}
> Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP/NAT=>0xf21e014b <0x9a31be7b xfrm=AES_128-HMAC_SHA1 NATOA=none
> NATD= 77.X.X.X:4500 DPD=passive}
>
> Feb 9 13:32 PING TO OTHER SIDE STOPS RESPONDING
>
> Feb 9 13:33:15 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16:
> initiating Quick Mode
> RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
> to replace #2 {using isakmp#14 msgid:ae8e6273 proposal=defaults
> pfsgroup=OAKLEY_GROUP_MODP2048}
> Feb 9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16:
> transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Feb 9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP/NAT=>0x0aeaae7f <0x277fbba9 xfrm=AES_128-HMAC_SHA1 NATOA=none
> NATD= 77.X.X.X:4500 DPD=passive}
>
> Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: initiating
> Quick Mode
> RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
> to replace #15 {using isakmp#25 msgid:f0fa5ae3 proposal=defaults
> pfsgroup=OAKLEY_GROUP_MODP2048}
> Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP/NAT=>0xf2072842 <0x93cdf1ba xfrm=AES_128-HMAC_SHA1 NATOA=none
> NATD= 77.X.X.X:4500 DPD=passive}
>
> Feb 9 21:12 PING TO OTHER SIDE STARTS RESPONDING
>
>
> Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27:
> initiating Quick Mode
> RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
> to replace #16 {using isakmp#25 msgid:57db7cff proposal=defaults
> pfsgroup=OAKLEY_GROUP_MODP2048}
> Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27:
> transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP/NAT=>0x8d372f11 <0xb0f75aac xfrm=AES_128-HMAC_SHA1 NATOA=none
> NATD= 77.X.X.X:4500 DPD=passive}
>
> Feb 9 21:16 PING TO OTHER SIDE STOPS RESPONDING
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
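As an added illustration of how to work through pluto log excerpts like the ones quoted above (example code written for this thread, not code from the thread's participants or from the Libreswan project): a small Python parser that extracts each "IPsec SA established" event, attaches the state number it replaced (from the matching "initiating Quick Mode" line), lists which conn names negotiate child SAs towards the same NAT-T peer, and lines the SAs up against the ping observations. The sample log lines are the thread's, re-joined onto single syslog lines; the year, the minute-granular ping markers and all helper names are assumptions.

```python
"""Pull IPsec SA (Quick Mode) rekey events out of Libreswan pluto syslog lines
and line them up against observed tunnel outages. Added example for this
thread, not Libreswan code; assumes one pluto event per syslog line."""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2016  # assumption: syslog timestamps carry no year

LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+'
    r'(?P<host>\S+)\s+pluto\[(?P<pid>\d+)\]:\s+"(?P<conn>[^"]+)"\s+#(?P<state>\d+):\s+(?P<msg>.*)$')
INITIATE_RE = re.compile(
    r'initiating Quick Mode (?P<flags>\S+)(?: to replace #(?P<replaces>\d+))? \{using isakmp#(?P<isakmp>\d+)')
ESTAB_RE = re.compile(
    r'IPsec SA established (?P<mode>\w+) mode \{ESP(?:/NAT)?=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+)'
    r' xfrm=(?P<xfrm>\S+) NATOA=(?P<natoa>\S+) NATD=\s*(?P<natd>\S+) DPD=(?P<dpd>[^}\s]+)\}')

FLAGS = "RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW"
# Constructed sample: the thread's pluto lines, re-joined onto single syslog lines.
SAMPLE_LOG = """\
Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: initiating Quick Mode FLAGS to replace #4 {using isakmp#14 msgid:ae9942a9 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf21e014b <0x9a31be7b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb 9 13:33:15 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: initiating Quick Mode FLAGS to replace #2 {using isakmp#14 msgid:ae8e6273 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x0aeaae7f <0x277fbba9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: initiating Quick Mode FLAGS to replace #15 {using isakmp#25 msgid:f0fa5ae3 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf2072842 <0x93cdf1ba xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: initiating Quick Mode FLAGS to replace #16 {using isakmp#25 msgid:57db7cff proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x8d372f11 <0xb0f75aac xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
""".replace("FLAGS", FLAGS)
# The thread's ping observations, minute granularity (constructed markers).
PING_EVENTS = [("Feb 9 13:32", "down"), ("Feb 9 21:12", "up"), ("Feb 9 21:16", "down")]


def _ts(mon, day, clock, year, fmt):
    return datetime.strptime(f"{year} {mon} {int(day):02d} {clock}", fmt)


def parse_pluto_log(text, year=LOG_YEAR):
    """One dict per per-connection pluto line, classified as initiate/established/other."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # daemon chatter without a "conn" #state prefix
        ev = {"time": _ts(m["mon"], m["day"], m["time"], year, "%Y %b %d %H:%M:%S"),
              "conn": m["conn"], "state": int(m["state"]), "kind": "other"}
        init, est = INITIATE_RE.search(m["msg"]), ESTAB_RE.search(m["msg"])
        if init:
            ev.update(kind="initiate", isakmp=int(init["isakmp"]),
                      replaces=int(init["replaces"]) if init["replaces"] else None)
        elif est:
            ev.update(kind="established", spi_out=est["spi_out"], spi_in=est["spi_in"],
                      xfrm=est["xfrm"], natd=est["natd"], dpd=est["dpd"])
        events.append(ev)
    return events


def established_sas(events):
    """Child SAs that came up, each tagged with the state it replaced (from the initiate line)."""
    replaces, sas = {}, []
    for ev in events:
        key = (ev["conn"], ev["state"])
        if ev["kind"] == "initiate":
            replaces[key] = ev["replaces"]
        elif ev["kind"] == "established":
            sas.append(dict(ev, replaces=replaces.get(key)))
    return sas


def conns_per_peer(sas):
    """Which conn names negotiate child SAs towards the same NAT-T peer (NATD)."""
    peers = {}
    for sa in sas:
        peers.setdefault(sa["natd"], set()).add(sa["conn"])
    return {peer: sorted(names) for peer, names in peers.items()}


def correlate(sas, ping_events, year=LOG_YEAR, resolution=timedelta(minutes=1)):
    """For each ping observation: the most recent SA that came up before the end of
    that minute, and its age in seconds (negative = up later within the same minute)."""
    out = []
    for when, status in ping_events:
        mon, day, clock = when.split()
        t = _ts(mon, day, clock, year, "%Y %b %d %H:%M")
        prior = [sa for sa in sas if sa["time"] < t + resolution]
        last = prior[-1] if prior else None
        out.append({"time": t, "status": status,
                    "last_sa": (last["conn"], last["state"]) if last else None,
                    "age_s": int((t - last["time"]).total_seconds()) if last else None})
    return out


if __name__ == "__main__":
    sas = established_sas(parse_pluto_log(SAMPLE_LOG))
    for sa in sas:
        print(f'{sa["time"]:%b %d %H:%M:%S} {sa["conn"]:14} #{sa["state"]:<3} replaces #{sa["replaces"]} '
              f'out={sa["spi_out"]} in={sa["spi_in"]} peer={sa["natd"]}')
    print("conns per peer:", conns_per_peer(sas))
    for row in correlate(sas, PING_EVENTS):
        print(f'{row["time"]:%b %d %H:%M} ping {row["status"]:4} last SA up: {row["last_sa"]} ({row["age_s"]}s earlier)')
```

Run against a full `journalctl -u ipsec` or `/var/log/secure` dump, the timeline makes it easy to see whether every outage follows a rekey of one particular conn, and `conns_per_peer` shows when more than one conn (here both "mysubnet" and "sj-dtu-tunnel") is bringing up child SAs to the same NAT-T peer, which is the first thing to check against the intended subnet-to-subnet policy.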