[Swan] libreswan 3.17 NAT-T fails in phase2
Ge Xu
tobyfan1980 at gmail.com
Tue Jun 14 06:16:57 UTC 2016
I am testing a VPN behind a NAT gateway. I tried libreswan 3.15 and 3.17
with the same configuration. 3.15 succeeds, but 3.17 fails.
Here is the ipsec.conf of the VPN endpoint behind NAT:
config setup
        protostack=klips
        interfaces="ipsec0=eth0"

conn vpn-0
        authby=secret
        auto=start
        left=<local ip>
        leftid=<vpn peer ip public>
        right=<vpn remote peer ip>
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        ike=3des-sha1;modp1024
        phase2alg=3des-sha1;modp1024
        ikelifetime=28800s
        salifetime=3600s
        leftupdown=/var/run/updown.klips
        dpddelay=15
        dpdtimeout=25
        dpdaction=hold
Then I run ipsec verify and get:
Version check and ipsec on-path [OK]
Libreswan 3.17 (klips) on 3.13.0-79-generic
Checking for IPsec support in kernel [OK]
KLIPS: checking for NAT Traversal support [OK]
KLIPS: checking for OCF crypto offload support [N/A]
KLIPS: IPsec SAref kernel support [N/A]
KLIPS: IPsec SAref Bind kernel support [N/A]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
Looks OK. Then I ran ipsec status and got:
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64}
trans={0,2,2112} attrs={0,2,1408}
000
000 Connection list:
000
000 "vpn-0": 0.0.0.0/0===10.0.0.1
<10.0.0.1>[10.2.128.241]...10.2.128.240<10.2.128.240>===0.0.0.0/0;
unrouted; eroute owner: #0
000 "vpn-0": oriented; my_ip=unset; their_ip=unset;
myup=/var/run/updown.klips
000 "vpn-0": xauth us:none, xauth them:none, my_username=[any];
their_username=[any]
000 "vpn-0": modecfg info: us:none, them:none, modecfg policy:push,
dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "vpn-0": labeled_ipsec:no;
000 "vpn-0": policy_label:unset;
000 "vpn-0": ike_life: 28800s; ipsec_life: 3600s; replay_window: 32;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "vpn-0": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "vpn-0": sha2_truncbug:no; initial_contact:no; cisco_unity:no;
fake_strongswan:no; send_vendorid:no;
000 "vpn-0": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "vpn-0": conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset;
sa_prio:auto; nflog-group: unset; mark: unset;
000 "vpn-0": dpd: action:hold; delay:15; timeout:75; nat-t:
force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "vpn-0": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "vpn-0": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
000 "vpn-0": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "vpn-0": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "vpn-0": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
pfsgroup=MODP1024(2)
000 "vpn-0": ESP algorithms loaded: 3DES(3)_000-SHA1(2)_000
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE
connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "vpn-0":4500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_CRYPTO_FAILED in 54s; lastdpd=-1s(seq in:0 out:0); idle; import:admin
initiate
000 #1: "vpn-0":4500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 27801s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:admin initiate
000
000 Bare Shunt list:
000
When I generate some traffic from the remote peer, tcpdump shows the
encapsulated packet arriving on the ipsec0 interface, but it is not decapsulated.
I was wondering if there is any change from 3.15 to 3.17 that makes my
ipsec.conf stop working.
Thanks for any suggestions and help.
Toby
--
Ge (Toby) Xu
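The status output above is the useful evidence in this report: #1 is in STATE_MAIN_I4 (ISAKMP SA established, IKE running over UDP 4500, so NAT-T was negotiated), while #2 is stuck in STATE_QUICK_I1 with EVENT_CRYPTO_FAILED, i.e. phase 1 works and phase 2 never completes. The following added script (not part of the post or of libreswan) parses `ipsec status` state lines and summarises, per connection, whether NAT-T is in use and which phase is down; the sample lines are the two from the report, reflowed onto single lines.

```python
import re

# Constructed sample: the two "000 #N:" state lines from the report, one per line.
SAMPLE_STATUS = """\
000 #2: "vpn-0":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_CRYPTO_FAILED in 54s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: "vpn-0":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27801s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
"""

# Matches the fixed prefix of a libreswan IKEv1 state line as printed by "ipsec status".
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":(?P<port>\d+) (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>\d+)s;'
)

# IKEv1 states that mean the respective phase has completed (libreswan state names).
PHASE1_DONE = {"STATE_MAIN_I4", "STATE_MAIN_R3", "STATE_AGGR_I2", "STATE_AGGR_R2"}
PHASE2_DONE = {"STATE_QUICK_I2", "STATE_QUICK_R2"}


def parse_states(text):
    """Return one dict per recognised state line (number, conn, port, state, event, secs)."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("num", "port", "secs"):
                d[k] = int(d[k])
            states.append(d)
    return states


def diagnose(text):
    """Per connection: NAT-T in use, phase 1 up, phase 2 up, and any phase-2 SAs that are not complete."""
    report = {}
    for s in parse_states(text):
        r = report.setdefault(s["conn"], {"nat_t": False, "phase1": False, "phase2": False, "stuck": []})
        if s["port"] == 4500:
            r["nat_t"] = True  # IKE moved to UDP 4500: NAT detected, UDP encapsulation negotiated
        if s["state"] in PHASE1_DONE:
            r["phase1"] = True
        elif s["state"] in PHASE2_DONE:
            r["phase2"] = True
        elif s["state"].startswith("STATE_QUICK_"):
            # Quick Mode started but did not finish; the pending event says why it is waiting.
            r["stuck"].append((s["num"], s["state"], s["event"]))
    return report


if __name__ == "__main__":
    for conn, r in diagnose(SAMPLE_STATUS).items():
        print(conn, r)
```

Run it against a live `ipsec status` capture by replacing SAMPLE_STATUS with the real output; a connection with phase1 True, phase2 False and a STATE_QUICK_* entry in "stuck" is exactly the symptom described in this thread.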