[Swan] libreswan 3.17 NAT-T fails in phase2

Ge Xu tobyfan1980 at gmail.com
Tue Jun 14 06:16:57 UTC 2016


I am testing a VPN behind a NAT gateway. I tried libreswan 3.15 and 3.17
with the same configuration. 3.15 succeeds, but 3.17 fails.

Here is ipsec.conf of the VPN endpoint behind NAT

config setup
        protostack=klips
        interfaces="ipsec0=eth0"
conn vpn-0
        authby=secret
        auto=start
        left=<local ip>
        leftid=<vpn peer ip public>
        right=<vpn remote peer ip>
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        ike=3des-sha1;modp1024
        phase2alg=3des-sha1;modp1024
        ikelifetime=28800s
        salifetime=3600s
        leftupdown=/var/run/updown.klips
        dpddelay=15
        dpdtimeout=25
        dpdaction=hold

Then I ran ipsec verify and got
Version check and ipsec on-path                         [OK]
Libreswan 3.17 (klips) on 3.13.0-79-generic
Checking for IPsec support in kernel                    [OK]
 KLIPS: checking for NAT Traversal support              [OK]
 KLIPS: checking for OCF crypto offload support         [N/A]
 KLIPS: IPsec SAref kernel support                      [N/A]
 KLIPS: IPsec SAref Bind kernel support                 [N/A]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

Looks OK. Then I ran ipsec status and got

000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64}
trans={0,2,2112} attrs={0,2,1408}
000
000 Connection list:
000
000 "vpn-0": 0.0.0.0/0===10.0.0.1
<10.0.0.1>[10.2.128.241]...10.2.128.240<10.2.128.240>===0.0.0.0/0;
unrouted; eroute owner: #0
000 "vpn-0":     oriented; my_ip=unset; their_ip=unset;
myup=/var/run/updown.klips
000 "vpn-0":   xauth us:none, xauth them:none,  my_username=[any];
their_username=[any]
000 "vpn-0":   modecfg info: us:none, them:none, modecfg policy:push,
dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "vpn-0":   labeled_ipsec:no;
000 "vpn-0":   policy_label:unset;
000 "vpn-0":   ike_life: 28800s; ipsec_life: 3600s; replay_window: 32;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "vpn-0":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "vpn-0":   sha2_truncbug:no; initial_contact:no; cisco_unity:no;
fake_strongswan:no; send_vendorid:no;
000 "vpn-0":   policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "vpn-0":   conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset;
sa_prio:auto; nflog-group: unset; mark: unset;
000 "vpn-0":   dpd: action:hold; delay:15; timeout:75; nat-t:
force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "vpn-0":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "vpn-0":   IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
000 "vpn-0":   IKE algorithms found:
 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "vpn-0":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "vpn-0":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
pfsgroup=MODP1024(2)
000 "vpn-0":   ESP algorithms loaded: 3DES(3)_000-SHA1(2)_000
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE
connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "vpn-0":4500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_CRYPTO_FAILED in 54s; lastdpd=-1s(seq in:0 out:0); idle; import:admin
initiate
000 #1: "vpn-0":4500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 27801s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:admin initiate
000
000 Bare Shunt list:
000


When I generate some traffic from the remote peer, tcpdump shows the
encapsulated packet going to the ipsec0 interface, but it is not decapped.

I was wondering if there is any change from 3.15 to 3.17 which makes my
ipsec.conf stop working.

Thanks for any suggestions and help.

Toby

-- 
Ge (Toby) Xu
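The status dump above is the most useful evidence in the post: phase 1 is up (#1 in STATE_MAIN_I4 on udp/4500, so NAT-T is in use) while the only IPsec SA (#2) never leaves STATE_QUICK_I1. The following script is an added example, not code from the poster or from the libreswan project. It re-joins mail-wrapped `ipsec status` lines, parses the "newest ISAKMP SA / newest IPsec SA" summary and the per-state lines, and reports connections where IKE is established but quick mode never completes. The sample input is constructed to mirror the lines quoted in the post; the state names STATE_QUICK_I2/R2 as the "established" quick-mode states are an assumption about libreswan's IKEv1 state machine.

```python
import re

# Constructed sample modelled on the `ipsec status` output quoted in the post,
# including the line wrapping a mail client introduces.
SAMPLE_STATUS = """\
000 "vpn-0":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "vpn-0":   dpd: action:hold; delay:15; timeout:75; nat-t:
force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 Total IPsec connections: loaded 1, active 0
000 #2: "vpn-0":4500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_CRYPTO_FAILED in 54s; lastdpd=-1s(seq in:0 out:0); idle; import:admin
initiate
000 #1: "vpn-0":4500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 27801s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:admin initiate
"""

# Per-state line: "000 #<n>: "<conn>":<port> STATE_X (<desc>); EVENT_Y in <s>s; ..."
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":(?P<port>\d+) (?P<state>STATE_\w+)'
    r' \((?P<desc>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>-?\d+)s'
)
# Per-connection summary of the newest SAs (#0 means "none").
NEWEST_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+newest ISAKMP SA: #(?P<isakmp>\d+);'
    r' newest IPsec SA: #(?P<ipsec>\d+);'
)
# Assumed: quick mode is complete only in these two states.
ESTABLISHED_QUICK = {"STATE_QUICK_I2", "STATE_QUICK_R2"}


def unwrap(text):
    """Re-join status lines wrapped by a mail client: every real pluto status
    line starts with the '000' prefix, so anything else continues the previous line."""
    out = []
    for line in text.splitlines():
        if line.startswith("000") or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out


def _new_conn():
    return {"newest_isakmp": None, "newest_ipsec": None,
            "states": [], "nat_t": False, "findings": []}


def diagnose(text):
    """Parse `ipsec status` output and return {conn: report} with findings
    for connections whose phase 1 is up but phase 2 is not."""
    report = {}
    for line in unwrap(text):
        m = NEWEST_RE.match(line)
        if m:
            r = report.setdefault(m["conn"], _new_conn())
            r["newest_isakmp"] = int(m["isakmp"])
            r["newest_ipsec"] = int(m["ipsec"])
            continue
        m = STATE_RE.match(line)
        if m:
            r = report.setdefault(m["conn"], _new_conn())
            r["states"].append({
                "num": int(m["num"]), "port": int(m["port"]),
                "state": m["state"], "desc": m["desc"],
                "event": m["event"], "secs": int(m["secs"]),
            })

    for conn, r in report.items():
        findings = r["findings"]
        if r["newest_isakmp"] and r["newest_ipsec"] == 0:
            findings.append("IKE (phase 1) SA established but no IPsec (phase 2) SA")
        for s in r["states"]:
            if s["port"] == 4500:
                # IKE on udp/4500 means NAT-T was negotiated: ESP is carried
                # in UDP, so raw ESP on the wire would be a mismatch.
                r["nat_t"] = True
            if s["state"].startswith("STATE_QUICK_") and s["state"] not in ESTABLISHED_QUICK:
                findings.append(
                    "state #%d stuck in %s (%s); next event %s in %ds"
                    % (s["num"], s["state"], s["desc"], s["event"], s["secs"]))
        if r["nat_t"]:
            findings.append("NAT-T in use (IKE on udp/4500); expect UDP-encapsulated ESP")
    return report


if __name__ == "__main__":
    for conn, r in diagnose(SAMPLE_STATUS).items():
        print(conn)
        for f in r["findings"]:
            print("  -", f)
```

Pipe a real dump in with `ipsec status | python3 status_check.py` after replacing SAMPLE_STATUS with `sys.stdin.read()`; on the post's output it reports the established ISAKMP SA with no IPsec SA, #2 waiting in STATE_QUICK_I1 for QR1, and NAT-T active, which is the combination to chase in the pluto log (quick mode proposal or NAT-T encapsulation) rather than in ipsec.conf syntax.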