[Swan] Multiple clients behind the same NAT IP get dropped - IPSec / xauth

Schmidt, Michael M Michael.Schmidt at ca.com
Wed Jun 15 21:55:18 UTC 2016


Ah, that's good news that I'm not going crazy :) If I compile from the latest GitHub release, is there something I can help test?

Thanks for all your help and hard work. The open-source XAuth implementation is awesome. I remember just struggling with L2TP issues in the past and this is a real game changer.

Matt


________________________________________
From: Paul Wouters <paul at nohats.ca>
Sent: Wednesday, June 15, 2016 3:31:27 PM
To: Schmidt, Michael M
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Multiple clients behind the same NAT IP get dropped - IPSec / xauth

On Wed, 15 Jun 2016, Schmidt, Michael M wrote:

We are working on a fix for that using the newly added marking feature
where you can set mark=%unique so that these conflicts won't cause any
more problems.

Paul

> Date: Wed, 15 Jun 2016 17:22:37
> From: "Schmidt, Michael M" <Michael.Schmidt at ca.com>
> To: "swan at lists.libreswan.org" <swan at lists.libreswan.org>
> Subject: [Swan] Multiple clients behind the same NAT IP get dropped - IPSec / xauth
>
>
> Hi there,
>
>
> I am having the exact same problem as this guy did a couple of years ago. Unfortunately it doesn't
> look like he received an answer.
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.libreswan.org_pipermail_swan_2014_000818.html&d=DQIDAw&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=3ZEmpvXESQtWvu0aL_I4qASRFsk9V3_faih0y3kWhng&m=q9SRdfF1GxWLobaaJgGb1EPGR7DSD1c1MCBFPl4KXZI&s=dP5JaqACO0l-BEDTc0fDFagB-S-YqdYfVCz86m2FQcs&e=
>
>
> Whenever a 2nd client connects that is behind the same public IP as the 1st client, the 1st client
> can no longer route packets across the tunnel. The IPSec connection stays connected, but pings/TCP
> connections are all dropped. The 2nd client has no problem until someone else tries to connect
> behind the same IP. There's nothing in the server-side logs that indicate Libreswan notices this.
>
>
> I've tried switching between auto=add and auto=route with no luck. Played with iptables a bit. Not
> really sure what else to do.
>
>
> I am on v3.17
>
>
> If you need more information, please let me know. I would really appreciate some help :)
>
>
> ## ipsec.conf ##
>
>
> config setup
>   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.4.0.0/16
>   protostack=netkey
>   nhelpers=0
>   interfaces=%defaultroute
>   uniqueids=no
>   plutostderrlog=/var/log/ipsec
>
> conn shared
>   left=10.4.254.10
>   leftid=X.X.X.X
>   right=%any
>   forceencaps=yes
>   authby=secret
>   pfs=no
>   rekey=no
>   keyingtries=5
>   dpddelay=30
>   dpdtimeout=120
>   dpdaction=clear
>
> conn xauth-psk
>   auto=route
>   leftsubnet=10.4.0.0/16
>   rightaddresspool=10.4.254.129-10.4.254.191
>   modecfgdns1=10.4.0.10
>   modecfgdns2=10.4.0.11
>   modecfgdomain=X.X
>   leftxauthserver=yes
>   rightxauthclient=yes
>   leftmodecfgserver=yes
>   rightmodecfgclient=yes
>   modecfgpull=yes
>   xauthby=pam
>   ike-frag=yes
>   ikev2=never
>   cisco-unity=yes
>   also=shared
>
> ## iptables ##
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [403:28020]
> :OUTPUT ACCEPT [403:28020]
> -A POSTROUTING -s 10.4.0.0/16 -o eth+ -j SNAT --to-source 10.4.254.10
> -A POSTROUTING -s 10.4.254.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source 10.4.254.10
> COMMIT
> *filter
> :INPUT ACCEPT [1711:674994]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2264:316654]
> :f2b-SSH - [0:0]
> -A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH
> -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
> -A INPUT -p udp -m udp --dport 1701 -j DROP
> -A INPUT -p udp -m udp --dport 68 -j ACCEPT
> -A FORWARD -m conntrack --ctstate INVALID -j DROP
> -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i ppp+ -o eth+ -j ACCEPT
> -A FORWARD -d 10.4.254.0/24 -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 10.4.254.0/24 -o eth+ -j ACCEPT
> -A FORWARD -j DROP
> -A f2b-SSH -j RETURN
> COMMIT
>
>
> ## ipsec logs of two clients connecting from the same IP ##
>
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: responding to Main Mode from unknown peer <<PUBLIC NAT IP>>
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Jun 14 16:13:10: | ISAKMP Notification Payload
> Jun 14 16:13:10: |   00 00 00 1c  00 00 00 01  01 10 60 02
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.55'
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: switched from "xauth-psk"[1] <<PUBLIC NAT IP>> to "xauth-psk"
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: deleting connection "xauth-psk" instance with peer <<PUBLIC NAT IP>> {isakmp=#0/ipsec=#0}
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: new NAT mapping for #1, was <<PUBLIC NAT IP>>:118, now <<PUBLIC NAT IP>>:37467
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
> Jun 14 16:13:10: | event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH: Sending Username/Password request (XAUTH_R0)
> Jun 14 16:13:10: XAUTH: User <<CLIENT 1>>: Attempting to login
> Jun 14 16:13:10: XAUTH: pam authentication being called to authenticate user <<CLIENT 1>>
> Jun 14 16:13:11: XAUTH: User <<CLIENT 1>>: Authentication Successful
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH: xauth_inR1(STF_OK)
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute APPLICATION_VERSION received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute MODECFG_BANNER received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute MODECFG_DOMAIN received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_DO_PFS received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SAVE_PW received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_FW_TYPE received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
> Jun 14 16:13:11: | We are sending '<<DOMAIN>>' as domain
> Jun 14 16:13:11: | We are not sending a banner
> Jun 14 16:13:11: | We are sending our subnet as CISCO_SPLIT_INC
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: modecfg_inR0(STF_OK)
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: the peer proposed: 10.4.0.0/16:0/0 -> 10.4.254.129/32:0/0
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: responding to Quick Mode proposal {msgid:1ada84a1}
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2:     us: 10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2:   them: <<PUBLIC NAT IP>>[10.32.32.55,+MC+XC+S=C]===10.4.254.129/32
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:37467 DPD=active username=<<CLIENT 1>>}
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:37467 DPD=active username=<<CLIENT 1>>}
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: max number of retransmissions (8) reached STATE_MAIN_R2
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: deleting state #1 (STATE_MAIN_R2)
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>>: deleting connection "xauth-psk" instance with peer <<PUBLIC NAT IP>> {isakmp=#0/ipsec=#0}
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: responding to Main Mode from unknown peer <<PUBLIC NAT IP>>
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R2: sent MR2, expecting MI3
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Jun 14 16:13:29: | ISAKMP Notification Payload
> Jun 14 16:13:29: |   00 00 00 1c  00 00 00 01  01 10 60 02
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.76'
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: switched from "xauth-psk"[2] <<PUBLIC NAT IP>> to "xauth-psk"
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: new NAT mapping for #3, was <<PUBLIC NAT IP>>:57, now <<PUBLIC NAT IP>>:29518
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
> Jun 14 16:13:29: | event EVENT_v1_SEND_XAUTH #3 STATE_MAIN_R3
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH: Sending Username/Password request (XAUTH_R0)
> Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Attempting to login
> Jun 14 16:13:36: XAUTH: pam authentication being called to authenticate user <<CLIENT 2>>
> Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Authentication Successful
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH: xauth_inR1(STF_OK)
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute APPLICATION_VERSION received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute MODECFG_BANNER received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute MODECFG_DOMAIN received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_DO_PFS received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SAVE_PW received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_FW_TYPE received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
> Jun 14 16:13:36: | We are sending '<<DOMAIN>>' as domain
> Jun 14 16:13:36: | We are not sending a banner
> Jun 14 16:13:36: | We are sending our subnet as CISCO_SPLIT_INC
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: modecfg_inR0(STF_OK)
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: the peer proposed: 10.4.0.0/16:0/0 -> 10.4.254.130/32:0/0
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: responding to Quick Mode proposal {msgid:5a4c8ec3}
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4:     us: 10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4:   them: <<PUBLIC NAT IP>>[10.32.32.76,+MC+XC+S=C]===10.4.254.130/32
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:29518 DPD=active username=<<CLIENT 2>>}
> Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:29518 DPD=active username=<<CLIENT 2>>}
>
>
>
>
>


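The thread's complaint is that pluto logs nothing when a second client behind the same public IP comes up and the first client's traffic stops. The script below is an added example, not code from the thread or from libreswan: it reads pluto log lines of the shape quoted above, keeps track of which IPsec SAs (the `STATE_QUICK_R2: IPsec SA established` lines) are still live by dropping any that later hit a `deleting state #N` line, and flags every NAT IP that has more than one live tunnel, listing them in establishment order. The embedded log lines are constructed to mirror the excerpt, with documentation-range addresses and made-up usernames and SPIs; the regexes assume the pluto log format shown on this page and nothing more.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the pluto log excerpt from the thread.
# Addresses are from documentation ranges; usernames and SPIs are made up.
SAMPLE_LOG = """\
Jun 14 16:13:10: "xauth-psk"[2] 203.0.113.5 #1: new NAT mapping for #1, was 203.0.113.5:118, now 203.0.113.5:37467
Jun 14 16:13:11: "xauth-psk"[2] 203.0.113.5 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.5:37467 DPD=active username=alice}
Jun 14 16:13:14: "xauth-psk"[1] 203.0.113.5 #1: deleting state #1 (STATE_MAIN_R2)
Jun 14 16:13:29: "xauth-psk"[3] 203.0.113.5 #3: new NAT mapping for #3, was 203.0.113.5:57, now 203.0.113.5:29518
Jun 14 16:13:37: "xauth-psk"[3] 203.0.113.5 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.5:29518 DPD=active username=bob}
Jun 14 16:20:02: "xauth-psk"[4] 198.51.100.7 #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x1a2b3c4d <0x4d3c2b1a xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=198.51.100.7:4500 DPD=active username=carol}
Jun 14 16:25:00: "xauth-psk"[5] 198.51.100.9 #8: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x55555555 <0x66666666 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=198.51.100.9:4500 DPD=active username=dave}
Jun 14 16:30:00: "xauth-psk"[5] 198.51.100.9 #8: deleting state #8 (STATE_QUICK_R2)
"""

# An IPsec SA coming up: capture pluto's state number, the NAT-T outer
# address:port it saw (NATD=...), and the XAUTH username.
SA_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<state>\d+): STATE_QUICK_R2: IPsec SA established'
    r'.*?NATD=(?P<ip>[\d.]+):(?P<port>\d+).*?username=(?P<user>[^}\s]+)'
)
# Any state teardown; ISAKMP states never appear in `live`, so popping them is a no-op.
DEL_RE = re.compile(r'deleting state #(?P<state>\d+)')


def parse_established(log_text):
    """Return {state_no: (nat_ip, nat_port, username)} for IPsec SAs still live at end of log."""
    live = {}
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if m:
            live[int(m['state'])] = (m['ip'], int(m['port']), m['user'])
            continue
        d = DEL_RE.search(line)
        if d:
            live.pop(int(d['state']), None)
    return live


def find_shared_nat(live):
    """Group live SAs by outer NAT IP; keep only IPs carrying more than one tunnel.

    Each value is a list of (state_no, nat_port, username) in establishment order
    (pluto state numbers increase monotonically, so sorting by them gives that order).
    """
    by_ip = defaultdict(list)
    for state, (ip, port, user) in sorted(live.items()):
        by_ip[ip].append((state, port, user))
    return {ip: sas for ip, sas in by_ip.items() if len(sas) > 1}


def shared_nat_report(log_text):
    """One human-readable line per NAT IP that currently carries several clients."""
    report = []
    for ip, sas in sorted(find_shared_nat(parse_established(log_text)).items()):
        first_state, _, first_user = sas[0]
        users = ", ".join(f"#{s} {u} (NAT-T port {p})" for s, p, u in sas)
        report.append(
            f"{ip}: {len(sas)} tunnels share this NAT IP: {users}; "
            f"first-up #{first_state} ({first_user}) is the one the thread reports losing traffic"
        )
    return report


if __name__ == "__main__":
    for line in shared_nat_report(SAMPLE_LOG):
        print(line)
```

Point it at a real log with `shared_nat_report(open("/var/log/ipsec").read())` (the path the thread's `plutostderrlog=` sets). It only identifies the condition the thread describes, two live tunnels whose outer address differs by NAT-T port alone; it does not tell you whether the kernel policies actually collided, which is what Paul's mark=%unique work is meant to address.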