[Swan] Multiple clients behind the same NAT IP get dropped - IPSec / xauth
Tony Whyman
tony.whyman at mccallumwhyman.com
Wed Jun 15 22:07:00 UTC 2016
As I type, I am using 3.17 and currently have three clients all behind
the same NAT router all with active ipsec connections to two different
remote servers - and can ping both. This setup normally works fine,
although I have noticed the occasional confusion which usually requires
a NAT router reset to resolve. It could be your problem is with the
router rather than libreswan.
There's nothing clever about my setup. A mix of Ubuntu 12.04 and 14.04
with basic road warrior setups. The server side looks like this, with
netkey and nat-traversal:
conn server-side
authby=rsasig
type=tunnel
ike=3des-sha1;modp2048
phase2alg=3des-sha1;modp2048
dpddelay=30
dpdtimeout=120
left=<my ip>
leftcert="mycert"
leftrsasigkey=%cert
leftid=%fromcert
right=%any
dpdaction=clear
rightsubnet=vhost:%no,%priv
rightrsasigkey=%cert
rightid="C=GB,ST=here,L=there,O=myorg,OU=Road Warriors,CN=*"
auto=add
Client looks like:
conn client-side
authby=rsasig
type=tunnel
ike=3des-sha1;modp2048
phase2alg=3des-sha1;modp2048
dpddelay=30
dpdtimeout=120
dpdaction=restart
left=%defaultroute
leftcert="mycert"
leftrsasigkey=%cert
leftid=%fromcert
right=<my local ip>
rightrsasigkey=%cert
rightid="C=GB,ST=here,L=there,O=myorg,OU=Secure Web Server,CN=MyRemoteServer"
auto=start
Hope this helps
On 15/06/16 22:22, Schmidt, Michael M wrote:
>
> Hi there,
>
>
> I am having the exact same problem as this guy did a couple years ago.
> Unfortunately it doesn't look like he received an answer.
>
>
> https://lists.libreswan.org/pipermail/swan/2014/000818.html
>
>
> Whenever a 2nd client connects that is behind the same public IP as
> the 1st client, the 1st client can no longer route packets across the
> tunnel. The IPSec connection stays connected, but pings/TCP
> connections are all dropped. The 2nd client has no problem until
> someone else tries to connect behind the same IP. There's nothing in
> the server-side logs that indicate Libreswan notices this.
>
>
> I've tried switching between auto=add and auto=route with no luck.
> Played with iptables a bit. Not really sure what else to do.
>
>
> I am on v3.17
>
>
> If you need more information, please let me know. I would really
> appreciate some help :)
>
>
> ## ipsec.conf ##
>
>
> config setup
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.4.0.0/16
> protostack=netkey
> nhelpers=0
> interfaces=%defaultroute
> uniqueids=no
> plutostderrlog=/var/log/ipsec
>
> conn shared
> left=10.4.254.10
> leftid=X.X.X.X
> right=%any
> forceencaps=yes
> authby=secret
> pfs=no
> rekey=no
> keyingtries=5
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
>
> conn xauth-psk
> auto=route
> leftsubnet=10.4.0.0/16
> rightaddresspool=10.4.254.129-10.4.254.191
> modecfgdns1=10.4.0.10
> modecfgdns2=10.4.0.11
> modecfgdomain=X.X
> leftxauthserver=yes
> rightxauthclient=yes
> leftmodecfgserver=yes
> rightmodecfgclient=yes
> modecfgpull=yes
> xauthby=pam
> ike-frag=yes
> ikev2=never
> cisco-unity=yes
> also=shared
>
> ## iptables ##
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [403:28020]
> :OUTPUT ACCEPT [403:28020]
> -A POSTROUTING -s 10.4.0.0/16 -o eth+ -j SNAT --to-source 10.4.254.10
> -A POSTROUTING -s 10.4.254.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source 10.4.254.10
> COMMIT
> *filter
> :INPUT ACCEPT [1711:674994]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2264:316654]
> :f2b-SSH - [0:0]
> -A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH
> -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
> -A INPUT -p udp -m udp --dport 1701 -j DROP
> -A INPUT -p udp -m udp --dport 68 -j ACCEPT
> -A FORWARD -m conntrack --ctstate INVALID -j DROP
> -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i ppp+ -o eth+ -j ACCEPT
> -A FORWARD -d 10.4.254.0/24 -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 10.4.254.0/24 -o eth+ -j ACCEPT
> -A FORWARD -j DROP
> -A f2b-SSH -j RETURN
> COMMIT
>
>
> ## ipsec logs of two clients connecting from the same IP ##
>
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: responding to
> Main Mode from unknown peer <<PUBLIC NAT IP>>
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from
> state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R1:
> sent MR1, expecting MI2
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from
> state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R2:
> sent MR2, expecting MI3
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: ignoring
> informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Jun 14 16:13:10: | ISAKMP Notification Payload
> Jun 14 16:13:10: | 00 00 00 1c 00 00 00 01 01 10 60 02
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: Main mode peer
> ID is ID_IPV4_ADDR: '10.32.32.55'
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: switched from
> "xauth-psk"[1] <<PUBLIC NAT IP>> to "xauth-psk"
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: deleting
> connection "xauth-psk" instance with peer <<PUBLIC NAT IP>>
> {isakmp=#0/ipsec=#0}
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from
> state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: new NAT mapping
> for #1, was <<PUBLIC NAT IP>>:118, now <<PUBLIC NAT IP>>:37467
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3:
> sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256
> integ=OAKLEY_SHA2_256 group=MODP2048}
> Jun 14 16:13:10: | event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH: Sending
> Username/Password request (XAUTH_R0)
> Jun 14 16:13:10: XAUTH: User <<CLIENT 1>>: Attempting to login
> Jun 14 16:13:10: XAUTH: pam authentication being called to
> authenticate user <<CLIENT 1>>
> Jun 14 16:13:11: XAUTH: User <<CLIENT 1>>: Authentication Successful
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH:
> xauth_inR1(STF_OK)
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from
> state STATE_XAUTH_R1 to state STATE_MAIN_R3
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3:
> sent MR3, ISAKMP SA established
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute APPLICATION_VERSION received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute MODECFG_BANNER received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute MODECFG_DOMAIN received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute CISCO_SPLIT_DNS received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute CISCO_SPLIT_INC received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute CISCO_DO_PFS received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute CISCO_SAVE_PW received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute CISCO_FW_TYPE received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute CISCO_BACKUP_SERVER received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
> modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
> Jun 14 16:13:11: | We are sending '<<DOMAIN>>' as domain
> Jun 14 16:13:11: | We are not sending a banner
> Jun 14 16:13:11: | We are sending our subnet as CISCO_SPLIT_INC
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: modecfg_inR0(STF_OK)
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from
> state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1:
> STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: the peer
> proposed: 10.4.0.0/16:0/0 -> 10.4.254.129/32:0/0
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: responding to
> Quick Mode proposal {msgid:1ada84a1}
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: us:
> 10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: them: <<PUBLIC
> NAT IP>>[10.32.32.55,+MC+XC+S=C]===10.4.254.129/32
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from
> state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R1:
> sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode
> {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none
> NATD=<<PUBLIC NAT IP>>:37467 DPD=active username=<<CLIENT 1>>}
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from
> state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R2:
> IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34
> xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:37467
> DPD=active username=<<CLIENT 1>>}
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: max number of
> retransmissions (8) reached STATE_MAIN_R2
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: deleting state
> #1 (STATE_MAIN_R2)
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>>: deleting connection
> "xauth-psk" instance with peer <<PUBLIC NAT IP>> {isakmp=#0/ipsec=#0}
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: responding to
> Main Mode from unknown peer <<PUBLIC NAT IP>>
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from
> state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R1:
> sent MR1, expecting MI2
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from
> state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R2:
> sent MR2, expecting MI3
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: ignoring
> informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Jun 14 16:13:29: | ISAKMP Notification Payload
> Jun 14 16:13:29: | 00 00 00 1c 00 00 00 01 01 10 60 02
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: Main mode peer
> ID is ID_IPV4_ADDR: '10.32.32.76'
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: switched from
> "xauth-psk"[2] <<PUBLIC NAT IP>> to "xauth-psk"
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from
> state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: new NAT mapping
> for #3, was <<PUBLIC NAT IP>>:57, now <<PUBLIC NAT IP>>:29518
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3:
> sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256
> integ=OAKLEY_SHA2_256 group=MODP2048}
> Jun 14 16:13:29: | event EVENT_v1_SEND_XAUTH #3 STATE_MAIN_R3
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH: Sending
> Username/Password request (XAUTH_R0)
> Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Attempting to login
> Jun 14 16:13:36: XAUTH: pam authentication being called to
> authenticate user <<CLIENT 2>>
> Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Authentication Successful
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH:
> xauth_inR1(STF_OK)
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from
> state STATE_XAUTH_R1 to state STATE_MAIN_R3
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3:
> sent MR3, ISAKMP SA established
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute APPLICATION_VERSION received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute MODECFG_BANNER received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute MODECFG_DOMAIN received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute CISCO_SPLIT_DNS received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute CISCO_SPLIT_INC received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute CISCO_DO_PFS received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute CISCO_SAVE_PW received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute CISCO_FW_TYPE received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute CISCO_BACKUP_SERVER received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
> modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
> Jun 14 16:13:36: | We are sending '<<DOMAIN>>' as domain
> Jun 14 16:13:36: | We are not sending a banner
> Jun 14 16:13:36: | We are sending our subnet as CISCO_SPLIT_INC
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: modecfg_inR0(STF_OK)
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from
> state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3:
> STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: the peer
> proposed: 10.4.0.0/16:0/0 -> 10.4.254.130/32:0/0
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: responding to
> Quick Mode proposal {msgid:5a4c8ec3}
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: us:
> 10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: them: <<PUBLIC
> NAT IP>>[10.32.32.76,+MC+XC+S=C]===10.4.254.130/32
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from
> state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R1:
> sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode
> {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none
> NATD=<<PUBLIC NAT IP>>:29518 DPD=active username=<<CLIENT 2>>}
> Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from
> state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R2:
> IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349
> xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:29518
> DPD=active username=<<CLIENT 2>>}
>
>
>
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
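The pluto excerpt quoted above is easier to reason about once each state number is followed from establishment to deletion and the established IPsec SAs are grouped by the NAT address they arrive from. The Python script below is an added example, not code from this thread or from libreswan. It parses a constructed sample modelled on the quoted log (the NAT IP 203.0.113.7 and the usernames alice/bob are placeholders; state numbers, NAT ports, SPIs and peer IDs follow the excerpt), lists the clients that share one public IP, and reports any SA that was logged as established and later deleted, together with the connection instance that established it and the instance that deleted it. It only surfaces what the log states; it does not attempt to explain why the deletion happened.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the pluto excerpt quoted in the thread.  The NAT
# IP 203.0.113.7 and the usernames alice/bob are placeholders; ports, SPIs, peer
# IDs and state numbers follow the excerpt so the timeline is the same one.
SAMPLE_LOG = """\
Jun 14 16:13:10: "xauth-psk"[1] 203.0.113.7 #1: responding to Main Mode from unknown peer 203.0.113.7
Jun 14 16:13:10: "xauth-psk"[1] 203.0.113.7 #1: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.55'
Jun 14 16:13:10: "xauth-psk"[2] 203.0.113.7 #1: new NAT mapping for #1, was 203.0.113.7:118, now 203.0.113.7:37467
Jun 14 16:13:10: "xauth-psk"[2] 203.0.113.7 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
Jun 14 16:13:10: XAUTH: User alice: Attempting to login
Jun 14 16:13:11: "xauth-psk"[2] 203.0.113.7 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.7:37467 DPD=active username=alice}
Jun 14 16:13:14: "xauth-psk"[1] 203.0.113.7 #1: max number of retransmissions (8) reached STATE_MAIN_R2
Jun 14 16:13:14: "xauth-psk"[1] 203.0.113.7 #1: deleting state #1 (STATE_MAIN_R2)
Jun 14 16:13:14: "xauth-psk"[1] 203.0.113.7: deleting connection "xauth-psk" instance with peer 203.0.113.7 {isakmp=#0/ipsec=#0}
Jun 14 16:13:29: "xauth-psk"[2] 203.0.113.7 #3: responding to Main Mode from unknown peer 203.0.113.7
Jun 14 16:13:29: "xauth-psk"[2] 203.0.113.7 #3: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.76'
Jun 14 16:13:29: "xauth-psk"[3] 203.0.113.7 #3: new NAT mapping for #3, was 203.0.113.7:57, now 203.0.113.7:29518
Jun 14 16:13:29: "xauth-psk"[3] 203.0.113.7 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
Jun 14 16:13:36: "xauth-psk"[3] 203.0.113.7 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.7:29518 DPD=active username=bob}
"""

# Prefix pluto puts on connection-scoped lines: "conn"[instance] peer #state: msg
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+)(?: #(?P<state>\d+))?: (?P<msg>.*)$'
)
PEER_ID_RE = re.compile(r"peer ID is \w+: '(?P<id>[^']+)'")
NAT_MAP_RE = re.compile(r"new NAT mapping for #\d+, was \S+, now (?P<new>\S+)")
IPSEC_RE = re.compile(r"IPsec SA established .*NATD=(?P<natd>[\d.]+:\d+) .*username=(?P<user>\S+)\}")
DELETE_RE = re.compile(r"deleting state #(?P<state>\d+) \((?P<st>\w+)\)")


def parse_log(text):
    """Yield one dict per line that carries the connection/instance prefix."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # debug ("|") and bare XAUTH lines have no prefix
        rec = m.groupdict()
        rec["inst"] = int(rec["inst"])
        rec["state"] = int(rec["state"]) if rec["state"] else None
        rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
        yield rec


def build_timeline(text):
    """Follow every state number: peer ID, NAT port, establishment, deletion."""
    states = defaultdict(dict)
    for rec in parse_log(text):
        if rec["state"] is None:
            continue  # connection-level lines carry no state number
        s, msg = states[rec["state"]], rec["msg"]
        if (m := PEER_ID_RE.search(msg)):
            s["peer_id"] = m.group("id")
        if (m := NAT_MAP_RE.search(msg)):
            s["nat_port"] = int(m.group("new").rsplit(":", 1)[1])
        if "ISAKMP SA established" in msg:
            s.update(kind="ISAKMP", established=rec["when"], established_by=rec["inst"])
        if (m := IPSEC_RE.search(msg)):
            s.update(kind="IPsec", established=rec["when"], established_by=rec["inst"],
                     natd=m.group("natd"), username=m.group("user"))
        if (m := DELETE_RE.search(msg)):
            # The deletion may be logged by a different instance than the one
            # that established the state; record both so the mismatch is visible.
            states[int(m.group("state"))].update(
                deleted=rec["when"], deleted_by=rec["inst"], deleted_in_state=m.group("st"))
    return dict(states)


def clients_per_nat_address(states):
    """Group established IPsec SAs by NAT public IP; two entries under one IP is the thread's setup."""
    groups = defaultdict(list)
    for no, s in states.items():
        if s.get("kind") == "IPsec" and "established" in s:
            ip, port = s["natd"].rsplit(":", 1)
            groups[ip].append({"state": no, "user": s["username"], "nat_port": int(port)})
    return {ip: sorted(v, key=lambda e: e["state"]) for ip, v in groups.items()}


def established_then_deleted(states):
    """Return states logged as established and then deleted, with who did each."""
    out = []
    for no, s in sorted(states.items()):
        if "established" in s and "deleted" in s and s["deleted"] >= s["established"]:
            out.append({"state": no, "kind": s["kind"], "peer_id": s.get("peer_id"),
                        "lived_seconds": (s["deleted"] - s["established"]).total_seconds(),
                        "established_by": s["established_by"], "deleted_by": s["deleted_by"],
                        "deleted_in_state": s["deleted_in_state"]})
    return out


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOG)
    for ip, entries in clients_per_nat_address(timeline).items():
        print(f"{ip}: {len(entries)} client(s) behind this NAT address")
        for e in entries:
            print(f"  IPsec SA #{e['state']} user={e['user']} NAT port {e['nat_port']}")
    for d in established_then_deleted(timeline):
        print(f"{d['kind']} SA #{d['state']} (peer ID {d['peer_id']}) established by instance "
              f"[{d['established_by']}] deleted {d['lived_seconds']:.0f}s later by instance "
              f"[{d['deleted_by']}], which still held it in {d['deleted_in_state']}")
```

To run it against a real server, pass the contents of the pluto log (the `plutostderrlog` file in the quoted config) to `build_timeline()` instead of `SAMPLE_LOG`; if the log is written through syslog with a different timestamp prefix, adjust the `ts` group of `LINE_RE` accordingly. On the sample it reports both users behind 203.0.113.7 on distinct NAT ports, and that ISAKMP SA #1 for peer ID 10.32.32.55, established under instance [2], was deleted four seconds later by instance [1] while that instance still recorded it as STATE_MAIN_R2, which is the sequence visible in the quoted excerpt.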