[Swan] Multiple clients behind the same NAT IP get dropped - IPSec / xauth

Tony Whyman tony.whyman at mccallumwhyman.com
Wed Jun 15 22:07:00 UTC 2016


As I type, I am using 3.17 and currently have three clients all behind 
the same NAT router all with active ipsec connections to two different 
remote servers - and can ping both. This setup normally works fine, 
although I have noticed the occasional confusion which usually requires 
a NAT router reset to resolve. It could be your problem is with the 
router rather than libreswan.

There's nothing clever about my setup. A mix of Ubuntu 12.04 and 14.04 
with basic road warrior setups. The server side looks like this, with 
netkey and nat-traversal:

conn server-side
     authby=rsasig
     type=tunnel
     ike=3des-sha1;modp2048
     phase2alg=3des-sha1;modp2048
     dpddelay=30
     dpdtimeout=120
     left=<my ip>
     leftcert="mycert"
     leftrsasigkey=%cert
     leftid=%fromcert
     right=%any
     dpdaction=clear
     rightsubnet=vhost:%no,%priv
     rightrsasigkey=%cert
     rightid="C=GB,ST=here,L=there,O=myorg,OU=Road Warriors,CN=*"
     auto=add

Client looks like:
conn client-side
     authby=rsasig
     type=tunnel
     ike=3des-sha1;modp2048
     phase2alg=3des-sha1;modp2048
     dpddelay=30
     dpdtimeout=120
     dpdaction=restart
     left=%defaultroute
     leftcert="mycert"
     leftrsasigkey=%cert
     leftid=%fromcert
     right=<my local ip>
     rightrsasigkey=%cert
     rightid="C=GB,ST=here,L=there,O=myorg,OU=Secure Web Server,CN=MyRemoteServer"
     auto=start

Hope this helps

On 15/06/16 22:22, Schmidt, Michael M wrote:
>
> Hi there,
>
>
> I am having the exact same problem as this guy did a couple years ago. 
> Unfortunately it doesn't look like he received an answer.
>
>
> https://lists.libreswan.org/pipermail/swan/2014/000818.html
>
>
> Whenever a 2nd client connects that is behind the same public IP as 
> the 1st client, the 1st client can no longer route packets across the 
> tunnel. The IPSec connection stays connected, but pings/TCP 
> connections are all dropped. The 2nd client has no problem until 
> someone else tries to connect behind the same IP. There's nothing in 
> the server-side logs that indicate Libreswan notices this.
>
>
> I've tried switching between auto=add and auto=route with no luck. 
> Played with iptables a bit. Not really sure what else to do.
>
>
> I am on v3.17
>
>
> If you need more information, please let me know. I would really 
> appreciate some help :)
>
>
> ## ipsec.conf ##
>
>
> config setup
>   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.4.0.0/16
>   protostack=netkey
>   nhelpers=0
>   interfaces=%defaultroute
>   uniqueids=no
>   plutostderrlog=/var/log/ipsec
>
> conn shared
>   left=10.4.254.10
>   leftid=X.X.X.X
>   right=%any
>   forceencaps=yes
>   authby=secret
>   pfs=no
>   rekey=no
>   keyingtries=5
>   dpddelay=30
>   dpdtimeout=120
>   dpdaction=clear
>
> conn xauth-psk
>   auto=route
>   leftsubnet=10.4.0.0/16
>   rightaddresspool=10.4.254.129-10.4.254.191
>   modecfgdns1=10.4.0.10
>   modecfgdns2=10.4.0.11
>   modecfgdomain=X.X
>   leftxauthserver=yes
>   rightxauthclient=yes
>   leftmodecfgserver=yes
>   rightmodecfgclient=yes
>   modecfgpull=yes
>   xauthby=pam
>   ike-frag=yes
>   ikev2=never
>   cisco-unity=yes
>   also=shared
>
> ## iptables ##
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [403:28020]
> :OUTPUT ACCEPT [403:28020]
> -A POSTROUTING -s 10.4.0.0/16 -o eth+ -j SNAT --to-source 10.4.254.10
> -A POSTROUTING -s 10.4.254.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source 10.4.254.10
> COMMIT
> *filter
> :INPUT ACCEPT [1711:674994]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2264:316654]
> :f2b-SSH - [0:0]
> -A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH
> -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
> -A INPUT -p udp -m udp --dport 1701 -j DROP
> -A INPUT -p udp -m udp --dport 68 -j ACCEPT
> -A FORWARD -m conntrack --ctstate INVALID -j DROP
> -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i ppp+ -o eth+ -j ACCEPT
> -A FORWARD -d 10.4.254.0/24 -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 10.4.254.0/24 -o eth+ -j ACCEPT
> -A FORWARD -j DROP
> -A f2b-SSH -j RETURN
> COMMIT
>
>
> ## ipsec logs of two clients connecting from the same IP ##
>
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: responding to Main Mode from unknown peer <<PUBLIC NAT IP>>
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Jun 14 16:13:10: | ISAKMP Notification Payload
> Jun 14 16:13:10: |   00 00 00 1c  00 00 00 01  01 10 60 02
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.55'
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: switched from "xauth-psk"[1] <<PUBLIC NAT IP>> to "xauth-psk"
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: deleting connection "xauth-psk" instance with peer <<PUBLIC NAT IP>> {isakmp=#0/ipsec=#0}
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: new NAT mapping for #1, was <<PUBLIC NAT IP>>:118, now <<PUBLIC NAT IP>>:37467
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
> Jun 14 16:13:10: | event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH: Sending Username/Password request (XAUTH_R0)
> Jun 14 16:13:10: XAUTH: User <<CLIENT 1>>: Attempting to login
> Jun 14 16:13:10: XAUTH: pam authentication being called to authenticate user <<CLIENT 1>>
> Jun 14 16:13:11: XAUTH: User <<CLIENT 1>>: Authentication Successful
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH: xauth_inR1(STF_OK)
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute APPLICATION_VERSION received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute MODECFG_BANNER received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute MODECFG_DOMAIN received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_DO_PFS received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SAVE_PW received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_FW_TYPE received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
> Jun 14 16:13:11: | We are sending '<<DOMAIN>>' as domain
> Jun 14 16:13:11: | We are not sending a banner
> Jun 14 16:13:11: | We are sending our subnet as CISCO_SPLIT_INC
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: modecfg_inR0(STF_OK)
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: the peer proposed: 10.4.0.0/16:0/0 -> 10.4.254.129/32:0/0
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: responding to Quick Mode proposal {msgid:1ada84a1}
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2:     us: 10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2:   them: <<PUBLIC NAT IP>>[10.32.32.55,+MC+XC+S=C]===10.4.254.129/32
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:37467 DPD=active username=<<CLIENT 1>>}
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:37467 DPD=active username=<<CLIENT 1>>}
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: max number of retransmissions (8) reached STATE_MAIN_R2
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: deleting state #1 (STATE_MAIN_R2)
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>>: deleting connection "xauth-psk" instance with peer <<PUBLIC NAT IP>> {isakmp=#0/ipsec=#0}
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: responding to Main Mode from unknown peer <<PUBLIC NAT IP>>
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R2: sent MR2, expecting MI3
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Jun 14 16:13:29: | ISAKMP Notification Payload
> Jun 14 16:13:29: |   00 00 00 1c  00 00 00 01  01 10 60 02
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.76'
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: switched from "xauth-psk"[2] <<PUBLIC NAT IP>> to "xauth-psk"
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: new NAT mapping for #3, was <<PUBLIC NAT IP>>:57, now <<PUBLIC NAT IP>>:29518
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
> Jun 14 16:13:29: | event EVENT_v1_SEND_XAUTH #3 STATE_MAIN_R3
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH: Sending Username/Password request (XAUTH_R0)
> Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Attempting to login
> Jun 14 16:13:36: XAUTH: pam authentication being called to authenticate user <<CLIENT 2>>
> Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Authentication Successful
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH: xauth_inR1(STF_OK)
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute APPLICATION_VERSION received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute MODECFG_BANNER received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute MODECFG_DOMAIN received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_DO_PFS received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SAVE_PW received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_FW_TYPE received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
> Jun 14 16:13:36: | We are sending '<<DOMAIN>>' as domain
> Jun 14 16:13:36: | We are not sending a banner
> Jun 14 16:13:36: | We are sending our subnet as CISCO_SPLIT_INC
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: modecfg_inR0(STF_OK)
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: the peer proposed: 10.4.0.0/16:0/0 -> 10.4.254.130/32:0/0
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: responding to Quick Mode proposal {msgid:5a4c8ec3}
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4:     us: 10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4:   them: <<PUBLIC NAT IP>>[10.32.32.76,+MC+XC+S=C]===10.4.254.130/32
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:29518 DPD=active username=<<CLIENT 2>>}
> Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:29518 DPD=active username=<<CLIENT 2>>}
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

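An added example, not part of either message above and not Libreswan code, that does the correlation a reader of the quoted log has to do by hand: it parses pluto lines of the shapes shown in the post, ties each established IPsec SA back to its ISAKMP SA through the connection instance number pluto prints after "switched from", and reports which authenticated clients share one public address and which NAT-T source ports tell their ESP-in-UDP flows apart. The sample lines are constructed from the quoted excerpt, with 203.0.113.7 standing in for the redacted NAT address and alice/bob for the redacted usernames; the function names are mine.

```python
"""Correlate Libreswan (pluto) IKEv1/XAUTH log lines for clients that sit
behind one NAT address.  Added example: not code from the original post
or from Libreswan.  SAMPLE_LOG is constructed from the line shapes in the
post, with 203.0.113.7 in place of the redacted NAT address and
alice/bob in place of the redacted usernames."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun 14 16:13:10: "xauth-psk"[1] 203.0.113.7 #1: responding to Main Mode from unknown peer 203.0.113.7
Jun 14 16:13:10: "xauth-psk"[1] 203.0.113.7 #1: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.55'
Jun 14 16:13:10: "xauth-psk"[2] 203.0.113.7 #1: deleting connection "xauth-psk" instance with peer 203.0.113.7 {isakmp=#0/ipsec=#0}
Jun 14 16:13:10: "xauth-psk"[2] 203.0.113.7 #1: new NAT mapping for #1, was 203.0.113.7:118, now 203.0.113.7:37467
Jun 14 16:13:10: "xauth-psk"[2] 203.0.113.7 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
Jun 14 16:13:11: XAUTH: User alice: Authentication Successful
Jun 14 16:13:11: "xauth-psk"[2] 203.0.113.7 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.7:37467 DPD=active username=alice}
Jun 14 16:13:29: "xauth-psk"[2] 203.0.113.7 #3: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.76'
Jun 14 16:13:29: "xauth-psk"[3] 203.0.113.7 #3: new NAT mapping for #3, was 203.0.113.7:57, now 203.0.113.7:29518
Jun 14 16:13:36: XAUTH: User bob: Authentication Successful
Jun 14 16:13:37: "xauth-psk"[3] 203.0.113.7 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.7:29518 DPD=active username=bob}
"""

# Line shapes as printed by pluto in the post: prefix, then per-event message.
LINE = re.compile(r'^\w{3} +\d+ [\d:]+: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
                  r'(?P<peer>[\d.]+) #(?P<st>\d+): (?P<msg>.*)$')
PEER_ID = re.compile(r"Main mode peer ID is \w+: '(?P<id>[^']+)'")
NAT_MAP = re.compile(r'new NAT mapping for #\d+, was [\d.]+:\d+, now [\d.]+:(?P<port>\d+)')
SA_EST = re.compile(r'IPsec SA established .*ESP/NAT=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)'
                    r' .*NATD=(?P<natd>[\d.]+):(?P<port>\d+) .*username=(?P<user>[^}\s]+)')
DELETE = re.compile(r'deleting connection "[^"]+" instance with peer [\d.]+ '
                    r'\{isakmp=#(?P<isakmp>\d+)/ipsec=#(?P<ipsec>\d+)\}')


def parse_pluto_log(text):
    """Return (clients, deletions).  clients: one dict per established IPsec
    SA, joined to its ISAKMP SA via the connection instance number.
    deletions: instance deletions and whether the instance still owned SAs
    (isakmp=#0/ipsec=#0 means it owned none)."""
    ike = defaultdict(dict)   # ISAKMP state number -> peer_id, inst, nat_port
    sas, deletions = [], []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:               # XAUTH: lines and '|' debug lines carry no state prefix
            continue
        inst, st, msg = int(m['inst']), int(m['st']), m['msg']
        if (p := PEER_ID.search(msg)):
            ike[st]['peer_id'] = p['id']
        elif (n := NAT_MAP.search(msg)):
            # Logged on the post-switch instance, so it binds ISAKMP state -> instance.
            ike[st].update(inst=inst, nat_port=int(n['port']))
        elif 'ISAKMP SA established' in msg:
            ike[st].setdefault('inst', inst)   # peers not behind NAT never log a mapping
        elif (s := SA_EST.search(msg)):
            sas.append(dict(inst=inst, ipsec_state=st, peer_ip=s['natd'],
                            nat_port=int(s['port']), username=s['user'],
                            spi_out=s['out'], spi_in=s['in']))
        elif (d := DELETE.search(msg)):
            deletions.append(dict(inst=inst, had_sas=(d['isakmp'], d['ipsec']) != ('0', '0')))
    clients = []
    for sa in sas:
        ike_st = next((k for k, v in ike.items() if v.get('inst') == sa['inst']), None)
        clients.append({**sa, 'isakmp_state': ike_st,
                        'peer_id': ike.get(ike_st, {}).get('peer_id')})
    return clients, deletions


def clients_behind_same_nat(clients):
    """Group established clients by public (NAT) address and keep only the
    addresses carrying more than one client.  The distinct NAT-T ports are
    what lets the server tell the ESP-in-UDP flows of those clients apart."""
    by_ip = defaultdict(list)
    for c in clients:
        by_ip[c['peer_ip']].append(c)
    return {ip: dict(users=sorted(c['username'] for c in cs),
                     nat_ports=sorted({c['nat_port'] for c in cs}),
                     spis_out=sorted(c['spi_out'] for c in cs))
            for ip, cs in by_ip.items() if len(cs) > 1}


if __name__ == "__main__":
    found, gone = parse_pluto_log(SAMPLE_LOG)
    for ip, info in clients_behind_same_nat(found).items():
        print(f"{ip}: {len(info['users'])} clients behind one NAT, "
              f"users={info['users']} nat_ports={info['nat_ports']} spis={info['spis_out']}")
    for d in gone:
        print(f"instance [{d['inst']}] deleted, still owned SAs: {d['had_sas']}")
```

Point it at the real log (the posted config writes to /var/log/ipsec via plutostderrlog) instead of SAMPLE_LOG. When the report shows one address with two usernames, two different NAT-T ports and two outbound SPIs, pluto has negotiated two separate ESP-in-UDP flows it can distinguish by port, so the IKE side is not where the first client's traffic is being lost; the next thing to compare, before and after the second client connects, is whether the kernel still holds both clients' inbound and outbound states and policies (for netkey, ip xfrm state and ip xfrm policy), and whether the SNAT/policy-match rules in the posted iptables set still see the first client's decrypted packets.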