[Swan] libreswan/racoon interoperability problem with NAT-T
Xinwei Hong
xhong at skytap.com
Thu Mar 30 20:20:56 UTC 2017
Hi,
I have a VPN setup between libreswan (pluto+netkey) and racoon (racoon+netkey); the racoon side is behind a NAT device. The negotiation somehow failed, saying "NAT-D payload #0 doesn't match".
On the libreswan side, I have ipsec.conf:

config setup
    protostack=netkey
    plutodebug=all
    listen=10.2.128.240
    dumpdir=/var/run/pluto

conn conn_vvr-0-ipsectunnel-0
    authby=secret
    left=10.2.128.240
    right=10.2.128.241
    ike=3des-sha1;modp1024
    phase2alg=3des-sha1;modp1024
    ikelifetime=28800s
    salifetime=3600s
    dpddelay=15
    dpdtimeout=25
    dpdaction=hold
    leftsubnet=10.100.0.0/24
    rightsubnet=10.100.1.0/24
    type=tunnel
    auto=start
On racoon, we have racoon.conf:

# Phase 1 (Main Mode) Configuration
remote 10.2.128.240 {
    exchange_mode main;
    proposal_check obey;
    lifetime time 28800 seconds;
    nat_traversal on;
    #script "phase1-up.sh" phase1_up;
    #script "phase1-down.sh" phase1_down;
    dpd_delay 15; dpd_retry 5; dpd_maxfail 5;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group modp1024;
        authentication_method pre_shared_key;
    }
}

# Phase 2 (Quick Mode) Configuration/Proposal (for IPsec SA).
sainfo anonymous {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    pfs_group modp1024;
    lifetime time 3600 seconds;
    compression_algorithm deflate;
}

listen {
    isakmp 10.0.0.1[500];
    isakmp_natt 10.0.0.1[4500];
    strict_address;
}
The algorithms all match, but the third negotiation packet has a problem. Log messages on racoon:
Mar 30 19:47:02 testhost-601-1 racoon: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.2.128.240[500]
Mar 30 19:47:02 testhost-601-1 racoon: INFO: begin Identity Protection mode.
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: DPD
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: FRAGMENTATION
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: RFC 3947
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 30 19:47:02 testhost-601-1 racoon: [10.2.128.240] INFO: Selected NAT-T version: RFC 3947
Mar 30 19:47:02 testhost-601-1 racoon: [10.0.0.1] INFO: Hashing 10.0.0.1[500] with algo #2
*Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT-D payload #0 doesn't match*
Mar 30 19:47:02 testhost-601-1 racoon: [10.2.128.240] INFO: Hashing 10.2.128.240[500] with algo #2
Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT-D payload #1 verified
Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT detected: ME
Mar 30 19:47:02 testhost-601-1 racoon: [10.2.128.240] INFO: Hashing 10.2.128.240[500] with algo #2
Mar 30 19:47:02 testhost-601-1 racoon: [10.0.0.1] INFO: Hashing 10.0.0.1[500] with algo #2
Mar 30 19:47:02 testhost-601-1 racoon: INFO: Adding remote and local NAT-D payloads.
Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT-T: ports changed to: 10.2.128.240[4500]<->10.0.0.1[4500]
Mar 30 19:47:02 testhost-601-1 racoon: INFO: KA list add: 10.0.0.1[4500]->10.2.128.240[4500]
*Mar 30 19:47:52 testhost-601-1 racoon: ERROR: phase1 negotiation failed due to time up. 80b77211a2f1ddba:141872152ca7772f*
Mar 30 19:47:52 testhost-601-1 racoon: INFO: KA remove: 10.0.0.1[4500]->10.2.128.240[4500]
Mar 30 19:47:58 testhost-601-1 racoon: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.2.128.240[500]
...
...
The log on the libreswan side is attached.
Can somebody help check if anything is wrong? Is this scenario even
supported?
Thanks,
Xinwei
Attachment: ipsec.log (application/octet-stream, 227840 bytes)
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20170330/27cc0cd3/attachment-0001.obj>
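Editor's note, not part of the original post: the "NAT-D payload #0 doesn't match" line that the post flags is the mechanism by which RFC 3947 detects a NAT, not a failure by itself. Each NAT-D payload is HASH(CKY-I | CKY-R | IP | Port) over the negotiated phase 1 hash (racoon's "algo #2" is the IKE attribute value for SHA1); the initiator sends one for the address it is sending to, then one per address it sends from. A responder behind NAT hashes its own private address, so payload #0 (computed by the initiator over the NAT's outside address) cannot match, while payload #1 (the initiator's own address) does, which is exactly what racoon logs before "NAT detected: ME". The example below is added code, not libreswan or racoon code; it reuses the cookie pair and addresses from the post and assumes that libreswan's right=10.2.128.241 is the NAT's outside address (the post does not say so explicitly). It does not model the later phase 1 timeout after the switch to UDP/4500.

```python
import hashlib
import ipaddress
import struct

# Phase 1 cookies taken from the racoon log line
# "phase1 negotiation failed due to time up. 80b77211a2f1ddba:141872152ca7772f"
CKY_I = bytes.fromhex("80b77211a2f1ddba")
CKY_R = bytes.fromhex("141872152ca7772f")

# IKEv1 hash attribute values; racoon's "algo #2" is SHA1
HASH_ALGS = {1: "md5", 2: "sha1"}


def nat_d_hash(cky_i, cky_r, ip, port, alg=2):
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port), all in network byte order."""
    addr = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + addr + struct.pack("!H", port)
    return hashlib.new(HASH_ALGS[alg], data).digest()


def build_nat_d_payloads(cky_i, cky_r, remote, local_candidates, alg=2):
    """Initiator side: payload #0 is the peer address we send to, then one
    payload per local address we may be sending from."""
    payloads = [nat_d_hash(cky_i, cky_r, remote[0], remote[1], alg)]
    payloads += [nat_d_hash(cky_i, cky_r, ip, port, alg) for ip, port in local_candidates]
    return payloads


def check_nat_d_payloads(cky_i, cky_r, payloads, my_addr, peer_addr, alg=2):
    """Responder side, mirroring racoon's log: payload #0 is compared against
    our own address (mismatch => we are behind NAT), later payloads against
    the source address we received the packet from (no match => peer is NATed)."""
    me_ok = payloads[0] == nat_d_hash(cky_i, cky_r, my_addr[0], my_addr[1], alg)
    peer_hash = nat_d_hash(cky_i, cky_r, peer_addr[0], peer_addr[1], alg)
    peer_ok = any(p == peer_hash for p in payloads[1:])
    nat = []
    if not me_ok:
        nat.append("ME")
    if not peer_ok:
        nat.append("PEER")
    return {"payload0_match": me_ok, "peer_match": peer_ok, "nat": nat}


def scenario_from_post():
    """Reproduce the racoon log. libreswan (initiator, 10.2.128.240) addresses
    right=10.2.128.241, assumed here to be the NAT's outside address; racoon
    (responder) listens on its private 10.0.0.1 and sees the packet arrive
    from 10.2.128.240 unchanged."""
    initiator = ("10.2.128.240", 500)
    nat_outside = ("10.2.128.241", 500)  # assumption, see lead-in
    payloads = build_nat_d_payloads(CKY_I, CKY_R, nat_outside, [initiator])
    return check_nat_d_payloads(CKY_I, CKY_R, payloads, ("10.0.0.1", 500), initiator)


def scenario_no_nat():
    """Control case: both peers see the same addresses, so every payload verifies."""
    initiator = ("10.2.128.240", 500)
    responder = ("10.2.128.241", 500)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, responder, [initiator])
    return check_nat_d_payloads(CKY_I, CKY_R, payloads, responder, initiator)


if __name__ == "__main__":
    print("racoon behind NAT:", scenario_from_post())
    print("no NAT:           ", scenario_no_nat())
```

In the post's scenario the function returns payload0_match False, peer_match True and nat ["ME"], the same sequence racoon logs. Since NAT detection itself succeeded, the thing to look at for the "time up" error is what happens after "NAT-T: ports changed to ... [4500]": whether the NAT device actually forwards UDP/4500 in both directions and whether the attached libreswan log shows its side moving to 4500 as well.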