[Swan] libreswan/racoon interoperability problem with NAT-T

Xinwei Hong xhong at skytap.com
Thu Mar 30 20:20:56 UTC 2017


Hi,

I have a VPN set up between libreswan (pluto+netkey) and racoon
(racoon+netkey); the racoon side is behind a NAT device. The negotiation somehow
fails, saying "NAT-D payload #0 doesn't match".

On the libreswan side, I have this ipsec.conf:
config setup
        protostack=netkey
        plutodebug=all
        listen=10.2.128.240
        dumpdir=/var/run/pluto
conn conn_vvr-0-ipsectunnel-0
        authby=secret
        left=10.2.128.240
        right=10.2.128.241
        ike=3des-sha1;modp1024
        phase2alg=3des-sha1;modp1024
        ikelifetime=28800s
        salifetime=3600s
        dpddelay=15
        dpdtimeout=25
        dpdaction=hold
        leftsubnet=10.100.0.0/24
        rightsubnet=10.100.1.0/24
        type=tunnel
        auto=start

On the racoon side, we have this racoon.conf:
# Phase 1 (Main Mode) Configuration
remote 10.2.128.240 {
 exchange_mode main;
 proposal_check obey;
 lifetime time 28800 seconds;
 nat_traversal on;
 #script "phase1-up.sh" phase1_up;
 #script "phase1-down.sh" phase1_down;
 dpd_delay 15; dpd_retry 5; dpd_maxfail 5;
 proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  dh_group modp1024;
  authentication_method pre_shared_key;
 }
}

# Phase 2 (Quick Mode) Configuration/Proposal (for IPsec SA).
sainfo anonymous {
 encryption_algorithm 3des;
 authentication_algorithm hmac_sha1;
 pfs_group modp1024;
 lifetime time 3600 seconds;
 compression_algorithm deflate;
}

listen {
  isakmp 10.0.0.1[500];
  isakmp_natt 10.0.0.1[4500];
  strict_address;
}

All algorithms match, but the third negotiation packet has a problem.

Log message on racoon:

Mar 30 19:47:02 testhost-601-1 racoon: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.2.128.240[500]
Mar 30 19:47:02 testhost-601-1 racoon: INFO: begin Identity Protection mode.
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: DPD
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: FRAGMENTATION
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: RFC 3947
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 30 19:47:02 testhost-601-1 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 30 19:47:02 testhost-601-1 racoon: [10.2.128.240] INFO: Selected NAT-T version: RFC 3947
Mar 30 19:47:02 testhost-601-1 racoon: [10.0.0.1] INFO: Hashing 10.0.0.1[500] with algo #2
*Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT-D payload #0 doesn't match*
Mar 30 19:47:02 testhost-601-1 racoon: [10.2.128.240] INFO: Hashing 10.2.128.240[500] with algo #2
Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT-D payload #1 verified
Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT detected: ME
Mar 30 19:47:02 testhost-601-1 racoon: [10.2.128.240] INFO: Hashing 10.2.128.240[500] with algo #2
Mar 30 19:47:02 testhost-601-1 racoon: [10.0.0.1] INFO: Hashing 10.0.0.1[500] with algo #2
Mar 30 19:47:02 testhost-601-1 racoon: INFO: Adding remote and local NAT-D payloads.
Mar 30 19:47:02 testhost-601-1 racoon: INFO: NAT-T: ports changed to: 10.2.128.240[4500]<->10.0.0.1[4500]
Mar 30 19:47:02 testhost-601-1 racoon: INFO: KA list add: 10.0.0.1[4500]->10.2.128.240[4500]
*Mar 30 19:47:52 testhost-601-1 racoon: ERROR: phase1 negotiation failed due to time up. 80b77211a2f1ddba:141872152ca7772f*
Mar 30 19:47:52 testhost-601-1 racoon: INFO: KA remove: 10.0.0.1[4500]->10.2.128.240[4500]
Mar 30 19:47:58 testhost-601-1 racoon: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.2.128.240[500]
...

The log from the libreswan side is attached.

Can somebody help check whether anything is wrong? Is this scenario even
supported?


Thanks,
Xinwei
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.log
Type: application/octet-stream
Size: 227840 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20170330/27cc0cd3/attachment-0001.obj>
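The NAT-D check that racoon is logging above is the RFC 3947 NAT detection mechanism. The following is an added example that reproduces it; it is not code from the original post, from libreswan or from racoon. Per RFC 3947 section 3.2, each peer sends NAT-D payloads containing HASH(CKY-I | CKY-R | IP | Port), computed with the negotiated phase 1 hash (racoon's "algo #2" is the ISAKMP attribute value for SHA1): the first payload covers the destination address as the sender sees it, the remaining ones cover the sender's own address(es). The receiver compares the first payload against a hash of its own address and port; a mismatch, exactly like "NAT-D payload #0 doesn't match" in the log, is how a peer learns that it is itself behind a NAT, after which both sides switch to UDP port 4500. The ISAKMP cookies below are the pair printed in the racoon timeout line, 10.2.128.241 is the address libreswan has as right= and 10.0.0.1 is racoon's listen address; the example assumes port 500 on both ends and a single local address per side.

```python
"""NAT-D payload construction and verification as specified in RFC 3947.

Added example for the NAT-T exchange discussed in this thread; not code
from the original post, libreswan or racoon.  HASH = HASH(CKY-I | CKY-R |
IP | Port), with the IP address and port in network byte order.
"""
import hashlib
import ipaddress
import struct

# ISAKMP phase 1 hash attribute values (RFC 2409 appendix A): MD5=1, SHA=2.
# racoon's "Hashing ... with algo #2" therefore means SHA1.
HASH_ALGS = {1: "md5", 2: "sha1"}


def nat_d_hash(alg_id, cky_i, cky_r, ip, port):
    """Return HASH(CKY-I | CKY-R | IP | Port) for one address/port pair."""
    h = hashlib.new(HASH_ALGS[alg_id])
    h.update(cky_i)                           # 8-byte initiator cookie
    h.update(cky_r)                           # 8-byte responder cookie
    h.update(ipaddress.ip_address(ip).packed)  # 4 (v4) or 16 (v6) bytes
    h.update(struct.pack("!H", port))         # port, network byte order
    return h.digest()


def build_nat_d_payloads(alg_id, cky_i, cky_r, dst, local_addrs):
    """Sender side.  Payload #0 is the peer's address as this sender sees
    it (the packet destination); payloads #1.. are the sender's own
    address(es).  Each entry is an (ip, port) tuple."""
    return [nat_d_hash(alg_id, cky_i, cky_r, ip, port)
            for ip, port in [dst, *local_addrs]]


def verify_nat_d(alg_id, cky_i, cky_r, payloads, my_addr, peer_addr):
    """Receiver side.  Returns (me_behind_nat, peer_behind_nat).

    Payload #0 should equal the hash of my own address/port; if it does not,
    the packet reached me through a NAT that rewrote my address ("NAT
    detected: ME" in racoon's terms).  One of the remaining payloads should
    equal the hash of the source address/port I observed on the wire; if
    none does, the peer's source was rewritten, so the peer is behind a NAT.
    """
    me_behind_nat = payloads[0] != nat_d_hash(alg_id, cky_i, cky_r, *my_addr)
    observed_peer = nat_d_hash(alg_id, cky_i, cky_r, *peer_addr)
    peer_behind_nat = observed_peer not in payloads[1:]
    return me_behind_nat, peer_behind_nat


def replay_post_scenario():
    """Replay the exchange from the log: libreswan (10.2.128.240) initiates
    to right=10.2.128.241, which is really a NAT in front of racoon listening
    on 10.0.0.1.  Returns racoon's (me_behind_nat, peer_behind_nat) verdict."""
    # Cookies taken from the racoon log line
    # "phase1 negotiation failed due to time up. 80b77211a2f1ddba:141872152ca7772f"
    cky_i = bytes.fromhex("80b77211a2f1ddba")
    cky_r = bytes.fromhex("141872152ca7772f")
    sha1 = 2

    # Initiator (libreswan) hashes the destination it knows, then itself.
    # Port 500 and a single local address are assumptions for this example.
    initiator_payloads = build_nat_d_payloads(
        sha1, cky_i, cky_r,
        dst=("10.2.128.241", 500),
        local_addrs=[("10.2.128.240", 500)],
    )

    # Responder (racoon) hashes its real listen address 10.0.0.1:500 for
    # payload #0 and the observed source 10.2.128.240:500 for the rest.
    return verify_nat_d(
        sha1, cky_i, cky_r, initiator_payloads,
        my_addr=("10.0.0.1", 500),
        peer_addr=("10.2.128.240", 500),
    )


if __name__ == "__main__":
    me, peer = replay_post_scenario()
    print(f"NAT-D payload #0 {'does not match' if me else 'verified'}; "
          f"NAT detected: {'ME' if me else ''}{' PEER' if peer else ''}".rstrip())
```

Running this yields me_behind_nat=True and peer_behind_nat=False, the same verdict racoon printed ("NAT-D payload #0 doesn't match", "NAT-D payload #1 verified", "NAT detected: ME"), which means that part of the exchange is behaving as RFC 3947 intends; the later "ports changed to ... [4500]" line is the float to UDP 4500 that the detection triggers.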