[Swan] libreswan/racoon interoperability problem with NAT-T

Paul Wouters paul at nohats.ca
Fri Apr 7 20:57:51 UTC 2017


On Fri, 7 Apr 2017, Xinwei Hong wrote:

> Thank you Paul. I tried ikepad=no, it does not work. Meanwhile, I tried to set up natt between two machines running libreswan. It also failed, but probably for different reason.
> 
> The log files are here:
> https://www.dropbox.com/s/2381ktqrmshp57s/natt1.log?dl=0
> https://www.dropbox.com/s/0uzx62mgwq2krgw/natt2.log?dl=0

Did you compile without KLIPS support? That broke NAT-T and was fixed in
3.19, while you are running 3.18.

> configs:
> one side is nat'ed. 199.204.218.98 nat to 10.0.3.3
> 
> config setup
>         protostack=netkey
>         plutodebug=all
>         listen=10.0.3.3
> conn conn_natt
>         authby=secret
>         left=10.0.3.3
>         right=199.204.217.159
>         ike=3des-md5;modp1024
>         phase2alg=3des-md5;modp1024
>         ikelifetime=28800s
>         salifetime=3600s
>         leftsubnet=10.0.0.0/24
>         rightsubnet=10.0.1.0/24
>         type=tunnel
>         auto=start
> 
> 
> on the peer:
> config setup
>         protostack=netkey
>         plutodebug=all
>         listen=199.204.217.159

This is missing a virtual-private=%v4:10.0.0.0/8

> conn conn_vpn-5483483-tunnel
>         authby=secret
>         left=199.204.217.159
>         right=199.204.218.98
>         ike=3des-md5;modp1024
>         phase2alg=3des-md5;modp1024
>         ikelifetime=28800s
>         salifetime=3600s
> conn conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24
>         also=conn_vpn-5483483-tunnel
>         leftsubnet=10.0.1.0/24
>         rightsubnet=10.0.0.0/24

It's always a little tricky to build a subnet tunnel for the subnet you
are. It should work but it's easy for some tuning to be missing.

> Apr  7 12:14:07 xenial33 pluto[5964]: |    Notify Message Type: INVALID_ID_INFORMATION (0x12)

The logs you posted show the original error being:

Apr  7 19:14:07 vvr-10-69-244-11 pluto[24396]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: no suitable connection for peer '10.0.3.3'

Looks like your 10.0.3.3 did not get NAT'ed to 199.204.218.98 and so the
connection's right= IP value does not match the observed IP.

Paul
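As an added illustration of the diagnosis above (example code, not from the thread or from libreswan): a small Python checker that parses an ipsec.conf fragment and relates the "no suitable connection for peer" log line to a right= mismatch and a missing virtual-private. The conf and log samples are constructed from the thread; one-level also= inheritance is a simplifying assumption.

```python
import ipaddress
import re

# Constructed sample input: the non-NATed peer's config and the pluto log line
# quoted in the thread (trimmed to what the checker needs).
SAMPLE_CONF = """
config setup
        protostack=netkey
        listen=199.204.217.159
conn conn_vpn-5483483-tunnel
        authby=secret
        left=199.204.217.159
        right=199.204.218.98
conn conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24
        also=conn_vpn-5483483-tunnel
        leftsubnet=10.0.1.0/24
        rightsubnet=10.0.0.0/24
"""
SAMPLE_LOG = ('pluto[24396]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-'
              "tunnel-10.0.0.0/24\" #2: no suitable connection for peer '10.0.3.3'")

def parse_ipsec_conf(text):
    """Return ({setup keys}, {conn name: keys}); also= copies the named conn's keys."""
    setup, conns, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config setup"):
            current = setup
        elif line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "also":
                current.update(conns.get(value, {}))  # assumption: one-level also= only
            else:
                current[key] = value
    return setup, conns

def diagnose(conf_text, log_line):
    """Map the 'no suitable connection for peer' error to config mismatches."""
    m = re.search(r"no suitable connection for peer '([^']+)'", log_line)
    if not m:
        return []
    peer = ipaddress.ip_address(m.group(1))
    setup, conns = parse_ipsec_conf(conf_text)
    findings = []
    if not any(c.get("right") in (str(peer), "%any") for c in conns.values()):
        rights = sorted({c.get("right", "?") for c in conns.values()})
        findings.append(f"peer {peer} matches no right= value {rights}; expected the NAT'ed address")
    if peer.is_private and "virtual-private" not in setup:
        findings.append("config setup lacks virtual-private covering private peer addresses")
    return findings
```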

