[Swan] libreswan/racoon interoperability problem with NAT-T

Xinwei Hong xhong at skytap.com
Fri Apr 7 23:16:10 UTC 2017


Thank you Paul.

I just upgraded it to 3.20. I built libreswan without specifying any
parameter. I don't need KLIPS in my setting anyway. I also added
virtual-private=%v4:10.0.0.0/8. Still not working.
The NAT part, I'm not sure why you say that. I still see the same "no suitable
connection for peer '10.0.3.3'" error, but I believe it's found inside the
ISAKMP packets. I did tcpdump on both machines; the IP was NAT'ed, e.g. I only
see 10.0.3.3 on one side and 199.204.218.98 on the peer side.

I can upload new log if needed.

Thanks,
Xinwei



On Fri, Apr 7, 2017 at 1:57 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 7 Apr 2017, Xinwei Hong wrote:
>
>> Thank you Paul. I tried ikepad=no, it does not work. Meanwhile, I tried to
>> set up NAT-T between two machines running libreswan. It also failed, but
>> probably for a different reason.
>>
>> The log files are here:
>> https://www.dropbox.com/s/2381ktqrmshp57s/natt1.log?dl=0
>> https://www.dropbox.com/s/0uzx62mgwq2krgw/natt2.log?dl=0
>>
>
> Did you compile without KLIPS support? That broke NAT-T and was fixed in
> 3.19, while you are running 3.18.
>
>> configs:
>> one side is NAT'ed. 199.204.218.98 NAT to 10.0.3.3
>>
>> config setup
>>         protostack=netkey
>>         plutodebug=all
>>         listen=10.0.3.3
>> conn conn_natt
>>         authby=secret
>>         left=10.0.3.3
>>         right=199.204.217.159
>>         ike=3des-md5;modp1024
>>         phase2alg=3des-md5;modp1024
>>         ikelifetime=28800s
>>         salifetime=3600s
>>         leftsubnet=10.0.0.0/24
>>         rightsubnet=10.0.1.0/24
>>         type=tunnel
>>         auto=start
>>
>>
>> on the peer:
>> config setup
>>         protostack=netkey
>>         plutodebug=all
>>         listen=199.204.217.159
>>
>
> This is missing a virtual-private=%v4:10.0.0.0/8
>
>> conn conn_vpn-5483483-tunnel
>>         authby=secret
>>         left=199.204.217.159
>>         right=199.204.218.98
>>         ike=3des-md5;modp1024
>>         phase2alg=3des-md5;modp1024
>>         ikelifetime=28800s
>>         salifetime=3600s
>> conn conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24
>>         also=conn_vpn-5483483-tunnel
>>         leftsubnet=10.0.1.0/24
>>         rightsubnet=10.0.0.0/24
>>
>
> It's always a little tricky to build a subnet tunnel for the subnet you
> are on. It should work, but it's easy for some tuning to be missing.
>
>> Apr  7 12:14:07 xenial33 pluto[5964]: |    Notify Message Type:
>> INVALID_ID_INFORMATION (0x12)
>>
>
> The logs you posted show the original error being:
>
> Apr  7 19:14:07 vvr-10-69-244-11 pluto[24396]: vpn-5483483:
> "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: no
> suitable connection for peer '10.0.3.3'
>
> Looks like your 10.0.3.3 did not get NAT'ed to 199.204.218.98 and so the
> connection's right= IP value does not match the observed IP.
>
> Paul
>
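An added example, not the configs posted in this thread and not something the libreswan project supplies: a sketch of how the two ends above could be written so that the responder matches the NAT'ed peer on the IKE ID it actually sends (10.0.3.3, the value in the "no suitable connection for peer" error) while still expecting its packets from the NAT's public address. The addresses and subnets are the ones quoted in the thread; the connection names, the rightid= setting, the ikev2=no pin (racoon speaks IKEv1 only) and the ipsec.secrets lines are assumptions, and ike=3des-md5;modp1024 is kept only for parity with the thread, not as a recommendation.

```ini
# Added example, not the configs from the thread. Connection names, rightid=,
# ikev2=no and the secrets lines are assumptions; addresses are from the thread.

# ---- NAT'ed side: pluto binds 10.0.3.3, the NAT rewrites it to 199.204.218.98 ----
config setup
        protostack=netkey
        listen=10.0.3.3

conn natt-to-peer
        ikev2=no                      # pin IKEv1 when the far end is racoon (assumed)
        authby=secret
        left=10.0.3.3                 # the address pluto actually listens on
        leftsubnet=10.0.0.0/24        # leftid defaults to 10.0.3.3, which is what the peer sees as our ID
        right=199.204.217.159
        rightsubnet=10.0.1.0/24
        ike=3des-md5;modp1024         # kept from the thread only; weak by current standards
        phase2alg=3des-md5;modp1024
        ikelifetime=28800s
        salifetime=3600s
        type=tunnel
        auto=start                    # the NAT'ed side must initiate

# ---- public side 199.204.217.159: sees packets from 199.204.218.98 carrying ID 10.0.3.3 ----
config setup
        protostack=netkey
        listen=199.204.217.159
        virtual-private=%v4:10.0.0.0/8   # the line Paul asked for: permit RFC1918 subnets behind NAT

conn natt-from-peer
        ikev2=no
        authby=secret
        left=199.204.217.159
        leftsubnet=10.0.1.0/24
        right=199.204.218.98          # source address after NAT, as Paul noted it must be
        rightid=10.0.3.3              # assumed fix: the peer's ID is its pre-NAT address, not right=
        rightsubnet=10.0.0.0/24
        ike=3des-md5;modp1024
        phase2alg=3des-md5;modp1024
        ikelifetime=28800s
        salifetime=3600s
        type=tunnel
        auto=add                      # responder: load and wait, do not initiate toward the NAT
```

For PSK lookup libreswan keys ipsec.secrets on the addresses, so the matching (assumed) lines would be `10.0.3.3 199.204.217.159 : PSK "..."` on the NAT'ed host and `199.204.217.159 199.204.218.98 : PSK "..."` on the public host. After `ipsec restart` on both, `ipsec status` on the public side should list the conn with `199.204.218.98[10.0.3.3]` as the right end, and the pluto log should no longer report "no suitable connection for peer '10.0.3.3'"; if it still does, compare the ID in that message against rightid= before touching anything else.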