[Swan] same LAN IP on different router connect to the road warrior VPN

huajiguosy huajiguosy at 163.com
Wed Jul 19 05:25:38 UTC 2017


hello, 


I have a single Road Warrior successfully connecting to a Libreswan gateway and communicating with the subnet behind the gateway securely. That roadwarrior is behind a firewall allowing all outbound port traffic and using NAT, so my roadwarrior has an IP address of 10.0.0.18. When another roadwarrior happens to be behind someone else's firewall and also happens to get 10.0.0.18, we get the following error: "route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route". Detailed logs are pasted below.


Looking forward to your reply. Thanks a lot.




# cat /etc/ipsec.conf
version 2.0


config setup
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.0.0/16,%v4:!172.18.0.0/16
  protostack=netkey
  nhelpers=0
  interfaces=%defaultroute
  uniqueids=no


conn shared
  left=%defaultroute
  leftid=188.166.132.41
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
  phase2alg=3des-sha1,aes-sha1,aes-sha2
  sha2-truncbug=yes


conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared


conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=172.18.0.10-172.18.255.250
  modecfgdns1=8.8.8.8
  modecfgdns2=8.8.4.4
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  ike-frag=yes
  ikev2=never
  cisco-unity=yes
  also=shared


# ipsec verify
Verifying installed system and configuration files


Version check and ipsec on-path                         [OK]
Libreswan 3.19 (netkey) on 4.4.70+
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]


# uname  -a
Linux ubuntu-1gb-01 4.4.0-83 #1 SMP Mon Jul 17 15:58:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


Detailed logs:


pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: responding to Main Mode from unknown peer 117.62.189.148
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: switched from "xauth-psk"[4871] 117.62.189.148 to "xauth-psk"
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: deleting connection "xauth-psk"[4871] 117.62.189.148 instance with peer 117.62.189.148 {isakmp=#0/ipsec=#0}
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: new NAT mapping for #7866, was 117.62.189.148:500, now 117.62.189.148:4500
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: XAUTH: Sending Username/Password request (XAUTH_R0)
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: discarding duplicate packet; already STATE_XAUTH_R0
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: XAUTH: xauth_inR1(STF_OK)
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MAIN_R3: sent MR3, ISAKMP SA established
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute APPLICATION_VERSION received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute MODECFG_BANNER received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute MODECFG_DOMAIN received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_DO_PFS received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SAVE_PW received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_FW_TYPE received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: modecfg_inR0(STF_OK)
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: the peer proposed: 0.0.0.0/0:0/0 -> 172.18.0.21/32:0/0
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: responding to Quick Mode proposal {msgid:5ae99982}
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871:     us: 0.0.0.0/0===128.199.157.10[MS+XS+S=C]
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871:   them: 117.62.189.148[10.0.0.18,+MC+XC+S=C]===172.18.0.21/32
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: deleting connection "xauth-psk"[2617] 122.96.85.17 instance with peer 122.96.85.17 {isakmp=#7859/ipsec=#7858}
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x0c0ed20e <0x40311fdc xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=117.62.189.148:4500 DPD=active username=pcM5VrKyZ5nFoMh0em9A8RjZHtAw9GMkFy8QzlDdMzUE5hwZsT99wXtygCyRvHF/VwAJMv/b6ygydCfsMMCXIDVJOMsa7y5PA/US/3pj+aU=}
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: Warning: XAUTH username changed from '' to ''
pluto[20462]: message repeated 2 times: [ "xauth-psk"[4873] 117.62.189.148 #7871: Warning: XAUTH username changed from '' to '']
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0c0ed20e <0x40311fdc xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=117.62.189.148:4500 DPD=active username=pcM5VrKyZ5nFoMh0em9A8RjZHtAw9GMkFy8QzlDdMzUE5hwZsT99wXtygCyRvHF/VwAJMv/b6ygydCfsMMCXIDVJOMsa7y5PA/US/3pj+aU=}
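Added example, not part of the original post: a small Python script that reads pluto log lines like the ones above, records the Main Mode peer ID announced from each public IP, and flags every "route to peer's client conflicts" eviction together with whether the evicting and evicted peers had presented the same ID. The sample log is constructed; it assumes the earlier peer 122.96.85.17 also announced ID 10.0.0.18, which the post describes but whose log lines are not quoted.

```python
"""Spot road-warrior evictions caused by duplicate peer IDs in pluto logs."""
import re
from collections import defaultdict

# Constructed sample modelled on the post's log; assumes the earlier peer
# (122.96.85.17) had announced the same ID 10.0.0.18 when it connected.
SAMPLE_LOG = """\
pluto[20462]: "xauth-psk"[2617] 122.96.85.17 #7855: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: switched from "xauth-psk"[4871] 117.62.189.148 to "xauth-psk"
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: deleting connection "xauth-psk"[2617] 122.96.85.17 instance with peer 122.96.85.17 {isakmp=#7859/ipsec=#7858}
"""

# pluto prefixes each line with: "conn"[instance] peer-ip #sa: message
PREFIX = re.compile(r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #\d+: (?P<msg>.*)')
PEER_ID = re.compile(r"Main mode peer ID is \w+: '(?P<id>[^']*)'")
CONFLICT = re.compile(r"route to peer's client conflicts with \"[^\"]+\"\[\d+\] (?P<old_peer>\S+)")


def parse(lines):
    """Yield (peer_ip, message) for every line carrying the pluto prefix."""
    for line in lines:
        m = PREFIX.search(line)
        if m:
            yield m.group("peer"), m.group("msg")


def find_conflicts(lines):
    """One record per 'route conflicts' eviction, with both peers' announced IDs.

    Peers are keyed by public IP, not instance number: the instance changes
    after 'switched from' (4871 -> 4873 above) while the IP stays stable.
    """
    id_by_peer, events = {}, []
    for peer, msg in parse(lines):
        if pid := PEER_ID.search(msg):
            id_by_peer[peer] = pid.group("id")
        elif c := CONFLICT.search(msg):
            new_id, old_id = id_by_peer.get(peer), id_by_peer.get(c.group("old_peer"))
            events.append({"new_peer": peer, "old_peer": c.group("old_peer"),
                           "new_id": new_id, "old_id": old_id,
                           "same_id": new_id is not None and new_id == old_id})
    return events


def duplicate_ids(lines):
    """Map each peer ID announced from more than one public IP to those IPs."""
    seen = defaultdict(set)
    for peer, msg in parse(lines):
        if pid := PEER_ID.search(msg):
            seen[pid.group("id")].add(peer)
    return {i: sorted(p) for i, p in seen.items() if len(p) > 1}
```

Run it over a real `journalctl -u ipsec` or syslog extract; an eviction whose `same_id` is true points at two remote peers that identified themselves with the same private address rather than at a routing problem on the gateway.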