[Swan] same LAN IP on different router connect to the road warrior VPN
huajiguosy
huajiguosy at 163.com
Wed Jul 19 05:25:38 UTC 2017
hello,
I have a single road warrior successfully connecting to a Libreswan gateway and communicating securely with the subnet behind the gateway. That road warrior is behind a firewall that allows all outbound port traffic and uses NAT, so my road warrior has an IP address of 10.0.0.18. When another road warrior happens to be behind someone else's firewall and also happens to get 10.0.0.18, we get the following error: "route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route". Detailed logs are pasted below.
Looking forward to your reply. Thanks a lot.
# cat /etc/ipsec.conf
version 2.0
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.0.0/16,%v4:!172.18.0.0/16
    protostack=netkey
    nhelpers=0
    interfaces=%defaultroute
    uniqueids=no

conn shared
    left=%defaultroute
    leftid=188.166.132.41
    right=%any
    encapsulation=yes
    authby=secret
    pfs=no
    rekey=no
    keyingtries=5
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
    phase2alg=3des-sha1,aes-sha1,aes-sha2
    sha2-truncbug=yes

conn l2tp-psk
    auto=add
    leftprotoport=17/1701
    rightprotoport=17/%any
    type=transport
    phase2=esp
    also=shared

conn xauth-psk
    auto=add
    leftsubnet=0.0.0.0/0
    rightaddresspool=172.18.0.10-172.18.255.250
    modecfgdns1=8.8.8.8
    modecfgdns2=8.8.4.4
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=file
    ike-frag=yes
    ikev2=never
    cisco-unity=yes
    also=shared
# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.19 (netkey) on 4.4.70+
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
# uname -a
Linux ubuntu-1gb-01 4.4.0-83 #1 SMP Mon Jul 17 15:58:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Detailed logs:
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: responding to Main Mode from unknown peer 117.62.189.148
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: switched from "xauth-psk"[4871] 117.62.189.148 to "xauth-psk"
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: deleting connection "xauth-psk"[4871] 117.62.189.148 instance with peer 117.62.189.148 {isakmp=#0/ipsec=#0}
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: new NAT mapping for #7866, was 117.62.189.148:500, now 117.62.189.148:4500
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: XAUTH: Sending Username/Password request (XAUTH_R0)
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: discarding duplicate packet; already STATE_XAUTH_R0
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: XAUTH: xauth_inR1(STF_OK)
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MAIN_R3: sent MR3, ISAKMP SA established
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute APPLICATION_VERSION received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute MODECFG_BANNER received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute MODECFG_DOMAIN received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_DO_PFS received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SAVE_PW received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_FW_TYPE received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: modecfg_inR0(STF_OK)
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: the peer proposed: 0.0.0.0/0:0/0 -> 172.18.0.21/32:0/0
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: responding to Quick Mode proposal {msgid:5ae99982}
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: us: 0.0.0.0/0===128.199.157.10[MS+XS+S=C]
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: them: 117.62.189.148[10.0.0.18,+MC+XC+S=C]===172.18.0.21/32
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: deleting connection "xauth-psk"[2617] 122.96.85.17 instance with peer 122.96.85.17 {isakmp=#7859/ipsec=#7858}
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x0c0ed20e <0x40311fdc xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=117.62.189.148:4500 DPD=active username=pcM5VrKyZ5nFoMh0em9A8RjZHtAw9GMkFy8QzlDdMzUE5hwZsT99wXtygCyRvHF/VwAJMv/b6ygydCfsMMCXIDVJOMsa7y5PA/US/3pj+aU=}
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: Warning: XAUTH username changed from '' to ''
pluto[20462]: message repeated 2 times: [ "xauth-psk"[4873] 117.62.189.148 #7871: Warning: XAUTH username changed from '' to '']
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0c0ed20e <0x40311fdc xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=117.62.189.148:4500 DPD=active username=pcM5VrKyZ5nFoMh0em9A8RjZHtAw9GMkFy8QzlDdMzUE5hwZsT99wXtygCyRvHF/VwAJMv/b6ygydCfsMMCXIDVJOMsa7y5PA/US/3pj+aU=}
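The log above shows the mechanism behind the symptom: the Main Mode peer ID is the client's private, pre-NAT address (ID_IPV4_ADDR '10.0.0.18'), so two clients behind different NATs can present the same ID, and the second one's Quick Mode then evicts the first ("route to peer's client conflicts with ... releasing old connection"). The following script is an added example, not code from the poster or from Libreswan: it scans pluto log lines for peer-ID announcements and route-conflict evictions and reports any private ID that arrives from more than one public address. The sample lines are constructed for the example, modelled on the lines quoted in the post; the 122.96.85.17 and 203.0.113.7 lines are invented to show a collision and a non-colliding client.

```python
"""Flag road-warrior peer-ID collisions in Libreswan pluto log lines.

Added example, not the poster's code and not Libreswan's. It parses two kinds
of pluto lines: 'Main mode peer ID is ID_IPV4_ADDR' (the private address the
client announces as its ID) and "route to peer's client conflicts with"
(the eviction that follows a clash), then reports IDs seen from more than
one public peer address.
"""
import re
from collections import defaultdict

# Constructed sample lines modelled on the pluto output quoted in the post.
# Only the 117.62.189.148 lines mirror the post; the rest are invented.
SAMPLE_LOG = """\
pluto[20462]: "xauth-psk"[2617] 122.96.85.17 #7859: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
pluto[20462]: "xauth-psk"[2617] 122.96.85.17 #7858: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0a0b0c0d <0x01020304 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=122.96.85.17:4500 DPD=active}
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: deleting connection "xauth-psk"[2617] 122.96.85.17 instance with peer 122.96.85.17 {isakmp=#7859/ipsec=#7858}
pluto[20462]: "xauth-psk"[4880] 203.0.113.7 #7890: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.5'
"""

# "conn"[instance] public-peer #sa: Main mode peer ID is ID_IPV4_ADDR: 'private'
PEER_ID_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[0-9.]+) #(?P<sa>\d+): '
    r"Main mode peer ID is ID_IPV4_ADDR: '(?P<pid>[^']+)'"
)
# "conn"[new] new-peer #sa: route to peer's client conflicts with "conn"[old] old-peer
CONFLICT_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[0-9.]+) #(?P<sa>\d+): '
    r"route to peer's client conflicts with "
    r'"(?P<old_conn>[^"]+)"\[(?P<old_inst>\d+)\] (?P<old_peer>[0-9.]+)'
)


def parse_pluto_log(text):
    """Return (ids, evictions).

    ids:       {private_peer_id: {public_peer_address, ...}}
    evictions: [(evicting_public_peer, evicted_public_peer), ...]
    """
    ids = defaultdict(set)
    evictions = []
    for line in text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            ids[m.group("pid")].add(m.group("peer"))
            continue
        m = CONFLICT_RE.search(line)
        if m:
            evictions.append((m.group("peer"), m.group("old_peer")))
    return dict(ids), evictions


def id_collisions(ids):
    """Private IDs announced by more than one public peer (sorted for stable output)."""
    return {pid: sorted(peers) for pid, peers in ids.items() if len(peers) > 1}


def report(text):
    """Print a short summary and return (collisions, evictions) for further use."""
    ids, evictions = parse_pluto_log(text)
    collisions = id_collisions(ids)
    for pid, peers in collisions.items():
        print(f"peer ID {pid} presented by {len(peers)} public addresses: {', '.join(peers)}")
    for new, old in evictions:
        print(f"{new} evicted {old} (route to peer's client conflicted)")
    return collisions, evictions


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against `journalctl -u ipsec` or the pluto log to see whether evictions line up with duplicate private IDs; an eviction without a matching collision points at a different cause and deserves a closer look at the addresspool and routing state.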