[Swan] same LAN IP on different router connect to the road warrior VPN
Paul Wouters
paul at nohats.ca
Thu Aug 10 18:28:37 UTC 2017
On Wed, 19 Jul 2017, huajiguosy wrote:
> I have a single Road Warrior successfully connecting to a Libreswan gateway and communicating to the subnet behind the gateway securely. That roadwarrior is behind a firewall
> allowing all outbound port traffic and using NAT. So my roadwarrior has an IP address of 10.0.0.18. When another roadwarrior happens to be behind someone else's firewall and happens to
> get 10.0.0.18 also, we will get the following error: "route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route".
> Detailed logs are pasted below.
The easiest fix is to use rightaddresspool= on the server and give each
client a unique IP address.
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates
Ahh I see you already have that:
> protostack=netkey
> nhelpers=0
> interfaces=%defaultroute
> uniqueids=no
But you have uniqueids=no, which interferes. Upgrade to 3.20 or 3.21 and
do not set uniqueids=, as it is handled for PSK automatically as of
libreswan 3.20.
It might also help if you use a separate leftid= for the l2tp-psk and
the xauth-psk conns, so pluto can more quickly determine to switch to
the right connection.
Note that it might not fully fix your l2tp-psk conn running into this
issue and that logging of the connection name might not yet be accurate
when this happens. If that is the case, a workaround would be a second
IP on the server so that l2tp-psk and xauth-psk connect to a different
IP address.
Paul
> conn shared
> left=%defaultroute
> leftid=188.166.132.41
> right=%any
> encapsulation=yes
> authby=secret
> pfs=no
> rekey=no
> keyingtries=5
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
> ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
> phase2alg=3des-sha1,aes-sha1,aes-sha2
> sha2-truncbug=yes
>
> conn l2tp-psk
> auto=add
> leftprotoport=17/1701
> rightprotoport=17/%any
> type=transport
> phase2=esp
> also=shared
>
> conn xauth-psk
> auto=add
> leftsubnet=0.0.0.0/0
> rightaddresspool=172.18.0.10-172.18.255.250
> modecfgdns1=8.8.8.8
> modecfgdns2=8.8.4.4
> leftxauthserver=yes
> rightxauthclient=yes
> leftmodecfgserver=yes
> rightmodecfgclient=yes
> modecfgpull=yes
> xauthby=file
> ike-frag=yes
> ikev2=never
> cisco-unity=yes
> also=shared
>
> # ipsec verify
> Verifying installed system and configuration files
>
> Version check and ipsec on-path [OK]
> Libreswan 3.19 (netkey) on 4.4.70+
> Checking for IPsec support in kernel [OK]
> NETKEY: Testing XFRM related proc values
> ICMP default/send_redirects [OK]
> ICMP default/accept_redirects [OK]
> XFRM larval drop [OK]
> Pluto ipsec.conf syntax [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for IKE/NAT-T on udp 4500 [OK]
> Pluto ipsec.secret syntax [OK]
> Checking 'ip' command [OK]
> Checking 'iptables' command [OK]
> Checking 'prelink' command does not interfere with FIPS [OK]
> Checking for obsolete ipsec.conf options [OK]
>
> # uname -a
> Linux ubuntu-1gb-01 4.4.0-83 #1 SMP Mon Jul 17 15:58:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> Detailed logs:
>
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: responding to Main Mode from unknown peer 117.62.189.148
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: STATE_MAIN_R1: sent MR1, expecting MI2
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: STATE_MAIN_R2: sent MR2, expecting MI3
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: switched from "xauth-psk"[4871] 117.62.189.148 to "xauth-psk"
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: deleting connection "xauth-psk"[4871] 117.62.189.148 instance with peer 117.62.189.148 {isakmp=#0/ipsec=#0}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: new NAT mapping for #7866, was 117.62.189.148:500, now 117.62.189.148:4500
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: XAUTH: Sending Username/Password request (XAUTH_R0)
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: discarding duplicate packet; already STATE_XAUTH_R0
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: XAUTH: xauth_inR1(STF_OK)
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute APPLICATION_VERSION received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute MODECFG_BANNER received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute MODECFG_DOMAIN received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_DO_PFS received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SAVE_PW received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_FW_TYPE received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: modecfg_inR0(STF_OK)
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: the peer proposed: 0.0.0.0/0:0/0 -> 172.18.0.21/32:0/0
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: responding to Quick Mode proposal {msgid:5ae99982}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: us: 0.0.0.0/0===128.199.157.10[MS+XS+S=C]
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: them: 117.62.189.148[10.0.0.18,+MC+XC+S=C]===172.18.0.21/32
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: deleting connection "xauth-psk"[2617] 122.96.85.17 instance with peer 122.96.85.17 {isakmp=#7859/ipsec=#7858}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x0c0ed20e <0x40311fdc xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=117.62.189.148:4500 DPD=active username=pcM5VrKyZ5nFoMh0em9A8RjZHtAw9GMkFy8QzlDdMzUE5hwZsT99wXtygCyRvHF/VwAJMv/b6ygydCfsMMCXIDVJOMsa7y5PA/US/3pj+aU=}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: Warning: XAUTH username changed from '' to ''
> pluto[20462]: message repeated 2 times: [ "xauth-psk"[4873] 117.62.189.148 #7871: Warning: XAUTH username changed from '' to '']
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0c0ed20e <0x40311fdc xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=117.62.189.148:4500 DPD=active username=pcM5VrKyZ5nFoMh0em9A8RjZHtAw9GMkFy8QzlDdMzUE5hwZsT99wXtygCyRvHF/VwAJMv/b6ygydCfsMMCXIDVJOMsa7y5PA/US/3pj+aU=}
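As an added example (not part of the thread or of libreswan), a small Python parser over pluto log lines in the format quoted above: it maps each IKEv1 Main Mode peer ID to the public addresses that presented it and pairs that with the "route to peer's client conflicts" evictions, so an operator can confirm from the server log that a live client was torn down only because a newcomer behind a different NAT shares its private address. The sample lines are constructed from the thread's format; the first one (peer 122.96.85.17 also presenting 10.0.0.18) is assumed, since the thread only shows the second client's ID.

```python
import re
from collections import defaultdict

# Constructed sample in the pluto log format quoted in the thread. The first
# line is assumed: the thread only shows the second NATed client presenting
# 10.0.0.18, but the poster says the earlier client had that address too.
SAMPLE_LOG = """\
pluto[20462]: "xauth-psk"[2617] 122.96.85.17 #7859: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route
"""

# "conn"[instance] <public-ip> #<sa>: Main mode peer ID is ID_IPV4_ADDR: '<id>'
PEER_ID_RE = re.compile(
    r"\"[^\"]+\"\[\d+\] (?P<pub>\S+) #\d+: "
    r"Main mode peer ID is ID_IPV4_ADDR: '(?P<id>[^']+)'")
# ... route to peer's client conflicts with "conn"[inst] <old-pub> <old-pub>; releasing ...
CONFLICT_RE = re.compile(
    r"\"[^\"]+\"\[\d+\] (?P<pub>\S+) #\d+: route to peer's client conflicts with "
    r"\"[^\"]+\"\[\d+\] (?P<old_pub>\S+) \S+; releasing old connection")

def shared_peer_ids(log_text):
    """Main Mode IDs presented by more than one public address -> sorted addresses."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            seen[m["id"]].add(m["pub"])
    return {pid: sorted(pubs) for pid, pubs in seen.items() if len(pubs) > 1}

def evictions(log_text):
    """(new_public_ip, evicted_public_ip) pairs taken from route-conflict lines."""
    return [(m["pub"], m["old_pub"])
            for m in map(CONFLICT_RE.search, log_text.splitlines()) if m]

def analyse(log_text):
    """Flag the thread's symptom: an eviction in which both public addresses
    presented the same Main Mode ID (two NATed clients sharing a private IP)."""
    shared = shared_peer_ids(log_text)
    evicted = evictions(log_text)
    return {"shared_ids": shared, "evictions": evicted,
            "duplicate_id_evictions": [e for e in evicted
                                       if any(set(e) <= set(p) for p in shared.values())]}

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Point it at a real pluto log (for example the output of journalctl for the pluto unit) to see which public peers are colliding on the same inner address; an empty duplicate_id_evictions list with non-empty evictions points at a different cause.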