[Swan] same LAN IP on different router connect to the road warrior VPN

Paul Wouters paul at nohats.ca
Thu Aug 10 18:28:37 UTC 2017


On Wed, 19 Jul 2017, huajiguosy wrote:

> I have a single Road Warrior successfully connecting to a Libreswan gateway and communicating with the subnet behind the gateway securely. That roadwarrior is behind a firewall
> allowing all outbound port traffic and using NAT, so my roadwarrior has an IP address of 10.0.0.18. When another roadwarrior happens to be behind someone else's firewall and happens to
> get 10.0.0.18 also, we get the following error: "route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route".
> Detailed logs are pasted below.

The easiest fix is to use rightaddresspool= on the server and give each
client a unique IP address.

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates

Ahh I see you already have that:

>   protostack=netkey
>   nhelpers=0
>   interfaces=%defaultroute
>   uniqueids=no

But you have uniqueids=no, which interferes. Upgrade to 3.20 or 3.21 and
do not set uniqueids=, as it handles this for PSK automatically as
of libreswan 3.20.

It might also help if you use a separate leftid= for the l2tp-psk and
the xauth-psk conns, so pluto can more quickly determine to switch to
the right connection.

Note that it might not fully fix your l2tp-psk conn running into this
issue and that logging of the connection name might not yet be accurate
when this happens. If that is the case, a workaround would be a second
IP on the server so that l2tp-psk and xauth-psk connect to a different
IP address.

Paul

> conn shared
>   left=%defaultroute
>   leftid=188.166.132.41
>   right=%any
>   encapsulation=yes
>   authby=secret
>   pfs=no
>   rekey=no
>   keyingtries=5
>   dpddelay=30
>   dpdtimeout=120
>   dpdaction=clear
>   ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
>   phase2alg=3des-sha1,aes-sha1,aes-sha2
>   sha2-truncbug=yes
> 
> conn l2tp-psk
>   auto=add
>   leftprotoport=17/1701
>   rightprotoport=17/%any
>   type=transport
>   phase2=esp
>   also=shared
> 
> conn xauth-psk
>   auto=add
>   leftsubnet=0.0.0.0/0
>   rightaddresspool=172.18.0.10-172.18.255.250
>   modecfgdns1=8.8.8.8
>   modecfgdns2=8.8.4.4
>   leftxauthserver=yes
>   rightxauthclient=yes
>   leftmodecfgserver=yes
>   rightmodecfgclient=yes
>   modecfgpull=yes
>   xauthby=file
>   ike-frag=yes
>   ikev2=never
>   cisco-unity=yes
>   also=shared
> 
> # ipsec verify
> Verifying installed system and configuration files
> 
> Version check and ipsec on-path                         [OK]
> Libreswan 3.19 (netkey) on 4.4.70+
> Checking for IPsec support in kernel                    [OK]
>  NETKEY: Testing XFRM related proc values
>          ICMP default/send_redirects                    [OK]
>          ICMP default/accept_redirects                  [OK]
>          XFRM larval drop                               [OK]
> Pluto ipsec.conf syntax                                 [OK]
> Two or more interfaces found, checking IP forwarding    [OK]
> Checking rp_filter                                      [OK]
> Checking that pluto is running                          [OK]
>  Pluto listening for IKE on udp 500                     [OK]
>  Pluto listening for IKE/NAT-T on udp 4500              [OK]
>  Pluto ipsec.secret syntax                              [OK]
> Checking 'ip' command                                   [OK]
> Checking 'iptables' command                             [OK]
> Checking 'prelink' command does not interfere with FIPS [OK]
> Checking for obsolete ipsec.conf options                [OK]
> 
> # uname  -a
> Linux ubuntu-1gb-01 4.4.0-83 #1 SMP Mon Jul 17 15:58:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
> 
> Detail logs:
> 
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: responding to Main Mode from unknown peer 117.62.189.148
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: STATE_MAIN_R1: sent MR1, expecting MI2
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: STATE_MAIN_R2: sent MR2, expecting MI3
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: switched from "xauth-psk"[4871] 117.62.189.148 to "xauth-psk"
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: deleting connection "xauth-psk"[4871] 117.62.189.148 instance with peer 117.62.189.148 {isakmp=#0/ipsec=#0}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: new NAT mapping for #7866, was 117.62.189.148:500, now 117.62.189.148:4500
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: XAUTH: Sending Username/Password request (XAUTH_R0)
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: discarding duplicate packet; already STATE_XAUTH_R0
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: XAUTH: xauth_inR1(STF_OK)
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute APPLICATION_VERSION received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute MODECFG_BANNER received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute MODECFG_DOMAIN received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_DO_PFS received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SAVE_PW received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_FW_TYPE received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: modecfg_inR0(STF_OK)
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: the peer proposed: 0.0.0.0/0:0/0 -> 172.18.0.21/32:0/0
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: responding to Quick Mode proposal {msgid:5ae99982}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871:     us: 0.0.0.0/0===128.199.157.10[MS+XS+S=C]
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871:   them: 117.62.189.148[10.0.0.18,+MC+XC+S=C]===172.18.0.21/32
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: deleting connection "xauth-psk"[2617] 122.96.85.17 instance with peer 122.96.85.17 {isakmp=#7859/ipsec=#7858}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x0c0ed20e <0x40311fdc
> xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=117.62.189.148:4500 DPD=active
> username=pcM5VrKyZ5nFoMh0em9A8RjZHtAw9GMkFy8QzlDdMzUE5hwZsT99wXtygCyRvHF/VwAJMv/b6ygydCfsMMCXIDVJOMsa7y5PA/US/3pj+aU=}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: Warning: XAUTH username changed from '' to ''
> pluto[20462]: message repeated 2 times: [ "xauth-psk"[4873] 117.62.189.148 #7871: Warning: XAUTH username changed from '' to '']
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0c0ed20e <0x40311fdc xfrm=AES_256-HMAC_SHA1 NATOA=none
> NATD=117.62.189.148:4500 DPD=active username=pcM5VrKyZ5nFoMh0em9A8RjZHtAw9GMkFy8QzlDdMzUE5hwZsT99wXtygCyRvHF/VwAJMv/b6ygydCfsMMCXIDVJOMsa7y5PA/US/3pj+aU=}
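The failure mode in the quoted log (two clients behind different NATs both presenting ID_IPV4_ADDR '10.0.0.18', after which the newer Quick Mode exchange evicts the older client's route) can be spotted in pluto logs before users start complaining. The script below is an added example written for this thread, not code from the original message or from the libreswan project. It parses the log line shape shown above, records which public addresses present each peer ID, and lists every "route to peer's client conflicts" eviction. The sample log is constructed: the two public addresses come from the quoted log, while 203.0.113.7 (documentation range) is an invented third client that also happens to sit behind a NAT handing out 10.0.0.18.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines quoted in this thread.
# 122.96.85.17 and 117.62.189.148 appear in the original log; 203.0.113.7
# is an invented third client with the same private address 10.0.0.18.
SAMPLE_LOG = """\
pluto[20462]: "xauth-psk"[2617] 122.96.85.17 #7859: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
pluto[20462]: "xauth-psk"[2617] 122.96.85.17 #7858: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x01 <0x02 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=122.96.85.17:4500 DPD=active}
pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route
pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: deleting connection "xauth-psk"[2617] 122.96.85.17 instance with peer 122.96.85.17 {isakmp=#7859/ipsec=#7858}
pluto[20462]: "xauth-psk"[4900] 203.0.113.7 #7880: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
pluto[20462]: "xauth-psk"[4900] 203.0.113.7 #7881: route to peer's client conflicts with "xauth-psk"[4873] 117.62.189.148 117.62.189.148; releasing old connection to free the route
"""

# "<conn>"[<instance>] <public peer> #<SA number>: <message>
LINE_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
PEER_ID_RE = re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '(?P<pid>[^']+)'")
CONFLICT_RE = re.compile(
    r'route to peer\'s client conflicts with "(?P<vconn>[^"]+)"\[(?P<vinst>\d+)\] (?P<victim>\S+)'
)


def parse_line(line):
    """Split one pluto line into conn, instance, public peer, SA number and message.
    Returns None for lines that do not carry a connection-instance prefix."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["inst"] = int(rec["inst"])
    rec["sa"] = int(rec["sa"])
    return rec


def analyze(log_text):
    """Return the peer IDs claimed from more than one public address, and the
    (new client, evicted client) pairs produced by route conflicts."""
    ids_to_peers = defaultdict(set)
    evictions = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = PEER_ID_RE.search(rec["msg"])
        if m:
            ids_to_peers[m.group("pid")].add(rec["peer"])
            continue
        m = CONFLICT_RE.search(rec["msg"])
        if m:
            evictions.append((rec["peer"], m.group("victim")))
    shared = {pid: peers for pid, peers in ids_to_peers.items() if len(peers) > 1}
    return {"shared_ids": shared, "evictions": evictions}


def report(result):
    """Render the analysis as human-readable lines, with the remediation from the thread."""
    lines = []
    for pid, peers in sorted(result["shared_ids"].items()):
        lines.append(f"peer ID {pid} presented by {len(peers)} public addresses: "
                     f"{', '.join(sorted(peers))}")
    for new_peer, victim in result["evictions"]:
        lines.append(f"client {new_peer} evicted established client {victim} (route conflict)")
    if result["shared_ids"]:
        lines.append("hint: clients behind different NATs share a private address; "
                     "drop uniqueids=no (libreswan >= 3.20) and keep rightaddresspool= "
                     "so each client gets a unique inner IP")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LOG))))
```

Feed it `journalctl -u ipsec` or the pluto syslog output in place of SAMPLE_LOG; a peer ID listed under more than one public address is the signature of the collision described in this thread, and each eviction line is one established client that was silently dropped.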

