[Swan] Roadwarriors Setup With Routing

Nirvana nirvana21 at gmail.com
Wed Oct 25 12:30:55 UTC 2017


This is the first time I have used Libreswan, so if I misunderstand anything,
please let me know. I am attempting to set up something similar to a
roadwarriors configuration. It looks like this:

mobile client <-----> NAT (dynamic IP) <-------- Internet --------> (static
IP) NAT <---------> server <--------> internal gateway <--------> internal
networks

My goal is to have the mobile client be able to communicate with the
multiple internal networks by utilizing static routes. So far I have only
been successful getting the client to be able to talk to one internal
network at a time. I haven't had any authentication issues.

I have been configuring Libreswan using a combination of two samples to
utilize VTIs. In particular I have been referencing a Libreswan wiki (
https://libreswan.org/wiki/Route-based_VPN_using_VTI) and a RHEL
roadwarriors sample (
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks#Road_Warrior_Application_Using_Libreswan).
I am attempting to do this on CentOS 7.4 for both client and server with
libreswan-3.20-3.el7.x86_64 and iproute-3.10.0-87.el7.x86_64. Also worth
mentioning is that I am attempting to get this configuration working with
both SELinux enforcing and FIPS mode enabled.

Here is the configuration I have:

Server:
conn roadwarriors2
        ikev2=insist
        fragmentation=yes
        left=192.168.9.11
        leftsubnets={192.168.2.0/24 192.168.3.0/24 192.168.9.0/24}
        leftcert=server
        leftid=external_static_ip #real IP removed
        leftxauthserver=yes
        leftmodecfgserver=yes
        right=%any
        rightca=%same
        rightaddresspool=192.168.9.12-192.168.9.14
        rightsubnet=192.168.9.0/24
        modecfgdns1=192.168.2.15
        rightxauthclient=yes
        rightmodecfgclient=yes
        authby=rsasig
        auto=add
        dpddelay=30
        dpdtimeout=120
        mark=12/0xffffffff
        leftvti=192.168.9.11/24
        vti-interface=vti9
        vti-routing=yes
        vti-shared=no

Client:
conn to-vpn-server2
       ikev2=insist
       left=%defaultroute
       leftcert=client
       leftid=%fromcert
       leftmodecfgclient=yes
       right=domain.tld #where domain.tld resolves to the external_static_IP above
       rightsubnet=0.0.0.0/0
       rightca=%same
       authby=rsasig
       narrowing=yes
       auto=start
       mark=5/0xffffffff
       vti-interface=vti9
       vti-routing=yes
       vti-shared=no


I have been adding static routes on the client after the VPN is made (e.g.
ip route add 192.168.3.0/24 dev vti9). It appears to be the case that
whatever network is listed first under the leftsubnets directive on the server
is the only network the client can communicate with. Furthermore, if I sniff
the traffic on the client's VTI interface, I don't see any pings when I
attempt to ping a host on one of the other networks listed later in the
leftsubnets directive, which suggests to me that I have misconfigured
Libreswan, which in turn is not allowing that traffic to traverse the VPN.

Sorry if this is too verbose but here are the logs with some of the
addresses/identifiers obfuscated.

Server logs:
Oct 25 07:57:46 server pluto[14961]: FIPS Product: YES
Oct 25 07:57:46 server pluto[14961]: FIPS Kernel: YES
Oct 25 07:57:46 server pluto[14961]: FIPS Mode: YES
Oct 25 07:57:46 server pluto[14961]: NSS DB directory: sql:/etc/ipsec.d
Oct 25 07:57:46 server pluto[14961]: Initializing NSS
Oct 25 07:57:46 server pluto[14961]: Opening NSS database
"sql:/etc/ipsec.d" read-only
Oct 25 07:57:46 server pluto[14961]: NSS initialized
Oct 25 07:57:46 server pluto[14961]: NSS crypto library initialized
Oct 25 07:57:46 server pluto[14961]: FIPS HMAC integrity support [enabled]
Oct 25 07:57:46 server pluto[14961]: FIPS mode enabled for pluto daemon
Oct 25 07:57:46 server pluto[14961]: NSS library is running in FIPS mode
Oct 25 07:57:46 server pluto[14961]: FIPS HMAC integrity verification
self-test passed
Oct 25 07:57:46 server pluto[14961]: libcap-ng support [enabled]
Oct 25 07:57:46 server pluto[14961]: Linux audit support [enabled]
Oct 25 07:57:46 server pluto[14961]: Linux audit activated
Oct 25 07:57:46 server pluto[14961]: Starting Pluto (Libreswan Version 3.20
XFRM(netkey) KLIPS USE_FORK USE_PTHREAD_SETSCHEDPRIO NSS
USE_SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT
XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:14961
Oct 25 07:57:46 server pluto[14961]: core dump dir: /var/run/pluto/
Oct 25 07:57:46 server pluto[14961]: secrets file: /etc/ipsec.secrets
Oct 25 07:57:46 server pluto[14961]: leak-detective enabled
Oct 25 07:57:46 server pluto[14961]: NSS crypto [enabled]
Oct 25 07:57:46 server pluto[14961]: XAUTH PAM support [enabled]
Oct 25 07:57:46 server pluto[14961]: NAT-Traversal support  [enabled]
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm camellia_ctr:
DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm camellia: DISABLED;
not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm serpent: DISABLED;
not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm twofish: DISABLED;
not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm twofish_ssh:
DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm cast: DISABLED; not
FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm null: DISABLED; not
FIPS compliant
Oct 25 07:57:46 server pluto[14961]: HASH algorithm md5: DISABLED; not FIPS
compliant
Oct 25 07:57:46 server pluto[14961]: PRF algorithm md5: DISABLED; not FIPS
compliant
Oct 25 07:57:46 server pluto[14961]: INTEG algorithm md5: DISABLED; not
FIPS compliant
Oct 25 07:57:46 server pluto[14961]: INTEG algorithm ripemd: DISABLED; not
FIPS compliant
Oct 25 07:57:46 server pluto[14961]: DH algorithm MODP1024: DISABLED; not
FIPS compliant
Oct 25 07:57:46 server pluto[14961]: DH algorithm MODP1536: DISABLED; not
FIPS compliant
Oct 25 07:57:46 server pluto[14961]: DH algorithm DH22: DISABLED; not FIPS
compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_ccm_16:    IKEv1:
ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm aes_ccm_c)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_ccm_12:    IKEv1:
ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_b)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_ccm_8:     IKEv1:
ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_a)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT 3des_cbc:      IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  [*192]  (3des)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_gcm_16:    IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm aes_gcm_c)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_gcm_12:    IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_b)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_gcm_8:     IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_a)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_ctr:       IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aesctr)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes:           IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_cbc)
Oct 25 07:57:46 server pluto[14961]: HASH sha:              IKEv1:
IKE         IKEv2:             FIPS  (sha1)
Oct 25 07:57:46 server pluto[14961]: HASH sha2_256:         IKEv1:
IKE         IKEv2:             FIPS  (sha2 sha256)
Oct 25 07:57:46 server pluto[14961]: HASH sha2_384:         IKEv1:
IKE         IKEv2:             FIPS  (sha384)
Oct 25 07:57:46 server pluto[14961]: HASH sha2_512:         IKEv1:
IKE         IKEv2:             FIPS  (sha512)
Oct 25 07:57:46 server pluto[14961]: PRF sha:               IKEv1:
IKE         IKEv2: IKE         FIPS  (sha1 hmac_sha1)
Oct 25 07:57:46 server pluto[14961]: PRF sha2_256:          IKEv1:
IKE         IKEv2: IKE         FIPS  (sha2 sha256 hmac_sha2_256)
Oct 25 07:57:46 server pluto[14961]: PRF sha2_384:          IKEv1:
IKE         IKEv2: IKE         FIPS  (sha384 hmac_sha2_384)
Oct 25 07:57:46 server pluto[14961]: PRF sha2_512:          IKEv1:
IKE         IKEv2: IKE         FIPS  (sha512 hmac_sha2_512)
Oct 25 07:57:46 server pluto[14961]: INTEG sha:             IKEv1: IKE ESP
AH  IKEv2: IKE ESP AH  FIPS  (sha1 sha1_96 hmac_sha1 hmac_sha1_96)
Oct 25 07:57:46 server pluto[14961]: INTEG sha2_512:        IKEv1: IKE ESP
AH  IKEv2: IKE ESP AH  FIPS  (sha512 hmac_sha2_512 hmac_sha2_512_256)
Oct 25 07:57:46 server pluto[14961]: INTEG sha2_384:        IKEv1: IKE ESP
AH  IKEv2: IKE ESP AH  FIPS  (sha384 hmac_sha2_384 hmac_sha2_384_192)
Oct 25 07:57:46 server pluto[14961]: INTEG sha2_256:        IKEv1: IKE ESP
AH  IKEv2: IKE ESP AH  FIPS  (sha2 sha256 hmac_sha2_256 hmac_sha2_256_128)
Oct 25 07:57:46 server pluto[14961]: INTEG aes_xcbc:        IKEv1:     ESP
AH  IKEv2:     ESP AH  FIPS  (aes_xcbc_96)
Oct 25 07:57:46 server pluto[14961]: INTEG aes_cmac:        IKEv1:     ESP
AH  IKEv2:     ESP AH  FIPS  (aes_cmac_96)
Oct 25 07:57:46 server pluto[14961]: DH MODP2048:           IKEv1:
IKE         IKEv2: IKE         FIPS  (dh14)
Oct 25 07:57:46 server pluto[14961]: DH MODP3072:           IKEv1:
IKE         IKEv2: IKE         FIPS  (dh15)
Oct 25 07:57:46 server pluto[14961]: DH MODP4096:           IKEv1:
IKE         IKEv2: IKE         FIPS  (dh16)
Oct 25 07:57:46 server pluto[14961]: DH MODP6144:           IKEv1:
IKE         IKEv2: IKE         FIPS  (dh17)
Oct 25 07:57:46 server pluto[14961]: DH MODP8192:           IKEv1:
IKE         IKEv2: IKE         FIPS  (dh18)
Oct 25 07:57:46 server pluto[14961]: DH DH19:               IKEv1:
IKE         IKEv2: IKE         FIPS  (ecp_256)
Oct 25 07:57:46 server pluto[14961]: DH DH20:               IKEv1:
IKE         IKEv2: IKE         FIPS  (ecp_384)
Oct 25 07:57:46 server pluto[14961]: DH DH21:               IKEv1:
IKE         IKEv2: IKE         FIPS  (ecp_521)
Oct 25 07:57:46 server pluto[14961]: DH DH23:               IKEv1:
IKE         IKEv2: IKE         FIPS
Oct 25 07:57:46 server pluto[14961]: DH DH24:               IKEv1:
IKE         IKEv2: IKE         FIPS
Oct 25 07:57:46 server pluto[14961]: starting up 1 crypto helpers
Oct 25 07:57:46 server pluto[14961]: started thread for crypto helper 0
(master fd 11)
Oct 25 07:57:46 server pluto[14961]: Using Linux XFRM/NETKEY IPsec
interface code on 3.10.0-693.2.2.el7.x86_64
Oct 25 07:57:46 server pluto[14961]: seccomp security for crypto helper not
supported
Oct 25 07:57:46 server pluto[14961]: | selinux support is enabled.
Oct 25 07:57:46 server pluto[14961]: systemd watchdog for ipsec service
configured with timeout of 200000000 usecs
Oct 25 07:57:46 server pluto[14961]: watchdog: sending probes every 100 secs
Oct 25 07:57:46 server pluto[14961]: seccomp security not supported
Oct 25 07:57:47 server pluto[14961]: added connection description
"roadwarriors2/1x0"
Oct 25 07:57:47 server pluto[14961]: added connection description
"roadwarriors2/2x0"
Oct 25 07:57:47 server pluto[14961]: added connection description
"roadwarriors2/3x0"
Oct 25 07:57:47 server pluto[14961]: listening for IKE messages
Oct 25 07:57:47 server pluto[14961]: adding interface eth0/eth0
192.168.9.11:500
Oct 25 07:57:47 server pluto[14961]: adding interface eth0/eth0
192.168.9.11:4500
Oct 25 07:57:47 server pluto[14961]: adding interface lo/lo 127.0.0.1:500
Oct 25 07:57:47 server pluto[14961]: adding interface lo/lo 127.0.0.1:4500
Oct 25 07:57:47 server pluto[14961]: adding interface lo/lo ::1:500
Oct 25 07:57:47 server pluto[14961]: | setup callback for interface lo:500
fd 21
Oct 25 07:57:47 server pluto[14961]: | setup callback for interface lo:4500
fd 20
Oct 25 07:57:47 server pluto[14961]: | setup callback for interface lo:500
fd 19
Oct 25 07:57:47 server pluto[14961]: | setup callback for interface
eth0:4500 fd 18
Oct 25 07:57:47 server pluto[14961]: | setup callback for interface
eth0:500 fd 17
Oct 25 07:57:47 server pluto[14961]: forgetting secrets
Oct 25 07:57:47 server pluto[14961]: loading secrets from
"/etc/ipsec.secrets"
Oct 25 07:57:47 server pluto[14961]: no secrets filename matched
"/etc/ipsec.d/*.secrets"
Oct 25 07:58:07 server pluto[14961]: packet from ${CLIENT_IP}:500:
roadwarriors2/1x0 IKE proposals for initial responder:
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536
(default)
Oct 25 07:58:07 server pluto[14961]: packet from ${CLIENT_IP}:500: proposal
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;INTEG=NONE;DH=MODP2048 chosen
from:
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=NONE;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192[first-match]
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=NONE;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP1536
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP1536
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[1] ${CLIENT_IP}
#1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2
cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[1] ${CLIENT_IP}
#1: new NAT mapping for #1, was ${CLIENT_IP}:500, now ${CLIENT_IP}:4500
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[1] ${CLIENT_IP}
#1: certificate O=org,CN=client.domain.tld OK
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[1] ${CLIENT_IP}
#1: switched from "roadwarriors2/1x0"[1] ${CLIENT_IP} to "roadwarriors2/1x0"
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP}
#1: deleting connection "roadwarriors2/1x0"[1] ${CLIENT_IP} instance with
peer ${CLIENT_IP} {isakmp=#0/ipsec=#0}
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP}
#1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=client.domain.tld, O=${org}'
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP}
#1: roadwarriors2/1x0 ESP/AH proposals for responder:
1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED
2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP}
#1: proposal 1:ESP:SPI=2885fa7f;ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED
chosen from: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED[first-match]
2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP}
#1: prepare-client output: vti interface "vti9" already exists with
conflicting setting (perhaps need vti-sharing=yes ?
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP}
#1: route-client output: RTNETLINK answers: File exists
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP}
#1: route-client output: done ip route
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP}
#2: negotiated connection [192.168.2.0,192.168.2.255:0-65535 0] ->
[192.168.9.12,192.168.9.12:0-65535 0]
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP}
#2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x2885fa7f
<0x6840586c xfrm=AES_GCM_C_256-NONE NATOA=none NATD=${CLIENT_IP}:4500
DPD=active}

Regarding the "vti9 already exists" entry: it appears that Libreswan doesn't
remove the interface when exiting, which is why I think it is "in use". I
have been able to remove it manually using "ip link delete vti9".

Client logs:
Oct 25 07:57:58 client pluto[17544]: FIPS Product: YES
Oct 25 07:57:58 client pluto[17544]: FIPS Kernel: YES
Oct 25 07:57:58 client pluto[17544]: FIPS Mode: YES
Oct 25 07:57:58 client pluto[17544]: NSS DB directory: sql:/etc/ipsec.d
Oct 25 07:57:58 client pluto[17544]: Initializing NSS
Oct 25 07:57:58 client pluto[17544]: Opening NSS database
"sql:/etc/ipsec.d" read-only
Oct 25 07:57:58 client pluto[17544]: NSS initialized
Oct 25 07:57:58 client pluto[17544]: NSS crypto library initialized
Oct 25 07:57:58 client pluto[17544]: FIPS HMAC integrity support [enabled]
Oct 25 07:57:58 client pluto[17544]: FIPS mode enabled for pluto daemon
Oct 25 07:57:58 client pluto[17544]: NSS library is running in FIPS mode
Oct 25 07:57:58 client pluto[17544]: FIPS HMAC integrity verification
self-test passed
Oct 25 07:57:58 client pluto[17544]: libcap-ng support [enabled]
Oct 25 07:57:58 client pluto[17544]: Linux audit support [enabled]
Oct 25 07:57:58 client pluto[17544]: Linux audit activated
Oct 25 07:57:58 client pluto[17544]: Starting Pluto (Libreswan Version 3.20
XFRM(netkey) KLIPS USE_FORK USE_PTHREAD_SETSCHEDPRIO NSS
USE_SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT
XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:17544
Oct 25 07:57:58 client pluto[17544]: core dump dir: /var/run/pluto/
Oct 25 07:57:58 client pluto[17544]: secrets file: /etc/ipsec.secrets
Oct 25 07:57:58 client pluto[17544]: leak-detective enabled
Oct 25 07:57:58 client pluto[17544]: NSS crypto [enabled]
Oct 25 07:57:58 client pluto[17544]: XAUTH PAM support [enabled]
Oct 25 07:57:58 client pluto[17544]: NAT-Traversal support  [enabled]
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm camellia_ctr:
DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm camellia: DISABLED;
not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm serpent: DISABLED;
not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm twofish: DISABLED;
not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm twofish_ssh:
DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm cast: DISABLED; not
FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm null: DISABLED; not
FIPS compliant
Oct 25 07:57:58 client pluto[17544]: HASH algorithm md5: DISABLED; not FIPS
compliant
Oct 25 07:57:58 client pluto[17544]: PRF algorithm md5: DISABLED; not FIPS
compliant
Oct 25 07:57:58 client pluto[17544]: INTEG algorithm md5: DISABLED; not
FIPS compliant
Oct 25 07:57:58 client pluto[17544]: INTEG algorithm ripemd: DISABLED; not
FIPS compliant
Oct 25 07:57:58 client pluto[17544]: DH algorithm MODP1024: DISABLED; not
FIPS compliant
Oct 25 07:57:58 client pluto[17544]: DH algorithm MODP1536: DISABLED; not
FIPS compliant
Oct 25 07:57:58 client pluto[17544]: DH algorithm DH22: DISABLED; not FIPS
compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_ccm_16:    IKEv1:
ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm aes_ccm_c)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_ccm_12:    IKEv1:
ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_b)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_ccm_8:     IKEv1:
ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_a)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT 3des_cbc:      IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  [*192]  (3des)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_gcm_16:    IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm aes_gcm_c)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_gcm_12:    IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_b)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_gcm_8:     IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_a)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_ctr:       IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aesctr)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes:           IKEv1: IKE
ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_cbc)
Oct 25 07:57:58 client pluto[17544]: HASH sha:              IKEv1:
IKE         IKEv2:             FIPS  (sha1)
Oct 25 07:57:58 client pluto[17544]: HASH sha2_256:         IKEv1:
IKE         IKEv2:             FIPS  (sha2 sha256)
Oct 25 07:57:58 client pluto[17544]: HASH sha2_384:         IKEv1:
IKE         IKEv2:             FIPS  (sha384)
Oct 25 07:57:58 client pluto[17544]: HASH sha2_512:         IKEv1:
IKE         IKEv2:             FIPS  (sha512)
Oct 25 07:57:58 client pluto[17544]: PRF sha:               IKEv1:
IKE         IKEv2: IKE         FIPS  (sha1 hmac_sha1)
Oct 25 07:57:58 client pluto[17544]: PRF sha2_256:          IKEv1:
IKE         IKEv2: IKE         FIPS  (sha2 sha256 hmac_sha2_256)
Oct 25 07:57:58 client pluto[17544]: PRF sha2_384:          IKEv1:
IKE         IKEv2: IKE         FIPS  (sha384 hmac_sha2_384)
Oct 25 07:57:58 client pluto[17544]: PRF sha2_512:          IKEv1:
IKE         IKEv2: IKE         FIPS  (sha512 hmac_sha2_512)
Oct 25 07:57:58 client pluto[17544]: INTEG sha:             IKEv1: IKE ESP
AH  IKEv2: IKE ESP AH  FIPS  (sha1 sha1_96 hmac_sha1 hmac_sha1_96)
Oct 25 07:57:58 client pluto[17544]: INTEG sha2_512:        IKEv1: IKE ESP
AH  IKEv2: IKE ESP AH  FIPS  (sha512 hmac_sha2_512 hmac_sha2_512_256)
Oct 25 07:57:58 client pluto[17544]: INTEG sha2_384:        IKEv1: IKE ESP
AH  IKEv2: IKE ESP AH  FIPS  (sha384 hmac_sha2_384 hmac_sha2_384_192)
Oct 25 07:57:58 client pluto[17544]: INTEG sha2_256:        IKEv1: IKE ESP
AH  IKEv2: IKE ESP AH  FIPS  (sha2 sha256 hmac_sha2_256 hmac_sha2_256_128)
Oct 25 07:57:58 client pluto[17544]: INTEG aes_xcbc:        IKEv1:     ESP
AH  IKEv2:     ESP AH  FIPS  (aes_xcbc_96)
Oct 25 07:57:58 client pluto[17544]: INTEG aes_cmac:        IKEv1:     ESP
AH  IKEv2:     ESP AH  FIPS  (aes_cmac_96)
Oct 25 07:57:58 client pluto[17544]: DH MODP2048:           IKEv1:
IKE         IKEv2: IKE         FIPS  (dh14)
Oct 25 07:57:58 client pluto[17544]: DH MODP3072:           IKEv1:
IKE         IKEv2: IKE         FIPS  (dh15)
Oct 25 07:57:58 client pluto[17544]: DH MODP4096:           IKEv1:
IKE         IKEv2: IKE         FIPS  (dh16)
Oct 25 07:57:58 client pluto[17544]: DH MODP6144:           IKEv1:
IKE         IKEv2: IKE         FIPS  (dh17)
Oct 25 07:57:58 client pluto[17544]: DH MODP8192:           IKEv1:
IKE         IKEv2: IKE         FIPS  (dh18)
Oct 25 07:57:58 client pluto[17544]: DH DH19:               IKEv1:
IKE         IKEv2: IKE         FIPS  (ecp_256)
Oct 25 07:57:58 client pluto[17544]: DH DH20:               IKEv1:
IKE         IKEv2: IKE         FIPS  (ecp_384)
Oct 25 07:57:58 client pluto[17544]: DH DH21:               IKEv1:
IKE         IKEv2: IKE         FIPS  (ecp_521)
Oct 25 07:57:58 client pluto[17544]: DH DH23:               IKEv1:
IKE         IKEv2: IKE         FIPS
Oct 25 07:57:58 client pluto[17544]: DH DH24:               IKEv1:
IKE         IKEv2: IKE         FIPS
Oct 25 07:57:58 client pluto[17544]: starting up 7 crypto helpers
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 0
(master fd 11)
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 1
(master fd 13)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not
supported
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 2
(master fd 15)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not
supported
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 3
(master fd 17)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not
supported
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 4
(master fd 19)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not
supported
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not
supported
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 5
(master fd 21)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not
supported
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 6
(master fd 23)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not
supported
Oct 25 07:57:58 client pluto[17544]: Using Linux XFRM/NETKEY IPsec
interface code on 3.10.0-693.2.2.el7.x86_64
Oct 25 07:57:58 client pluto[17544]: | selinux support is enabled.
Oct 25 07:57:58 client pluto[17544]: systemd watchdog for ipsec service
configured with timeout of 200000000 usecs
Oct 25 07:57:58 client pluto[17544]: watchdog: sending probes every 100 secs
Oct 25 07:57:58 client pluto[17544]: seccomp security not supported
Oct 25 07:57:58 client polkitd[1559]: Unregistered Authentication Agent for
unix-process:17251:429153 (system bus name :1.173, object path
/org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
(disconnected from bus)
Oct 25 07:57:59 client pluto[17544]: added connection description
"to-vpn-server2"
Oct 25 07:57:59 client pluto[17544]: listening for IKE messages
Oct 25 07:57:59 client pluto[17544]: adding interface virbr0/virbr0
192.168.122.1:500
Oct 25 07:57:59 client pluto[17544]: adding interface virbr0/virbr0
192.168.122.1:4500
Oct 25 07:57:59 client pluto[17544]: adding interface enp1s0f1/enp1s0f1
10.0.0.226:500
Oct 25 07:57:59 client pluto[17544]: adding interface enp1s0f1/enp1s0f1
10.0.0.226:4500
Oct 25 07:57:59 client pluto[17544]: adding interface lo/lo 127.0.0.1:500
Oct 25 07:57:59 client pluto[17544]: adding interface lo/lo 127.0.0.1:4500
Oct 25 07:57:59 client pluto[17544]: adding interface lo/lo ::1:500
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface lo:500
fd 35
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface lo:4500
fd 34
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface lo:500
fd 33
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface
enp1s0f1:4500 fd 32
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface
enp1s0f1:500 fd 31
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface
virbr0:4500 fd 30
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface
virbr0:500 fd 29
Oct 25 07:57:59 client pluto[17544]: forgetting secrets
Oct 25 07:57:59 client pluto[17544]: loading secrets from
"/etc/ipsec.secrets"
Oct 25 07:57:59 client pluto[17544]: no secrets filename matched
"/etc/ipsec.d/*.secrets"
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": prepare-host output:
net.ipv4.conf.vti9.disable_policy = 1
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": prepare-host output:
net.ipv4.conf.vti9.rp_filter = 0
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": prepare-host output:
net.ipv4.conf.vti9.forwarding = 1
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": route-host output:
RTNETLINK answers: File exists
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": route-host output:
RTNETLINK answers: No such file or directory
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": route-host output:
done ip route
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #1: initiating v2 parent SA
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #1: to-vpn-server2 IKE proposals for initial
initiator (selecting KE):
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536
(default)
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #1: to-vpn-server2 ESP/AH proposals for initiator:
1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED
2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #2: STATE_PARENT_I2: sent v2I2, expected v2R2
{auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #2: certificate O=org,CN=server.domain.tld OK
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #2: IKEv2 mode peer ID is ID_IPV4_ADDR:
'${external_static_ip}'
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #2: received INTERNAL_IP4_ADDRESS 192.168.9.12
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #2: received INTERNAL_IP4_DNS 192.168.2.10
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #2: prepare-client output: vti interface "vti9"
already exists with conflicting setting (perhaps need vti-sharing=yes ?
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #2: route-client output: done ip route
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #2: route-client output:
/usr/libexec/ipsec/_updown.netkey: doroute "ip route replace 192.168.2.0/24
via 10.0.0.1 dev vti9  src 192.168.9.12" failed (RTNETLINK answers: Network
is unreachable)
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #2: negotiated connection
[192.168.9.12,192.168.9.12:0-65535
0] -> [192.168.2.0,192.168.2.255:0-65535 0]
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #2: STATE_V2_IPSEC_I: IPsec SA established tunnel
mode {ESP/NAT=>0x6840586c <0x2885fa7f xfrm=AES_GCM_C_256-NONE NATOA=none
NATD=${external_static_ip}:4500 DPD=passive}

I am not sure what the RTNETLINK answers errors are referencing.

Does anyone have any suggestions? Am I using Libreswan incorrectly, and
should I instead be running L2TP over Libreswan? If you need more
information, I will gladly provide it.

Thanks in advance.
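The symptom described in the post (only the first leftsubnets network reachable, no pings visible on vti9 for the others) can be checked directly against the pluto log: the "negotiated connection" lines show which traffic selectors the single child SA actually carries, and a destination outside them has no XFRM policy, so it never reaches the VTI. The following script is an added example, not part of the post or of Libreswan; it re-joins the mail-wrapped log records quoted above, extracts the negotiated selectors, and reports which configured subnets are not covered. The sample log text is constructed from the lines in the post, and the names LEFTSUBNETS, SERVER_LOG and CLIENT_LOG are this example's own.

```python
"""Compare the traffic selectors pluto negotiated with the subnets configured
in leftsubnets, using the (mail-wrapped) log records quoted in the post."""
import ipaddress
import re

# Constructed sample: the relevant server and client records from the post,
# kept wrapped exactly as the mailing-list archive rendered them.
SERVER_LOG = """\
Oct 25 07:57:47 server pluto[14961]: added connection description
"roadwarriors2/1x0"
Oct 25 07:57:47 server pluto[14961]: added connection description
"roadwarriors2/2x0"
Oct 25 07:57:47 server pluto[14961]: added connection description
"roadwarriors2/3x0"
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP}
#2: negotiated connection [192.168.2.0,192.168.2.255:0-65535 0] ->
[192.168.9.12,192.168.9.12:0-65535 0]
"""

CLIENT_LOG = """\
Oct 25 07:57:59 client pluto[17544]: added connection description
"to-vpn-server2"
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1]
${external_static_ip} #2: negotiated connection
[192.168.9.12,192.168.9.12:0-65535
0] -> [192.168.2.0,192.168.2.255:0-65535 0]
"""

# The server's leftsubnets= value from the post.
LEFTSUBNETS = ["192.168.2.0/24", "192.168.3.0/24", "192.168.9.0/24"]

# A genuine pluto record starts with the syslog timestamp, host and pluto[pid].
LOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ pluto\[\d+\]: ")
# "[first,last:port-port proto] -> [first,last:port-port proto]", local first.
SELECTOR = re.compile(
    r"negotiated connection \[([\d.]+),([\d.]+):\d+-\d+ \d+\] -> "
    r"\[([\d.]+),([\d.]+):\d+-\d+ \d+\]"
)
ADDED = re.compile(r'added connection description "([^"]+)"')


def unwrap(log_text):
    """Re-join records that the mail client wrapped across several lines."""
    records = []
    for line in log_text.splitlines():
        if LOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line.strip()
    return records


def range_to_networks(first, last):
    """Turn a pluto selector range [first,last] into CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def negotiated_selectors(log_text):
    """Return (local_nets, remote_nets) for every child SA pluto logged."""
    sas = []
    for rec in unwrap(log_text):
        m = SELECTOR.search(rec)
        if m:
            sas.append((range_to_networks(m.group(1), m.group(2)),
                        range_to_networks(m.group(3), m.group(4))))
    return sas


def connection_instances(log_text):
    """Connection instances pluto added; leftsubnets yields one per subnet."""
    return [ADDED.search(r).group(1) for r in unwrap(log_text) if ADDED.search(r)]


def uncovered_subnets(configured, sas, end):
    """Configured subnets no child SA carries on the given end: 'local' when
    reading the server log (leftsubnets is local there), 'remote' on the client."""
    idx = 0 if end == "local" else 1
    return [cidr for cidr in configured
            if not any(ipaddress.ip_network(cidr).subnet_of(n)
                       for sa in sas for n in sa[idx])]


def destination_covered(dst, sas):
    """Does any child SA's remote selector cover dst? If not, the kernel has no
    XFRM policy for that traffic and the packet never appears on the VTI."""
    ip = ipaddress.ip_address(dst)
    return any(ip in n for sa in sas for n in sa[1])


if __name__ == "__main__":
    print("server instances:", connection_instances(SERVER_LOG))
    server_sas = negotiated_selectors(SERVER_LOG)
    print("child SAs negotiated:", len(server_sas))
    print("server leftsubnets without an SA:",
          uncovered_subnets(LEFTSUBNETS, server_sas, "local"))
    client_sas = negotiated_selectors(CLIENT_LOG)
    for dst in ("192.168.2.15", "192.168.3.5"):
        print(dst, "covered on client:", destination_covered(dst, client_sas))
```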