[Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?

Hao Chen earthlovepython at outlook.com
Tue Nov 7 21:29:49 UTC 2017


Hi Paul:


Thanks for your help in advance. Sorry for the late response. (It looks like the libreswan email server does NOT like attachments.)


After I applied the "source code change" which you gave me in https://lists.libreswan.org/pipermail/swan/2017/002368.html, and re-compiled + re-installed, still no luck. Same result as before.

By the way, I did sanity test by setting up "IPv4 transport mode" with another machine. It works.


Can you please double check again?



Thanks and regards


Hao Chen



I compared the cksum of "compiled pluto" and "running pluto". They are identical.

============================

[root at xcvms196 libreswan-3.22]# ps -ef | grep pluto
root     14926     1  0 16:21 ?        00:00:00 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
root     15133 12522  0 16:33 pts/2    00:00:00 grep --color=auto pluto
[root at xcvms196 libreswan-3.22]# cksum /usr/local/libexec/ipsec/pluto
3392178695 5987616 /usr/local/libexec/ipsec/pluto
[root at xcvms196 libreswan-3.22]# cksum ./OBJ.linux.x86_64/programs/pluto/pluto
3392178695 5987616 ./OBJ.linux.x86_64/programs/pluto/pluto




My compiled libreswan configuration:

============================

[root at xcvms196 pluto]# /usr/local/libexec/ipsec/pluto --version

Libreswan 3.22 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)




"ip xfrm state" shows:

============================

[root at xcvms196 configs]# ip x s
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0xf6ccf8cc reqid 16393 mode transport
        replay-window 32
        auth-trunc hmac(sha1) 0xb0e0f9ca309657046061dcd8d92d54b912972669 96
        enc cbc(des3_ede) 0x42292459ae57b3ce22f34b45dd79eeaea83e504b5b1d96d2
        encap type espinudp sport 40733 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x4, oseq 0x0, bitmap 0x0000000f
        sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0x8655ecb3 reqid 16393 mode transport
        replay-window 32
        auth-trunc hmac(sha1) 0x3cfc640908c17ba55bdbd569103ba80bec80fc9c 96
        enc cbc(des3_ede) 0x9d4db591e647969c424645ce0ed8c6457508067bb5289506
        encap type espinudp sport 4500 dport 40733 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 10.0.161.34/32
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0xf38542b7 reqid 16389 mode transport
        replay-window 32
        auth-trunc hmac(sha1) 0x7a56dd1293ca9f18b5b70fd2e777b4914cf8a38b 96
        enc cbc(des3_ede) 0xaa5ac7da2b3cabdc592adf8addeac95ebc6fad6d31c2afb6
        encap type espinudp sport 40731 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x8, oseq 0x0, bitmap 0x000000ff
        sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0xf830edac reqid 16389 mode transport
        replay-window 32
        auth-trunc hmac(sha1) 0x4d13eae0a52db253003992577a33a700b8b69ad9 96
        enc cbc(des3_ede) 0x3c8f413929b9a33a0e466c4c6bbf3db499327f62cf29dc85
        encap type espinudp sport 4500 dport 40731 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 10.0.161.34/32
[root at xcvms196 configs]#




"ip xfrm pol" shows:

==========================

[root at xcvms196 configs]# ip x p
src 10.0.146.196/32 dst 10.0.161.34/32
        dir out priority 2080 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16393 mode transport
src 10.0.161.34/32 dst 10.0.146.196/32
        dir in priority 2080 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16393 mode transport
src 10.0.146.196/32 dst 192.168.161.0/24
        dir out priority 2088 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0



I also attached modified connections.c/h for your cross-check.






________________________________
From: Paul Wouters <paul at nohats.ca>
Sent: Tuesday, October 31, 2017 14:48
To: Hao Chen
Cc: swan at lists.libreswan.org
Subject: PATCH, was Re: [Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?

On Tue, 31 Oct 2017, Hao Chen wrote:

> [root at xcvms196 configs]# ip x p
> src 10.0.146.196/32 dst 10.0.161.34/32
>         dir out priority 2080 ptype main
>         mark -1/0xffffffff

Oops, it should never have -1 there. Turned out we couldn't really
test for -1 because it is an unsigned int.

Please try the attached patch. It works for me on 3.22, but I think
it should work fine on 3.20 as well.

Paul
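As an added check (example code written for this page, not code from the thread or from libreswan), a small parser for `ip xfrm policy` output that flags entries carrying the `mark -1/0xffffffff` Paul points out; the sample input is a trimmed copy of the `ip x p` output quoted above, and the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, trimmed from the "ip x p" output quoted in this thread.
SAMPLE_IP_XFRM_POLICY = """\
src 10.0.146.196/32 dst 10.0.161.34/32
        dir out priority 2080 ptype main
        mark -1/0xffffffff
                proto esp reqid 16393 mode transport
src 10.0.161.34/32 dst 10.0.146.196/32
        dir in priority 2080 ptype main
        mark -1/0xffffffff
                proto esp reqid 16393 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
"""

ALL_ONES = 0xffffffff  # what a C "-1" becomes when stored in a u32 mark

@dataclass
class XfrmPolicy:
    src: str
    dst: str
    direction: str = ""            # "in", "out", "fwd" or "socket in"/"socket out"
    mark: Optional[int] = None     # None when the policy carries no mark line
    mask: Optional[int] = None
    reqids: List[int] = field(default_factory=list)

def parse_mark(value: str) -> int:
    """ip prints the mark as signed decimal or hex; normalise to 32-bit unsigned."""
    return int(value, 0) & ALL_ONES

def parse_xfrm_policy(text: str) -> List[XfrmPolicy]:
    policies: List[XfrmPolicy] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"src (\S+) dst (\S+)$", line):
            policies.append(XfrmPolicy(src=m[1], dst=m[2]))
        elif m := re.match(r"(dir|socket) (\S+) priority", line):
            policies[-1].direction = m[2] if m[1] == "dir" else f"socket {m[2]}"
        elif m := re.match(r"mark (\S+)/(\S+)", line):
            policies[-1].mark, policies[-1].mask = parse_mark(m[1]), parse_mark(m[2])
        elif m := re.search(r"reqid (\d+)", line):
            policies[-1].reqids.append(int(m[1]))
    return policies

def find_all_ones_marks(policies: List[XfrmPolicy]) -> List[XfrmPolicy]:
    """Policies with mark/mask 0xffffffff/0xffffffff only match packets whose fwmark is exactly 0xffffffff."""
    return [p for p in policies if p.mark == ALL_ONES and p.mask == ALL_ONES]
```

Ordinary traffic for the flagged selectors carries no such fwmark, so these policies never match it; feed the real `ip xfrm policy` output to `parse_xfrm_policy` to confirm the patched pluto no longer installs them.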