[Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?
Hao Chen
earthlovepython at outlook.com
Tue Nov 7 21:29:49 UTC 2017
Hi Paul:
Thanks for your help in advance. Sorry for the late response. (Looks like the libreswan email server does NOT like attachments.)
After I applied the "source code change" which you gave me in https://lists.libreswan.org/pipermail/swan/2017/002368.html, and re-compiled + re-installed, still no luck. Same result as before.
By the way, I did sanity test by setting up "IPv4 transport mode" with another machine. It works.
Can you please double check again?
Thanks and regards
Hao Chen
I compared the cksum of "compiled pluto" and "running pluto". They are identical.
============================
[root at xcvms196 libreswan-3.22]# ps -ef | grep pluto
root 14926 1 0 16:21 ? 00:00:00 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
root 15133 12522 0 16:33 pts/2 00:00:00 grep --color=auto pluto
[root at xcvms196 libreswan-3.22]# cksum /usr/local/libexec/ipsec/pluto
3392178695 5987616 /usr/local/libexec/ipsec/pluto
[root at xcvms196 libreswan-3.22]# cksum ./OBJ.linux.x86_64/programs/pluto/pluto
3392178695 5987616 ./OBJ.linux.x86_64/programs/pluto/pluto
My compiled libreswan configuration:
============================
[root at xcvms196 pluto]# /usr/local/libexec/ipsec/pluto --version
Libreswan 3.22 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)
"ip xfrm state" shows:
============================
[root at xcvms196 configs]# ip x s
src 10.0.161.34 dst 10.0.146.196
proto esp spi 0xf6ccf8cc reqid 16393 mode transport
replay-window 32
auth-trunc hmac(sha1) 0xb0e0f9ca309657046061dcd8d92d54b912972669 96
enc cbc(des3_ede) 0x42292459ae57b3ce22f34b45dd79eeaea83e504b5b1d96d2
encap type espinudp sport 40733 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x4, oseq 0x0, bitmap 0x0000000f
sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
proto esp spi 0x8655ecb3 reqid 16393 mode transport
replay-window 32
auth-trunc hmac(sha1) 0x3cfc640908c17ba55bdbd569103ba80bec80fc9c 96
enc cbc(des3_ede) 0x9d4db591e647969c424645ce0ed8c6457508067bb5289506
encap type espinudp sport 4500 dport 40733 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 10.0.146.196/32 dst 10.0.161.34/32
src 10.0.161.34 dst 10.0.146.196
proto esp spi 0xf38542b7 reqid 16389 mode transport
replay-window 32
auth-trunc hmac(sha1) 0x7a56dd1293ca9f18b5b70fd2e777b4914cf8a38b 96
enc cbc(des3_ede) 0xaa5ac7da2b3cabdc592adf8addeac95ebc6fad6d31c2afb6
encap type espinudp sport 40731 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x8, oseq 0x0, bitmap 0x000000ff
sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
proto esp spi 0xf830edac reqid 16389 mode transport
replay-window 32
auth-trunc hmac(sha1) 0x4d13eae0a52db253003992577a33a700b8b69ad9 96
enc cbc(des3_ede) 0x3c8f413929b9a33a0e466c4c6bbf3db499327f62cf29dc85
encap type espinudp sport 4500 dport 40731 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 10.0.146.196/32 dst 10.0.161.34/32
[root at xcvms196 configs]#
"ip xfrm pol" shows:
==========================
[root at xcvms196 configs]# ip x p
src 10.0.146.196/32 dst 10.0.161.34/32
dir out priority 2080 ptype main
mark -1/0xffffffff
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16393 mode transport
src 10.0.161.34/32 dst 10.0.146.196/32
dir in priority 2080 ptype main
mark -1/0xffffffff
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 16393 mode transport
src 10.0.146.196/32 dst 192.168.161.0/24
dir out priority 2088 ptype main
mark -1/0xffffffff
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 0 mode transport
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
I also attached modified connections.c/h for your cross-check.
________________________________
From: Paul Wouters <paul at nohats.ca>
Sent: Tuesday, October 31, 2017 14:48
To: Hao Chen
Cc: swan at lists.libreswan.org
Subject: PATCH, was Re: [Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?
On Tue, 31 Oct 2017, Hao Chen wrote:
> [root at xcvms196 configs]# ip x p
> src 10.0.146.196/32 dst 10.0.161.34/32
> dir out priority 2080 ptype main
> mark -1/0xffffffff
Oops, it should never have -1 there. Turned out we couldn't really
test for -1 because it is an unsigned int.
Please try the attached patch. It works for me on 3.22, but I think
it should work fine on 3.20 as well.
Paul
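Paul's remark that -1 could not be tested for because the mark is an unsigned int is a general C pitfall, and the `mark -1/0xffffffff` line in the `ip xfrm policy` output above is what the leaked sentinel looks like once it reaches the kernel. The following is an added example, not libreswan code or the attached patch; the struct layout, the helper names and the shape of the "negative" check are assumptions made for illustration. It shows why the sentinel cannot be recognised after the assignment, one way to detect it correctly, and why a policy carrying 0xffffffff/0xffffffff never selects ordinary (unmarked) traffic.

```c
/* Added example (not libreswan code): an "unset" mark written as -1 into
 * an unsigned field, the check that can no longer see it, and the effect
 * of the leaked value on a simplified XFRM policy match.  Names are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel XFRM marks are 32-bit unsigned; assume the connection struct
 * mirrors that (constructed for this example). */
struct conn_mark {
    uint32_t val;
    uint32_t mask;
};

/* Storing -1 does not keep a sign: the value becomes UINT32_MAX, which is
 * the -1/0xffffffff pair seen in `ip xfrm policy`.  An uncast `m->val = -1;`
 * converts the same way. */
static void mark_set_via_minus_one(struct conn_mark *m)
{
    m->val = (uint32_t)-1;
    m->mask = 0xffffffffu;
}

static uint32_t stored_value_after_minus_one(void)
{
    struct conn_mark m;
    mark_set_via_minus_one(&m);
    return m.val;
}

/* Assumed shape of the bug: widen the value and ask whether it is negative.
 * The sign was lost at the assignment, so 0xffffffff widens to 4294967295
 * and this is always false. */
static bool is_negative(int64_t v)
{
    return v < 0;
}

static bool mark_unset_buggy(const struct conn_mark *m)
{
    return is_negative(m->val);
}

/* Correct detection: compare against the sentinel as the unsigned value it
 * really is (a separate "is set" flag would be cleaner still). */
#define MARK_UNSET UINT32_MAX

static bool mark_unset_fixed(const struct conn_mark *m)
{
    return m->val == MARK_UNSET;
}

static bool buggy_check_on_sentinel(void)
{
    struct conn_mark m;
    mark_set_via_minus_one(&m);
    return mark_unset_buggy(&m);
}

static bool fixed_check_on_sentinel(void)
{
    struct conn_mark m;
    mark_set_via_minus_one(&m);
    return mark_unset_fixed(&m);
}

/* Simplified XFRM-style match: the policy applies when the packet mark
 * agrees with the policy mark on every bit selected by the mask. */
static bool policy_matches(uint32_t pol_val, uint32_t pol_mask, uint32_t skb_mark)
{
    return (skb_mark & pol_mask) == (pol_val & pol_mask);
}

/* A policy installed with the leaked sentinel against an unmarked packet
 * (mark 0, the usual case): no match, so the packet is not selected for ESP. */
static bool leaked_policy_matches_unmarked_packet(void)
{
    struct conn_mark m;
    mark_set_via_minus_one(&m);
    return policy_matches(m.val, m.mask, 0);
}

/* "No mark" expressed correctly: mask 0 matches any packet mark. */
static bool nomark_policy_matches_unmarked_packet(void)
{
    return policy_matches(0, 0, 0);
}

int main(void)
{
    printf("stored value: 0x%08x\n", stored_value_after_minus_one());
    printf("buggy unset check: %d, fixed unset check: %d\n",
           buggy_check_on_sentinel(), fixed_check_on_sentinel());
    printf("leaked-sentinel policy matches unmarked packet: %d\n",
           leaked_policy_matches_unmarked_packet());
    printf("mask-0 policy matches unmarked packet: %d\n",
           nomark_policy_matches_unmarked_packet());
    return 0;
}
```

The practical check on a running system is the one already shown in this thread: after the fix, `ip xfrm policy` should no longer print `mark -1/0xffffffff` for connections that do not configure a mark.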