[Swan] NATD IP different than configured IP

Craig Marker cmarker at inspeednetworks.com
Mon Aug 27 19:03:03 UTC 2018


I recently experienced an issue where an SA was established even though the new NAT mapping (the NATD source IP) was a different IP address from the one configured in my ipsec.conf file. Is this expected? Is there something in my configuration files that allows this? Could this be a bug?

Let me know if you need any more information. Most internal information has been altered.

--------- SERVER ---------
Aug 26 20:24:53 serverhost pluto[1262]: "server" #39953: responding to Main Mode
Aug 26 20:24:53 serverhost pluto[1262]: "server" #39953: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 26 20:24:53 serverhost pluto[1262]: "server" #39953: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 26 20:24:53 serverhost pluto[1262]: "server" #39953: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 26 20:24:53 serverhost pluto[1262]: "server" #39953: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: Main mode peer ID is ID_FQDN: '@theleftid'
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: certificate CN=clientmachine,OU=Homebase,O="Craig Inc.",L=Seattle,ST=WA,C=US OK
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: I am sending my cert
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: new NAT mapping for #39953, was 1.2.3.4:500, now 1.2.3.5:5000
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39953: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954: responding to Quick Mode proposal {msgid:fb13fae4}
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954:     us: 0.0.0.0/0===6.7.8.9<6.7.8.9>[C=US, ST=WA, L=Seattle, O=Craig Inc., OU=Homebase, CN=servermachine]
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954:   them: 1.2.3.4<1.2.3.4>[@theleftid]===0.0.0.0/0
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0xe49e0bdf <0x454f74aa xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=1.2.3.5:5000 DPD=passive}
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 26 20:24:54 serverhost pluto[1262]: "server" #39954: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xe49e0bdf <0x454f74aa xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=1.2.3.5:5000 DPD=passive}


# begin conn server
# Server-side view of the "server" tunnel: left is the certificate-authenticated
# peer (@theleftid), right is this host (6.7.8.9). Several keys are repeated
# below; see the inline notes.
conn server
# NOTE(review): the server log shows the peer's NAT mapping changing from
# 1.2.3.4:500 to 1.2.3.5:5000 during Main Mode, after the peer's ID and
# certificate were verified and the ISAKMP SA reported auth=RSA_SIG. The
# address change is therefore not an unauthenticated peer; presumably 1.2.3.5
# is the NAT device's public address and left= is the pre-NAT address - confirm.
left=1.2.3.4
leftid="@theleftid"
leftsubnet=0.0.0.0/0
# duplicate of left= above (same value)
left=1.2.3.4
right=6.7.8.9
# this host's ID is taken from its certificate (the client log shows the peer
# ID as the certificate DN of CN=servermachine)
rightid="%fromcert"
rightsubnet=0.0.0.0/0
rightcert=servercert
# duplicate of right= above (same value)
right=6.7.8.9
rightupdown=/usr/libexec/ipsec/updownscript
# NOTE(review): second rightcert= with a different value than "servercert"
# above - cannot tell from here which one pluto used; the logs only show a
# CN=servermachine certificate being sent and accepted. Keep one of the two.
rightcert=server
authby=rsasig
vti-routing=no
# force UDP encapsulation; matches the ESP/NAT and espinudp output below
encapsulation=yes
keyingtries=0
# 0x4000000 = 67108864, the mark seen in the ip xfrm policy output
mark=0x4000000/0xff000000
vti-interface=server
phase2alg=aes256-sha2_256
# not loaded at startup; must be added/brought up by hand
auto=ignore
type=tunnel
compress=no
pfs=yes
ikepad=yes
# duplicate of authby= above
authby=rsasig
phase2=esp
# IKEv2 permitted, but the logged exchange is IKEv1 Main/Quick Mode
ikev2=permit
esn=no
# end conn server

src 1.2.3.4 dst 6.7.8.9
proto esp spi 0x329b3575 reqid 16421 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x75bc3d06f3de2c7d08ba514615729504b4b22b0fd13d0e4c69e9aa952c8cae72 128
enc cbc(aes) 0x2594a6f6dc5d5d7165b2569b1c83c90154e564757cc3ad0e957d06be957863c9
encap type espinudp sport 5000 dport 4500 addr 0.0.0.0
anti-replay context: seq 0xda9, oseq 0x0, bitmap 0xffffffff
src 6.7.8.9 dst 1.2.3.4
proto esp spi 0x9c1840e1 reqid 16421 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x7ff1a608ee118b28d1d0b22e7857713e0810189ab0be0c431e1f79cd0ffaad23 128
enc cbc(aes) 0xd9c5d46be698f49153700b6f20551e406362e2fd671c5cf99d050242e1bd8b71
encap type espinudp sport 4500 dport 5000 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0xda0, bitmap 0x00000000

src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 3136 ptype main
mark 67108864/0xff000000
tmpl src 6.7.8.9 dst 1.2.3.4
proto esp reqid 16421 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir fwd priority 3136 ptype main
mark 67108864/0xff000000
tmpl src 1.2.3.4 dst 6.7.8.9
proto esp reqid 16421 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 3136 ptype main
mark 67108864/0xff000000
tmpl src 1.2.3.4 dst 6.7.8.9
proto esp reqid 16421 mode tunnel


--------- CLIENT ---------
Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: initiating Main Mode
Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: I am sending my cert
Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: I am sending a certificate request
Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 26 20:24:53 clienthost pluto[19350]: "client" #664: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 26 20:24:54 clienthost pluto[19350]: "client" #664: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=WA, L=Seattle, O=Craig Inc., OU=Homebase, CN=servermachine'
Aug 26 20:24:54 clienthost pluto[19350]: "client" #664: certificate CN=servermachine,OU=Homebase,O="Craig Inc.",L=Seattle,ST=WA,C=US OK
Aug 26 20:24:54 clienthost pluto[19350]: "client" #664: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 26 20:24:54 clienthost pluto[19350]: "client" #664: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}
Aug 26 20:24:54 clienthost pluto[19350]: "client" #665: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#664 msgid:fb13fae4 proposal=AES(12)_256-SHA2_256(5) pfsgroup=MODP2048}
Aug 26 20:24:54 clienthost pluto[19350]: "client" #665: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 26 20:24:54 clienthost pluto[19350]: "client" #665: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x454f74aa <0xe49e0bdf xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=6.7.8.9:4500 DPD=active}


# begin conn client
# Client-side view of the same tunnel: left is this host (1.2.3.4, leftcert),
# right is the server (6.7.8.9). Several keys are repeated below; see the
# inline notes.
conn client
# NOTE(review): the server logged this peer's NAT mapping as 1.2.3.5:5000, so
# presumably 1.2.3.4 is the pre-NAT address of this host - confirm.
left=1.2.3.4
leftid="@theleftid"
leftsubnet=0.0.0.0/0
leftcert=clientcert
# duplicate of left= above (same value)
left=1.2.3.4
right=6.7.8.9
# peer's ID is taken from its certificate; the client log shows the peer ID
# as the certificate DN of CN=servermachine
rightid="%fromcert"
rightsubnet=0.0.0.0/0
# duplicate of right= above (same value)
right=6.7.8.9
authby=rsasig
vti-routing=no
vti-shared=yes
# force UDP encapsulation; matches the ESP/NAT and espinudp output below
encapsulation=yes
keyingtries=0
# this side runs DPD (DPD=active in the client log) and restarts the tunnel
# on timeout; the server conn has no dpd* settings and logs DPD=passive
dpddelay=30
dpdtimeout=120
dpdaction=restart
# 0x2000000 = 33554432, the mark seen in the ip xfrm policy output
mark=0x2000000/0xff000000
vti-interface=client
phase2alg=aes256-sha2_256
# not loaded at startup; must be added/brought up by hand
auto=ignore
type=tunnel
compress=no
pfs=yes
ikepad=yes
# duplicate of authby= above
authby=rsasig
phase2=esp
# IKEv2 permitted, but the logged exchange is IKEv1 Main/Quick Mode
ikev2=permit
esn=no
# end conn client

+ ip xfrm state
src 6.7.8.9 dst 1.2.3.4
proto esp spi 0x9c1840e1 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x7ff1a608ee118b28d1d0b22e7857713e0810189ab0be0c431e1f79cd0ffaad23 128
enc cbc(aes) 0xd9c5d46be698f49153700b6f20551e406362e2fd671c5cf99d050242e1bd8b71
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 1.2.3.4 dst 6.7.8.9
proto esp spi 0x329b3575 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x75bc3d06f3de2c7d08ba514615729504b4b22b0fd13d0e4c69e9aa952c8cae72 128
enc cbc(aes) 0x2594a6f6dc5d5d7165b2569b1c83c90154e564757cc3ad0e957d06be957863c9
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0xce9, bitmap 0x00000000
+ _________________________ ip-xfrm-policy
+ ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 3136 ptype main
mark 33554432/0xff000000
tmpl src 1.2.3.4 dst 6.7.8.9
proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir fwd priority 3136 ptype main
mark 33554432/0xff000000
tmpl src 6.7.8.9 dst 1.2.3.4
proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 3136 ptype main
mark 33554432/0xff000000
tmpl src 6.7.8.9 dst 1.2.3.4
proto esp reqid 16389 mode tunnel

--
cm
