[Swan] how to a remote subnet via a NAT connection ?

Jason Vas Dias jason.vas.dias at gmail.com
Tue Sep 29 17:24:46 UTC 2020 

Good day -

 I am trying to setup a VPN client connection from my local Linux Fedora 32
 host, with libreswan-3.32 installed, to a remote Linux Centos 7 host,
 with libreswan-3.23 installed and pluto server running.

 My local linux host gets its IP connection over WiFi from my mobile
 phone, so is NATed in the android mobile phone to its external
 carrier provided IP address.

 Happily, I can SSH in to the remote server, sudo to root, and inspect
 its 'ipsec barf' log, which unhappily doesn't help much.

 Roughly following the instructions at :
   https://libreswan.org/wiki/Subnet_to_subnet_VPN_with_PSK
 and
   https://linoxide.com/ubuntu-how-to/configure-ipsec-vpn-libreswan
 I have arrived at a configuration like this:


  /etc/ipsec.d/${tunnel-name}.secret:
  <quote>
  
   ${LOCAL_IP} ${REMOTE_HOST_IP} : PSK 0t${SECRET_PSK_KEY}
   @${VPN_USER_NAME} : XAUTH "${SECRET_PASSWORD}"

  </quote>

 The IP address details are elided, but my phone, which has
 external IP address '${PHONE_IP}', configures my wlp59s0
 wireless interface on my local linux box, which is the
 default route destination interface,  with
 ${LOCAL_IP} via DHCP, and I am trying to set up a
 VPN tunnel with ${REMOTE_HOST_IP} .

  /etc/ipsec.d/${tunnel-name}.conf:  
  <quote>
   config setup
      protostack=netkey

   conn ${tunnel-name}
      left=%defaultroute
      right=${REMOTE_HOST_IP}
      rightxauthserver=yes
      leftxauthclient=yes
      leftxauthusername=vpnuser
      rightsubnet=192.168.145.0/24
      rightsourceip=192.168.145.1
      leftsubnet=192.168.166.0/24
      leftsourceip=192.168.166.66
      # copied from server:
          authby=secret
          pfs=no
          sha2-truncbug=no
          encapsulation=yes
          rekey=no
          keyingtries=5
          dpddelay=30
          dpdtimeout=120
          dpdaction=clear
          ike=aes256-sha2,aes256-sha1,aes256-sha2
          phase2alg=aes_gcm-null,aes256-sha1,aes256-sha2_512,aes256-sha2
          auto=ignore
          type=tunnel
          compress=no
          ikepad=yes
          phase2=esp
          ikev2=never
          ppk=no
          esn=no
   </quote>


   I arrived at this after inspecting the $REMOTE_HOST_IP server's 'ipsec barf' output,
   which contains:

   <quote>
     conn shared
     	left=%defaultroute
	leftid="${REMOTE_HOST_IP}"
	leftnexthop=%defaultroute
	left=%defaultroute
	right=%any
	authby=secret
	pfs=no
	sha2-truncbug=no
	encapsulation=yes
	rekey=no
	keyingtries=5
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear
	ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
	phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
	auto=ignore
	type=tunnel
	compress=no
	pfs=no
	ikepad=yes
	authby=secret
	phase2=esp
	ikev2=never
	ppk=no
	esn=no
  <quote>

  libreswan-3.32 does not support the 'modp1024' or aes128 algorithms,
  so I removed them from the 'ike' and 'phase2alg' settings, to arrive
  at the settings used in   /etc/ipsec.d/${tunnel-name}.conf shown
  above.

  With this connection, the local linux host is able to make a
  tunnel:

  <quote>
       # ipsec auto --up ${tunnel-name} 
       002 "${tunnel-name}" #3: initiating Main Mode
       102 "${tunnel-name}" #3: STATE_MAIN_I1: sent MI1, expecting MR1
       104 "${tunnel-name}" #3: STATE_MAIN_I2: sent MI2, expecting MR2
       106 "${tunnel-name}" #3: STATE_MAIN_I3: sent MI3, expecting MR3
       002 "${tunnel-name}" #3: Peer ID is ID_IPV4_ADDR: '${REMOTE_HOST_IP}'
       004 "${tunnel-name}" #3: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
       002 "${tunnel-name}" #3: XAUTH: Answering XAUTH challenge with user='${VPN_USER}'
       004 "${tunnel-name}" #3: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
       002 "${tunnel-name}" #3: XAUTH: Successfully Authenticated
       002 "${tunnel-name}" #3: XAUTH completed; ModeCFG skipped as per configuration
       004 "${tunnel-name}" #3: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
       002 "${tunnel-name}" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+XAUTH+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#3 msgid:f2b8a557 proposal=AES_GCM_16-NONE, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_256-HMAC_SHA2_256_128 pfsgroup=no-pfs}
       115 "${tunnel-name}" #4: STATE_QUICK_I1: sent QI1, expecting QR1
       004 "${tunnel-name}" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x781c1272 <0xd41ef07d xfrm=AES_GCM_16_128-NONE NATOA=none NATD=${REMOTE_HOST_IP}:4500 DPD=active username=${VPN_USER}}
  </quote>


  I can see IPSec has added a route:

  <quote>
  # ip route
  ...
       192.168.145.0/24 via ${LOCAL_IP} dev wlp59s0 src 192.168.166.66 
  </quote>

  and has added the 192.168.166.66 'leftsourceip' address to the lo0
  localhost interface.

  But when this tunnel is active, I can no longer reach the
  "$REMOTE_HOST_IP" server address, using SSH or 'ping'ing.

  There is no special route created for ${REMOTE_HOST_IP}, yet
  all attempts to contact it time out if the tunnel is active.

  When the tunnel is active, all attempts to reach hosts on the
  'rightsubnet', or the ${REMOTE_HOST_IP} gateway itself,
  fail with a connection timeout.

  When I bring down the VPN tunnel, I can again SSH to $REMOTE_HOST_IP,
  where I can see from the logs that a VPN tunnel WAS successfully established:

  <quote>
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[9] ${PHONE_IP} #550: responding to Main Mode from unknown peer ${PHONE_IP} on port 16510
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[9] ${PHONE_IP} #550: STATE_MAIN_R1: sent MR1, expecting MI2
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[9] ${PHONE_IP} #550: STATE_MAIN_R2: sent MR2, expecting MI3
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[9] ${PHONE_IP} #550: Peer ID is ID_IPV4_ADDR: '${LOCAL_IP}'
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[9] ${PHONE_IP} #550: switched from "xauth-psk"[9] ${PHONE_IP} to "xauth-psk"
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: deleting connection "xauth-psk"[9] ${PHONE_IP} instance with peer ${PHONE_IP} {isakmp=#0/ipsec=#0}
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: Peer ID is ID_IPV4_ADDR: '${LOCAL_IP}'
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: XAUTH: password file authentication method requested to authenticate user 'vpnuser'
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: XAUTH: password file (/etc/ipsec.d/passwd) open.
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: XAUTH: success user(vpnuser:xauth-psk)
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: XAUTH: User vpnuser: Authentication Successful
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: XAUTH: xauth_inR1(STF_OK)
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: the peer proposed: 192.168.145.0/24:0/0 -> 192.168.166.0/24:0/0
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #551: responding to Quick Mode proposal {msgid:bf827bfb}
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #551:     us: 0.0.0.0/0===${REMOTE_HOST_IP}[MS+XS+S=C]
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #551:   them: ${PHONE_IP}[${LOCAL_IP},+MC+XC+S=C]
      Sep 29 17:54:56 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #551: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x88df34a3 <0x97623cbc xfrm=AES_GCM_16_128-NONE NATOA=none NATD=${PHONE_IP}:16440 DPD=active username=vpnuser}
      Sep 29 17:54:57 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #551: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x88df34a3 <0x97623cbc xfrm=AES_GCM_16_128-NONE NATOA=none NATD=${PHONE_IP}:16440 DPD=active username=vpnuser}
      Sep 29 17:55:08 ${REMOTE_HOST} pluto[3439]: "xauth-psk"[10] ${PHONE_IP} #550: received Delete SA(0x88df34a3) payload: deleting IPsec State #551
  </quote>

  And the tunnel is successfully created on my local host.

  What I am actually trying to do is connect to the VMWare Workstation
  clients hosted on subnet 192.168.145.0/24 on the remote host,
  which are made ONLY accessable to external hosts via the VPN .

  But once the VPN tunnel is active, I can no long contact
  $REMOTE_HOST_IP , nor can I reach any host on subnet 192.168.145.0/24 .

  Please, can anyone suggest a way to fix this config, so I can both
   A) ssh directly to  ${REMOTE_HOST_IP} without going through the
      tunnel when the tunnel is active ;
      
   B) gain access to the VMs 192.168.145.0/24 on ${REMOTE_HOST_IP} when
      the tunnel is active ?

  I urgently need to connect to these VMs via the VPN for work purposes.

  I can't seem to find any way of doing so.

Thanks in advance for any replies / advice -

Best Regards,
Jason

More information about the Swan mailing list