[Swan] Libreswan VTI-Interface Route-Client Error
Ravin Ya
ravin.ya90 at gmail.com
Wed Nov 4 21:43:53 UTC 2020
Hello Everyone,
Please advise. Any help will be highly appreciated. Thank you in advance.
Test Setup: Libreswan VPN Server (IKEv1 xAuth) with vti-routing=yes / vti-shared=yes
Libreswan ipsec.conf:

conn client1
    rightid=STRSWANAT1
    rightsubnet=10.17.0.4/30

conn client2
    rightid=STRSWANAT2
    rightsubnet=10.17.0.40/30
Works just fine when I bring up Client 2 followed by Client 1: the
"route-client" adds the route to the vti-interface successfully.
>> The route gets added because there is NO MATCH for "10.17.0.40".
ISSUE: When I bring up Client 1 followed by Client 2, the "route-client"
fails to add the route to the vti-interface.
>> The route DOES NOT get added because there is a false MATCH for "10.17.0.4"
-> (10.17.0.40).
ERROR:
- Nov 3 19:16:49.146176: "strswan2"[1] 10.11.0.5 #4: route-client
output: RTNETLINK answers: File exists
- Nov 3 19:16:49.147383: "strswan2"[1] 10.11.0.5 #4: route-client
output: RTNETLINK answers: No such file or directory
- Nov 3 19:16:49.147743: "strswan2"[1] 10.11.0.5 #4: route-client
output: done ip route
Here is what I think is happening, please correct me: [it skips adding the
route to the vti-interface for Client 1 "10.17.0.4" because it parses the
routes in the routing table (netstat -nr) and FALSE-matches the existing Client 2
entry "10.17.0.40"].
Workaround: avoid remote LAN subnets of the form X.X.X.4/30, X.X.X.8/30,
X.X.X.12/30, X.X.X.16/30 (last octet), which might result in such an overlap.
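The following is an added illustration of the false-match hypothesis above; it is not code from the original post or from Libreswan's own _updown script. It uses a constructed `netstat -nr` snapshot in which Client 2's subnet (10.17.0.40/30) is already routed via vti01, and shows how a bare substring search reports Client 1's destination "10.17.0.4" as already present, while a column-exact comparison does not:

```shell
#!/bin/sh
# Added example (not from the original post or from Libreswan's _updown script):
# compares a substring route-existence check with a field-exact one.

# Constructed sample of `netstat -nr` output for the state described in the post.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.11.0.1       0.0.0.0         UG        0 0          0 eth0
10.11.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.17.0.40      0.0.0.0         255.255.255.252 U         0 0          0 vti01'

# Naive check: plain substring search for the destination address.
# Exit status 0 ("route exists") if any line contains the string anywhere,
# so "10.17.0.4" is found inside "10.17.0.40".
naive_route_exists() {
    dest=$1; table=$2
    printf '%s\n' "$table" | grep -F -q -- "$dest"
}

# Field-exact check: destination and netmask must match whole columns
# (fields 1 and 3 of netstat -nr), so 10.17.0.4 never matches 10.17.0.40.
exact_route_exists() {
    dest=$1; mask=$2; table=$3
    printf '%s\n' "$table" | awk -v d="$dest" -v m="$mask" \
        '$1 == d && $3 == m { found = 1 } END { exit !found }'
}

# Demonstration: the naive check falsely reports Client 1's route as present,
# which is exactly the condition under which an "add route" step gets skipped.
if naive_route_exists 10.17.0.4 "$SAMPLE_ROUTES"; then
    echo "naive check: 10.17.0.4 reported present (false match on 10.17.0.40)"
fi
if ! exact_route_exists 10.17.0.4 255.255.255.252 "$SAMPLE_ROUTES"; then
    echo "exact check: 10.17.0.4/30 correctly reported absent; route would be added"
fi
```

The same pitfall exists with `ip route` output; there, asking the kernel for the exact prefix (`ip route show to exact 10.17.0.4/30`) avoids text matching altogether.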
Logs: Bring up Client 1 followed by Client 2
Logs: Client 2: 10.17.0.40
Nov 4 16:33:08.789919: "strswan1"[501] 10.11.0.41 #1562: responding to
Main Mode from unknown peer 10.11.0.41 on port 500
Nov 4 16:33:08.790098: "strswan1"[501] 10.11.0.41 #1562: STATE_MAIN_R1:
sent MR1, expecting MI2
Nov 4 16:33:08.794201: "strswan1"[501] 10.11.0.41 #1562: STATE_MAIN_R2:
sent MR2, expecting MI3
Nov 4 16:33:08.797396: "strswan1"[501] 10.11.0.41 #1562: ignoring
informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Nov 4 16:33:08.797423: | ISAKMP Notification Payload
Nov 4 16:33:08.797428: | 00 00 00 1c 00 00 00 01 01 10 60 02
Nov 4 16:33:08.797435: "strswan1"[501] 10.11.0.41 #1562: Peer ID is
ID_USER_FQDN: 'STRSWANAT11 at SIT.GTN.HNSNET.NET'
Nov 4 16:33:08.797498: "strswan1"[501] 10.11.0.41 #1562: switched from
"strswan1"[501] 10.11.0.41 to "strswan11"
Nov 4 16:33:08.797677: "strswan11"[2] 10.11.0.41 #1562: deleting
connection "strswan1"[501] 10.11.0.41 instance with peer 10.11.0.41
{isakmp=#0/ipsec=#0}
Nov 4 16:33:08.797692: "strswan11"[2] 10.11.0.41 #1562: Peer ID is
ID_USER_FQDN: 'STRSWANAT11 at SIT.GTN.HNSNET.NET'
Nov 4 16:33:08.798082: "strswan11"[2] 10.11.0.41 #1562: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256
integ=md5 group=MODP1024}
Nov 4 16:33:08.878240: "strswan11"[2] 10.11.0.41 #1562: XAUTH: Sending
Username/Password request (MAIN_R3->XAUTH_R0)
Nov 4 16:33:08.879303: "strswan11"[2] 10.11.0.41 #1562: XAUTH: PAM
authentication method requested to authenticate user '
STRSWANAT11 at SIT.GTN.HNSNET.NET'
Nov 4 16:33:09.180451: "strswan11"[2] 10.11.0.41 #1562: PAM: #1562:
completed for user 'STRSWANAT11 at SIT.GTN.HNSNET.NET' with status SUCCESSS
Nov 4 16:33:09.180495: "strswan11"[2] 10.11.0.41 #1562: XAUTH: User
STRSWANAT11 at SIT.GTN.HNSNET.NET: Authentication Successful
Nov 4 16:33:09.181435: "strswan11"[2] 10.11.0.41 #1562: XAUTH:
xauth_inR1(STF_OK)
Nov 4 16:33:09.181472: "strswan11"[2] 10.11.0.41 #1562: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256
integ=md5 group=MODP1024}
Nov 4 16:33:09.182314: "strswan11"[2] 10.11.0.41 #1562: the peer proposed:
0.0.0.0/0:0/0 -> 10.17.0.40/30:0/0
Nov 4 16:33:09.188021: "strswan11"[2] 10.11.0.41 #1563: responding to
Quick Mode proposal {msgid:395b084f}
Nov 4 16:33:09.188049: "strswan11"[2] 10.11.0.41 #1563: us:
0.0.0.0/0===10.11.251.251<10.11.251.251>[@libreswan,+XS+S=C]
Nov 4 16:33:09.188056: "strswan11"[2] 10.11.0.41 #1563: them:
10.11.0.41[STRSWANAT11 at SIT.GTN.HNSNET.NET,+XC+S=C]===10.17.0.40/30
Nov 4 16:33:09.188904: "strswan11"[2] 10.11.0.41 #1563: STATE_QUICK_R1:
sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode
{ESP=>0xc6b6d5c6 <0xe6a571a8 xfrm=AES_CBC_256-HMAC_MD5_96 NATOA=none
NATD=none DPD=active username=STRSWANAT11 at SIT.GTN.HNSNET.NET}
Nov 4 16:33:09.190974: "strswan11"[2] 10.11.0.41 #1563: Warning: XAUTH
username changed from '' to ''
Nov 4 16:33:09.206462: "strswan11"[2] 10.11.0.41 #1563: up-client output:
vti interface "vti01" already exists with conflicting setting
Nov 4 16:33:09.206495: "strswan11"[2] 10.11.0.41 #1563: up-client output:
existing: vti01: ip/ip remote any local 10.11.251.251 ttl inherit key 5
Nov 4 16:33:09.206500: "strswan11"[2] 10.11.0.41 #1563: up-client output:
wanted : vti01: ip/ip remote any local 10.11.251.251 ttl inherit key 5
Nov 4 16:33:09.206829: "strswan11"[2] 10.11.0.41 #1563: Warning: XAUTH
username changed from '' to ''
Nov 4 16:33:09.221757: "strswan11"[2] 10.11.0.41 #1563: prepare-client
output: vti interface "vti01" already exists with conflicting setting
Nov 4 16:33:09.221812: "strswan11"[2] 10.11.0.41 #1563: prepare-client
output: existing: vti01: ip/ip remote any local 10.11.251.251 ttl inherit
key 5
Nov 4 16:33:09.221818: "strswan11"[2] 10.11.0.41 #1563: prepare-client
output: wanted : vti01: ip/ip remote any local 10.11.251.251 ttl
inherit key 5
Nov 4 16:33:09.221981: "strswan11"[2] 10.11.0.41 #1563: Warning: XAUTH
username changed from '' to ''
Nov 4 16:33:09.238353: "strswan11"[2] 10.11.0.41 #1563: route-client
output: done ip route
Nov 4 16:33:09.241635: "strswan11"[2] 10.11.0.41 #1563: STATE_QUICK_R2:
IPsec SA established tunnel mode {ESP=>0xc6b6d5c6 <0xe6a571a8
xfrm=AES_CBC_256-HMAC_MD5_96 NATOA=none NATD=none DPD=active username=
STRSWANAT11 at SIT.GTN.HNSNET.NET}
Logs: Client 1: 10.17.0.4
Nov 4 16:36:56.234237: "strswan1"[502] 10.11.0.5 #1564: responding to Main
Mode from unknown peer 10.11.0.5 on port 500
Nov 4 16:36:56.234372: "strswan1"[502] 10.11.0.5 #1564: STATE_MAIN_R1:
sent MR1, expecting MI2
Nov 4 16:36:56.238458: "strswan1"[502] 10.11.0.5 #1564: STATE_MAIN_R2:
sent MR2, expecting MI3
Nov 4 16:36:56.239427: "strswan1"[502] 10.11.0.5 #1564: ignoring
informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Nov 4 16:36:56.239452: | ISAKMP Notification Payload
Nov 4 16:36:56.239456: | 00 00 00 1c 00 00 00 01 01 10 60 02
Nov 4 16:36:56.239462: "strswan1"[502] 10.11.0.5 #1564: Peer ID is
ID_USER_FQDN: 'STRSWANAT2 at SIT.GTN.HNSNET.NET'
Nov 4 16:36:56.239749: "strswan1"[502] 10.11.0.5 #1564: switched from
"strswan1"[502] 10.11.0.5 to "strswan2"
Nov 4 16:36:56.239926: "strswan2"[2] 10.11.0.5 #1564: deleting connection
"strswan1"[502] 10.11.0.5 instance with peer 10.11.0.5 {isakmp=#0/ipsec=#0}
Nov 4 16:36:56.239941: "strswan2"[2] 10.11.0.5 #1564: Peer ID is
ID_USER_FQDN: 'STRSWANAT2 at SIT.GTN.HNSNET.NET'
Nov 4 16:36:56.240165: "strswan2"[2] 10.11.0.5 #1564: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=md5
group=MODP1024}
Nov 4 16:36:56.320319: "strswan2"[2] 10.11.0.5 #1564: XAUTH: Sending
Username/Password request (MAIN_R3->XAUTH_R0)
Nov 4 16:36:56.321373: "strswan2"[2] 10.11.0.5 #1564: XAUTH: PAM
authentication method requested to authenticate user '
STRSWANAT2 at SIT.GTN.HNSNET.NET'
Nov 4 16:36:56.448459: "strswan2"[2] 10.11.0.5 #1564: PAM: #1564:
completed for user 'STRSWANAT2 at SIT.GTN.HNSNET.NET' with status SUCCESSS
Nov 4 16:36:56.448495: "strswan2"[2] 10.11.0.5 #1564: XAUTH: User
STRSWANAT2 at SIT.GTN.HNSNET.NET: Authentication Successful
Nov 4 16:36:56.449205: "strswan2"[2] 10.11.0.5 #1564: XAUTH:
xauth_inR1(STF_OK)
Nov 4 16:36:56.449241: "strswan2"[2] 10.11.0.5 #1564: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=md5
group=MODP1024}
Nov 4 16:36:56.449912: "strswan2"[2] 10.11.0.5 #1564: the peer proposed:
0.0.0.0/0:0/0 -> 10.17.0.4/30:0/0
Nov 4 16:36:56.450768: "strswan2"[2] 10.11.0.5 #1565: responding to Quick
Mode proposal {msgid:c2a3f054}
Nov 4 16:36:56.450791: "strswan2"[2] 10.11.0.5 #1565: us:
0.0.0.0/0===10.11.251.251<10.11.251.251>[@libreswan,+XS+S=C]
Nov 4 16:36:56.450797: "strswan2"[2] 10.11.0.5 #1565: them:
10.11.0.5[STRSWANAT2 at SIT.GTN.HNSNET.NET,+XC+S=C]===10.17.0.4/30
Nov 4 16:36:56.451645: "strswan2"[2] 10.11.0.5 #1565: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0xc28e4a89
<0x38534a6b xfrm=AES_CBC_256-HMAC_MD5_96 NATOA=none NATD=none DPD=active
username=STRSWANAT2 at SIT.GTN.HNSNET.NET}
Nov 4 16:36:56.453841: "strswan2"[2] 10.11.0.5 #1565: Warning: XAUTH
username changed from '' to ''
Nov 4 16:36:56.469286: "strswan2"[2] 10.11.0.5 #1565: up-client output:
vti interface "vti01" already exists with conflicting setting
Nov 4 16:36:56.469331: "strswan2"[2] 10.11.0.5 #1565: up-client output:
existing: vti01: ip/ip remote any local 10.11.251.251 ttl inherit key 5
Nov 4 16:36:56.469336: "strswan2"[2] 10.11.0.5 #1565: up-client output:
wanted : vti01: ip/ip remote any local 10.11.251.251 ttl inherit key 5
Nov 4 16:36:56.469556: "strswan2"[2] 10.11.0.5 #1565: Warning: XAUTH
username changed from '' to ''
Nov 4 16:36:56.484606: "strswan2"[2] 10.11.0.5 #1565: prepare-client
output: vti interface "vti01" already exists with conflicting setting
Nov 4 16:36:56.484637: "strswan2"[2] 10.11.0.5 #1565: prepare-client
output: existing: vti01: ip/ip remote any local 10.11.251.251 ttl inherit
key 5
Nov 4 16:36:56.484643: "strswan2"[2] 10.11.0.5 #1565: prepare-client
output: wanted : vti01: ip/ip remote any local 10.11.251.251 ttl
inherit key 5
Nov 4 16:36:56.484903: "strswan2"[2] 10.11.0.5 #1565: Warning: XAUTH
username changed from '' to ''
Nov 4 16:36:56.505726: "strswan2"[2] 10.11.0.5 #1565: route-client
output: RTNETLINK answers: File exists
Nov 4 16:36:56.507190: "strswan2"[2] 10.11.0.5 #1565: route-client
output: RTNETLINK answers: No such file or directory
Nov 4 16:36:56.507399: "strswan2"[2] 10.11.0.5 #1565: route-client
output: done ip route
Nov 4 16:36:56.518969: "strswan2"[2] 10.11.0.5 #1565: STATE_QUICK_R2:
IPsec SA established tunnel mode {ESP=>0xc28e4a89 <0x38534a6b
xfrm=AES_CBC_256-HMAC_MD5_96 NATOA=none NATD=none DPD=active username=
STRSWANAT2 at SIT.GTN.HNSNET.NET}
Thank you,
RavYa