[Swan] Libreswan VTI-Interface Route-Client Error

Ravin Ya ravin.ya90 at gmail.com
Thu Nov 5 16:55:45 UTC 2020


Hi Everyone,

Please ignore the previous email. The issue is found in the _updown.netkey
bash script.

The "string-match" regex seems to be incorrect:
    ip route list | grep -q "${PLUTO_PEER_CLIENT%/*}"

Instead of doing a complete string match, it's doing only the IP match and
getting a false match (X.X.X.4/30 and X.X.X.40/30).
Therefore it ends up doing "ip route change" instead of "ip route add" on
the vti interface.

Thank You,
Ravin Ya


On Wed, Nov 4, 2020 at 4:43 PM Ravin Ya <ravin.ya90 at gmail.com> wrote:

> Hello Everyone,
>
> Please advise. Any help will be highly appreciated. Thank you in advance.
>
> Test Setup: Libreswan VPN Server (IKEv1 xAuth)  vti-routing=yes /
> vti-shared=yes
>
> Libreswan ipsec.conf
> conn client1
>         rightid=STRSWANAT1
>         rightsubnet=10.17.0.4/30
>
> conn client2
>         rightid=STRSWANAT2
>         rightsubnet=10.17.0.40/30
>
>
> Works just fine when I bring up Client 2 followed by Client 1: the
> "route-client" adds the route to the vti-interface successfully.
> >>The route gets added because there is NO MATCH for "10.17.0.40".
>
> ISSUE: When I bring up client 1 followed by client 2, the "route-client"
> fails to add the route to the vti-interface.
> >>The route DOES NOT get added because there is a false MATCH for
> "10.17.0.4" -> (10.17.0.40)
>
> ERROR:
>
>    - Nov  3 19:16:49.146176: "strswan2"[1] 10.11.0.5 #4: route-client
>    output: RTNETLINK answers: File exists
>    - Nov  3 19:16:49.147383: "strswan2"[1] 10.11.0.5 #4: route-client
>    output: RTNETLINK answers: No such file or directory
>    - Nov  3 19:16:49.147743: "strswan2"[1] 10.11.0.5 #4: route-client
>    output: done ip route
>
>
> Here is what I think is happening, please correct me: [Skips adding the
> route to vti-interface for client 1 "10.17.0.4" because it parses for
> routes in routing table (netstat -nr) and FALSE matches existing client 2
> entry "10.17.0.40"].
>
> Workaround: Avoid adding remote LAN Subnet: X.X.X.4/30, X.X.X.8/30,
> X.X.X.12/30, X.X.X.16/30 (Last octet) which might result in an overlap.
>
>
> Logs: Bring up Client 1 followed by Client 2
>
> Logs: Client 2: 10.17.0.40
> Nov  4 16:33:08.789919: "strswan1"[501] 10.11.0.41 #1562: responding to
> Main Mode from unknown peer 10.11.0.41 on port 500
> Nov  4 16:33:08.790098: "strswan1"[501] 10.11.0.41 #1562: STATE_MAIN_R1:
> sent MR1, expecting MI2
> Nov  4 16:33:08.794201: "strswan1"[501] 10.11.0.41 #1562: STATE_MAIN_R2:
> sent MR2, expecting MI3
> Nov  4 16:33:08.797396: "strswan1"[501] 10.11.0.41 #1562: ignoring
> informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Nov  4 16:33:08.797423: | ISAKMP Notification Payload
> Nov  4 16:33:08.797428: |   00 00 00 1c  00 00 00 01  01 10 60 02
> Nov  4 16:33:08.797435: "strswan1"[501] 10.11.0.41 #1562: Peer ID is
> ID_USER_FQDN: 'STRSWANAT11 at SIT.GTN.HNSNET.NET'
> Nov  4 16:33:08.797498: "strswan1"[501] 10.11.0.41 #1562: switched from
> "strswan1"[501] 10.11.0.41 to "strswan11"
> Nov  4 16:33:08.797677: "strswan11"[2] 10.11.0.41 #1562: deleting
> connection "strswan1"[501] 10.11.0.41 instance with peer 10.11.0.41
> {isakmp=#0/ipsec=#0}
> Nov  4 16:33:08.797692: "strswan11"[2] 10.11.0.41 #1562: Peer ID is
> ID_USER_FQDN: 'STRSWANAT11 at SIT.GTN.HNSNET.NET'
> Nov  4 16:33:08.798082: "strswan11"[2] 10.11.0.41 #1562: STATE_MAIN_R3:
> sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256
> integ=md5 group=MODP1024}
> Nov  4 16:33:08.878240: "strswan11"[2] 10.11.0.41 #1562: XAUTH: Sending
> Username/Password request (MAIN_R3->XAUTH_R0)
> Nov  4 16:33:08.879303: "strswan11"[2] 10.11.0.41 #1562: XAUTH: PAM
> authentication method requested to authenticate user '
> STRSWANAT11 at SIT.GTN.HNSNET.NET'
> Nov  4 16:33:09.180451: "strswan11"[2] 10.11.0.41 #1562: PAM: #1562:
> completed for user 'STRSWANAT11 at SIT.GTN.HNSNET.NET' with status SUCCESSS
> Nov  4 16:33:09.180495: "strswan11"[2] 10.11.0.41 #1562: XAUTH: User
> STRSWANAT11 at SIT.GTN.HNSNET.NET: Authentication Successful
> Nov  4 16:33:09.181435: "strswan11"[2] 10.11.0.41 #1562: XAUTH:
> xauth_inR1(STF_OK)
> Nov  4 16:33:09.181472: "strswan11"[2] 10.11.0.41 #1562: STATE_MAIN_R3:
> sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256
> integ=md5 group=MODP1024}
> Nov  4 16:33:09.182314: "strswan11"[2] 10.11.0.41 #1562: the peer
> proposed: 0.0.0.0/0:0/0 -> 10.17.0.40/30:0/0
> Nov  4 16:33:09.188021: "strswan11"[2] 10.11.0.41 #1563: responding to
> Quick Mode proposal {msgid:395b084f}
> Nov  4 16:33:09.188049: "strswan11"[2] 10.11.0.41 #1563:     us:
> 0.0.0.0/0===10.11.251.251<10.11.251.251>[@libreswan,+XS+S=C]
> Nov  4 16:33:09.188056: "strswan11"[2] 10.11.0.41 #1563:   them:
> 10.11.0.41[STRSWANAT11 at SIT.GTN.HNSNET.NET,+XC+S=C]===10.17.0.40/30
> Nov  4 16:33:09.188904: "strswan11"[2] 10.11.0.41 #1563: STATE_QUICK_R1:
> sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode
> {ESP=>0xc6b6d5c6 <0xe6a571a8 xfrm=AES_CBC_256-HMAC_MD5_96 NATOA=none
> NATD=none DPD=active username=STRSWANAT11 at SIT.GTN.HNSNET.NET}
> Nov  4 16:33:09.190974: "strswan11"[2] 10.11.0.41 #1563: Warning: XAUTH
> username changed from '' to ''
> Nov  4 16:33:09.206462: "strswan11"[2] 10.11.0.41 #1563: up-client output:
> vti interface "vti01" already exists with conflicting setting
> Nov  4 16:33:09.206495: "strswan11"[2] 10.11.0.41 #1563: up-client output:
> existing: vti01: ip/ip remote any local 10.11.251.251 ttl inherit key 5
> Nov  4 16:33:09.206500: "strswan11"[2] 10.11.0.41 #1563: up-client output:
> wanted  : vti01: ip/ip  remote any  local 10.11.251.251  ttl inherit  key 5
> Nov  4 16:33:09.206829: "strswan11"[2] 10.11.0.41 #1563: Warning: XAUTH
> username changed from '' to ''
> Nov  4 16:33:09.221757: "strswan11"[2] 10.11.0.41 #1563: prepare-client
> output: vti interface "vti01" already exists with conflicting setting
> Nov  4 16:33:09.221812: "strswan11"[2] 10.11.0.41 #1563: prepare-client
> output: existing: vti01: ip/ip remote any local 10.11.251.251 ttl inherit
> key 5
> Nov  4 16:33:09.221818: "strswan11"[2] 10.11.0.41 #1563: prepare-client
> output: wanted  : vti01: ip/ip  remote any  local 10.11.251.251  ttl
> inherit  key 5
> Nov  4 16:33:09.221981: "strswan11"[2] 10.11.0.41 #1563: Warning: XAUTH
> username changed from '' to ''
> Nov  4 16:33:09.238353: "strswan11"[2] 10.11.0.41 #1563: route-client
> output: done ip route
> Nov  4 16:33:09.241635: "strswan11"[2] 10.11.0.41 #1563: STATE_QUICK_R2:
> IPsec SA established tunnel mode {ESP=>0xc6b6d5c6 <0xe6a571a8
> xfrm=AES_CBC_256-HMAC_MD5_96 NATOA=none NATD=none DPD=active username=
> STRSWANAT11 at SIT.GTN.HNSNET.NET}
>
>
> Logs: Client 1: 10.17.0.4
> Nov  4 16:36:56.234237: "strswan1"[502] 10.11.0.5 #1564: responding to
> Main Mode from unknown peer 10.11.0.5 on port 500
> Nov  4 16:36:56.234372: "strswan1"[502] 10.11.0.5 #1564: STATE_MAIN_R1:
> sent MR1, expecting MI2
> Nov  4 16:36:56.238458: "strswan1"[502] 10.11.0.5 #1564: STATE_MAIN_R2:
> sent MR2, expecting MI3
> Nov  4 16:36:56.239427: "strswan1"[502] 10.11.0.5 #1564: ignoring
> informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Nov  4 16:36:56.239452: | ISAKMP Notification Payload
> Nov  4 16:36:56.239456: |   00 00 00 1c  00 00 00 01  01 10 60 02
> Nov  4 16:36:56.239462: "strswan1"[502] 10.11.0.5 #1564: Peer ID is
> ID_USER_FQDN: 'STRSWANAT2 at SIT.GTN.HNSNET.NET'
> Nov  4 16:36:56.239749: "strswan1"[502] 10.11.0.5 #1564: switched from
> "strswan1"[502] 10.11.0.5 to "strswan2"
> Nov  4 16:36:56.239926: "strswan2"[2] 10.11.0.5 #1564: deleting connection
> "strswan1"[502] 10.11.0.5 instance with peer 10.11.0.5 {isakmp=#0/ipsec=#0}
> Nov  4 16:36:56.239941: "strswan2"[2] 10.11.0.5 #1564: Peer ID is
> ID_USER_FQDN: 'STRSWANAT2 at SIT.GTN.HNSNET.NET'
> Nov  4 16:36:56.240165: "strswan2"[2] 10.11.0.5 #1564: STATE_MAIN_R3: sent
> MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=md5
> group=MODP1024}
> Nov  4 16:36:56.320319: "strswan2"[2] 10.11.0.5 #1564: XAUTH: Sending
> Username/Password request (MAIN_R3->XAUTH_R0)
> Nov  4 16:36:56.321373: "strswan2"[2] 10.11.0.5 #1564: XAUTH: PAM
> authentication method requested to authenticate user '
> STRSWANAT2 at SIT.GTN.HNSNET.NET'
> Nov  4 16:36:56.448459: "strswan2"[2] 10.11.0.5 #1564: PAM: #1564:
> completed for user 'STRSWANAT2 at SIT.GTN.HNSNET.NET' with status SUCCESSS
> Nov  4 16:36:56.448495: "strswan2"[2] 10.11.0.5 #1564: XAUTH: User
> STRSWANAT2 at SIT.GTN.HNSNET.NET: Authentication Successful
> Nov  4 16:36:56.449205: "strswan2"[2] 10.11.0.5 #1564: XAUTH:
> xauth_inR1(STF_OK)
> Nov  4 16:36:56.449241: "strswan2"[2] 10.11.0.5 #1564: STATE_MAIN_R3: sent
> MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=md5
> group=MODP1024}
> Nov  4 16:36:56.449912: "strswan2"[2] 10.11.0.5 #1564: the peer proposed:
> 0.0.0.0/0:0/0 -> 10.17.0.4/30:0/0
> Nov  4 16:36:56.450768: "strswan2"[2] 10.11.0.5 #1565: responding to Quick
> Mode proposal {msgid:c2a3f054}
> Nov  4 16:36:56.450791: "strswan2"[2] 10.11.0.5 #1565:     us:
> 0.0.0.0/0===10.11.251.251<10.11.251.251>[@libreswan,+XS+S=C]
> Nov  4 16:36:56.450797: "strswan2"[2] 10.11.0.5 #1565:   them:
> 10.11.0.5[STRSWANAT2 at SIT.GTN.HNSNET.NET,+XC+S=C]===10.17.0.4/30
> Nov  4 16:36:56.451645: "strswan2"[2] 10.11.0.5 #1565: STATE_QUICK_R1:
> sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode
> {ESP=>0xc28e4a89 <0x38534a6b xfrm=AES_CBC_256-HMAC_MD5_96 NATOA=none
> NATD=none DPD=active username=STRSWANAT2 at SIT.GTN.HNSNET.NET}
> Nov  4 16:36:56.453841: "strswan2"[2] 10.11.0.5 #1565: Warning: XAUTH
> username changed from '' to ''
> Nov  4 16:36:56.469286: "strswan2"[2] 10.11.0.5 #1565: up-client output:
> vti interface "vti01" already exists with conflicting setting
> Nov  4 16:36:56.469331: "strswan2"[2] 10.11.0.5 #1565: up-client output:
> existing: vti01: ip/ip remote any local 10.11.251.251 ttl inherit key 5
> Nov  4 16:36:56.469336: "strswan2"[2] 10.11.0.5 #1565: up-client output:
> wanted  : vti01: ip/ip  remote any  local 10.11.251.251  ttl inherit  key 5
> Nov  4 16:36:56.469556: "strswan2"[2] 10.11.0.5 #1565: Warning: XAUTH
> username changed from '' to ''
> Nov  4 16:36:56.484606: "strswan2"[2] 10.11.0.5 #1565: prepare-client
> output: vti interface "vti01" already exists with conflicting setting
> Nov  4 16:36:56.484637: "strswan2"[2] 10.11.0.5 #1565: prepare-client
> output: existing: vti01: ip/ip remote any local 10.11.251.251 ttl inherit
> key 5
> Nov  4 16:36:56.484643: "strswan2"[2] 10.11.0.5 #1565: prepare-client
> output: wanted  : vti01: ip/ip  remote any  local 10.11.251.251  ttl
> inherit  key 5
> Nov  4 16:36:56.484903: "strswan2"[2] 10.11.0.5 #1565: Warning: XAUTH
> username changed from '' to ''
> Nov  4 16:36:56.505726: "strswan2"[2] 10.11.0.5 #1565: route-client
> output: RTNETLINK answers: File exists
> Nov  4 16:36:56.507190: "strswan2"[2] 10.11.0.5 #1565: route-client
> output: RTNETLINK answers: No such file or directory
> Nov  4 16:36:56.507399: "strswan2"[2] 10.11.0.5 #1565: route-client
> output: done ip route
> Nov  4 16:36:56.518969: "strswan2"[2] 10.11.0.5 #1565: STATE_QUICK_R2:
> IPsec SA established tunnel mode {ESP=>0xc28e4a89 <0x38534a6b
> xfrm=AES_CBC_256-HMAC_MD5_96 NATOA=none NATD=none DPD=active username=
> STRSWANAT2 at SIT.GTN.HNSNET.NET}
>
> Thank you,
> Ravin Ya
>
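The false match described in the messages above, reproduced and corrected as an added example (not code from this list or from Libreswan's _updown.netkey). The route table is a constructed sample; route_exists_buggy reproduces the quoted grep, and route_exists_fixed is an assumed hardening that compares the whole CIDR as an exact field with awk instead of grepping for the bare address as a substring.

```shell
#!/bin/sh
# Constructed sample of "ip route list" output: client 2 (10.17.0.40/30) is
# already routed over vti01, client 1 (10.17.0.4/30) is not.
SAMPLE_ROUTES='default via 10.11.251.1 dev eth0
10.11.0.0/24 dev eth0 proto kernel scope link src 10.11.251.251
10.17.0.40/30 dev vti01 scope link'

# The check quoted from _updown.netkey: the prefix length is stripped and the
# bare address is grepped as an unanchored substring, so "10.17.0.4" also
# matches the "10.17.0.40/30" line (false positive).
route_exists_buggy() {
    client="$1"
    printf '%s\n' "$SAMPLE_ROUTES" | grep -q "${client%/*}"
}

# Hardened check (assumed here, not Libreswan's own fix): compare the whole
# CIDR against the first field of each route line as an exact string rather
# than a regex, so 10.17.0.4/30 and 10.17.0.40/30 cannot be confused.
route_exists_fixed() {
    client="$1"
    printf '%s\n' "$SAMPLE_ROUTES" |
        awk -v want="$client" '$1 == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# Which "ip route" verb an updown script would run for a client subnet.
route_action() {
    if route_exists_fixed "$1"; then
        echo change
    else
        echo add
    fi
}

# Stand-alone demonstration of both checks on the two overlapping subnets.
for net in 10.17.0.4/30 10.17.0.40/30; do
    if route_exists_buggy "$net"; then b=present; else b=absent; fi
    echo "$net: buggy grep says $b, fixed check says $(route_action "$net")"
done
```

The buggy check reports 10.17.0.4/30 as present (hence "ip route change" and "RTNETLINK answers: No such file or directory"), while the exact-field check correctly selects "add" for it and "change" only for 10.17.0.40/30.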