[Swan] Roadwarrior and NAT
Phil Nightowl
phil.nightowl at gmail.com
Wed Oct 13 16:15:57 UTC 2021
> > A brief summary:
> >
> > server --------------- NAT1 -------- internet --- NAT2 ------ roadwarrior
> > 172.16.0.129 172.16.0.254/1.2.3.4 10.0.0.x 10.0.0.y
> >
> >
> It means your subnets/IPs are not matching. The easiest IKEv2 solution
> is for the server to give the roadwarrior an IP to use.
Adjusted configuration accordingly. The configs are now:
> > Server (responder):
> > -------------------
conn roadw
type=tunnel
left=%defaultroute
leftid=@server
leftsubnet=0.0.0.0/0
right=%any
rightid=@roadw
rightsubnet=vhost:%priv,%no
rightaddresspool=100.64.0.1-100.64.0.10
narrowing=yes
auto=add
ikev2=insist
authby=secret
pfs=yes
aggressive=no
salifetime=1h
negotiationshunt=hold
failureshunt=drop
rekey=no
> > Roadwarrior (initiator):
> > ------------------------
conn server
left=%defaultroute
leftid=@roadw
right=1.2.3.4
rightid=@server
ikev2=insist
auto=ondemand
authby=secret
pfs=yes
aggressive=no
salifetime=1h
negotiationshunt=hold
failureshunt=drop
narrowing=yes
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
However, the resulting behaviour is absolutely puzzling me. There is not a
single ipsec packet on the wire. On the roadwarrior (initiator), I can read:
pluto[13792]: | kernel_process_msg_cb process netlink message
pluto[13792]: | netlink_get: XFRM_MSG_ACQUIRE message
pluto[13792]: | xfrm netlink msg len 376
pluto[13792]: | xfrm acquire rtattribute type 5
pluto[13792]: | xfrm acquire rtattribute type 16
pluto[13792]: | add bare shunt 0x563e26c06018 10.0.0.13/32:40693 --17--> 1.2.3.4/32:1025 => %hold 0 %acquire-netlink
pluto[13792]: initiate on demand from 10.0.0.13:40693 to 1.2.3.4:1025 proto=17 because: acquire
pluto[13792]: | find_connection: looking for policy for connection: 10.0.0.13:17/40693 -> 1.2.3.4:17/1025
pluto[13792]: | find_connection: conn "server" has compatible peers: 0.0.0.0/0 -> 0.0.0.0/0 [pri: 8]
pluto[13792]: | find_connection: first OK "server" [pri:8]{0x563e26c04ee8} (child none)
pluto[13792]: | find_connection: concluding with "server" [pri:8]{0x563e26c04ee8} kind=CK_TEMPLATE
pluto[13792]: cannot initiate connection for packet 10.0.0.13:40693 -> 1.2.3.4:1025 proto=17 - template conn
pluto[13792]: | initiate on demand using RSASIG from 10.0.0.13 to 1.2.3.4
pluto[13792]: | timer_event_cb: processing event at 0x563e26bef708
pluto[13792]: | handling event EVENT_SHUNT_SCAN
pluto[13792]: | expiring aged bare shunts from shunt table
pluto[13792]: | keeping recent bare shunt 0x563e26c06018 10.0.0.13/32:40693 --17--> 1.2.3.4/32:1025 => %hold 0 %acquire-netlink
pluto[13792]: | event_schedule: new EVENT_SHUNT_SCAN-pe at 0x563e26c09298
pluto[13792]: | inserting event EVENT_SHUNT_SCAN, timeout in 20.000 seconds
pluto[13792]: | free_event_entry: release EVENT_SHUNT_SCAN-pe at 0x563e26bef708
pluto[13792]: | timer_event_cb: processing event at 0x563e26c09298
pluto[13792]: | handling event EVENT_SHUNT_SCAN
pluto[13792]: | expiring aged bare shunts from shunt table
pluto[13792]: | keeping recent bare shunt 0x563e26c06018 10.0.0.13/32:40693 --17--> 1.2.3.4/32:1025 => %hold 0 %acquire-netlink
pluto[13792]: | event_schedule: new EVENT_SHUNT_SCAN-pe at 0x563e26c09988
pluto[13792]: | inserting event EVENT_SHUNT_SCAN, timeout in 20.000 seconds
pluto[13792]: | free_event_entry: release EVENT_SHUNT_SCAN-pe at 0x563e26c09298
pluto[13792]: | kernel_process_msg_cb process netlink message
pluto[13792]: | netlink_get: XFRM_MSG_ACQUIRE message
pluto[13792]: | xfrm netlink msg len 376
pluto[13792]: | xfrm acquire rtattribute type 5
pluto[13792]: | xfrm acquire rtattribute type 16
pluto[13792]: | add bare shunt 0x563e26c05e18 10.0.0.13/32:57994 --6--> 104.21.22.28/32:443 => %hold 0 %acquire-netlink
pluto[13792]: initiate on demand from 10.0.0.13:57994 to 104.21.22.28:443 proto=6 because: acquire
pluto[13792]: | find_connection: looking for policy for connection: 10.0.0.13:6/57994 -> 104.21.22.28:6/443
pluto[13792]: | find_connection: conn "server" has compatible peers: 0.0.0.0/0 -> 0.0.0.0/0 [pri: 8]
pluto[13792]: | find_connection: first OK "server" [pri:8]{0x563e26c04ee8} (child none)
pluto[13792]: | find_connection: concluding with "server" [pri:8]{0x563e26c04ee8} kind=CK_TEMPLATE
pluto[13792]: cannot initiate connection for packet 10.0.0.13:57994 -> 104.21.22.28:443 proto=6 - template conn
pluto[13792]: | initiate on demand using RSASIG from 10.0.0.13 to 104.21.22.28
pluto[13792]: | kernel_process_msg_cb process netlink message
pluto[13792]: | netlink_get: XFRM_MSG_ACQUIRE message
pluto[13792]: | xfrm netlink msg len 376
pluto[13792]: | xfrm acquire rtattribute type 5
pluto[13792]: | xfrm acquire rtattribute type 16
pluto[13792]: | add bare shunt 0x563e26bfefc8 10.0.0.13/32:41366 --6--> 185.199.108.133/32:443 => %hold 0 %acquire-netlink
pluto[13792]: initiate on demand from 10.0.0.13:41366 to 185.199.108.133:443 proto=6 because: acquire
pluto[13792]: | find_connection: looking for policy for connection: 10.0.0.13:6/41366 -> 185.199.108.133:6/443
pluto[13792]: | find_connection: conn "server" has compatible peers: 0.0.0.0/0 -> 0.0.0.0/0 [pri: 8]
pluto[13792]: | find_connection: first OK "server" [pri:8]{0x563e26c04ee8} (child none)
pluto[13792]: | find_connection: concluding with "server" [pri:8]{0x563e26c04ee8} kind=CK_TEMPLATE
pluto[13792]: cannot initiate connection for packet 10.0.0.13:41366 -> 185.199.108.133:443 proto=6 - template conn
pluto[13792]: | initiate on demand using RSASIG from 10.0.0.13 to 185.199.108.133
pluto[13792]: | timer_event_cb: processing event at 0x563e26bef498
pluto[13792]: | handling event EVENT_PENDING_DDNS
pluto[13792]: | event_schedule: new EVENT_PENDING_DDNS-pe at 0x563e26c099f8
pluto[13792]: | inserting event EVENT_PENDING_DDNS, timeout in 60.000 seconds
pluto[13792]: | elapsed time in connection_check_ddns for hostname lookup 0
pluto[13792]: | free_event_entry: release EVENT_PENDING_DDNS-pe at 0x563e26bef498
pluto[13792]: | timer_event_cb: processing event at 0x563e26c09988
pluto[13792]: | handling event EVENT_SHUNT_SCAN
pluto[13792]: | expiring aged bare shunts from shunt table
pluto[13792]: | keeping recent bare shunt 0x563e26bfefc8 10.0.0.13/32:41366 --6--> 185.199.108.133/32:443 => %hold 0 %acquire-netlink
pluto[13792]: | keeping recent bare shunt 0x563e26c05e18 10.0.0.13/32:57994 --6--> 104.21.22.28/32:443 => %hold 0 %acquire-netlink
pluto[13792]: | keeping recent bare shunt 0x563e26c06018 10.0.0.13/32:40693 --17--> 1.2.3.4/32:1025 => %hold 0 %acquire-netlink
pluto[13792]: | event_schedule: new EVENT_SHUNT_SCAN-pe at 0x563e26c09a68
pluto[13792]: | inserting event EVENT_SHUNT_SCAN, timeout in 20.000 seconds
pluto[13792]: | free_event_entry: release EVENT_SHUNT_SCAN-pe at 0x563e26c09988
This leaves me with a lot of mysteries, e. g.:
- why is pluto trying rsasig when the config mandates psk?
- why is pluto connecting to 104.21.22.28 (dns.cloudflare.com) and
185.199.108.133 (cdn-185-199-108-133.github.com) - and why through https?
- and what can I do to debug this and get it to work?
Many thanks!
Phil
More information about the Swan
mailing list