[Swan] NoNAT connection not working from Windows 10 but works from wireless connected hosts

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Fri Nov 26 17:10:48 EET 2021


Dear Mr. Wouters,

I have a problem with the setting you gave me, rightsubnet=vhost:%no.

Description of the problem: the Windows 10 laptop connects over a wireless 
provider and over my mobile phone hotspot, but it can't connect when I 
connect the same device with the ethernet cable.

We have previously established that the client was unhappy with the 
connection and sent a DELETE payload.
But it happens on the same host, and only on the link without NAT traversal.

I have adjusted the setting in the Windows registry to allow modp2048 
negotiation:

This is from the session log:

Nov 26 15:17:38.293053: |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
Nov 26 15:17:38.293065: | peer and cookies match on #2; msgid=00000000 st_msgid=00000000 st_v1_msgid.phase15=00000000
Nov 26 15:17:38.293083: | p15 state object #2 found, in STATE_MAIN_R3
Nov 26 15:17:38.293091: | State DB: found IKEv1 state #2 in MAIN_R3 (find_v1_info_state)
Nov 26 15:17:38.293127: | #2 is idle
Nov 26 15:17:38.293139: | #2 idle
Nov 26 15:17:38.293149: | received encrypted packet from 193.198.186.218:500
Nov 26 15:17:38.293181: | got payload 0x100  (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
Nov 26 15:17:38.293193: | ***parse ISAKMP Hash Payload:
Nov 26 15:17:38.293203: |    next payload type: ISAKMP_NEXT_D (0xc)
Nov 26 15:17:38.293214: |    length: 24 (00 18)
Nov 26 15:17:38.293224: | got payload 0x1000  (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0
Nov 26 15:17:38.293233: | ***parse ISAKMP Delete Payload:
Nov 26 15:17:38.293242: |    next payload type: ISAKMP_NEXT_NONE (0x0)
Nov 26 15:17:38.293254: |    length: 28 (00 1c)
Nov 26 15:17:38.293282: |    DOI: ISAKMP_DOI_IPSEC (0x1)
Nov 26 15:17:38.293294: |    protocol ID: 1 (01)
Nov 26 15:17:38.293304: |    SPI size: 16 (10)
Nov 26 15:17:38.293313: |    number of SPIs: 1 (00 01)
Nov 26 15:17:38.293323: | removing 12 bytes of padding
Nov 26 15:17:38.293358: |     result: newref clone-key at 0x5628841aa950 (20-bytes, SHA_1_HMAC)(init_symkey() +99 lib/libswan/ike_alg_prf_mac_nss_ops.c)
Nov 26 15:17:38.293378: | HASH(1): delref clone-key at 0x5628841aa950
Nov 26 15:17:38.293400: | informational HASH(1):
Nov 26 15:17:38.293411: |   a3 ae c0 71  e0 09 c1 98  9e ee 6a 45  17 99 2b e1   ...q......jE..+.
Nov 26 15:17:38.293419: |   0e 90 98 b0                                          ....
Nov 26 15:17:38.293428: | received 'informational' message HASH(1) data ok
Nov 26 15:17:38.293436: | parsing 8 raw bytes of ISAKMP Delete Payload into iCookie
Nov 26 15:17:38.293445: | iCookie
Nov 26 15:17:38.293452: |   80 e6 13 3b  a1 06 0e bd                             ...;....
Nov 26 15:17:38.293461: | parsing 8 raw bytes of ISAKMP Delete Payload into rCookie
Nov 26 15:17:38.293468: | rCookie
Nov 26 15:17:38.293476: |   dc c9 09 4a  81 e0 35 55                             ...J..5U
Nov 26 15:17:38.293486: | State DB: found IKEv1 state #2 in MAIN_R3 (find_state_ikev1)
Nov 26 15:17:38.293496: | del:
Nov 26 15:17:38.293504: |
Nov 26 15:17:38.293517: "L2TP-PSK-NAT"[1] 193.198.186.218 #2: received Delete SA payload: self-deleting ISAKMP State #2

My client (right) host is 193.198.186.218 on the subnet 
193.198.186.192/27, assigned via DHCP without NAT.

My /etc/ipsec.d/l2tp-psk.conf looks like this:

conn L2TP-PSK-NAT
         rightsubnet=vhost:%priv
         also=L2TP-PSK-common

conn L2TP-PSK-noNAT
         rightsubnet=vhost:%no
         also=L2TP-PSK-common

conn L2TP-PSK-common
         # Use a Preshared Key. Disable Perfect Forward Secrecy.
         authby=secret
         pfs=no
         auto=add
         keyingtries=3
         # we cannot rekey for %any, let client rekey
         rekey=no
         # Apple iOS doesn't send delete notify so we need dead peer 
detection
         # to detect vanishing clients
         dpddelay=10
         dpdtimeout=30
         dpdaction=clear
         # Set ikelifetime and keylife to same defaults windows has
         ikelifetime=8h
         keylife=1h
         ikev2=never
         #ike = aes256-sha1-modp1024!
         # l2tp-over-ipsec is transport mode
         type=transport
         #
         # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
         left=%defaultroute
         #
         # For updated Windows 2000/XP clients,
         # to support old clients as well, use leftprotoport=17/%any
         leftprotoport=17/1701
         #
         # The remote user.
         #
         right=%any
         # Using the magic port of "%any" means "any one single port". This is
         # a work around required for Apple OSX clients that use a randomly
         # high port.
         rightprotoport=17/%any

This is progress, because people behind home NATs can connect, but I 
can't connect from the remote work computer, which is not behind NAT, 
on the 193.198.186.218 address.

Thank you very much if you have an idea.

Kind regards,
Mirsad Todorovac

-- 
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
A non-text attachment was scrubbed...
Name: E0qW4b0RNTOw2CRV.png
Type: image/png
Size: 29130 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20211126/dd115d71/attachment-0001.png>
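The Delete payload that pluto parses in the log above (length 28, DOI 1, protocol ID 1, SPI size 16, one SPI) is an ISAKMP-SA delete in the RFC 2408 section 3.15 layout: for protocol ID 1 (ISAKMP) the SPI is the 16-byte initiator/responder cookie pair, which is why pluto reads the SPI into iCookie and rCookie and then tears down Phase 1 state #2 rather than a Phase 2 SA. The following script is an added example for this thread, not libreswan code and not from the original post: it rebuilds that payload from the cookies dumped in the log, parses it back with the length and SPI-size consistency checks a receiver needs, and checks that the SPI names the cookies of the state that received it. The constant and function names (ISAKMP_NEXT_D, PROTO_ISAKMP, build_delete_payload, parse_delete_payload, names_isakmp_state) are this example's own; the cookie bytes are copied from the log, the payload bytes are constructed here.

```python
"""ISAKMP Delete payload (IKEv1, RFC 2408 section 3.15) build/parse.

Added example, not libreswan code. Layout:
  generic header: next payload (1), RESERVED (1), payload length (2)
  body:           DOI (4), Protocol-Id (1), SPI size (1), # of SPIs (2), SPIs
"""
import struct
from dataclasses import dataclass
from typing import List

# ISAKMP "next payload" identifiers (RFC 2408 section 3.1)
ISAKMP_NEXT_NONE = 0x0
ISAKMP_NEXT_D = 0xC
# DOI and protocol IDs as they appear in the log
ISAKMP_DOI_IPSEC = 1
PROTO_ISAKMP = 1      # Phase 1 SA: SPI is the 16-byte cookie pair
PROTO_IPSEC_AH = 2    # Phase 2 SAs: SPI is 4 bytes
PROTO_IPSEC_ESP = 3

HEADER_LEN = 4        # next payload, reserved, length
FIXED_BODY_LEN = 8    # DOI(4) + protocol(1) + SPI size(1) + #SPIs(2)
SPI_SIZE = {PROTO_ISAKMP: 16, PROTO_IPSEC_AH: 4, PROTO_IPSEC_ESP: 4}


@dataclass
class DeletePayload:
    next_payload: int
    doi: int
    protocol_id: int
    spis: List[bytes]

    @property
    def spi_size(self) -> int:
        return len(self.spis[0]) if self.spis else 0


def build_delete_payload(protocol_id: int, spis: List[bytes],
                         next_payload: int = ISAKMP_NEXT_NONE,
                         doi: int = ISAKMP_DOI_IPSEC) -> bytes:
    """Serialise a Delete payload; refuses SPI sizes that do not fit the protocol."""
    if not spis:
        raise ValueError("a Delete payload carries at least one SPI")
    size = len(spis[0])
    if any(len(s) != size for s in spis):
        raise ValueError("all SPIs in one Delete payload share one size")
    if SPI_SIZE.get(protocol_id, size) != size:
        raise ValueError(f"protocol {protocol_id} uses {SPI_SIZE[protocol_id]}-byte SPIs, got {size}")
    body = struct.pack("!IBBH", doi, protocol_id, size, len(spis)) + b"".join(spis)
    return struct.pack("!BBH", next_payload, 0, HEADER_LEN + len(body)) + body


def parse_delete_payload(buf: bytes) -> DeletePayload:
    """Parse one Delete payload from the start of buf, validating lengths first."""
    if len(buf) < HEADER_LEN + FIXED_BODY_LEN:
        raise ValueError("truncated Delete payload header")
    next_payload, reserved, length = struct.unpack("!BBH", buf[:HEADER_LEN])
    if reserved != 0:
        raise ValueError("RESERVED octet must be zero")
    if length < HEADER_LEN + FIXED_BODY_LEN or length > len(buf):
        raise ValueError(f"payload length {length} is too short or exceeds the data")
    doi, protocol_id, spi_size, num_spis = struct.unpack(
        "!IBBH", buf[HEADER_LEN:HEADER_LEN + FIXED_BODY_LEN])
    # The declared length must be exactly header + fixed body + SPI area;
    # a mismatch is a malformed payload, not something to read past.
    if length != HEADER_LEN + FIXED_BODY_LEN + spi_size * num_spis:
        raise ValueError(f"length {length} inconsistent with {num_spis} SPI(s) of {spi_size} bytes")
    if protocol_id in SPI_SIZE and spi_size != SPI_SIZE[protocol_id]:
        raise ValueError(f"protocol {protocol_id} expects {SPI_SIZE[protocol_id]}-byte SPIs, got {spi_size}")
    off = HEADER_LEN + FIXED_BODY_LEN
    spis = [buf[off + i * spi_size: off + (i + 1) * spi_size] for i in range(num_spis)]
    return DeletePayload(next_payload, doi, protocol_id, spis)


def names_isakmp_state(p: DeletePayload, icookie: bytes, rcookie: bytes) -> bool:
    """True if this is an ISAKMP-SA delete whose SPI is exactly the given cookie pair
    (the check behind "peer and cookies match on #2" and "self-deleting ISAKMP State #2")."""
    return p.protocol_id == PROTO_ISAKMP and (icookie + rcookie) in p.spis


# Cookies copied from the iCookie/rCookie dumps in the log above.
ICOOKIE = bytes.fromhex("80e6133ba1060ebd")
RCOOKIE = bytes.fromhex("dcc9094a81e03555")
# Constructed here: the Delete payload the log describes, rebuilt from its logged fields.
LOGGED_DELETE = build_delete_payload(PROTO_ISAKMP, [ICOOKIE + RCOOKIE])

if __name__ == "__main__":
    p = parse_delete_payload(LOGGED_DELETE)
    print(f"length {len(LOGGED_DELETE)} (0x{len(LOGGED_DELETE):02x}), DOI {p.doi}, "
          f"protocol {p.protocol_id}, SPI size {p.spi_size}, "
          f"names state cookies: {names_isakmp_state(p, ICOOKIE, RCOOKIE)}")
```

Running it reproduces the length 28 (0x1c) from the log. The length check matters on a receiver: the payload length field, the SPI size and the SPI count all come from the peer, and only their agreement with each other and with the data actually present makes the SPI slice safe to read.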