[Swan] NoNAT connection not working from Windows 10 but works from wireless connected hosts (SOLVED)

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Fri Nov 26 19:15:01 EET 2021


Dear Mr. Wouters,

After trying with our CARNet NOC people, they have changed something on firewalls and the L2TP-PSK-noNAT configuration now works! I have filed the Windows 10 error 809 problem, and docs say it was most likely the firewall or the interim network equipment, and it was ...

I have wasted 5 days on this; it appears that ever since the connection started working in the café on their wireless network and your rightsubnet=vhost:%no suggestion.

I apologize for all the inconvenience I caused you. Fortunately, there are not so many troubled admins on the planet 😁.

I will now try if the IKEv2 with RSA connection was also bugged with our firewall. You have suggested that IKEv1 L2TP with IPSEC and transport mode was deprecated, but I had to have something working to start with.

Thank you once again for all your help. You have been very supportive. I seem to have started to really like libreswan. It has some excellent ideas for network FSAs to work.

Kind regards,
Mirsad Todorovac

On 11/26/2021 4:10 PM, Mirsad Goran Todorovac wrote:
>
> Dear Mr. Wouters,
>
> I have a problem with the setting you have given me, rightsubnet=vhost:%no.
>
> Description of the problem: the Windows 10 laptop connects over a wireless provider and my mobile phone hotspot, but it can't connect when I connect with the ethernet cable from the same device.
>
> We have previously established that the client was unhappy with the connection and sent a DELETE payload. But it happens on the same host, and only on the noNAT traversal link.
>
> I have adjusted the setting in the Windows registry to allow for mod2048p negotiation:
>
> This is from the session log:
>
> Nov 26 15:17:38.293053: |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
> Nov 26 15:17:38.293065: | peer and cookies match on #2; msgid=00000000 st_msgid=00000000 st_v1_msgid.phase15=00000000
> Nov 26 15:17:38.293083: | p15 state object #2 found, in STATE_MAIN_R3
> Nov 26 15:17:38.293091: | State DB: found IKEv1 state #2 in MAIN_R3 (find_v1_info_state)
> Nov 26 15:17:38.293127: | #2 is idle
> Nov 26 15:17:38.293139: | #2 idle
> Nov 26 15:17:38.293149: | received encrypted packet from 193.198.186.218:500
> Nov 26 15:17:38.293181: | got payload 0x100  (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
> Nov 26 15:17:38.293193: | ***parse ISAKMP Hash Payload:
> Nov 26 15:17:38.293203: |    next payload type: ISAKMP_NEXT_D (0xc)
> Nov 26 15:17:38.293214: |    length: 24 (00 18)
> Nov 26 15:17:38.293224: | got payload 0x1000  (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0
> Nov 26 15:17:38.293233: | ***parse ISAKMP Delete Payload:
> Nov 26 15:17:38.293242: |    next payload type: ISAKMP_NEXT_NONE (0x0)
> Nov 26 15:17:38.293254: |    length: 28 (00 1c)
> Nov 26 15:17:38.293282: |    DOI: ISAKMP_DOI_IPSEC (0x1)
> Nov 26 15:17:38.293294: |    protocol ID: 1 (01)
> Nov 26 15:17:38.293304: |    SPI size: 16 (10)
> Nov 26 15:17:38.293313: |    number of SPIs: 1 (00 01)
> Nov 26 15:17:38.293323: | removing 12 bytes of padding
> Nov 26 15:17:38.293358: |     result: newref clone-key at 0x5628841aa950 (20-bytes, SHA_1_HMAC)(init_symkey() +99 lib/libswan/ike_alg_prf_mac_nss_ops.c)
> Nov 26 15:17:38.293378: | HASH(1): delref clone-key at 0x5628841aa950
> Nov 26 15:17:38.293400: | informational HASH(1):
> Nov 26 15:17:38.293411: |   a3 ae c0 71  e0 09 c1 98  9e ee 6a 45  17 99 2b e1   ...q......jE..+.
> Nov 26 15:17:38.293419: |   0e 90 98 b0                                          ....
> Nov 26 15:17:38.293428: | received 'informational' message HASH(1) data ok
> Nov 26 15:17:38.293436: | parsing 8 raw bytes of ISAKMP Delete Payload into iCookie
> Nov 26 15:17:38.293445: | iCookie
> Nov 26 15:17:38.293452: |   80 e6 13 3b  a1 06 0e bd                             ...;....
> Nov 26 15:17:38.293461: | parsing 8 raw bytes of ISAKMP Delete Payload into rCookie
> Nov 26 15:17:38.293468: | rCookie
> Nov 26 15:17:38.293476: |   dc c9 09 4a  81 e0 35 55                             ...J..5U
> Nov 26 15:17:38.293486: | State DB: found IKEv1 state #2 in MAIN_R3 (find_state_ikev1)
> Nov 26 15:17:38.293496: | del:
> Nov 26 15:17:38.293504: |
> Nov 26 15:17:38.293517: "L2TP-PSK-NAT"[1] 193.198.186.218 #2: received Delete SA payload: self-deleting ISAKMP State #2
>
> My client (right) host is 193.198.186.218 on the subnet 193.198.186.192/27, assigned via DHCP without NAT.
>
> My /etc/ipsec.d/l2tp-psk.conf looks like this:
>
> conn L2TP-PSK-NAT
>         rightsubnet=vhost:%priv
>         also=L2TP-PSK-common
>
> conn L2TP-PSK-noNAT
>         rightsubnet=vhost:%no
>         also=L2TP-PSK-common
>
> conn L2TP-PSK-common
>         # Use a Preshared Key. Disable Perfect Forward Secrecy.
>         authby=secret
>         pfs=no
>         auto=add
>         keyingtries=3
>         # we cannot rekey for %any, let client rekey
>         rekey=no
>         # Apple iOS doesn't send delete notify so we need dead peer detection
>         # to detect vanishing clients
>         dpddelay=10
>         dpdtimeout=30
>         dpdaction=clear
>         # Set ikelifetime and keylife to same defaults windows has
>         ikelifetime=8h
>         keylife=1h
>         ikev2=never
>         #ike = aes256-sha1-modp1024!
>         # l2tp-over-ipsec is transport mode
>         type=transport
>         #
>         # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
>         left=%defaultroute
>         #
>         # For updated Windows 2000/XP clients,
>         # to support old clients as well, use leftprotoport=17/%any
>         leftprotoport=17/1701
>         #
>         # The remote user.
>         #
>         right=%any
>         # Using the magic port of "%any" means "any one single port". This is
>         # a work around required for Apple OSX clients that use a randomly
>         # high port.
>         rightprotoport=17/%any
>
> This is progress because people behind home NATs can connect, but I can't connect from the remote-location work computer that is not behind NAT on the 193.198.186.218 address.
>
> Thank you very much if you have an idea.
>
> Kind regards,
> Mirsad Todorovac
>
> -- 
> Mirsad Goran Todorovac
> CARNet sistem inženjer
> Grafički fakultet | Akademija likovnih umjetnosti
> Sveučilište u Zagrebu
> --
> CARNet system engineer
> Faculty of Graphic Arts | Academy of Fine Arts
> University of Zagreb, Republic of Croatia
> tel. +385 (0)1 3711 451
> mob. +385 91 57 88 355
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
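The pluto debug excerpt in the quoted message shows the symptom the thread was chasing: the client tears the ISAKMP SA down with a Delete SA payload while state #2 is still in MAIN_R3, i.e. before any Quick Mode state exists, and the packet arrives on UDP 500 rather than 4500 (no NAT traversal). The following script, added here as an example and not code from the thread or from libreswan, pulls exactly those facts out of a pluto log so an administrator can tell a "never got past Phase 1" failure (the case the thread resolved as an intermediate firewall, reported by Windows as error 809) from an ordinary post-Quick-Mode teardown. It assumes only the three line shapes visible in the quoted log; the sample log is constructed from those lines, and the function and field names are the author's own.

```python
import re
from typing import Dict, List

# Line shapes taken from the pluto debug excerpt quoted in the thread.
STATE_RE = re.compile(r"state object #(\d+) found, in STATE_([A-Z0-9_]+)")
PEER_RE = re.compile(r"received encrypted packet from ([\d.]+):(\d+)")
DELETE_RE = re.compile(
    r'"([^"]+)"\[\d+\] ([\d.]+) #(\d+): received Delete SA payload'
)

# Constructed sample: the diagnostic lines from the thread's log, with the
# verbose payload-parsing lines left out.
SAMPLE_LOG = """\
Nov 26 15:17:38.293083: | p15 state object #2 found, in STATE_MAIN_R3
Nov 26 15:17:38.293149: | received encrypted packet from 193.198.186.218:500
Nov 26 15:17:38.293233: | ***parse ISAKMP Delete Payload:
Nov 26 15:17:38.293517: "L2TP-PSK-NAT"[1] 193.198.186.218 #2: received Delete SA payload: self-deleting ISAKMP State #2
"""


def find_early_deletes(log_text: str) -> List[Dict]:
    """Return one finding per 'received Delete SA payload' line.

    Each finding records the connection and peer that sent the delete, the last
    STATE_* pluto reported for that state number, the UDP source port of the
    packet that carried it (500 = no NAT traversal, 4500 = NAT-T) and whether
    the log ever reached IKEv1 Quick Mode (any STATE_QUICK_*) before it.
    """
    last_state: Dict[int, str] = {}   # state number -> last STATE_* name seen
    last_port: Dict[str, str] = {}    # peer IP -> source port of its last packet
    quick_mode_seen = False
    findings: List[Dict] = []

    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            num, name = int(m.group(1)), m.group(2)
            last_state[num] = name
            if name.startswith("QUICK_"):
                quick_mode_seen = True
            continue
        m = PEER_RE.search(line)
        if m:
            last_port[m.group(1)] = m.group(2)
            continue
        m = DELETE_RE.search(line)
        if m:
            conn, peer, num = m.group(1), m.group(2), int(m.group(3))
            state = last_state.get(num, "UNKNOWN")
            findings.append({
                "conn": conn,
                "peer": peer,
                "state": num,
                "last_state": state,
                "src_port": last_port.get(peer, "?"),
                # Phase 1 states are MAIN_* / AGGR_*; a delete there, with no
                # Quick Mode ever reached, means no IPsec SA was ever set up.
                "phase1_only": state.startswith(("MAIN_", "AGGR_"))
                and not quick_mode_seen,
            })
    return findings


def summarize(findings: List[Dict]) -> List[str]:
    """Render each finding as one human-readable line."""
    out = []
    for f in findings:
        nat = ("NAT-T (port 4500)" if f["src_port"] == "4500"
               else f"no NAT-T (port {f['src_port']})")
        if f["phase1_only"]:
            verdict = ("Phase 1 only: peer tore the ISAKMP SA down before Quick Mode, "
                       "so no IPsec SA existed; check the path for blocked "
                       "UDP 500/4500 or ESP")
        else:
            verdict = "delete after Quick Mode; ordinary teardown"
        out.append(f'{f["conn"]} peer {f["peer"]} #{f["state"]} in '
                   f'{f["last_state"]}, {nat}: {verdict}')
    return out


if __name__ == "__main__":
    # Usage: python3 this_script.py < /var/log/pluto.log, or run as-is on the sample.
    for line in summarize(find_early_deletes(SAMPLE_LOG)):
        print(line)
```

Run against a full pluto log (with plutodebug enabled so the `state object #N found, in STATE_*` lines are present), the script lists every Delete SA received and marks the ones that arrived while the peer was still in Phase 1; in the thread's case that is the single finding on port 500 for the non-NAT client.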