[Swan] NoNAT connection not working from Windows 10 but works from wireless connected hosts (SOLVED)
Mirsad Goran Todorovac
mirsad.todorovac at alu.hr
Fri Nov 26 19:15:01 EET 2021
Dear Mr. Wouters,
After trying with our CARNet NOC people, they have changed something on firewalls and the L2TP-PSK-noNAT configuration now works! I have filed the Windows 10 error 809 problem, and docs say it was most likely the firewall or the interim network equipment, and it was ...

I have wasted 5 days on this; it appears that ever since the connection started working in the café on their wireless network and your rightsubnet=vhost:%no suggestion.
I apologize for all the inconvenience I caused you. Fortunately, there are not so many troubled admins on the planet 😁.

I will now try if the IKEv2 with RSA connection was also bugged with our firewall. You have suggested that IKEv1 L2TP with IPSEC and transport mode was deprecated, but I had to have something working to start with.

Thank you once again for all your help. You have been very supportive. I seem to have started to really like libreswan. It has some excellent ideas for network FSAs to work.
Kind regards,
Mirsad Todorovac
On 11/26/2021 4:10 PM, Mirsad Goran Todorovac wrote:
>
> Dear Mr. Wouters,
>
> I have a problem with the setting you have given me, the rightsubnet=vhost:%no .
>
> Description of the problem: the Windows 10 laptop connects over wireless provider and my mobile phone hotspot, but it can't connect when I connect with the ethernet cable from the same device.
>
> We have previously established that the client was unhappy with the connection and sent a DELETE payload. But it happens on the same host, and only on the noNAT traversal link.
>
> I have adjusted the setting in Windows registry to allow for mod2048p negotiation:
>
> This is from the session log:
>
> Nov 26 15:17:38.293053: | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
> Nov 26 15:17:38.293065: | peer and cookies match on #2; msgid=00000000 st_msgid=00000000 st_v1_msgid.phase15=00000000
> Nov 26 15:17:38.293083: | p15 state object #2 found, in STATE_MAIN_R3
> Nov 26 15:17:38.293091: | State DB: found IKEv1 state #2 in MAIN_R3 (find_v1_info_state)
> Nov 26 15:17:38.293127: | #2 is idle
> Nov 26 15:17:38.293139: | #2 idle
> Nov 26 15:17:38.293149: | received encrypted packet from 193.198.186.218:500
> Nov 26 15:17:38.293181: | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
> Nov 26 15:17:38.293193: | ***parse ISAKMP Hash Payload:
> Nov 26 15:17:38.293203: | next payload type: ISAKMP_NEXT_D (0xc)
> Nov 26 15:17:38.293214: | length: 24 (00 18)
> Nov 26 15:17:38.293224: | got payload 0x1000 (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0
> Nov 26 15:17:38.293233: | ***parse ISAKMP Delete Payload:
> Nov 26 15:17:38.293242: | next payload type: ISAKMP_NEXT_NONE (0x0)
> Nov 26 15:17:38.293254: | length: 28 (00 1c)
> Nov 26 15:17:38.293282: | DOI: ISAKMP_DOI_IPSEC (0x1)
> Nov 26 15:17:38.293294: | protocol ID: 1 (01)
> Nov 26 15:17:38.293304: | SPI size: 16 (10)
> Nov 26 15:17:38.293313: | number of SPIs: 1 (00 01)
> Nov 26 15:17:38.293323: | removing 12 bytes of padding
> Nov 26 15:17:38.293358: | result: newref clone-key at 0x5628841aa950 (20-bytes, SHA_1_HMAC)(init_symkey() +99 lib/libswan/ike_alg_prf_mac_nss_ops.c)
> Nov 26 15:17:38.293378: | HASH(1): delref clone-key at 0x5628841aa950
> Nov 26 15:17:38.293400: | informational HASH(1):
> Nov 26 15:17:38.293411: | a3 ae c0 71 e0 09 c1 98 9e ee 6a 45 17 99 2b e1 ...q......jE..+.
> Nov 26 15:17:38.293419: | 0e 90 98 b0 ....
> Nov 26 15:17:38.293428: | received 'informational' message HASH(1) data ok
> Nov 26 15:17:38.293436: | parsing 8 raw bytes of ISAKMP Delete Payload into iCookie
> Nov 26 15:17:38.293445: | iCookie
> Nov 26 15:17:38.293452: | 80 e6 13 3b a1 06 0e bd ...;....
> Nov 26 15:17:38.293461: | parsing 8 raw bytes of ISAKMP Delete Payload into rCookie
> Nov 26 15:17:38.293468: | rCookie
> Nov 26 15:17:38.293476: | dc c9 09 4a 81 e0 35 55 ...J..5U
> Nov 26 15:17:38.293486: | State DB: found IKEv1 state #2 in MAIN_R3 (find_state_ikev1)
> Nov 26 15:17:38.293496: | del:
> Nov 26 15:17:38.293504: |
> Nov 26 15:17:38.293517: "L2TP-PSK-NAT"[1] 193.198.186.218 #2: received Delete SA payload: self-deleting ISAKMP State #2
>
> My client (right) host is 193.198.186.218 on the subnet 193.198.186.192/27, assigned via DHCP without NAT.
>
> My /etc/ipsec.d/l2tp-psk.conf looks like this:
>
> conn L2TP-PSK-NAT
>     rightsubnet=vhost:%priv
>     also=L2TP-PSK-common
>
> conn L2TP-PSK-noNAT
>     rightsubnet=vhost:%no
>     also=L2TP-PSK-common
>
> conn L2TP-PSK-common
>     # Use a Preshared Key. Disable Perfect Forward Secrecy.
>     authby=secret
>     pfs=no
>     auto=add
>     keyingtries=3
>     # we cannot rekey for %any, let client rekey
>     rekey=no
>     # Apple iOS doesn't send delete notify so we need dead peer detection
>     # to detect vanishing clients
>     dpddelay=10
>     dpdtimeout=30
>     dpdaction=clear
>     # Set ikelifetime and keylife to same defaults windows has
>     ikelifetime=8h
>     keylife=1h
>     ikev2=never
>     #ike = aes256-sha1-modp1024!
>     # l2tp-over-ipsec is transport mode
>     type=transport
>     #
>     # left will be filled in automatically with the local address
>     # of the default-route interface (as determined at IPsec startup time).
>     left=%defaultroute
>     #
>     # For updated Windows 2000/XP clients,
>     # to support old clients as well, use leftprotoport=17/%any
>     leftprotoport=17/1701
>     #
>     # The remote user.
>     #
>     right=%any
>     # Using the magic port of "%any" means "any one single port". This is
>     # a work around required for Apple OSX clients that use a randomly
>     # high port.
>     rightprotoport=17/%any
>
> This is progress because people behind home NATs can connect, but I can't connect from the remote-location work computer that is not behind NAT on the 193.198.186.218 address.
>
> Thank you very much if you have an idea.
>
> Kind regards,
> Mirsad Todorovac
>
> --
> Mirsad Goran Todorovac
> CARNet sistem inženjer
> Grafički fakultet | Akademija likovnih umjetnosti
> Sveučilište u Zagrebu
> --
> CARNet system engineer
> Faculty of Graphic Arts | Academy of Fine Arts
> University of Zagreb, Republic of Croatia
> tel. +385 (0)1 3711 451
> mob. +385 91 57 88 355
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
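Added example, not libreswan's code and not part of the thread: it flattens the two quoted conn sections through their also= chain (so you can see the effective settings a NAT client versus a noNAT client negotiates) and lists the legacy choices the thread itself mentions: IKEv1 only, a group PSK, no PFS. The conf text is a constructed subset of the quoted file; the rule that the including conn's own value wins over an also= section is this example's assumption, not a statement about libreswan's parser.

```python
# Constructed sample: the two conns quoted above plus their shared section.
SAMPLE_CONF = """
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-common
conn L2TP-PSK-noNAT
    rightsubnet=vhost:%no
    also=L2TP-PSK-common
conn L2TP-PSK-common
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    authby=secret
    pfs=no
    ikev2=never
    type=transport
"""

def parse_conns(text):
    """Return {conn: {key: value}}; 'also' collects the included section names."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {"also": []})
        elif cur is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "also":
                cur["also"].append(value)
            else:
                cur[key] = value
    return conns

def resolve(conns, name, path=()):
    """Flatten NAME via its also= chain; own keys win (example's assumption); a cycle raises."""
    if name in path:
        raise ValueError("also= cycle: " + " -> ".join(path + (name,)))
    own = conns[name]
    flat = {k: v for k, v in own.items() if k != "also"}
    for inc in own["also"]:
        for k, v in resolve(conns, inc, path + (name,)).items():
            flat.setdefault(k, v)  # included section fills only missing keys
    return flat

def review(flat):
    """Flag the legacy choices the thread mentions: IKEv1 only, group PSK, no PFS."""
    checks = {("ikev2", "never"): "IKEv1 only (the deprecated L2TP/IPsec profile)",
              ("authby", "secret"): "one group PSK shared by every client",
              ("pfs", "no"): "no Perfect Forward Secrecy for the IPsec SAs"}
    return ["%s=%s: %s" % (k, v, why) for (k, v), why in checks.items()
            if flat.get(k) == v]
```

Calling review(resolve(parse_conns(SAMPLE_CONF), "L2TP-PSK-noNAT")) returns the three findings for the quoted noNAT conn; the NAT conn differs only in rightsubnet.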