[Swan] releasing old connection to free the route
litauer at uni-koblenz.de
Wed Jan 26 17:03:20 EET 2022
- libreswan.log - excerpt from syslog regarding the two connections from 18.104.22.168 and 22.214.171.124
- openswan.log - same using the older openswan server, which support to parallel connections
- libreswan-pluto.log - another try with plutodebug=control
- openswan-pluto.log - same using openswan
would be very nice of you could take a look?
> Am 25.01.2022 um 09:00 schrieb Christoph Litauer <litauer at uni-koblenz.de>:
> Paul, thanks a lot for your quick response.
> I checked the log. Indeed, the peer id is the native ip. We already had uniqueids=no but we are using PSK. According to the manpage this setting ist ignored when authby=secret is used.
> I should have mentioned, that the described behaviour belongs solely to windows clients (we think so, but did not check very hard).
> Today, I am not able to create a new test case on the openswan server, will do tomorrow. Here you can find libreswan.log and my ipsec.conf:
> Will upload an openswan.log as soon as we have it.
>> Am 24.01.2022 um 16:52 schrieb Paul Wouters <paul.wouters at aiven.io>:
>> On Mon, 24 Jan 2022, Christoph Litauer wrote:
>>> I use libreswan 3.29 on an Ubuntu 20.04.3 LTS.
>>> Until now we had a l2tp-setup using openswan 2.6.49 on an ubuntu 16.04.7. No problems, we had hundreds of users in parallel. Some of these users by accident use the same local ip address.
>>> For security we have to upgrade to Ubuntu 20 and thus had to change to libreswan. Setup is nearly identical. But now we have a serious problem: - User A uses local ip 192.168.55.45 behind NAT. Public IP is 126.96.36.199 - User B uses local ip 192.168.55.45 behind NAT. Public IP is 188.8.131.52
>>> A starts the tunnel. As soon es B starts his tunnel, the tunnel for A is terminated and vice versa.
>> Do they use a unique ID or are these clients that pick their native IP
>> as ID? If so, they would both share the same ID 192.168.55.45 and
>> libreswan would assume this is a reconnect. The libreswan behaviour
>> depends a bit on whether certs or PSKs are used.
>> You can try setting uniqueids=no in "config setup" because I believe
>> Windows clients do use their pre-NAT IP as the ID for l2tp.
>> A more modern solution would be to migrate to IKEv2 and avoid the
>> whole problem of transport mode and virtual-private= and L2TP
>> protocol overhead.
>> I would be interested in a full debug log of this event of a second
>> client connecting with both openswan and libreswan if you can, so
>> I can better understand the differece and if there is a libreswan
>> mitigation we can do.
> Freundliche Grüße
> Christoph Litauer
> Christoph Litauer
> Uni Koblenz, Rechenzentrum, Raum A 022
> Postfach 201602, 56016 Koblenz
> Fon: +49 261 287-1311, Fax: -100 1311
> Swan mailing list
> Swan at lists.libreswan.org
Uni Koblenz, Rechenzentrum, Raum A 022
Postfach 201602, 56016 Koblenz
Fon: +49 261 287-1311, Fax: -100 1311
More information about the Swan