<div dir="ltr"><div>Finally my XAUTH configuration is working, however now I find myself stuck on a NAT issue. I moved to Libreswan largely because of the rightaddresspool options and because using XAUTH should support having multiple clients behind the same NAT. Now I can't get that to work though, I have two clients - I can connect the first successfully with user "pontus", I can ping everything on the inside and it works perfectly however as soon as one more client connects (user "andre") .. all tunnels to that IP break, they do not disconnect but there is no connectivity anywhere. Sometimes, although few, the new client will stay connected and his tunnel will continue to work but the old client will still be without connectivity. </div>
<div><br></div><div><b>ipsec status</b></div><div><br></div><div><br></div><div>000 #9: "roadwarrior"[2] <a href="http://176.71.208.160:43070">176.71.208.160:43070</a> STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3529s; newest IPSEC; eroute owner; isakmp#8; idle; import:not set</div>
<div>000 #9: "roadwarrior"[2] 176.71.208.160 <a href="mailto:esp.30fab882@176.71.208.160">esp.30fab882@176.71.208.160</a> <a href="mailto:esp.96bed41e@10.1.31.5">esp.96bed41e@10.1.31.5</a> <a href="mailto:tun.0@176.71.208.160">tun.0@176.71.208.160</a> <a href="mailto:tun.0@10.1.31.5">tun.0@10.1.31.5</a> ref=0 refhim=4294901761 Traffic: ESPin=960B ESPout=1KB! ESPmax=4194303B XAUTHuser=pontus</div>
<div>000 #8: "roadwarrior"[2] <a href="http://176.71.208.160:43070">176.71.208.160:43070</a> STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_EXPIRE in 86322s; newest ISAKMP; lastdpd=2s(seq in:0 out:0); idle; import:not set</div>
<div>000 #11: "roadwarrior"[3] <a href="http://176.71.208.160:43337">176.71.208.160:43337</a> STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3555s; newest IPSEC; eroute owner; isakmp#10; idle; import:not set</div>
<div>000 #11: "roadwarrior"[3] 176.71.208.160 <a href="mailto:esp.d668ea4c@176.71.208.160">esp.d668ea4c@176.71.208.160</a> <a href="mailto:esp.4f0836e7@10.1.31.5">esp.4f0836e7@10.1.31.5</a> <a href="mailto:tun.0@176.71.208.160">tun.0@176.71.208.160</a> <a href="mailto:tun.0@10.1.31.5">tun.0@10.1.31.5</a> ref=0 refhim=4294901761 Traffic: ESPin=1KB ESPout=540B! ESPmax=4194303B XAUTHuser=andre</div>
<div>000 #10: "roadwarrior"[3] <a href="http://176.71.208.160:43337">176.71.208.160:43337</a> STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_EXPIRE in 86344s; newest ISAKMP; lastdpd=10s(seq in:0 out:0); idle; import:not set</div>
<div><br></div><div><br></div><div><b>ipsec.conf</b></div><div><div> </div><div><div>config setup</div><div> # Do not set debug options to debug configuration issues!</div><div> # plutodebug / klipsdebug = "all", "none" or a combation from below:</div>
<div> # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"</div><div> # eg:</div><div> plutodebug="all crypt"</div><div> # Again: only enable plutodebug or klipsdebug when asked by a developer</div>
<div> #</div><div> # enable to get logs per-peer</div><div> # plutoopts="--perpeerlog"</div><div> #</div><div> # Enable core dumps (might require system changes, like ulimit -C)</div>
<div> # This is required for abrtd to work properly</div><div> # Note: incorrect SElinux policies might prevent pluto writing the core</div><div> dumpdir=/var/run/pluto/</div><div> #</div><div>
# NAT-TRAVERSAL support, see README.NAT-Traversal</div><div> nat_traversal=yes</div><div> # exclude networks used on server side by adding %v4:!a.b.c.0/24</div><div> # It seems that T-Mobile in the US and Rogers/Fido in Canada are</div>
<div> # using 25/8 as "private" address space on their 3G network.</div><div> # This range has not been announced via BGP (at least upto 2010-12-21)</div><div> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10</a></div>
<div> # OE is now off by default. Uncomment and change to on, to enable.</div><div> oe=off</div><div> # which IPsec stack to use. auto will try netkey, then klips then mast</div><div> protostack=netkey</div>
<div> # Use this to log to a file, or disable logging on embedded systems (like openwrt)</div></div><div><div> plutostderrlog=/var/log/pluto.log</div><div> uniqueids=yes</div></div><div><br></div><div>
conn roadwarrior<br></div><div><div> left=10.1.31.5</div><div> leftid=54.255.206.227</div><div> authby=secret</div><div> leftxauthserver=yes</div></div><div> leftsubnet=<a href="http://10.1.31.0/24">10.1.31.0/24</a></div>
<div> right=%any</div><div> rightid=%any</div><div> rightaddresspool=192.168.224.5-192.168.224.100</div><div> rightxauthclient=yes</div><div> leftmodecfgserver=yes</div><div> rightmodecfgclient=yes</div>
<div> modecfgpull=yes</div><div> modecfgdns1=8.8.8.8</div><div> xauthby=file</div><div> pfs=no</div><div> rekey=no</div><div> auto=add</div></div><div><br></div><div><br></div><div>
<b>plutodebug all</b></div><div><br></div><div><div><div><div>"roadwarrior"[3] 176.71.208.160 #6: the peer proposed: <a href="http://10.1.31.0/24:0/0">10.1.31.0/24:0/0</a> -> <a href="http://192.168.224.6/32:0/0">192.168.224.6/32:0/0</a></div>
<div>| find_client_connection starting with roadwarrior</div><div>| looking for <a href="http://10.1.31.0/24:0/0">10.1.31.0/24:0/0</a> -> <a href="http://192.168.224.6/32:0/0">192.168.224.6/32:0/0</a></div><div>| concrete checking against sr#0 <a href="http://10.1.31.0/24">10.1.31.0/24</a> -> <a href="http://192.168.224.6/32">192.168.224.6/32</a></div>
<div>| match_id a=172.20.10.3</div><div>| b=172.20.10.3</div><div>| results matched</div><div>| trusted_ca called with a=(empty) b=(empty)</div><div>| fc_try trying roadwarrior:<a href="http://10.1.31.0/24:0/0">10.1.31.0/24:0/0</a> -> <a href="http://192.168.224.6/32:0/0">192.168.224.6/32:0/0</a> vs roadwarrior:<a href="http://10.1.31.0/24:0/0">10.1.31.0/24:0/0</a> -> <a href="http://192.168.224.6/32:0/0">192.168.224.6/32:0/0</a></div>
<div>| match_id a=172.20.10.3</div><div>| b=172.20.10.5</div><div>| results fail</div><div>| fc_try concluding with roadwarrior [128]</div><div>| fc_try roadwarrior gives roadwarrior</div><div>| concluding with d = roadwarrior</div>
<div>| client wildcard: no port wildcard: no virtual: no</div><div>| NAT-Traversal: received 0 NAT-OA.</div><div>| duplicating state object #6</div><div>| creating state object #7 at 0x7f19e64a5560</div><div>| processing connection roadwarrior[3] 176.71.208.160</div>
</div><div>| NAT-T RFC: Installing IPsec SA with ENCAP, st->hidden_variables.st_nat_traversal is RFC 3947 (NAT-Traversal)+I am behind NAT+peer behind NAT<br></div><div>"roadwarrior"[3] 176.71.208.160 #7: responding to Quick Mode proposal {msgid:a49f2abd}</div>
<div>"roadwarrior"[3] 176.71.208.160 #7: us: <a href="http://10.1.31.0/24===10.1.31.5">10.1.31.0/24===10.1.31.5</a><10.1.31.5>[54.255.206.227,MS+XS+S=C]</div><div>"roadwarrior"[3] 176.71.208.160 #7: them: 176.71.208.160[172.20.10.3,+MC+XC+S=C]===<a href="http://192.168.224.6/32">192.168.224.6/32</a></div>
</div><div>| install_ipsec_sa() for #7: outbound only</div><div>| route owner of "roadwarrior"[3] 176.71.208.160 unrouted: NULL; eroute owner: NULL</div><div>| could_route called for roadwarrior (kind=CK_INSTANCE)</div>
<div>| sr for #7: unrouted</div><div>| route owner of "roadwarrior"[3] 176.71.208.160 unrouted: NULL; eroute owner: NULL</div><div>| route_and_eroute with c: roadwarrior (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 7</div>
<div>| eroute_connection add eroute <a href="http://10.1.31.0/24:0">10.1.31.0/24:0</a> --0-> <a href="http://192.168.224.6/32:0">192.168.224.6/32:0</a> => <a href="mailto:tun.0@176.71.208.160">tun.0@176.71.208.160</a> (raw_eroute)</div>
<div>| satype(9) is not used in netlink_raw_eroute.</div><div>| raw_eroute result=1</div><div>| command executing up-client</div><div>| executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='roadwarrior' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='176.71.208.160' PLUTO_ME='10.1.31.5' PLUTO_MY_ID='54.255.206.227' PLUTO_MY_CLIENT='<a href="http://10.1.31.0/24">10.1.31.0/24</a>' PLUTO_MY_CLIENT_NET='10.1.31.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_PEER='176.71.208.160' PLUTO_PEER_ID='172.20.10.3' PLUTO_PEER_CLIENT='<a href="http://192.168.224.6/32">192.168.224.6/32</a>' PLUTO_PEER_CLIENT_NET='192.168.224.6' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown 2>&1</div>
<div>| popen cmd is 916 chars long</div><div>| cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='roadwarrior' PLUTO_:</div><div>| cmd( 80):INTERFACE='eth0' PLUTO_NEXT_HOP='176.71.208.160' PLUTO_ME='10.1.31.5' PLUTO_MY_I:</div>
<div>| cmd( 160):D='54.255.206.227' PLUTO_MY_CLIENT='<a href="http://10.1.31.0/24">10.1.31.0/24</a>' PLUTO_MY_CLIENT_NET='<a href="http://10.1.31.0">10.1.31.0</a>:</div><div>| cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P:</div>
<div>| cmd( 320):LUTO_SA_REQID='16392' PLUTO_PEER='176.71.208.160' PLUTO_PEER_ID='172.20.10.3' PL:</div><div>| cmd( 400):UTO_PEER_CLIENT='<a href="http://192.168.224.6/32">192.168.224.6/32</a>' PLUTO_PEER_CLIENT_NET='192.168.224.6' PLUTO_P:</div>
<div>| cmd( 480):EER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL:</div><div>| cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+DONT:</div>
<div>| cmd( 640):_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW' PLUTO_CONN_ADD:</div><div>| cmd( 720):RFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre' PLUTO_IS_PEER_CISCO=:</div>
<div>| cmd( 800):'0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_:</div><div>| cmd( 880):NM_CONFIGURED='0' ipsec _updown 2>&1:</div><div>| route_and_eroute: firewall_notified: true</div>
<div>| command executing prepare-client</div><div>| executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='roadwarrior' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='176.71.208.160' PLUTO_ME='10.1.31.5' PLUTO_MY_ID='54.255.206.227' PLUTO_MY_CLIENT='<a href="http://10.1.31.0/24">10.1.31.0/24</a>' PLUTO_MY_CLIENT_NET='10.1.31.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_PEER='176.71.208.160' PLUTO_PEER_ID='172.20.10.3' PLUTO_PEER_CLIENT='<a href="http://192.168.224.6/32">192.168.224.6/32</a>' PLUTO_PEER_CLIENT_NET='192.168.224.6' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown 2>&1</div>
<div>| popen cmd is 921 chars long</div><div>| cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='roadwarrior' P:</div><div>| cmd( 80):LUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='176.71.208.160' PLUTO_ME='10.1.31.5' PLUTO:</div>
<div>| cmd( 160):_MY_ID='54.255.206.227' PLUTO_MY_CLIENT='<a href="http://10.1.31.0/24">10.1.31.0/24</a>' PLUTO_MY_CLIENT_NET='10.1:</div><div>| cmd( 240):.31.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL=:</div>
<div>| cmd( 320):'0' PLUTO_SA_REQID='16392' PLUTO_PEER='176.71.208.160' PLUTO_PEER_ID='<a href="http://172.20.10.">172.20.10.</a>:</div><div>| cmd( 400):3' PLUTO_PEER_CLIENT='<a href="http://192.168.224.6/32">192.168.224.6/32</a>' PLUTO_PEER_CLIENT_NET='192.168.224.6' PL:</div>
<div>| cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=':</div><div>| cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL:</div>
<div>| cmd( 640):+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW' PLUTO_CON:</div><div>| cmd( 720):N_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre' PLUTO_IS_PEER_C:</div>
<div>| cmd( 800):ISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' P:</div><div>| cmd( 880):LUTO_NM_CONFIGURED='0' ipsec _updown 2>&1:</div><div>
| command executing route-client</div><div>| executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='roadwarrior' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='176.71.208.160' PLUTO_ME='10.1.31.5' PLUTO_MY_ID='54.255.206.227' PLUTO_MY_CLIENT='<a href="http://10.1.31.0/24">10.1.31.0/24</a>' PLUTO_MY_CLIENT_NET='10.1.31.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_PEER='176.71.208.160' PLUTO_PEER_ID='172.20.10.3' PLUTO_PEER_CLIENT='<a href="http://192.168.224.6/32">192.168.224.6/32</a>' PLUTO_PEER_CLIENT_NET='192.168.224.6' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown 2>&1</div>
<div>| popen cmd is 919 chars long</div><div>| cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='roadwarrior' PLU:</div><div>| cmd( 80):TO_INTERFACE='eth0' PLUTO_NEXT_HOP='176.71.208.160' PLUTO_ME='10.1.31.5' PLUTO_M:</div>
<div>| cmd( 160):Y_ID='54.255.206.227' PLUTO_MY_CLIENT='<a href="http://10.1.31.0/24">10.1.31.0/24</a>' PLUTO_MY_CLIENT_NET='10.1.3:</div><div>| cmd( 240):1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0:</div>
<div>| cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_PEER='176.71.208.160' PLUTO_PEER_ID='172.20.10.3':</div><div>| cmd( 400): PLUTO_PEER_CLIENT='<a href="http://192.168.224.6/32">192.168.224.6/32</a>' PLUTO_PEER_CLIENT_NET='192.168.224.6' PLUT:</div>
<div>| cmd( 480):O_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0':</div><div>| cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+D:</div>
<div>| cmd( 640):ONT_REKEY+XAUTH+MODECFG_PULL+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW' PLUTO_CONN_:</div><div>| cmd( 720):ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME='andre' PLUTO_IS_PEER_CIS:</div>
<div>| cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU:</div><div>| cmd( 880):TO_NM_CONFIGURED='0' ipsec _updown 2>&1:</div><div>| route_and_eroute: instance "roadwarrior"[3] 176.71.208.160, setting eroute_owner {spd=0x7f19e64a3e00,sr=0x7f19e64a3e00} to #7 (was #0) (newest_ipsec_sa=#0)</div>
<div>| inI2: instance roadwarrior[3], setting newest_ipsec_sa to #7 (was #0) (spd.eroute=#7)</div><div>| complete state transition with STF_OK</div><div>"roadwarrior"[3] 176.71.208.160 #7: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2</div>
<div>| deleting event for #7</div><div>| inserting event EVENT_SA_EXPIRE, timeout in 3600 seconds for #7</div><div>| event added after event EVENT_REINIT_SECRET</div><div>| NAT-T: their IKE port is '500'</div><div>
| NAT-T: forceencaps is 'disabled'</div><div>"roadwarrior"[3] 176.71.208.160 #7: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x2ac96c18 <0x5b22fabb xfrm=AES_256-HMAC_MD5 NATOA=none NATD=<a href="http://176.71.208.160:43337">176.71.208.160:43337</a> DPD=passive XAUTHuser=andre}</div>
<div>| modecfg pull: quirk-poll policy:pull not-client</div><div>| phase 1 is done, looking for phase 2 to unpend</div><div>| * processed 0 messages from cryptographic helpers</div><div>| next event EVENT_NAT_T_KEEPALIVE in 13 seconds</div>
<div>| next event EVENT_NAT_T_KEEPALIVE in 13 seconds</div></div><div><div dir="ltr"><table align="left" border="0" cellpadding="0" cellspacing="0" width="100%" style="border-collapse:collapse;color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium">
<tbody><tr><td valign="top" style="padding:9px 0px 7px;color:rgb(65,64,65);font-family:Arial;font-size:11px;line-height:14px"><p style="margin:1em 0px;padding:0px;font-size:12px;line-height:16px"></p></td></tr><tr><td>Happy to provide more information if needed :)<br>
<br>thanks,<br>Pontus</td></tr><tr><td> </td></tr></tbody></table></div></div>
</div>