<div dir="ltr">I am testing a VPN behind of a NAT gateway. I tried libreswan 3.15 and 3.17 with same configuration. 3.15 succeeds, but 3.17 fails. <div><br></div><div>Here is ipsec.conf of the VPN endpoint behind NAT</div><div><br></div><div><div>config setup</div><div> protostack=klips</div><div> interfaces="ipsec0=eth0"</div><div>conn vpn-0</div><div> authby=secret</div><div> auto=start</div><div> left=<local ip></div><div> leftid=<vpn peer ip public></div><div> right=<vpn remote peer ip></div><div> leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div> rightsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div> ike=3des-sha1;modp1024</div><div> phase2alg=3des-sha1;modp1024</div><div> ikelifetime=28800s</div><div> salifetime=3600s</div><div> leftupdown=/var/run/updown.klips</div><div> dpddelay=15</div><div> dpdtimeout=25</div><div> dpdaction=hold</div><div><br></div><div>Then I run ipsec verify, and get</div><div><div>Version check and ipsec on-path [OK]</div><div>Libreswan 3.17 (klips) on 3.13.0-79-generic</div><div>Checking for IPsec support in kernel [OK]</div><div> KLIPS: checking for NAT Traversal support [OK]</div><div> KLIPS: checking for OCF crypto offload support [N/A]</div><div> KLIPS: IPsec SAref kernel support [N/A]</div><div> KLIPS: IPsec SAref Bind kernel support [N/A]</div><div>Pluto ipsec.conf syntax [OK]</div><div>Hardware random device [N/A]</div><div>Two or more interfaces found, checking IP forwarding [OK]</div><div>Checking rp_filter [OK]</div><div>Checking that pluto is running [OK]</div><div> Pluto listening for IKE on udp 500 [OK]</div><div> Pluto listening for IKE/NAT-T on udp 4500 [OK]</div><div> Pluto ipsec.secret syntax [OK]</div><div>Checking 'ip' command [OK]</div><div>Checking 'iptables' command [OK]</div><div>Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]</div><div>Opportunistic Encryption [DISABLED]</div></div><div><br></div><div>Looks OK. Then I ran ipsec status, I got</div><div><br></div><div><div>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024</div><div>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536</div><div>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048</div><div>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072</div><div>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096</div><div>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144</div><div>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192</div><div>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024</div><div>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048</div><div>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048</div><div>000</div><div>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,2112} attrs={0,2,1408}</div><div>000</div><div>000 Connection list:</div><div>000</div><div>000 "vpn-0": <a href="http://0.0.0.0/0===10.0.0.1">0.0.0.0/0===10.0.0.1</a><10.0.0.1>[10.2.128.241]...10.2.128.240<10.2.128.240>===<a href="http://0.0.0.0/0">0.0.0.0/0</a>; unrouted; eroute owner: #0</div><div>000 "vpn-0": oriented; my_ip=unset; their_ip=unset; myup=/var/run/updown.klips</div><div>000 "vpn-0": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]</div><div>000 "vpn-0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;</div><div>000 "vpn-0": labeled_ipsec:no;</div><div>000 "vpn-0": policy_label:unset;</div><div>000 "vpn-0": ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;</div><div>000 "vpn-0": retransmit-interval: 500ms; retransmit-timeout: 60s;</div><div>000 "vpn-0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;</div><div>000 "vpn-0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;</div><div>000 "vpn-0": conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;</div><div>000 "vpn-0": dpd: action:hold; delay:15; timeout:75; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both</div><div>000 "vpn-0": newest ISAKMP SA: #1; newest IPsec SA: #0;</div><div>000 "vpn-0": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)</div><div>000 "vpn-0": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)</div><div>000 "vpn-0": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024</div><div>000 "vpn-0": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2)</div><div>000 "vpn-0": ESP algorithms loaded: 3DES(3)_000-SHA1(2)_000</div><div>000</div><div>000 Total IPsec connections: loaded 1, active 0</div><div>000</div><div>000 State Information: DDoS cookies not required, Accepting new IKE connections</div><div>000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)</div><div>000 IPsec SAs: total(1), authenticated(1), anonymous(0)</div><div>000</div><div>000 #2: "vpn-0":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); <span style="background-color:rgb(255,255,0)">EVENT_CRYPTO_FAILED</span> in 54s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</div><div>000 #1: "vpn-0":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27801s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</div><div>000</div><div>000 Bare Shunt list:</div><div>000</div></div><div><br></div><div><br></div><div>When I generate some traffic from remote peer, tcpdump shows the encapsulated packet goes to the ipsec0 interface, but not decapped. </div><div><br></div><div>I was wondering if there is any change from 3.15 to 3.17 which makes my ipsec.conf not working anymore.</div><div><br></div><div>Thanks for any suggestions and helps.</div><div><br></div><div>Toby</div><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Ge (Toby) Xu<br></div>
</div></div>