<div dir="ltr">Thank you Paul. I tried ikepad=no, it does not work.<div>Meanwhile, I tried to setup natt between two mathine running libreswan. It also failed, but probably for different reason.</div><div><br></div><div>The log files are here:</div><div><a href="https://www.dropbox.com/s/2381ktqrmshp57s/natt1.log?dl=0">https://www.dropbox.com/s/2381ktqrmshp57s/natt1.log?dl=0</a><br></div><div><a href="https://www.dropbox.com/s/0uzx62mgwq2krgw/natt2.log?dl=0">https://www.dropbox.com/s/0uzx62mgwq2krgw/natt2.log?dl=0</a><br></div><div><br></div><div>configs:</div><div>one side is nat'ed. 199.204.218.98 nat to 10.0.3.3</div><div><br></div><div>config setup<br></div><div><div> protostack=netkey</div><div> plutodebug=all</div><div> listen=10.0.3.3</div><div>conn conn_natt</div><div> authby=secret</div><div> left=10.0.3.3</div><div> right=199.204.217.159</div><div> ike=3des-md5;modp1024</div><div> phase2alg=3des-md5;modp1024</div><div> ikelifetime=28800s</div><div> salifetime=3600s</div><div> leftsubnet=<a href="http://10.0.0.0/24">10.0.0.0/24</a></div><div> rightsubnet=<a href="http://10.0.1.0/24">10.0.1.0/24</a></div><div> type=tunnel</div><div> auto=start</div></div><div><br></div><div><br></div><div>on the peer:</div><div><div>config setup</div><div> protostack=netkey</div><div> plutodebug=all</div><div> listen=199.204.217.159</div><div>conn conn_vpn-5483483-tunnel</div><div> authby=secret</div><div> left=199.204.217.159</div><div> right=199.204.218.98</div><div> ike=3des-md5;modp1024</div><div> phase2alg=3des-md5;modp1024</div><div> ikelifetime=28800s</div><div> salifetime=3600s</div></div><div><div>conn conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24</div><div> also=conn_vpn-5483483-tunnel</div><div> leftsubnet=<a href="http://10.0.1.0/24">10.0.1.0/24</a></div><div> rightsubnet=<a href="http://10.0.0.0/24">10.0.0.0/24</a></div><div> type=tunnel</div><div> auto=start</div></div><div><br></div><div>Some errors I saw are:</div><div>
<p class="gmail-p1"><span class="gmail-s1">reapchild failed with errno=10 No child processes</span></p><p class="gmail-p1"><span class="gmail-s1">Apr 7 12:14:07 xenial33 pluto[5964]: | NAT-Traversal: Trying new style NAT-T</span></p><p class="gmail-p1"><span class="gmail-s1">
</span></p><p class="gmail-p1">Apr 7 12:14:07 xenial33 pluto[5964]: | NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)<br></p><p class="gmail-p1"><span class="gmail-s1">Apr 7 12:14:07 xenial33 pluto[5964]: | SPI size: 0 (0x0)</span></p><p class="gmail-p1">
</p><p class="gmail-p1"><span class="gmail-s1">Apr 7 12:14:07 xenial33 pluto[5964]: | Notify Message Type: INVALID_ID_INFORMATION (0x12)</span></p><p class="gmail-p1"><span class="gmail-s1">...</span></p><p class="gmail-p1"><span class="gmail-s1"><br></span></p><p class="gmail-p1"><span class="gmail-s1">Thanks<br>Xinwei</span></p><p class="gmail-p1"><span class="gmail-s1"><br></span></p><p class="gmail-p1"><span class="gmail-s1"><br></span></p></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 2, 2017 at 3:12 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, 31 Mar 2017, Xinwei Hong wrote:<br>
<br>
You can try ikepad=no<br>
<br>
Other then that, I don't understand what's wrong with racoon.<br>
<br>
Paul<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Date: Fri, 31 Mar 2017 18:59:18<br>
From: Xinwei Hong <<a href="mailto:xhong@skytap.com" target="_blank">xhong@skytap.com</a>><br>
Cc: <a href="mailto:swan@lists.libreswan.org" target="_blank">swan@lists.libreswan.org</a><br>
To: Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>><br>
Subject: Re: [Swan] libreswan/racoon interoperability problem with NAT-T<div><div class="h5"><br>
<br>
Thank you Paul.<br>
I added "compress=yes", seems not help. Compression_algorithm is only used in phase 2, right? The<br>
failure here is phase 1. Firewall does not like the issue either because packet on UDP 4500 can be seen<br>
on both end.<br>
<br>
I have attached racoon log file. I see:<br>
<br>
invalid length of payload<br>
<br>
ERROR: phase1 negotiation failed due to time up. 8c6688cabaaf90ca:a8d8758b59948<wbr>609<br>
<br>
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.2.128.240[0]->10.0.0.1[0]<br>
<br>
<br>
Thanks,<br>
Xinwei<br>
<br>
<br>
On Fri, Mar 31, 2017 at 1:53 PM, Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>> wrote:<br>
On Thu, 30 Mar 2017, Xinwei Hong wrote:<br>
<br>
[moderator note: please next time post a pointer to a "pastebin" of the<br>
log instead of included large log files]<br>
<br>
I have a VPN setup between libreswan (pluto+netkey) and a racoon<br>
(racoon+netkey), the racoon is behind a NAT device. The negotiation somehow<br>
failed saying that "NAT-D payload #0 doesn't<br>
match"<br>
<br>
<br>
There is not a NAT payload error. Your device has more then one IP<br>
address, and it is trying to calculate the payload for both your<br>
IP addresses. It notes that 10.0.0.1 does not match. But it also<br>
notes that 10.2.128.240 works fine.<br>
<br>
Your actual problem is:<br>
<br>
Mar 30 19:47:02 vvr-10 pluto[24271]: vvr-0:<br>
"conn_vvr-0-ipsectunnel-0-remo<wbr>te-0" #1246: max number of retransmissions<br>
(8) reached STATE_MAIN_I3. Possible authentication failure: no<br>
acceptable response to our first encrypted message<br>
<br>
Your racoon logs will likely have more information in it then your<br>
libreswan log, as racoon is the party rejecting the packet.<br>
<br>
conn conn_vvr-0-ipsectunnel-0<br>
authby=secret<br>
left=10.2.128.240<br>
right=10.2.128.241<br>
ike=3des-sha1;modp1024<br>
phase2alg=3des-sha1;modp1024<br>
leftsubnet=<a href="http://10.100.0.0/24" rel="noreferrer" target="_blank">10.100.0.0/24</a><br>
rightsubnet=<a href="http://10.100.1.0/24" rel="noreferrer" target="_blank">10.100.1.0/24</a><br>
<br>
<br>
on racoon, we have racoon.conf<br>
# Phase 1 (Main Mode) Configuration<br>
remote 10.2.128.240 {<br>
exchange_mode main;<br>
proposal_check obey;<br>
lifetime time 28800 seconds;<br>
nat_traversal on;<br>
#script "phase1-up.sh" phase1_up;<br>
#script "phase1-down.sh" phase1_down;<br>
dpd_delay 15; dpd_retry 5; dpd_maxfail 5;<br>
proposal {<br>
encryption_algorithm 3des;<br>
hash_algorithm sha1;<br>
dh_group modp1024;<br>
authentication_method pre_shared_key;<br>
}<br>
}<br>
<br>
# Phase 2 (Quick Mode) Configuration/Proposal (for IPsec SA).<br>
sainfo anonymous {<br>
encryption_algorithm 3des;<br>
authentication_algorithm hmac_sha1;<br>
pfs_group modp1024;<br>
lifetime time 3600 seconds;<br>
compression_algorithm deflate;<br>
}<br>
<br>
<br>
The only mismatch I see is for compression. You can try and removing the<br>
compression line from racoon, or adding compress=yes to libreswan.<br>
<br>
Mar 30 19:47:52 testhost-601-1 racoon: ERROR: phase1 negotiation failed due to<br>
time up. 80b77211a2f1ddba:141872152ca77<wbr>72f<br>
<br>
<br>
This is odd. Another possibility is that you have firewalled UDP 4500<br>
and so the NAT switching from UDP 500 to UDP 4500 is failing?<br>
<br>
Paul<br>
<br>
<br>
<br>
<br>
</div></div></blockquote>
</blockquote></div><br></div>