Re: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks

2016-02-12 Thread Jacob Vind

On 11/02/16 15:48, Matt Rogers wrote:

> You should try adding DPD settings to your config. Specifically
> dpdaction=restart which will try to renegotiate if there's an
> interruption that goes past the dpdtimeout value.

Hi Matt,

Great, thanks. Yes, that seems to do it. I added this 20 hours ago and 
the link has been working since then; I can see from the logs that it 
has restarted it a few times.


I wonder why it is not mentioned in the setup examples on libreswan.org, 
but maybe it is mostly an issue if you are behind a double NAT setup like 
we are.


/Jacob.

___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


[Swan] Problem with subnet-to-subnet setup behind NAT'ed networks

2016-02-11 Thread Jacob Vind

Hi,

I really hope we can get some help; we are trying to set up a 
subnet-to-subnet Libreswan-based IPsec connection between two sites of 
ours. But we are having problems with it: we can get it to start up and 
work for a while (the time varies from a few minutes to hours). I hope 
someone will help review the config and log and come up with suggestions.


First a simple network diagram of the setup can be seen here: 
https://www.evernote.com/l/AR8bgtmQgg5B0oT3ZWWdgQ2DL5_I-I7HqKA


I figure that might make it easier to understand the setup. As you can 
see, we operate with two private subnets on each side. Below are the Libreswan 
configs from the left and right side (edited so the public IP is not 
visible and the entire key is not shown):



LEFT:

--- BEGIN ---
conn adsubnets
    also=sj-dtu-tunnel
    leftsubnet=172.16.1.0/24
    leftsourceip=172.16.1.253
    rightsubnet=172.16.0.0/24
    rightsourceip=172.16.0.253
    forceencaps=yes
    nat-keepalive=yes

conn sj-dtu-tunnel
    leftid=@SJ
    left=192.168.3.212
    leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
    rightid=@DTU
    right=77.X.X.X
    rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
    authby=rsasig
    # load and initiate automatically
    auto=start
--- END ---

The default gw of this machine is 192.168.3.254


RIGHT:


--- BEGIN ---
conn adsubnets
    also=sj-dtu-tunnel
    leftsubnet=172.16.1.0/24
    leftsourceip=172.16.1.253
    rightsubnet=172.16.0.0/24
    rightsourceip=172.16.0.253
    forceencaps=yes
    nat-keepalive=yes

conn sj-dtu-tunnel
    leftid=@SJ
    left=70.X.X.X
    leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
    rightid=@DTU
    right=192.168.13.238
    rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
    authby=rsasig
    # load and initiate automatically
    auto=start
--- END ---

The default gw of this machine is 192.168.13.254

We have made iptables rules so UDP ports 4500 and 500 can pass all the 
way, of course both ways. Both IPsec routers are running CentOS 7, and we 
have installed your latest version 3.16-1 (we first tried with 3.15, 
which ships with CentOS, and had the same failure with that).


Below are some log lines from the left-side machine, where I have included 
lines from around where it stops working and starts working again. We 
monitor with ping when it stops working, and it is not because the 
internet connection between the two sides is unavailable.


Anything we are missing? Any input will be highly appreciated.

Also please let me know if you need more information from me.


Thanks.

Best Regards

Jacob Vind.


Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: initiating 
Quick Mode 
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
to replace #4 {using isakmp#14 msgid:ae9942a9 proposal=defaults 
pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: transition 
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb  9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP/NAT=>0xf21e014b <0x9a31be7b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 
77.X.X.X:4500 DPD=passive}


Feb  9 13:32 PING TO OTHER SIDE STOPS RESPONDING

Feb  9 13:33:15 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: 
initiating Quick Mode 
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
to replace #2 {using isakmp#14 msgid:ae8e6273 proposal=defaults 
pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: 
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb  9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP/NAT=>0x0aeaae7f <0x277fbba9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 
77.X.X.X:4500 DPD=passive}


Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: initiating 
Quick Mode 
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
to replace #15 {using isakmp#25 msgid:f0fa5ae3 proposal=defaults 
pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: transition 
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb  9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP/NAT=>0xf2072842 <0x93cdf1ba xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 
77.X.X.X:4500 DPD=passive}


Feb  9 21:12 PING TO OTHER SIDE STARTS RESPONDING


Feb  9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: 
initiating Quick Mode 
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
to replace #16 {using isakmp#25 msgid:57db7cff proposal=defaults 
pfsgroup=OAKLEY_GROUP_MODP2048}
Feb  9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: 
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb  9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 

Re: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks

2016-02-11 Thread Tony Whyman

Jacob,

I have a similar and working setup using Libreswan/Ubuntu. The main 
difference is that I have the tunnels working peer-to-peer rather than 
subnet-to-subnet, and it may be worth your while testing and proving the 
peer-to-peer case before moving to the subnet-to-subnet case.


Otherwise, I can only see two differences in the configuration:

1. You have used left/rightsourceip while I have not (probably not 
significant).


2. In my case I have an asymmetric tunnel establishment, i.e. one side 
is "auto=add". This may be significant when it comes to the NAT 
gateways. The passive side also has a dpdaction of clear.


The NAT gateways are also set up to forward all incoming port 500/4500 
UDP to the secure gateways.


Good luck

Tony Whyman

On 11/02/16 12:59, Jacob Vind wrote:

> [...]

Re: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks

2016-02-11 Thread Matt Rogers


- Original Message -
> From: "Jacob Vind" <libres...@harm.dk>
> To: swan@lists.libreswan.org
> Sent: Thursday, February 11, 2016 7:59:01 AM
> Subject: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks
> 
> Hi,
> 
> I really hope we can get some help, we are trying to set up a
> subnet-to-subnet Libreswan based IPSEC connection between two sites of
> ours. But we are having problems with it, we can get it to startup and
> working for a while (time varies from few minutes to hours).  I hope
> someone will help review the config and log and come with suggestions.
> 
> First a simple network diagram of the setup can be seen here:
> https://www.evernote.com/l/AR8bgtmQgg5B0oT3ZWWdgQ2DL5_I-I7HqKA
> 
> I figure that might make it easier to understand the setup. As you can
> see we operate with two private subnets on each side. Below are librewan
> config from left and right side (just edited so the public IP is not
> visible and not the entire key):
> 
> 
> LEFT:
> 
> --- BEGIN ---
> conn adsubnets
>  also=sj-dtu-tunnel
>  leftsubnet=172.16.1.0/24
>  leftsourceip=172.16.1.253
>  rightsubnet=172.16.0.0/24
>  rightsourceip=172.16.0.253
>  forceencaps=yes
>  nat-keepalive=yes
> 
> conn sj-dtu-tunnel
>  leftid=@SJ
>  left=192.168.3.212
>  leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
>  rightid=@DTU
>  right=77.X.X.X
>  rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
>  authby=rsasig
>  # load and initiate automatically
>  auto=start
> --- END ---
> 
> The default gw of this machine is 192.168.3.254
> 
> 
> RIGHT:
> 
> 
> --- BEGIN ---
> conn adsubnets
>  also=sj-dtu-tunnel
>  leftsubnet=172.16.1.0/24
>  leftsourceip=172.16.1.253
>  rightsubnet=172.16.0.0/24
>  rightsourceip=172.16.0.253
>  forceencaps=yes
>  nat-keepalive=yes
> 
> conn sj-dtu-tunnel
>  leftid=@SJ
>  left=70.X.X.X
>  leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
>  rightid=@DTU
>  right=192.168.13.238
>  rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
>  authby=rsasig
>  # load and initiate automatically
>  auto=start
> --- END ---
> 

You should try adding DPD settings to your config. Specifically
dpdaction=restart which will try to renegotiate if there's an 
interruption that goes past the dpdtimeout value.

Regards,
Matt
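The thread turns on two things that can be checked mechanically: a conn that runs NAT traversal (forceencaps=yes / nat-keepalive=yes) but carries no DPD settings, and pluto's "IPsec SA established" lines reporting "DPD=passive", which is what the original poster's log shows before Matt's suggestion was applied. The following is an added example, not code from the thread or from the Libreswan project: a small Python checker that parses ipsec.conf-style conn sections (resolving also= includes), flags a NAT-T conn with dpddelay/dpdtimeout/dpdaction unset, and scans pluto log lines for SAs established with DPD=passive. It assumes that dpddelay, dpdtimeout and dpdaction (hold, clear, restart) are the Libreswan DPD options and that "DPD=passive" in that log line means the local side is not sending DPD probes; the conf snippets, IP addresses, keys and log lines are constructed placeholders modelled on the thread's, not the posters' values.

```python
"""Check a Libreswan conf for missing DPD behind NAT and a pluto log for DPD=passive SAs.

Added example, not from the thread or the Libreswan project. Assumes dpddelay,
dpdtimeout and dpdaction (hold|clear|restart) are Libreswan's DPD options and that
"DPD=passive" in pluto's "IPsec SA established" line means no local DPD probing.
All inputs below are constructed placeholders.
"""
import re

DPD_KEYS = ("dpddelay", "dpdtimeout", "dpdaction")
DPD_ACTIONS = ("hold", "clear", "restart")

# Constructed conf in the shape of the thread's, without DPD (IPs/keys are placeholders).
CONF_BEFORE = """\
conn adsubnets
    also=site-tunnel
    leftsubnet=172.16.1.0/24
    rightsubnet=172.16.0.0/24
    forceencaps=yes
    nat-keepalive=yes

conn site-tunnel
    leftid=@LEFT
    left=192.168.3.212
    leftrsasigkey=0sPLACEHOLDER
    rightid=@RIGHT
    right=203.0.113.10
    rightrsasigkey=0sPLACEHOLDER
    authby=rsasig
    # load and initiate automatically
    auto=start
"""

# Same conf with the DPD settings from the thread added to the shared tunnel conn.
CONF_AFTER = CONF_BEFORE + """\
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
"""

# Constructed pluto lines modelled on the thread's (SPIs and peer address are placeholders).
SAMPLE_LOG = [
    'Feb  9 13:29:38 router pluto[3245]: "adsubnets" #15: transition from state '
    'STATE_QUICK_I1 to state STATE_QUICK_I2',
    'Feb  9 13:29:38 router pluto[3245]: "adsubnets" #15: STATE_QUICK_I2: sent QI2, IPsec SA '
    'established tunnel mode {ESP/NAT=>0x00000001 <0x00000002 xfrm=AES_128-HMAC_SHA1 '
    'NATOA=none NATD=203.0.113.10:4500 DPD=passive}',
    'Feb 12 09:00:01 router pluto[3245]: "adsubnets" #27: STATE_QUICK_I2: sent QI2, IPsec SA '
    'established tunnel mode {ESP/NAT=>0x00000003 <0x00000004 xfrm=AES_128-HMAC_SHA1 '
    'NATOA=none NATD=203.0.113.10:4500 DPD=active}',
]


def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {key: value}}, ignoring comments."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def effective(conns, name, _seen=None):
    """Resolve also= includes; the conn's own keys override the included conn's."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in conns:
        return {}
    _seen.add(name)
    own = dict(conns[name])
    merged = {}
    for inc in own.pop("also", "").split(","):
        if inc.strip():
            merged.update(effective(conns, inc.strip(), _seen))
    merged.update(own)
    return merged


def check_conn(conns, name):
    """Return findings for one conn; an empty list means nothing to flag."""
    cfg = effective(conns, name)
    findings = []
    behind_nat = cfg.get("forceencaps") == "yes" or cfg.get("nat-keepalive") == "yes"
    missing = [k for k in DPD_KEYS if k not in cfg]
    if behind_nat and missing:
        findings.append(f"{name}: NAT-T enabled but no DPD ({', '.join(missing)} unset)")
    if cfg.get("dpdaction") not in (None,) + DPD_ACTIONS:
        findings.append(f"{name}: unknown dpdaction={cfg['dpdaction']}")
    return findings


# Matches the SA-established line and captures conn name, SA number and DPD mode.
LOG_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): STATE_QUICK_I2: .*DPD=(?P<dpd>\w+)')


def check_log(lines):
    """Return (conn, sa) for every IPsec SA that came up with DPD=passive."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dpd") == "passive":
            hits.append((m.group("conn"), int(m.group("sa"))))
    return hits


def run_checks():
    """Run both checks over the constructed inputs and return the findings."""
    return {
        "before": check_conn(parse_conns(CONF_BEFORE), "adsubnets"),
        "after": check_conn(parse_conns(CONF_AFTER), "adsubnets"),
        "log": check_log(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for label, result in run_checks().items():
        print(label, result or "ok")
```

Run against a real ipsec.conf, the checker only needs the conn sections pasted into CONF_BEFORE and the matching pluto lines in SAMPLE_LOG; the also= resolution matters here because the DPD keys live in the shared tunnel conn while forceencaps=yes sits in the subnet conn that includes it.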