Re: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks
On 11/02/16 15:48, Matt Rogers wrote:
> You should try adding DPD settings to your config. Specifically
> dpdaction=restart which will try to renegotiate if there's an
> interruption that goes past the dpdtimeout value.

Hi Matt,

Great, thanks. Yes, that seems to do it. I added this 20 hours ago and the link has been working since then; I can see from the logs that it has restarted it a few times. I wonder why it is not mentioned in the setup examples on libreswan.org, but maybe it is mostly an issue if you are behind a double NAT setup like we are.

/Jacob.

___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
[Swan] Problem with subnet-to-subnet setup behind NAT'ed networks
Hi,

I really hope we can get some help. We are trying to set up a subnet-to-subnet Libreswan based IPSEC connection between two sites of ours, but we are having problems with it: we can get it to start up and work for a while (the time varies from a few minutes to hours). I hope someone will help review the config and log and come with suggestions.

First, a simple network diagram of the setup can be seen here:
https://www.evernote.com/l/AR8bgtmQgg5B0oT3ZWWdgQ2DL5_I-I7HqKA

I figure that might make it easier to understand the setup. As you can see, we operate with two private subnets on each side. Below are the Libreswan configs from the left and right side (just edited so the public IP is not visible and not the entire key):

LEFT:

--- BEGIN ---
conn adsubnets
        also=sj-dtu-tunnel
        leftsubnet=172.16.1.0/24
        leftsourceip=172.16.1.253
        rightsubnet=172.16.0.0/24
        rightsourceip=172.16.0.253
        forceencaps=yes
        nat-keepalive=yes

conn sj-dtu-tunnel
        leftid=@SJ
        left=192.168.3.212
        leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
        rightid=@DTU
        right=77.X.X.X
        rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
        authby=rsasig
        # load and initiate automatically
        auto=start
--- END ---

The default gw of this machine is 192.168.3.254

RIGHT:

--- BEGIN ---
conn adsubnets
        also=sj-dtu-tunnel
        leftsubnet=172.16.1.0/24
        leftsourceip=172.16.1.253
        rightsubnet=172.16.0.0/24
        rightsourceip=172.16.0.253
        forceencaps=yes
        nat-keepalive=yes

conn sj-dtu-tunnel
        leftid=@SJ
        left=70.X.X.X
        leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
        rightid=@DTU
        right=192.168.13.238
        rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
        authby=rsasig
        # load and initiate automatically
        auto=start
--- END ---

The default gw of this machine is 192.168.13.254

We have made iptables rules so UDP ports 4500 and 500 can pass all the way, of course both ways. Both ipsec routers are running CentOS 7, and we have installed your latest version 3.16-1 (we first tried with 3.15, which ships with CentOS, and had the same failure with that).

Below is some log from the left side machine, where I have included lines from around where it stops working and starts working again. We monitor with ping when it stops working, and it is not because the internet connection between the two sides is unavailable.

Anything we are missing? Any input will be highly appreciated. Also please let me know if you need more information from me.

Thanks.

Best Regards
Jacob Vind.

Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #4 {using isakmp#14 msgid:ae9942a9 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf21e014b <0x9a31be7b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb 9 13:32 PING TO OTHER SIDE STOPS RESPONDING
Feb 9 13:33:15 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #2 {using isakmp#14 msgid:ae8e6273 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x0aeaae7f <0x277fbba9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #15 {using isakmp#25 msgid:f0fa5ae3 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf2072842 <0x93cdf1ba xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb 9 21:12 PING TO OTHER SIDE STARTS RESPONDING
Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #16 {using isakmp#25 msgid:57db7cff proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
Re: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks
Jacob,

I have a similar and working setup using Libreswan/Ubuntu. The main difference is that I have the tunnels working peer-to-peer rather than subnet-to-subnet, and it may be worth your while testing and proving the peer-to-peer case before moving to the subnet-to-subnet case.

Otherwise, I can only see two differences in the configuration:

1. You have used left/rightsourceip while I have not (probably not significant).

2. In my case I have an asymmetric tunnel establishment, i.e. one side is "auto=add". This may be significant when it comes to the NAT gateways. The passive side also has a dpdaction of clear.

The NAT gateways are also set up to forward all incoming port 500/4500 UDP to the secure gateways.

Good luck

Tony Whyman

On 11/02/16 12:59, Jacob Vind wrote:
> [snip]
Re: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks
- Original Message -
> From: "Jacob Vind" <libres...@harm.dk>
> To: swan@lists.libreswan.org
> Sent: Thursday, February 11, 2016 7:59:01 AM
> Subject: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks
>
> [snip]

You should try adding DPD settings to your config. Specifically dpdaction=restart, which will try to renegotiate if there's an interruption that goes past the dpdtimeout value.

Regards,
Matt
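Matt's DPD advice can be checked against the log Jacob posted. The script below is an added example of mine, not code from the thread or from the libreswan project. It parses pluto's "IPsec SA established" lines, flags every SA whose DPD field is not "active", and measures the interval between consecutive SA establishments per connection, classifying an interval that matches the SA lifetime minus the rekey margin as a scheduled rekey (i.e. nothing detected the outage earlier). Assumptions, labelled in the comments: the syslog year is 2016; pluto's DPD=passive means the peer advertised DPD support but no dpd* settings are configured locally; and libreswan's defaults salifetime=8h, rekeymargin=9m and rekeyfuzz=100% apply. Three sample lines are copied from Jacob's log; the fourth is constructed (placeholder SPIs) to show an SA negotiated after dpddelay/dpdtimeout/dpdaction=restart are in place.

```python
import re
from datetime import datetime

# Sample input. Lines 1-3 are copied from the log in the thread (public IP
# masked by the poster). Line 4 is CONSTRUCTED: it shows what the same message
# looks like once DPD is configured locally; the SPIs are placeholders.
SAMPLE_LOG = """\
Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf21e014b <0x9a31be7b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb 9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x0aeaae7f <0x277fbba9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf2072842 <0x93cdf1ba xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb 10 04:55:00 adrouter01-sj pluto[3245]: "mysubnet" #31: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xPLACEHOLD <0xPLACEHOLD xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=active}
"""

# Matches pluto's "IPsec SA established" line and pulls out timestamp,
# connection name, SA number and the DPD field at the end of the braces.
SA_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): STATE_QUICK_I2: .*?IPsec SA established'
    r'.*?\bDPD=(?P<dpd>[a-z]+)\}'
)

# Assumed libreswan defaults (ipsec.conf): salifetime=8h, rekeymargin=9m,
# rekeyfuzz=100%. An SA is rekeyed salifetime minus a fuzzed margin after setup.
SALIFETIME = 8 * 3600
REKEYMARGIN = 9 * 60
REKEYFUZZ = 1.0


def parse_sa_events(log_text, year=2016):
    """Return one dict per 'IPsec SA established' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue  # "initiating Quick Mode", "transition from", ping notes...
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "conn": m["conn"], "sa": int(m["sa"]), "dpd": m["dpd"]})
    return events


def sas_without_active_dpd(events):
    """(conn, sa) for every SA where this side is not actively probing the peer.
    Assumption: DPD=passive means the peer offered DPD but no dpd* settings
    are configured locally, so a dead peer is never detected from here."""
    return [(e["conn"], e["sa"]) for e in events if e["dpd"] != "active"]


def establishment_gaps(events):
    """Per connection: (old_sa, new_sa, seconds) between consecutive establishments."""
    gaps, last = {}, {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        prev = last.get(e["conn"])
        if prev is not None:
            secs = int((e["ts"] - prev["ts"]).total_seconds())
            gaps.setdefault(e["conn"], []).append((prev["sa"], e["sa"], secs))
        last[e["conn"]] = e
    return gaps


def looks_like_scheduled_rekey(gap_seconds):
    """True when the gap fits salifetime minus a fuzzed rekey margin, i.e. the
    old SA was only replaced by the timer, not because a failure was noticed."""
    earliest = SALIFETIME - REKEYMARGIN * (1 + REKEYFUZZ)
    return earliest <= gap_seconds <= SALIFETIME


def findings(log_text, year=2016):
    """Human-readable findings for the given pluto log text."""
    events = parse_sa_events(log_text, year)
    notes = []
    for conn, sa in sas_without_active_dpd(events):
        notes.append(f"{conn} #{sa}: DPD not active locally; set dpddelay, "
                     f"dpdtimeout and dpdaction=restart in this conn")
    for conn, gaps in establishment_gaps(events).items():
        for old, new, secs in gaps:
            how = "scheduled rekey" if looks_like_scheduled_rekey(secs) else "early replacement"
            notes.append(f"{conn}: #{old} -> #{new} after {secs}s ({how})")
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE_LOG):
        print(note)
```

Feed it the pluto log from the left router (on CentOS 7 pluto logs via syslog, e.g. /var/log/secure). On the posted lines every SA shows DPD=passive, and the #15 to #26 replacement comes 27746 s (about 7h42m) later, which the heuristic classifies as the scheduled rekey: the tunnel only recovered when the SA lifetime expired, which is exactly the window dpdaction=restart closes.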