Re: [Swan] Fwd: Overlapping IP ranges

2018-04-19 Thread Paul Wouters

On Fri, 13 Apr 2018, Mircea Troaca wrote:


> Clean install of debian server, installing all the requirements in order to do "make deb".
> 1. If I do "make deb" with the applied patch, the clients can't connect anymore. (They're getting error 809, the error that requires changing AssumeUDPEncapsulationContextOnSendrule to value "2".)
> 2. If I do "make deb" WITHOUT the applied patch, using exactly the same configure files, they can connect instantly.


I don't understand this at all.


> Here you can find debug=all of ipsec using the patch ->
> https://pastebin.com/raw/rT42uiE8


This shows the _first_ client already fails to connect? So in that case
the whole overlapip=yes does not even come into play yet?

Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


Re: [Swan] Fwd: Overlapping IP ranges

2018-04-13 Thread Mircea Troaca
So, the results are the following:

Clean install of debian server, installing all the requirements in order to do "make deb".
1. If I do "make deb" with the applied patch, the clients can't connect anymore. (They're getting error 809, the error that requires changing AssumeUDPEncapsulationContextOnSendrule to value "2".)
2. If I do "make deb" WITHOUT the applied patch, using exactly the same configure files, they can connect instantly.

Here you can find debug=all of ipsec using the patch ->
https://pastebin.com/raw/rT42uiE8
Thank you!

2018-04-12 23:59 GMT+03:00 Mircea Troaca :

> After I applied the patch with a success and installing the .deb package
> worked like a charm.
> But.. the problems appears again..
> After installing the .deb with dpkg, when I try, as a client, to connect
> to the server, on windows I am getting 809 error (that retarded thing which
> makes u modify windows registry and set value 2 on AssumeUDPEncapsulation)
> with the EXACTLY same config of ipsec..
>
> Thank you for everything so far.
>
> 2018-04-12 20:01 GMT+03:00 Paul Wouters :
>
>> On Thu, 12 Apr 2018, Mircea Troaca wrote:
>>
>> Excuse my "stupidity".. but, how? :D
>>> I am running on a debian 9 server
>>>
>>
>> once you have the proper buildessentials installed, you can try this:
>>
>> wget download.libreswan.org/libreswan-3.23.tar.gz
>> tar zxf libreswan-3.23.tar.gz
>> cd libreswan-3.23
>> patch -p1 -s < /path/to/file.patch
>> make deb
>>
>> Paul
>>
>
>


Re: [Swan] Fwd: Overlapping IP ranges

2018-04-12 Thread Paul Wouters

On Thu, 12 Apr 2018, Mircea Troaca wrote:


> Excuse my "stupidity".. but, how? :D
> I am running on a debian 9 server


once you have the proper buildessentials installed, you can try this:

wget download.libreswan.org/libreswan-3.23.tar.gz
tar zxf libreswan-3.23.tar.gz
cd libreswan-3.23
patch -p1 -s < /path/to/file.patch
make deb

Paul


Re: [Swan] Fwd: Overlapping IP ranges

2018-04-12 Thread Mircea Troaca
Excuse my "stupidity".. but, how? :D

I am running on a debian 9 server

2018-04-12 19:05 GMT+03:00 Paul Wouters :

> On Thu, 12 Apr 2018, Mircea Troaca wrote:
>
> Try the attached patch.
>
> Paul
>
> Date: Thu, 12 Apr 2018 12:00:48
>> From: Mircea Troaca 
>> To: swan@lists.libreswan.org
>> Subject: [Swan] Fwd:  Overlapping IP ranges
>>
>>
>> -- Forwarded message --
>> From: Mircea Troaca 
>> Date: 2018-04-12 18:56 GMT+03:00
>> Subject: Re: [Swan] Overlapping IP ranges
>> To: Paul Wouters 
>>
>>
>> I tried with overlapip=yes, when I add that to my connection, clients can connect well, but the same error, overlaps with connection bla bla bla.. After I added mark= -1/0x, clients can't connect anymore..
>>
>> 2018-04-12 17:09 GMT+03:00 Paul Wouters :
>>   On Wed, 11 Apr 2018, Mircea Troaca wrote:
>>
>> libreswan + xl2tpd + a freeradius server. The problem occurs when two clients from different networks with the same network (192.168.0.x) try to access the server.
>>
>> Client A: 192.168.0.101
>>  -> he is the first who connects and it is successful.
>>
>> Client B: 192.168.0.101 (from different network, different location, using a router that gives 192.168.0.x)
>>  -> Virtual IP 192.168.0.101/32 overlaps with connection "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
>>  -> Kernel method 'netkey' does not support overlapping IP ranges
>>
>>
>>   This should work, if you use marking to make each IPsec SA unique.
>>
>>   Try adding this to your connection:
>>
>>   overlapip=yes
>>   mark=-1/0x
>>
>>   Paul
>>
>> and the tunnel is not established...
>>
>>
>> here is my config of ipsec.conf
>>
>> config setup
>>   virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
>>   protostack=netkey
>>   plutostderrlog=/var/log/ipsec.log
>>   interfaces=%defaultroute
>>   uniqueids=no
>>
>> include /etc/ipsec.d/l2tp-psk.conf
>>
>>
>> and here is the config of l2tp-psk.conf
>>
>> conn L2TP-PSK-NAT
>>     rightsubnet=vhost:%priv
>>     also=L2TP-PSK-noNAT
>>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>     sha2-truncbug=yes
>>
>> conn L2TP-PSK-noNAT
>>     # Use a Preshared Key. Disable Perfect Forward Secrecy.
>>     authby=secret
>>     pfs=no
>>     auto=add
>>     keyingtries=3
>>     # we cannot rekey for %any, let client rekey
>>     rekey=no
>>     # Apple iOS doesn't send delete notify so we need dead peer detection
>>     # to detect vanishing clients
>>     dpddelay=10
>>     dpdtimeout=90
>>     dpdaction=clear
>>     # Set ikelifetime and keylife to same defaults windows has
>>     ikelifetime=8h
>>     keylife=1h
>>     # l2tp-over-ipsec is transport mode
>>     type=transport
>>     #
>>     # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
>>     left=%defaultroute
>>     #
>>     # For updated Windows 2000/XP clients,
>>     # to support old clients as well, use leftprotoport=17/%any
>>     leftprotoport=17/1701
>>     #
>>     # The remote user.
>>     #
>>     right=%any
>>     # Using the magic port of "%any" means "any one single port". This is
>>     # a work around required for Apple OSX clients that use a randomly
>>     # high port.
>>     rightprotoport=17/%any
>>
>>
>> Thank you in advance!
>>
>>
>>
>>
>>
>>


Re: [Swan] Fwd: Overlapping IP ranges

2018-04-12 Thread Paul Wouters

On Thu, 12 Apr 2018, Mircea Troaca wrote:

Try the attached patch.

Paul


Date: Thu, 12 Apr 2018 12:00:48
From: Mircea Troaca 
To: swan@lists.libreswan.org
Subject: [Swan] Fwd:  Overlapping IP ranges


-- Forwarded message --
From: Mircea Troaca 
Date: 2018-04-12 18:56 GMT+03:00
Subject: Re: [Swan] Overlapping IP ranges
To: Paul Wouters 


I tried with overlapip=yes, when I add that to my connection, clients can connect well, but the same error, overlaps with connection bla bla bla.. After I added mark= -1/0x, clients can't connect anymore..

2018-04-12 17:09 GMT+03:00 Paul Wouters :
  On Wed, 11 Apr 2018, Mircea Troaca wrote:

libreswan + xl2tpd + a freeradius server. The problem occurs when two clients from different networks with the same network (192.168.0.x) try to access the server.

Client A: 192.168.0.101
 -> he is the first who connects and it is successful.

Client B: 192.168.0.101 (from different network, different location, using a router that gives 192.168.0.x)
 -> Virtual IP 192.168.0.101/32 overlaps with connection "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
 -> Kernel method 'netkey' does not support overlapping IP ranges


  This should work, if you use marking to make each IPsec SA unique.

  Try adding this to your connection:

          overlapip=yes
          mark=-1/0x

  Paul

and the tunnel is not established...


here is my config of ipsec.conf

config setup
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
    protostack=netkey
    plutostderrlog=/var/log/ipsec.log
    interfaces=%defaultroute
    uniqueids=no

include /etc/ipsec.d/l2tp-psk.conf


and here is the config of l2tp-psk.conf

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
    ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
    phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
    sha2-truncbug=yes

conn L2TP-PSK-noNAT
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    type=transport
    #
    # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
    left=%defaultroute
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    # Using the magic port of "%any" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port.
    rightprotoport=17/%any


Thank you in advance!





diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c
index 8e1ff2799..7d44e1516 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/programs/pluto/kernel_netlink.c
@@ -2992,7 +2992,7 @@ const struct kernel_ops netkey_kernel_ops = {
 * if netlink  specific changes are needed.
 */
.remove_orphaned_holds = NULL, /* only used for klips /proc scanner */
-   .overlap_supported = FALSE,
+   .overlap_supported = TRUE,
.sha2_truncbug_support = TRUE,
.v6holes = netlink_v6holes,
 };
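Review bot: flipping ".overlap_supported = FALSE" to TRUE in netkey_kernel_ops only removes the "Kernel method 'netkey' does not support overlapping IP ranges" refusal; nothing in this hunk makes the XFRM policies for two clients claiming the same /32 distinguishable, and the earlier reply in this thread says overlap works only "if you use marking to make each IPsec SA unique". The flag should either be reported as supported only when the connection carries a mark, or the patch should include the policy-installation change that applies that mark, and the new line deserves a comment stating that dependency. The follow-up report that clients stop connecting against the patched build, with the same config, means the combination overlapip=yes plus mark= still needs a two-client test before this is merged.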
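Paul's fix for the overlap error, restated in the forwarded message above, is two settings on the vhost:%priv connection: overlapip=yes so a duplicate virtual IP is accepted at all, and mark= so each IPsec SA stays unique in the kernel. The lint below is an added example, not Libreswan code and not from anyone in this thread: it parses a Libreswan-style ipsec.conf (resolving also= inheritance, which the posted L2TP-PSK-NAT conn relies on) and reports every vhost: conn that is missing either setting. The sample config is constructed after the posted l2tp-psk.conf; the mark value -1/0xffffffff and the rule that a conn's own keys override those pulled in via also= are assumptions.

```python
"""Lint a Libreswan-style ipsec.conf for the thread's failure modes:
road-warrior conns (rightsubnet=vhost:%priv) that lack overlapip=yes, or
have it but no mark= to keep overlapping SAs unique in the kernel.
Added example, not Libreswan code; sample config and mark value are assumed."""
import re
from typing import Dict, List, Optional, Set

Section = Dict[str, str]
_SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")
_KV_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Return {conn_name: {key: value}}; '#' comments stripped, 'config setup'
    and 'include' lines skipped, a repeated key keeps its last value."""
    conns: Dict[str, Section] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            kind, name = sec.groups()
            current = name if kind == "conn" else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is None or line.lstrip().startswith("include "):
            continue
        kv = _KV_RE.match(line)
        if kv:
            conns[current][kv.group(1)] = kv.group(2)
    return conns


def effective_settings(conns: Dict[str, Section], name: str,
                       seen: Optional[Set[str]] = None) -> Section:
    """Resolve also= (assumption: a conn's own keys win over inherited ones;
    cycles and unknown names are ignored rather than raising)."""
    seen = set() if seen is None else seen
    if name in seen or name not in conns:
        return {}
    seen.add(name)
    own = conns[name]
    merged: Section = {}
    for base in own.get("also", "").split(","):
        if base.strip():
            merged.update(effective_settings(conns, base.strip(), seen))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged


def check_overlap_settings(conns: Dict[str, Section]) -> List[str]:
    """One finding per conn that would hit the errors seen in the thread."""
    findings: List[str] = []
    for name in conns:
        s = effective_settings(conns, name)
        if not any(s.get(side, "").startswith("vhost:")
                   for side in ("rightsubnet", "leftsubnet")):
            continue  # no client-chosen virtual subnet, so no overlap possible
        if s.get("overlapip", "no").lower() != "yes":
            findings.append(f"{name}: vhost: subnet without overlapip=yes; a "
                            "second client with an already-claimed virtual IP "
                            "is refused ('overlaps with connection')")
        elif "mark" not in s:
            findings.append(f"{name}: overlapip=yes but no mark=; overlapping "
                            "SAs would be indistinguishable to the kernel")
    return findings


# Constructed sample modelled on the l2tp-psk.conf posted in the thread.
SAMPLE_CONF = """\
config setup
    uniqueids=no

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-NAT-overlap
    rightsubnet=vhost:%priv
    overlapip=yes
    also=L2TP-PSK-noNAT

conn L2TP-PSK-NAT-marked
    rightsubnet=vhost:%priv
    overlapip=yes
    mark=-1/0xffffffff    # assumed value: let pluto pick a unique mark
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    right=%any
    rightprotoport=17/%any
"""

if __name__ == "__main__":
    for finding in check_overlap_settings(parse_ipsec_conf(SAMPLE_CONF)):
        print(finding)
```

Against the sample it reports L2TP-PSK-NAT (no overlapip) and L2TP-PSK-NAT-overlap (overlapip without mark) and stays silent on the marked conn. The parser does not follow include lines, so concatenate /etc/ipsec.conf with the files it includes before running it against a real server.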