Re: [Swan] Fwd: Overlapping IP ranges
On Fri, 13 Apr 2018, Mircea Troaca wrote:

> Clean install of debian server, installing all the requirements in order
> to do "make deb".
>
> 1. If I do "make deb" with the applied patch, the clients can't connect
> anymore. (they're getting error 809, that error that requires to change
> AssumeUDPEncapsulationContextOnSendRule to value "2".)
>
> 2. If I do "make deb" WITHOUT the applied patch, using the exactly same
> configure files, they can connect instantly.

I don't understand this at all.

> Here you can find debug=all of ipsec using the patch ->
> https://pastebin.com/raw/rT42uiE8

This shows the _first_ client already fails to connect? So in that case
the whole overlapip=yes does not even come into play yet?

Paul

___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
Re: [Swan] Fwd: Overlapping IP ranges
So, the results are the following:

Clean install of debian server, installing all the requirements in order
to do "make deb".

1. If I do "make deb" with the applied patch, the clients can't connect
anymore. (they're getting error 809, that error that requires to change
AssumeUDPEncapsulationContextOnSendRule to value "2".)

2. If I do "make deb" WITHOUT the applied patch, using the exactly same
configure files, they can connect instantly.

Here you can find debug=all of ipsec using the patch ->
https://pastebin.com/raw/rT42uiE8

Thank you!

2018-04-12 23:59 GMT+03:00 Mircea Troaca:

> After I applied the patch with success and installing the .deb package
> worked like a charm.
> But.. the problem appears again..
> After installing the .deb with dpkg, when I try, as a client, to connect
> to the server, on windows I am getting 809 error (that retarded thing which
> makes u modify windows registry and set value 2 on AssumeUDPEncapsulation)
> with the EXACTLY same config of ipsec..
>
> Thank you for everything so far.
>
> 2018-04-12 20:01 GMT+03:00 Paul Wouters:
>
>> On Thu, 12 Apr 2018, Mircea Troaca wrote:
>>
>>> Excuse my "stupidity".. but, how? :D
>>> I am running on a debian 9 server
>>
>> once you have the proper buildessentials installed, you can try this:
>>
>> wget download.libreswan.org/libreswan-3.23.tar.gz
>> tar zxf libreswan-3.23.tar.gz
>> cd libreswan-3.23
>> patch -p1 -s < /path/to/file.patch
>> make deb
>>
>> Paul
Re: [Swan] Fwd: Overlapping IP ranges
On Thu, 12 Apr 2018, Mircea Troaca wrote:

> Excuse my "stupidity".. but, how? :D
> I am running on a debian 9 server

once you have the proper buildessentials installed, you can try this:

wget download.libreswan.org/libreswan-3.23.tar.gz
tar zxf libreswan-3.23.tar.gz
cd libreswan-3.23
patch -p1 -s < /path/to/file.patch
make deb

Paul
Re: [Swan] Fwd: Overlapping IP ranges
Excuse my "stupidity".. but, how? :D
I am running on a debian 9 server

2018-04-12 19:05 GMT+03:00 Paul Wouters:

> On Thu, 12 Apr 2018, Mircea Troaca wrote:
>
> Try the attached patch.
>
> Paul
>
>> Date: Thu, 12 Apr 2018 12:00:48
>> From: Mircea Troaca
>> To: swan@lists.libreswan.org
>> Subject: [Swan] Fwd: Overlapping IP ranges
>>
>> -- Forwarded message --
>> From: Mircea Troaca
>> Date: 2018-04-12 18:56 GMT+03:00
>> Subject: Re: [Swan] Overlapping IP ranges
>> To: Paul Wouters
>>
>> I tried with overlapip=yes, when I add that to my connection, clients can
>> connect well, but the same error, overlaps with connection bla bla bla..
>> After I added mark= -1/0x, clients can't connect anymore..
>>
>> 2018-04-12 17:09 GMT+03:00 Paul Wouters:
>>
>>> On Wed, 11 Apr 2018, Mircea Troaca wrote:
>>>
>>>> libreswan + xl2tpd + a freeradius server. The problem occurs when two
>>>> clients from different networks with the same network (192.168.0.x)
>>>> try to access the server.
>>>>
>>>> Client A: 192.168.0.101
>>>> -> he is the first who connects and it is successful.
>>>>
>>>> Client B: 192.168.0.101 (from different network, different location,
>>>> using a router that gives 192.168.0.x)
>>>> -> Virtual IP 192.168.0.101/32 overlaps with connection
>>>> "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
>>>> -> Kernel method 'netkey' does not support overlapping IP ranges
>>>
>>> This should work, if you use marking to make each IPsec SA unique.
>>>
>>> Try adding this to your connection:
>>>
>>> overlapip=yes
>>> mark=-1/0x
>>>
>>> Paul
>>>
>>>> and the tunnel is not established...
>>>>
>>>> here is my config of ipsec.conf
>>>>
>>>> config setup
>>>>     virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
>>>>     protostack=netkey
>>>>     plutostderrlog=/var/log/ipsec.log
>>>>     interfaces=%defaultroute
>>>>     uniqueids=no
>>>>
>>>> include /etc/ipsec.d/l2tp-psk.conf
>>>>
>>>> and here is the config of l2tp-psk.conf
>>>>
>>>> conn L2TP-PSK-NAT
>>>>     rightsubnet=vhost:%priv
>>>>     also=L2TP-PSK-noNAT
>>>>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>>>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>>>     sha2-truncbug=yes
>>>>
>>>> conn L2TP-PSK-noNAT
>>>>     # Use a Preshared Key. Disable Perfect Forward Secrecy.
>>>>     authby=secret
>>>>     pfs=no
>>>>     auto=add
>>>>     keyingtries=3
>>>>     # we cannot rekey for %any, let client rekey
>>>>     rekey=no
>>>>     # Apple iOS doesn't send delete notify so we need dead peer detection
>>>>     # to detect vanishing clients
>>>>     dpddelay=10
>>>>     dpdtimeout=90
>>>>     dpdaction=clear
>>>>     # Set ikelifetime and keylife to same defaults windows has
>>>>     ikelifetime=8h
>>>>     keylife=1h
>>>>     # l2tp-over-ipsec is transport mode
>>>>     type=transport
>>>>     #
>>>>     # left will be filled in automatically with the local address of the
>>>>     # default-route interface (as determined at IPsec startup time).
>>>>     left=%defaultroute
>>>>     #
>>>>     # For updated Windows 2000/XP clients,
>>>>     # to support old clients as well, use leftprotoport=17/%any
>>>>     leftprotoport=17/1701
>>>>     #
>>>>     # The remote user.
>>>>     #
>>>>     right=%any
>>>>     # Using the magic port of "%any" means "any one single port". This is
>>>>     # a work around required for Apple OSX clients that use a randomly
>>>>     # high port.
>>>>     rightprotoport=17/%any
>>>>
>>>> Thank you in advance!
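The thread turns on two settings Paul suggested for the road-warrior conn (overlapip=yes and a per-SA mark=), which the posted l2tp-psk.conf lacks. The script below is an added example, not libreswan code and not something posted in the thread: it parses ipsec.conf-style sections, follows also= references, and flags any conn that hands out virtual client addresses (rightsubnet=vhost:...) without those settings, so an admin can catch the misconfiguration before the second 192.168.0.101 client shows up. Assumptions: rightsubnet=vhost: is taken as the marker of a road-warrior conn, the referring conn's own keys are treated as overriding the also= section (a simplification of libreswan's merge rules), the sample config is constructed from the thread's l2tp-psk.conf, and the mark value in the second sample is a placeholder, since the thread only shows a truncated "mark=-1/0x".

```python
"""Audit a libreswan ipsec.conf for road-warrior conns that cannot cope with
two clients presenting the same virtual IP (overlapip= / mark= missing).
Added example code; not part of libreswan or the mailing-list thread."""
import re

# Constructed sample: the thread's l2tp-psk.conf as posted, without overlapip/mark.
SAMPLE_CONF = """\
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
    ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
    phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
    sha2-truncbug=yes

conn L2TP-PSK-noNAT
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    authby=secret
    pfs=no
    auto=add
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
"""

# Constructed variant with both settings; "0x12345678/0xffffffff" is a placeholder mark.
SAMPLE_CONF_MARKED = SAMPLE_CONF.replace(
    "    rightsubnet=vhost:%priv\n",
    "    rightsubnet=vhost:%priv\n    overlapip=yes\n    mark=0x12345678/0xffffffff\n",
)

# "conn NAME" / "config setup" headers start at column 0; parameters are indented.
SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; comments and blank lines are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SECTION_RE.match(raw)
        if m:
            current = m.group(2)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in stripped:
            continue  # e.g. an "include" line outside any section
        key, _, value = stripped.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def resolve_conn(sections, name, _seen=None):
    """Flatten an also= chain into one dict (assumption: the referring conn's keys win)."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        raise ValueError("also= loop at %s" % name)
    seen.add(name)
    own = dict(sections[name])
    base = own.pop("also", None)
    merged = resolve_conn(sections, base, seen) if base else {}
    merged.update(own)
    return merged


def audit_text(text):
    """Return [(conn_name, problem)] for conns that accept virtual client IPs."""
    sections = parse_ipsec_conf(text)
    findings = []
    for name in sections:
        if name == "setup":
            continue
        conn = resolve_conn(sections, name)
        if not conn.get("rightsubnet", "").startswith("vhost:"):
            continue  # not a road-warrior conn handing out virtual IPs
        if conn.get("overlapip", "no") != "yes":
            findings.append((name, "overlapip is not yes: a second client whose "
                                   "LAN address matches an active one is refused"))
        elif "mark" not in conn:
            findings.append((name, "overlapip=yes but no mark=: the kernel cannot "
                                   "tell two SAs with identical selectors apart"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_CONF, SAMPLE_CONF_MARKED):
        print(audit_text(sample) or "no findings")
```

Run against the posted config it reports L2TP-PSK-NAT for the missing overlapip=yes; with both settings present it reports nothing. It is a static check only: whether the kernel backend actually honours overlapping marked SAs is the separate question the rest of the thread is about.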
Re: [Swan] Fwd: Overlapping IP ranges
On Thu, 12 Apr 2018, Mircea Troaca wrote:

Try the attached patch.

Paul

> Date: Thu, 12 Apr 2018 12:00:48
> From: Mircea Troaca
> To: swan@lists.libreswan.org
> Subject: [Swan] Fwd: Overlapping IP ranges
>
> -- Forwarded message --
> From: Mircea Troaca
> Date: 2018-04-12 18:56 GMT+03:00
> Subject: Re: [Swan] Overlapping IP ranges
> To: Paul Wouters
>
> I tried with overlapip=yes, when I add that to my connection, clients can
> connect well, but the same error, overlaps with connection bla bla bla..
> After I added mark= -1/0x, clients can't connect anymore..
>
> 2018-04-12 17:09 GMT+03:00 Paul Wouters:
>
>> On Wed, 11 Apr 2018, Mircea Troaca wrote:
>>
>>> libreswan + xl2tpd + a freeradius server. The problem occurs when two
>>> clients from different networks with the same network (192.168.0.x)
>>> try to access the server.
>>>
>>> Client A: 192.168.0.101
>>> -> he is the first who connects and it is successful.
>>>
>>> Client B: 192.168.0.101 (from different network, different location,
>>> using a router that gives 192.168.0.x)
>>> -> Virtual IP 192.168.0.101/32 overlaps with connection
>>> "L2TP-PSK-NAT"[11] xxx.xxx.xxx.xxx (kind=CK_INSTANCE) 'xxx.xxx.xxx.xxx'
>>> -> Kernel method 'netkey' does not support overlapping IP ranges
>>
>> This should work, if you use marking to make each IPsec SA unique.
>>
>> Try adding this to your connection:
>>
>> overlapip=yes
>> mark=-1/0x
>>
>> Paul
>>
>>> and the tunnel is not established...
>>>
>>> here is my config of ipsec.conf
>>>
>>> config setup
>>>     virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.150.0.0/24,%v4:!10.150.1.0/24
>>>     protostack=netkey
>>>     plutostderrlog=/var/log/ipsec.log
>>>     interfaces=%defaultroute
>>>     uniqueids=no
>>>
>>> include /etc/ipsec.d/l2tp-psk.conf
>>>
>>> and here is the config of l2tp-psk.conf
>>>
>>> conn L2TP-PSK-NAT
>>>     rightsubnet=vhost:%priv
>>>     also=L2TP-PSK-noNAT
>>>     ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
>>>     phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
>>>     sha2-truncbug=yes
>>>
>>> conn L2TP-PSK-noNAT
>>>     # Use a Preshared Key. Disable Perfect Forward Secrecy.
>>>     authby=secret
>>>     pfs=no
>>>     auto=add
>>>     keyingtries=3
>>>     # we cannot rekey for %any, let client rekey
>>>     rekey=no
>>>     # Apple iOS doesn't send delete notify so we need dead peer detection
>>>     # to detect vanishing clients
>>>     dpddelay=10
>>>     dpdtimeout=90
>>>     dpdaction=clear
>>>     # Set ikelifetime and keylife to same defaults windows has
>>>     ikelifetime=8h
>>>     keylife=1h
>>>     # l2tp-over-ipsec is transport mode
>>>     type=transport
>>>     #
>>>     # left will be filled in automatically with the local address of the
>>>     # default-route interface (as determined at IPsec startup time).
>>>     left=%defaultroute
>>>     #
>>>     # For updated Windows 2000/XP clients,
>>>     # to support old clients as well, use leftprotoport=17/%any
>>>     leftprotoport=17/1701
>>>     #
>>>     # The remote user.
>>>     #
>>>     right=%any
>>>     # Using the magic port of "%any" means "any one single port". This is
>>>     # a work around required for Apple OSX clients that use a randomly
>>>     # high port.
>>>     rightprotoport=17/%any
>>>
>>> Thank you in advance!

diff --git a/programs/pluto/kernel_netlink.c b/programs/pluto/kernel_netlink.c index 8e1ff2799..7d44e1516 100644 --- a/programs/pluto/kernel_netlink.c +++ b/programs/pluto/kernel_netlink.c @@ -2992,7 +2992,7 @@ const struct kernel_ops netkey_kernel_ops = { * if netlink specific changes are needed. */ .remove_orphaned_holds = NULL, /* only used for klips /proc scanner */ - .overlap_supported = FALSE, + .overlap_supported = TRUE, .sha2_truncbug_support = TRUE, .v6holes = netlink_v6holes, };
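Review bot: the hunk flips `.overlap_supported = FALSE` to `.overlap_supported = TRUE` in `netkey_kernel_ops` and nothing else, so the netkey backend now advertises a capability without any change to how it installs policies or SAs for two instances with identical selectors; overlapip=yes will pass the capability check whether or not the marked-SA path actually works on netkey. The follow-up in this thread, where clients stop connecting once the patched build is installed, is consistent with that gap. Before merging, suggest tying the TRUE value to the mark-based handling that overlapip= depends on, stating the rationale in the commit message (the patch ships with none), and adding a test that brings up two clients presenting the same virtual IP so the claim is exercised rather than asserted.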