Sorry, I forgot to attach the log with the plutodebug option disabled.
Regards,
António
On 05/08/2015 03:39 PM, Antonio Silva wrote:
Hi,
Not sure if this applies to me. I saw this same error in my log, "cannot
install eroute -- it is in use for "tunnel2-nat"", when behind NAT I
tried to connect simultaneous users with Windows and L2TP/IPsec.
I've installed libreswan 3.12.
Is this setup possible?
For Openswan I found this:
https://lists.openswan.org/pipermail/users/2014-July/023037.html , but
not sure if this applies to libreswan as well....
My lab scenario to simulate a NAT connection is very simple: two
virtual machines using wm on a Debian box, and they connect to the
remote IPsec server:
WM host win8.1 [192.168.8.131] ----
                                   \
                  [192.168.8.1] HOST [192.168.10.25] ------- [192.168.10.254] SERVER
                                   /
WM host win8.1 [192.168.8.129] ----
Attached are my configuration and the respective log files from when I try to connect.
peer_one_connected.log.txt => peer one connected
peer_two_fail_simultaneous_con.log.txt => peer two fail to connect
Thanks for the help.
regards,
António
On 12/16/2014 02:11 AM, Paul Wouters wrote:
On Fri, 12 Dec 2014, Elison Niven wrote:
Subject: [Swan] Error "cannot install eroute" when rekey/reconnect from the same IP (for L2TP)
Is this fixed now?
https://lists.openswan.org/pipermail/users/2010-April/018685.html
I changed this test case:
https://github.com/libreswan/libreswan/tree/master/testing/pluto/l2tp-02-netkey
to simulate your scenario using:
ipsec auto --up north-east-l2tp
echo "c server" > /var/run/xl2tpd/l2tp-control
sleep 5
ipsec look
: ==== cut ====
cat /tmp/xl2tpd.log
: ==== tuc ====
ping -c 4 -n 192.0.2.254
# testing passthrough plaintext
echo quit | nc 192.0.2.254 22
ip addr show dev ppp0
sleep 5
echo "d server" > /var/run/xl2tpd/l2tp-control
ipsec auto --down north-east-l2tp
sleep 5
ipsec auto --up north-east-l2tp
echo "c server" > /var/run/xl2tpd/l2tp-control
sleep 5
ipsec look
echo done
This worked fine. Both the first IPsec and PPP and the second IPsec and
PPP came up successfully. Since it uses RSA, I then modified it to use
PSK. But it still worked.
Is there a chance you can try and test this with libreswan-3.12?
Paul
I'm not sure if that fully reproduced your connection from behind NAT? This connection used RSA, not PSK.
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
--
António Silva
May 8 15:43:30 bitch ipsec__plutorun: Starting Pluto subsystem...
May 8 15:43:30 bitch pluto[28840]: nss directory plutomain: /etc/ipsec.d
May 8 15:43:30 bitch pluto[28840]: NSS Initialized
May 8 15:43:30 bitch pluto[28840]: libcap-ng support [disabled]
May 8 15:43:30 bitch pluto[28840]: FIPS HMAC integrity support [disabled]
May 8 15:43:30 bitch pluto[28840]: Linux audit support [disabled]
May 8 15:43:30 bitch pluto[28840]: Starting Pluto (Libreswan Version 3.12 XFRM(netkey) KLIPS NSS DNSSEC XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:28840
May 8 15:43:30 bitch pluto[28840]: core dump dir: /var/run/pluto
May 8 15:43:30 bitch pluto[28840]: secrets file: /etc/ipsec.secrets
May 8 15:43:30 bitch pluto[28840]: leak-detective disabled
May 8 15:43:30 bitch pluto[28840]: SAref support [disabled]: Protocol not available
May 8 15:43:30 bitch pluto[28840]: SAbind support [disabled]: Protocol not available
May 8 15:43:30 bitch pluto[28840]: NSS crypto [enabled]
May 8 15:43:30 bitch pluto[28840]: XAUTH PAM support [enabled]
May 8 15:43:30 bitch pluto[28840]: NAT-Traversal support [enabled]
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_AES_CTR: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_CAMELLIA_CBC: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
May 8 15:43:30 bitch pluto[28840]: starting up 3 crypto helpers
May 8 15:43:30 bitch pluto[28840]: started thread for crypto helper 0 (master fd 6)
May 8 15:43:30 bitch pluto[28840]: started thread for crypto helper 1 (master fd 8)
May 8 15:43:30 bitch pluto[28840]: started thread for crypto helper 2 (master fd 10)
May 8 15:43:30 bitch pluto[28840]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.58
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_gcm_8: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_gcm_12: Ok
May 8 15:43:30 bitch pluto[28840]: ike_alg_register_enc(): Activating aes_gcm_16: Ok
May 8 15:43:31 bitch pluto[28840]: added connection description "tunnel1-nat"
May 8 15:43:31 bitch pluto[28840]: added connection description "tunnel1"
May 8 15:43:31 bitch pluto[28840]: listening for IKE messages
May 8 15:43:31 bitch pluto[28840]: adding interface eth2/eth2 192.168.3.254:500
May 8 15:43:31 bitch pluto[28840]: adding interface eth2/eth2 192.168.3.254:4500
May 8 15:43:31 bitch pluto[28840]: adding interface eth1/eth1 192.168.11.254:500
May 8 15:43:31 bitch pluto[28840]: adding interface eth1/eth1 192.168.11.254:4500
May 8 15:43:31 bitch pluto[28840]: adding interface eth1/eth1 192.168.10.254:500
May 8 15:43:31 bitch pluto[28840]: adding interface eth1/eth1 192.168.10.254:4500
May 8 15:43:31 bitch pluto[28840]: adding interface eth0/eth0 10.10.0.1:500
May 8 15:43:31 bitch pluto[28840]: adding interface eth0/eth0 10.10.0.1:4500
May 8 15:43:31 bitch pluto[28840]: adding interface lo/lo 127.0.0.1:500
May 8 15:43:31 bitch pluto[28840]: adding interface lo/lo 127.0.0.1:4500
May 8 15:43:31 bitch pluto[28840]: loading secrets from "/etc/ipsec.secrets"
May 8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
May 8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
May 8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: received Vendor ID payload [RFC 3947]
May 8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: received Vendor ID payload [FRAGMENTATION]
May 8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
May 8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May 8 15:43:39 bitch pluto[28840]: packet from 192.168.10.25:500: ignoring Vendor ID payload [IKE CGA version 1]
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: responding to Main Mode from unknown peer 192.168.10.25
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: peer behind NAT
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.131'
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[1] 192.168.10.25 #1: switched from "tunnel1-nat" to "tunnel1-nat"
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: deleting connection "tunnel1-nat" instance with peer 192.168.10.25 {isakmp=#0/ipsec=#0}
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: new NAT mapping for #1, was 192.168.10.25:500, now 192.168.10.25:4500
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: the peer proposed: 192.168.10.254/32:17/0 -> 192.168.8.131/32:17/0
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #1: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: responding to Quick Mode proposal {msgid:01000000}
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: us: vhost:?===192.168.10.254<192.168.10.254>:17/%any
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: them: 192.168.10.25[192.168.8.131]:17/1701
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 8 15:43:41 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
May 8 15:43:41 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 8 15:43:41 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x403b2214 <0x13dd2ad6 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.8.131 NATD=192.168.10.25:4500 DPD=active}
May 8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
May 8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
May 8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: received Vendor ID payload [RFC 3947]
May 8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: received Vendor ID payload [FRAGMENTATION]
May 8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
May 8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring Vendor ID payload [Vid-Initial-Contact]
May 8 15:43:55 bitch pluto[28840]: packet from 192.168.10.25:1: ignoring Vendor ID payload [IKE CGA version 1]
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: responding to Main Mode from unknown peer 192.168.10.25
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: STATE_MAIN_R1: sent MR1, expecting MI2
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 1: peer behind NAT
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: STATE_MAIN_R2: sent MR2, expecting MI3
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.8.129'
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #3: switched from "tunnel1-nat" to "tunnel1-nat"
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: new NAT mapping for #3, was 192.168.10.25:1, now 192.168.10.25:1024
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: the peer proposed: 192.168.10.254/32:17/0 -> 192.168.8.129/32:17/0
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #3: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: responding to Quick Mode proposal {msgid:01000000}
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: us: vhost:?===192.168.10.254<192.168.10.254>:17/%any
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: them: 192.168.10.25[192.168.8.129]:17/1701
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: cannot install eroute -- it is in use for "tunnel1-nat"[2] 192.168.10.25 #2
May 8 15:43:56 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: next payload type of ISAKMP Hash Payload has an unknown value: 94
May 8 15:43:56 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: malformed payload in packet
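Added here as a worked example (not from the thread and not libreswan code): a small Python checker that reads pluto log lines like the ones above and, for every "cannot install eroute" event, pairs the failing Quick Mode state with the SA it collided with and reports the NAT-OA (inner client address) of each, so an operator can see at a glance that two clients behind one NAT are competing for the same outer selector (192.168.10.25, UDP 1701). SAMPLE_LOG is a constructed four-line excerpt modelled on the attached log; the regexes assume the pluto message format shown there.

```python
import re

# Constructed excerpt modelled on the pluto log in this thread (not the full log).
SAMPLE_LOG = """\
May 8 15:43:39 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: them: 192.168.10.25[192.168.8.131]:17/1701
May 8 15:43:41 bitch pluto[28840]: "tunnel1-nat"[2] 192.168.10.25 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x403b2214 <0x13dd2ad6 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.8.131 NATD=192.168.10.25:4500 DPD=active}
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: them: 192.168.10.25[192.168.8.129]:17/1701
May 8 15:43:55 bitch pluto[28840]: "tunnel1-nat"[3] 192.168.10.25 #4: cannot install eroute -- it is in use for "tunnel1-nat"[2] 192.168.10.25 #2
"""

# Common pluto prefix: "conn"[instance] peer #state: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<st>\d+): (?P<msg>.*)$')
# Quick Mode "them:" selector: outer NAT address[NAT-OA inner address]:proto/port
THEM_RE = re.compile(r'^them: (?P<outer>[\d.]+)\[(?P<natoa>[\d.]+)\]:(?P<proto>\d+)/(?P<port>\d+)$')
# The failure itself, naming the state that already owns the eroute
EROUTE_RE = re.compile(r'^cannot install eroute -- it is in use for "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<st>\d+)$')


def analyse(log_text):
    """Return one dict per 'cannot install eroute' event, annotated with the
    NAT-OA of the new and the existing SA and, when both share the same outer
    address, protocol and port, that shared selector (the collision the
    thread is about: two L2TP clients behind one NAT, both UDP/1701)."""
    selectors = {}   # state number -> (outer, natoa, proto, port) from its 'them:' line
    conflicts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        st, msg = int(m['st']), m['msg']
        t = THEM_RE.match(msg)
        if t:
            selectors[st] = (t['outer'], t['natoa'], int(t['proto']), int(t['port']))
            continue
        e = EROUTE_RE.match(msg)
        if e:
            new, old = selectors.get(st), selectors.get(int(e['st']))
            same_outer = bool(new and old and new[0] == old[0] and new[2:] == old[2:])
            conflicts.append({
                'new_state': st, 'old_state': int(e['st']),
                'new_natoa': new[1] if new else None,
                'old_natoa': old[1] if old else None,
                'shared_outer_selector': f'{new[0]}:{new[2]}/{new[3]}' if same_outer else None,
            })
    return conflicts


if __name__ == '__main__':
    for c in analyse(SAMPLE_LOG):
        print(c)
```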