Hi,

I really hope we can get some help: we are trying to set up a subnet-to-subnet Libreswan-based IPsec connection between two sites of ours, but we are having problems with it. We can get it to start up and working for a while (the time varies from a few minutes to hours). I hope someone will help review the config and log and come with suggestions.

First a simple network diagram of the setup can be seen here: https://www.evernote.com/l/AR8bgtmQgg5B0oT3ZWWdgQ2DL5_I-I7HqKA

I figure that might make it easier to understand the setup. As you can see, we operate with two private subnets, one on each side. Below are the Libreswan configs from the left and right side (edited only so that the public IPs are not visible and the keys are not shown in full):


LEFT:

--- BEGIN ---
conn adsubnets
    also=sj-dtu-tunnel
    leftsubnet=172.16.1.0/24
    leftsourceip=172.16.1.253
    rightsubnet=172.16.0.0/24
    rightsourceip=172.16.0.253
    forceencaps=yes
    nat-keepalive=yes

conn sj-dtu-tunnel
    leftid=@SJ
    left=192.168.3.212
    leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
    rightid=@DTU
    right=77.X.X.X
    rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
    authby=rsasig
    # load and initiate automatically
    auto=start
--- END ---

The default gw of this machine is 192.168.3.254


RIGHT:


--- BEGIN ---
conn adsubnets
    also=sj-dtu-tunnel
    leftsubnet=172.16.1.0/24
    leftsourceip=172.16.1.253
    rightsubnet=172.16.0.0/24
    rightsourceip=172.16.0.253
    forceencaps=yes
    nat-keepalive=yes

conn sj-dtu-tunnel
    leftid=@SJ
    left=70.X.X.X
    leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
    rightid=@DTU
    right=192.168.13.238
    rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
    authby=rsasig
    # load and initiate automatically
    auto=start
--- END ---

The default gw of this machine is 192.168.13.254

We have made iptables rules so UDP ports 4500 and 500 can pass all the way, of course in both directions. Both IPsec routers are running CentOS 7, and we have installed your latest version 3.16-1 (we first tried 3.15, which ships with CentOS, and had the same failure with that).

Below is some log from the left side machine, where I have included lines from around where it stops working and starts working again. We monitor with ping to see when it stops working, and it is not because the internet connection between the two sides is unavailable.

Anything we are missing? Any input will be highly appreciated.

Also please let me know if you need more information from me.


Thanks.

Best Regards

Jacob Vind.


Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #4 {using isakmp#14 msgid:ae9942a9 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf21e014b <0x9a31be7b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}

Feb  9 13:32 PING TO OTHER SIDE STOPS RESPONDING

Feb 9 13:33:15 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #2 {using isakmp#14 msgid:ae8e6273 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x0aeaae7f <0x277fbba9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}

Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #15 {using isakmp#25 msgid:f0fa5ae3 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf2072842 <0x93cdf1ba xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}

Feb  9 21:12 PING TO OTHER SIDE STARTS RESPONDING


Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #16 {using isakmp#25 msgid:57db7cff proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x8d372f11 <0xb0f75aac xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}

Feb  9 21:16 PING TO OTHER SIDE STOPS RESPONDING
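One way to review a log like the one above, as an added example that is not part of the original post or of Libreswan: a small Python script that parses pluto's "IPsec SA established" lines together with the ping markers and reports which conn's rekey sits just before and just after each change in reachability. It assumes a syslog year (pluto's timestamps carry none) and uses the lines quoted in the post as constructed sample input.

```python
import re
from datetime import datetime

# Constructed sample assembled from the pluto lines and ping markers quoted
# in the post above; the year is assumed (syslog timestamps carry none).
SAMPLE_LOG = """\
Feb 9 13:29:38 adrouter01-sj pluto[3245]: "mysubnet" #15: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf21e014b <0x9a31be7b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb  9 13:32 PING TO OTHER SIDE STOPS RESPONDING
Feb 9 13:33:16 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x0aeaae7f <0x277fbba9 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb 9 21:12:04 adrouter01-sj pluto[3245]: "mysubnet" #26: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf2072842 <0x93cdf1ba xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb  9 21:12 PING TO OTHER SIDE STARTS RESPONDING
Feb 9 21:16:02 adrouter01-sj pluto[3245]: "sj-dtu-tunnel" #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x8d372f11 <0xb0f75aac xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= 77.X.X.X:4500 DPD=passive}
Feb  9 21:16 PING TO OTHER SIDE STOPS RESPONDING
"""

SA_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): '
                   r'.*IPsec SA established.*ESP/NAT=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')
PING_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d(?::\d\d)?) PING TO OTHER SIDE (STOPS|STARTS)')

def parse_ts(text, year=2016):
    text = re.sub(r'\s+', ' ', text)            # "Feb  9" and "Feb 9" both occur
    fmt = '%b %d %H:%M:%S' if text.count(':') == 2 else '%b %d %H:%M'
    return datetime.strptime(text, fmt).replace(year=year)

def parse_events(log):
    """Split the log into IPsec SA establishments (with SPIs) and ping markers."""
    sas, markers = [], []
    for line in log.splitlines():
        if m := SA_RE.match(line):
            sas.append({'ts': parse_ts(m[1]), 'conn': m[2], 'sa': int(m[3]),
                        'out_spi': m[4], 'in_spi': m[5]})
        elif m := PING_RE.match(line):
            markers.append({'ts': parse_ts(m[1]), 'state': m[2]})
    return sas, markers

def correlate(sas, markers):
    """Per ping state change: last SA established at/before it and first one after,
    each as (conn, sa, gap_seconds). Minute-only markers count as hh:mm:00."""
    report = []
    for mk in markers:
        gap = lambda s: int(abs((s['ts'] - mk['ts']).total_seconds()))
        before = [s for s in sas if s['ts'] <= mk['ts']]
        after = [s for s in sas if s['ts'] > mk['ts']]
        entry = {'state': mk['state'], 'at': mk['ts'].strftime('%b %d %H:%M')}
        if before:
            entry['prev'] = (before[-1]['conn'], before[-1]['sa'], gap(before[-1]))
        if after:
            entry['next'] = (after[0]['conn'], after[0]['sa'], gap(after[0]))
        report.append(entry)
    return report
```

Feed it the full pluto log (`correlate(*parse_events(open(path).read()))`) after adding your own ping markers, and each reachability change comes out bracketed by the SA establishments around it, which is what a reviewer wants to see before suspecting a particular conn's rekey.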

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan