On Wed, 15 Jun 2016, Schmidt, Michael M wrote:

We are working on a fix for that using the newly added marking feature
where you can set mark=%unique so that these conflicts won't cause any
more problems.

Paul

Date: Wed, 15 Jun 2016 17:22:37
From: "Schmidt, Michael M" <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [Swan] Multiple clients behind the same NAT IP get dropped - IPSec / xauth


Hi there,


I am having the exact same problem as this guy did a couple years ago. Unfortunately it doesn't look like he received an answer.


https://lists.libreswan.org/pipermail/swan/2014/000818.html


Whenever a 2nd client connects that is behind the same public IP as the 1st client, the 1st client can no longer route packets across the tunnel. The IPSec connection stays connected, but pings/TCP connections are all dropped. The 2nd client has no problem until someone else tries to connect behind the same IP. There's nothing in the server-side logs that indicate Libreswan notices this.


I've tried switching between auto=add and auto=route with no luck. Played with iptables a bit. Not really sure what else to do.


I am on v3.17


If you need more information, please let me know. I would really appreciate some help :)


## ipsec.conf ##


config setup
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.4.0.0/16
  protostack=netkey
  nhelpers=0
  interfaces=%defaultroute
  uniqueids=no
  plutostderrlog=/var/log/ipsec

conn shared
  left=10.4.254.10
  leftid=X.X.X.X
  right=%any
  forceencaps=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear

conn xauth-psk
  auto=route
  leftsubnet=10.4.0.0/16
  rightaddresspool=10.4.254.129-10.4.254.191
  modecfgdns1=10.4.0.10
  modecfgdns2=10.4.0.11
  modecfgdomain=X.X
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=pam
  ike-frag=yes
  ikev2=never
  cisco-unity=yes
  also=shared

## iptables ##

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [403:28020]
:OUTPUT ACCEPT [403:28020]
-A POSTROUTING -s 10.4.0.0/16 -o eth+ -j SNAT --to-source 10.4.254.10
-A POSTROUTING -s 10.4.254.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source 10.4.254.10
COMMIT
*filter
:INPUT ACCEPT [1711:674994]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2264:316654]
:f2b-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
-A FORWARD -d 10.4.254.0/24 -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.4.254.0/24 -o eth+ -j ACCEPT
-A FORWARD -j DROP
-A f2b-SSH -j RETURN
COMMIT


## ipsec logs of two clients connecting from the same IP ##

Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: responding to Main Mode from unknown peer <<PUBLIC NAT IP>>
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jun 14 16:13:10: | ISAKMP Notification Payload
Jun 14 16:13:10: |   00 00 00 1c  00 00 00 01  01 10 60 02
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.55'
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: switched from "xauth-psk"[1] <<PUBLIC NAT IP>> to "xauth-psk"
Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: deleting connection "xauth-psk" instance with peer <<PUBLIC NAT IP>> {isakmp=#0/ipsec=#0}
Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: new NAT mapping for #1, was <<PUBLIC NAT IP>>:118, now <<PUBLIC NAT IP>>:37467
Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
Jun 14 16:13:10: | event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3
Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH: Sending Username/Password request (XAUTH_R0)
Jun 14 16:13:10: XAUTH: User <<CLIENT 1>>: Attempting to login
Jun 14 16:13:10: XAUTH: pam authentication being called to authenticate user <<CLIENT 1>>
Jun 14 16:13:11: XAUTH: User <<CLIENT 1>>: Authentication Successful
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH: xauth_inR1(STF_OK)
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute APPLICATION_VERSION received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute MODECFG_BANNER received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute MODECFG_DOMAIN received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_DO_PFS received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SAVE_PW received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_FW_TYPE received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
Jun 14 16:13:11: | We are sending '<<DOMAIN>>' as domain
Jun 14 16:13:11: | We are not sending a banner
Jun 14 16:13:11: | We are sending our subnet as CISCO_SPLIT_INC
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: modecfg_inR0(STF_OK)
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: the peer proposed: 10.4.0.0/16:0/0 -> 10.4.254.129/32:0/0
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: responding to Quick Mode proposal {msgid:1ada84a1}
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2:     us: 10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2:   them: <<PUBLIC NAT IP>>[10.32.32.55,+MC+XC+S=C]===10.4.254.129/32
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:37467 DPD=active username=<<CLIENT 1>>}
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:37467 DPD=active username=<<CLIENT 1>>}
Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: max number of retransmissions (8) reached STATE_MAIN_R2
Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: deleting state #1 (STATE_MAIN_R2)
Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>>: deleting connection "xauth-psk" instance with peer <<PUBLIC NAT IP>> {isakmp=#0/ipsec=#0}
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: responding to Main Mode from unknown peer <<PUBLIC NAT IP>>
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jun 14 16:13:29: | ISAKMP Notification Payload
Jun 14 16:13:29: |   00 00 00 1c  00 00 00 01  01 10 60 02
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.76'
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: switched from "xauth-psk"[2] <<PUBLIC NAT IP>> to "xauth-psk"
Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: new NAT mapping for #3, was <<PUBLIC NAT IP>>:57, now <<PUBLIC NAT IP>>:29518
Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
Jun 14 16:13:29: | event EVENT_v1_SEND_XAUTH #3 STATE_MAIN_R3
Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH: Sending Username/Password request (XAUTH_R0)
Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Attempting to login
Jun 14 16:13:36: XAUTH: pam authentication being called to authenticate user <<CLIENT 2>>
Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Authentication Successful
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH: xauth_inR1(STF_OK)
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute APPLICATION_VERSION received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute MODECFG_BANNER received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute MODECFG_DOMAIN received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_DO_PFS received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SAVE_PW received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_FW_TYPE received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
Jun 14 16:13:36: | We are sending '<<DOMAIN>>' as domain
Jun 14 16:13:36: | We are not sending a banner
Jun 14 16:13:36: | We are sending our subnet as CISCO_SPLIT_INC
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: modecfg_inR0(STF_OK)
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: the peer proposed: 10.4.0.0/16:0/0 -> 10.4.254.130/32:0/0
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: responding to Quick Mode proposal {msgid:5a4c8ec3}
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4:     us: 10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4:   them: <<PUBLIC NAT IP>>[10.32.32.76,+MC+XC+S=C]===10.4.254.130/32
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:29518 DPD=active username=<<CLIENT 2>>}
Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:29518 DPD=active username=<<CLIENT 2>>}
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
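As an added illustration for this thread (not code from the thread or from the libreswan project), the script below does two things an operator hitting this problem would want to do. First, it parses pluto "IPsec SA established" lines in the format shown above and reports every public NAT address that has more than one live tunnel behind it, which is exactly the situation the report describes (two SAs, two NAT-T ports, two pool addresses, one peer IP). Second, it reads a minimal ipsec.conf, resolves also=, and flags active road-warrior conns that lack the mark=%unique setting Paul points to. The sample log lines and config are constructed (203.0.113.5 and 198.51.100.9 are documentation addresses standing in for the thread's <<PUBLIC NAT IP>>, the user names are made up), and the mark=%unique check is a heuristic based on the reply, not a check libreswan itself performs.

```python
import re
from collections import defaultdict

# Constructed sample pluto lines modelled on the thread's output: two clients
# behind one NAT address plus a third client elsewhere. Addresses are from the
# documentation ranges and the user names are invented.
SAMPLE_LOG = """\
Jun 14 16:13:11: "xauth-psk"[2] 203.0.113.5 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.5:37467 DPD=active username=client1}
Jun 14 16:13:14: "xauth-psk"[1] 203.0.113.5 #1: deleting state #1 (STATE_MAIN_R2)
Jun 14 16:13:37: "xauth-psk"[3] 203.0.113.5 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.5:29518 DPD=active username=client2}
Jun 14 16:15:02: "xauth-psk"[4] 198.51.100.9 #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0a1b2c3d <0x4e5f6a7b xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=198.51.100.9:4500 DPD=active username=client3}
"""

# One line per established tunnel in the 3.17-era format quoted in the thread;
# the {...} body is a run of space-separated key=value attributes.
SA_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): '
    r'STATE_QUICK_R2: IPsec SA established tunnel mode \{(?P<attrs>[^}]*)\}'
)


def parse_established_sas(log_text):
    """Return one dict per established IPsec SA found in the log text."""
    sas = []
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        attrs = dict(tok.split("=", 1) for tok in m.group("attrs").split() if "=" in tok)
        nat_ip, _, nat_port = attrs.get("NATD", "").rpartition(":")  # NATD=ip:port
        sas.append({"conn": m.group("conn"), "instance": int(m.group("inst")),
                    "state": int(m.group("state")), "peer": m.group("peer"),
                    "nat_ip": nat_ip, "nat_port": nat_port,
                    "user": attrs.get("username", "")})
    return sas


def sas_sharing_nat_ip(sas):
    """Group SAs by public NAT address; keep only addresses carrying >1 tunnel."""
    by_ip = defaultdict(list)
    for sa in sas:
        if sa["nat_ip"]:
            by_ip[sa["nat_ip"]].append(sa)
    return {ip: group for ip, group in by_ip.items() if len(group) > 1}


# Constructed ipsec.conf fragment in the shape of the thread's config.
SAMPLE_CONF = """\
conn shared
  left=10.4.254.10
  right=%any
  authby=secret

conn xauth-psk
  auto=route
  leftsubnet=10.4.0.0/16
  rightaddresspool=10.4.254.129-10.4.254.191
  xauthby=pam
  also=shared
"""
SAMPLE_CONF_FIXED = SAMPLE_CONF.replace("  also=shared", "  mark=%unique\n  also=shared")


def parse_conns(conf_text):
    """Minimal ipsec.conf reader: 'conn NAME' headers, indented key=value lines."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: a section header
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current is not None:
                conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def resolved_conn(name, conns, seen=()):
    """Merge also= sections in; the conn's own settings win over included ones."""
    own = conns.get(name, {})
    merged = {}
    for other in own.get("also", "").split():
        if other not in seen:
            merged.update(resolved_conn(other, conns, seen + (name,)))
    merged.update(own)
    return merged


def conns_missing_unique_mark(conf_text):
    """Active road-warrior conns (right=%any or an address pool) lacking mark=%unique.
    Heuristic (assumption) derived from the reply in the thread, not a libreswan check."""
    conns = parse_conns(conf_text)
    flagged = []
    for name in conns:
        c = resolved_conn(name, conns)
        if c.get("auto", "ignore") == "ignore":  # template / never-loaded conn
            continue
        roadwarrior = c.get("right") == "%any" or "rightaddresspool" in c
        if roadwarrior and c.get("mark") != "%unique":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for ip, group in sas_sharing_nat_ip(parse_established_sas(SAMPLE_LOG)).items():
        users = ", ".join(f"{s['user']} (NAT-T port {s['nat_port']}, #{s['state']})" for s in group)
        print(f"{ip}: {len(group)} tunnels share this NAT address: {users}")
    print("conns lacking mark=%unique:", conns_missing_unique_mark(SAMPLE_CONF))
```

Run against a real /var/log/ipsec (the plutostderrlog path in the config above) the grouping shows which peers are in the situation the thread describes before anyone reports dropped pings; the config check is a quick audit after applying the suggested mark=%unique change.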