Ah, that's good news that I'm not going crazy :) If I compile from the latest github release, is there something I can help test?

Thanks for all your help and hard work. Open source XAuth implementation is awesome. I remember just struggling with L2TP issues in the past and this is a real game changer.

Matt
________________________________________
From: Paul Wouters <[email protected]>
Sent: Wednesday, June 15, 2016 3:31:27 PM
To: Schmidt, Michael M
Cc: [email protected]
Subject: Re: [Swan] Multiple clients behind the same NAT IP get dropped - IPSec / xauth

On Wed, 15 Jun 2016, Schmidt, Michael M wrote:

We are working on a fix for that using the newly added marking feature where you can set mark=%unique so that these conflicts won't cause any more problems.

Paul

> Date: Wed, 15 Jun 2016 17:22:37
> From: "Schmidt, Michael M" <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: [Swan] Multiple clients behind the same NAT IP get dropped - IPSec / xauth
>
> Hi there,
>
> I am having the exact same problem as this guy did a couple years ago. Unfortunately it doesn't look like he received an answer.
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.libreswan.org_pipermail_swan_2014_000818.html&d=DQIDAw&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=3ZEmpvXESQtWvu0aL_I4qASRFsk9V3_faih0y3kWhng&m=q9SRdfF1GxWLobaaJgGb1EPGR7DSD1c1MCBFPl4KXZI&s=dP5JaqACO0l-BEDTc0fDFagB-S-YqdYfVCz86m2FQcs&e=
>
> Whenever a 2nd client connects that is behind the same public IP as the 1st client, the 1st client can no longer route packets across the tunnel. The IPSec connection stays connected, but pings/TCP connections are all dropped. The 2nd client has no problem until someone else tries to connect behind the same IP. There's nothing in the server-side logs that indicate Libreswan notices this.
>
> I've tried switching between auto=add and auto=route with no luck. Played with iptables a bit. Not really sure what else to do.
>
> I am on v3.17
>
> If you need more information, please let me know. I would really appreciate some help :)
>
> ## ipsec.conf ##
>
> config setup
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.4.0.0/16
>     protostack=netkey
>     nhelpers=0
>     interfaces=%defaultroute
>     uniqueids=no
>     plutostderrlog=/var/log/ipsec
>
> conn shared
>     left=10.4.254.10
>     leftid=X.X.X.X
>     right=%any
>     forceencaps=yes
>     authby=secret
>     pfs=no
>     rekey=no
>     keyingtries=5
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>
> conn xauth-psk
>     auto=route
>     leftsubnet=10.4.0.0/16
>     rightaddresspool=10.4.254.129-10.4.254.191
>     modecfgdns1=10.4.0.10
>     modecfgdns2=10.4.0.11
>     modecfgdomain=X.X
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=pam
>     ike-frag=yes
>     ikev2=never
>     cisco-unity=yes
>     also=shared
>
> ## iptables ##
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [403:28020]
> :OUTPUT ACCEPT [403:28020]
> -A POSTROUTING -s 10.4.0.0/16 -o eth+ -j SNAT --to-source 10.4.254.10
> -A POSTROUTING -s 10.4.254.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source 10.4.254.10
> COMMIT
> *filter
> :INPUT ACCEPT [1711:674994]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2264:316654]
> :f2b-SSH - [0:0]
> -A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH
> -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
> -A INPUT -p udp -m udp --dport 1701 -j DROP
> -A INPUT -p udp -m udp --dport 68 -j ACCEPT
> -A FORWARD -m conntrack --ctstate INVALID -j DROP
> -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i ppp+ -o eth+ -j ACCEPT
> -A FORWARD -d 10.4.254.0/24 -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 10.4.254.0/24 -o eth+ -j ACCEPT
> -A FORWARD -j DROP
> -A f2b-SSH -j RETURN
> COMMIT
>
> ## ipsec logs of two clients connecting from the same IP ##
>
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: responding to Main Mode from unknown peer <<PUBLIC NAT IP>>
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Jun 14 16:13:10: | ISAKMP Notification Payload
> Jun 14 16:13:10: | 00 00 00 1c 00 00 00 01 01 10 60 02
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.55'
> Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: switched from "xauth-psk"[1] <<PUBLIC NAT IP>> to "xauth-psk"
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: deleting connection "xauth-psk" instance with peer <<PUBLIC NAT IP>> {isakmp=#0/ipsec=#0}
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: new NAT mapping for #1, was <<PUBLIC NAT IP>>:118, now <<PUBLIC NAT IP>>:37467
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
> Jun 14 16:13:10: | event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3
> Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH: Sending Username/Password request (XAUTH_R0)
> Jun 14 16:13:10: XAUTH: User <<CLIENT 1>>: Attempting to login
> Jun 14 16:13:10: XAUTH: pam authentication being called to authenticate user <<CLIENT 1>>
> Jun 14 16:13:11: XAUTH: User <<CLIENT 1>>: Authentication Successful
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH: xauth_inR1(STF_OK)
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute APPLICATION_VERSION received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute MODECFG_BANNER received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute MODECFG_DOMAIN received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_DO_PFS received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_SAVE_PW received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_FW_TYPE received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
> Jun 14 16:13:11: | We are sending '<<DOMAIN>>' as domain
> Jun 14 16:13:11: | We are not sending a banner
> Jun 14 16:13:11: | We are sending our subnet as CISCO_SPLIT_INC
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: modecfg_inR0(STF_OK)
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: the peer proposed: 10.4.0.0/16:0/0 -> 10.4.254.129/32:0/0
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: responding to Quick Mode proposal {msgid:1ada84a1}
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: us: 10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: them: <<PUBLIC NAT IP>>[10.32.32.55,+MC+XC+S=C]===10.4.254.129/32
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:37467 DPD=active username=<<CLIENT 1>>}
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:37467 DPD=active username=<<CLIENT 1>>}
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: max number of retransmissions (8) reached STATE_MAIN_R2
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: deleting state #1 (STATE_MAIN_R2)
> Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>>: deleting connection "xauth-psk" instance with peer <<PUBLIC NAT IP>> {isakmp=#0/ipsec=#0}
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: responding to Main Mode from unknown peer <<PUBLIC NAT IP>>
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R2: sent MR2, expecting MI3
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Jun 14 16:13:29: | ISAKMP Notification Payload
> Jun 14 16:13:29: | 00 00 00 1c 00 00 00 01 01 10 60 02
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.76'
> Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: switched from "xauth-psk"[2] <<PUBLIC NAT IP>> to "xauth-psk"
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: new NAT mapping for #3, was <<PUBLIC NAT IP>>:57, now <<PUBLIC NAT IP>>:29518
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
> Jun 14 16:13:29: | event EVENT_v1_SEND_XAUTH #3 STATE_MAIN_R3
> Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH: Sending Username/Password request (XAUTH_R0)
> Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Attempting to login
> Jun 14 16:13:36: XAUTH: pam authentication being called to authenticate user <<CLIENT 2>>
> Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Authentication Successful
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH: xauth_inR1(STF_OK)
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute APPLICATION_VERSION received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute MODECFG_BANNER received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute MODECFG_DOMAIN received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_DO_PFS received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_SAVE_PW received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_FW_TYPE received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
> Jun 14 16:13:36: | We are sending '<<DOMAIN>>' as domain
> Jun 14 16:13:36: | We are not sending a banner
> Jun 14 16:13:36: | We are sending our subnet as CISCO_SPLIT_INC
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: modecfg_inR0(STF_OK)
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: the peer proposed: 10.4.0.0/16:0/0 -> 10.4.254.130/32:0/0
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: responding to Quick Mode proposal {msgid:5a4c8ec3}
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: us: 10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: them: <<PUBLIC NAT IP>>[10.32.32.76,+MC+XC+S=C]===10.4.254.130/32
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:29518 DPD=active username=<<CLIENT 2>>}
> Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:29518 DPD=active username=<<CLIENT 2>>}
>

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
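As an added example (not from this thread or the libreswan project), a small Python checker that scans pluto log lines in the format quoted above and reports public addresses behind which more than one XAUTH user holds an established IPsec SA, which on a release without mark=%unique is the situation Michael describes. The sample lines are constructed from the quoted log, with the <<PUBLIC NAT IP>> and <<CLIENT n>> placeholders replaced by documentation addresses and made-up usernames.

```python
import re
from collections import defaultdict

# Constructed sample lines in the pluto log format quoted in the thread.
# <<PUBLIC NAT IP>> and <<CLIENT n>> are replaced with RFC 5737 addresses
# and made-up usernames; SPIs and NAT ports are copied from the thread.
SAMPLE_LOG = """\
Jun 14 16:13:10: "xauth-psk"[2] 203.0.113.5 #1: new NAT mapping for #1, was 203.0.113.5:118, now 203.0.113.5:37467
Jun 14 16:13:11: "xauth-psk"[2] 203.0.113.5 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.5:37467 DPD=active username=alice}
Jun 14 16:13:14: "xauth-psk"[1] 203.0.113.5: deleting connection "xauth-psk" instance with peer 203.0.113.5 {isakmp=#0/ipsec=#0}
Jun 14 16:13:37: "xauth-psk"[3] 203.0.113.5 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.5:29518 DPD=active username=bob}
Jun 14 16:14:02: "xauth-psk"[4] 198.51.100.9 #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0a0b0c0d <0x01020304 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=198.51.100.9:4500 DPD=active username=carol}
Jun 14 16:20:15: "xauth-psk"[4] 198.51.100.9 #8: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0a0b0c0e <0x01020305 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=198.51.100.9:4500 DPD=active username=carol}
"""

# One "IPsec SA established" line per child SA. NATD carries the peer's
# public address:port as seen after NAT, username the XAUTH identity.
ESTABLISHED = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) '
    r'#(?P<sa>\d+): STATE_QUICK_R2: IPsec SA established .*?NATD=(?P<natd>\S+) '
    r'.*?username=(?P<user>[^}\s]+)'
)


def find_shared_nat(log_text):
    """Map each public peer address to the clients that established an IPsec
    SA behind it, keeping only addresses shared by more than one distinct
    username. Rekeys or reconnects by the same user (carol above) are not
    flagged, since that is not the two-clients-behind-one-NAT case."""
    per_peer = defaultdict(list)
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            port = m.group("natd").rsplit(":", 1)[1]
            per_peer[m.group("peer")].append((m.group("user"), port, int(m.group("sa"))))
    return {peer: c for peer, c in per_peer.items() if len({u for u, _, _ in c}) > 1}


if __name__ == "__main__":
    for peer, clients in find_shared_nat(SAMPLE_LOG).items():
        users = ", ".join(f"{u} (NAT port {p}, SA #{sa})" for u, p, sa in clients)
        print(f"{peer}: {len(clients)} clients behind one NAT: {users}")
```

Run against the real log (replace SAMPLE_LOG with the contents of plutostderrlog) a hit tells you which users share a NAT address and are therefore exposed to the conflict the thread describes.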
