As I type, I am using 3.17 and currently have three clients all behind
the same NAT router all with active ipsec connections to two different
remote servers - and can ping both. This setup normally works fine,
although I have noticed the occasional confusion which usually requires
a NAT router reset to resolve. It could be your problem is with the
router rather than libreswan.
There's nothing clever about my setup. A mix of Ubuntu 12.04 and 14.04
with basic road warrior setups. The server sides looks like this, with
netkey and nat-traversal:
conn server-side
authby=rsasig
type=tunnel
ike=3des-sha1;modp2048
phase2alg=3des-sha1;modp2048
dpddelay=30
dpdtimeout=120
left=<my ip>
leftcert="mycert"
leftrsasigkey=%cert
leftid=%fromcert
right=%any
dpdaction=clear
rightsubnet=vhost:%no,%priv
rightrsasigkey=%cert
rightid="C=GB,ST=here,L=there,O=myorg,OU=Road Warriors,CN=*"
auto=add
Client looks like:

conn client-side
    authby=rsasig
    type=tunnel
    ike=3des-sha1;modp2048
    phase2alg=3des-sha1;modp2048
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    left=%defaultroute
    leftcert="mycert"
    leftrsasigkey=%cert
    leftid=%fromcert
    right=<my local ip>
    rightrsasigkey=%cert
    rightid="C=GB,ST=here,L=there,O=myorg,OU=Secure Web Server,CN=MyRemoteServer"
    auto=start

Hope this helps.
On 15/06/16 22:22, Schmidt, Michael M wrote:
Hi there,
I am having the exact same problem as this guy did a couple years ago.
Unfortunately it doesn't look like he received an answer.
https://lists.libreswan.org/pipermail/swan/2014/000818.html
Whenever a 2nd client connects that is behind the same public IP as
the 1st client, the 1st client can no longer route packets across the
tunnel. The IPSec connection stays connected, but pings/TCP
connections are all dropped. The 2nd client has no problem until
someone else tries to connect behind the same IP. There's nothing in
the server-side logs that indicates Libreswan notices this.
I've tried switching between auto=add and auto=route with no luck.
Played with iptables a bit. Not really sure what else to do.
I am on v3.17.
If you need more information, please let me know. I would really
appreciate some help :)
## ipsec.conf ##

config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.4.0.0/16
    protostack=netkey
    nhelpers=0
    interfaces=%defaultroute
    uniqueids=no
    plutostderrlog=/var/log/ipsec

conn shared
    left=10.4.254.10
    leftid=X.X.X.X
    right=%any
    forceencaps=yes
    authby=secret
    pfs=no
    rekey=no
    keyingtries=5
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

conn xauth-psk
    auto=route
    leftsubnet=10.4.0.0/16
    rightaddresspool=10.4.254.129-10.4.254.191
    modecfgdns1=10.4.0.10
    modecfgdns2=10.4.0.11
    modecfgdomain=X.X
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=pam
    ike-frag=yes
    ikev2=never
    cisco-unity=yes
    also=shared
## iptables ##

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [403:28020]
:OUTPUT ACCEPT [403:28020]
-A POSTROUTING -s 10.4.0.0/16 -o eth+ -j SNAT --to-source 10.4.254.10
-A POSTROUTING -s 10.4.254.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source 10.4.254.10
COMMIT

*filter
:INPUT ACCEPT [1711:674994]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2264:316654]
:f2b-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth+ -j ACCEPT
-A FORWARD -d 10.4.254.0/24 -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.4.254.0/24 -o eth+ -j ACCEPT
-A FORWARD -j DROP
-A f2b-SSH -j RETURN
COMMIT
## ipsec logs of two clients connecting from the same IP ##
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: responding to
Main Mode from unknown peer <<PUBLIC NAT IP>>
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R1:
sent MR1, expecting MI2
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: STATE_MAIN_R2:
sent MR2, expecting MI3
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: ignoring
informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jun 14 16:13:10: | ISAKMP Notification Payload
Jun 14 16:13:10: | 00 00 00 1c 00 00 00 01 01 10 60 02
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: Main mode peer
ID is ID_IPV4_ADDR: '10.32.32.55'
Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: switched from
"xauth-psk"[1] <<PUBLIC NAT IP>> to "xauth-psk"
Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: deleting
connection "xauth-psk" instance with peer <<PUBLIC NAT IP>>
{isakmp=#0/ipsec=#0}
Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: new NAT mapping
for #1, was <<PUBLIC NAT IP>>:118, now <<PUBLIC NAT IP>>:37467
Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256
integ=OAKLEY_SHA2_256 group=MODP2048}
Jun 14 16:13:10: | event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3
Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH: Sending
Username/Password request (XAUTH_R0)
Jun 14 16:13:10: XAUTH: User <<CLIENT 1>>: Attempting to login
Jun 14 16:13:10: XAUTH: pam authentication being called to
authenticate user <<CLIENT 1>>
Jun 14 16:13:11: XAUTH: User <<CLIENT 1>>: Authentication Successful
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: XAUTH:
xauth_inR1(STF_OK)
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from
state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: STATE_MAIN_R3:
sent MR3, ISAKMP SA established
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute APPLICATION_VERSION received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute MODECFG_BANNER received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute MODECFG_DOMAIN received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute CISCO_SPLIT_DNS received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute CISCO_SPLIT_INC received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute CISCO_SPLIT_EXCLUDE received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute CISCO_DO_PFS received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute CISCO_SAVE_PW received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute CISCO_FW_TYPE received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute CISCO_BACKUP_SERVER received.
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: Unsupported
modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
Jun 14 16:13:11: | We are sending '<<DOMAIN>>' as domain
Jun 14 16:13:11: | We are not sending a banner
Jun 14 16:13:11: | We are sending our subnet as CISCO_SPLIT_INC
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: modecfg_inR0(STF_OK)
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: transition from
state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1:
STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #1: the peer
proposed: 10.4.0.0/16:0/0 -> 10.4.254.129/32:0/0
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: responding to
Quick Mode proposal {msgid:1ada84a1}
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: us:
10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: them: <<PUBLIC
NAT IP>>[10.32.32.55,+MC+XC+S=C]===10.4.254.129/32
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from
state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R1:
sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode
{ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none
NATD=<<PUBLIC NAT IP>>:37467 DPD=active username=<<CLIENT 1>>}
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: transition from
state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT IP>> #2: STATE_QUICK_R2:
IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34
xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:37467
DPD=active username=<<CLIENT 1>>}
Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: max number of
retransmissions (8) reached STATE_MAIN_R2
Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>> #1: deleting state
#1 (STATE_MAIN_R2)
Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT IP>>: deleting connection
"xauth-psk" instance with peer <<PUBLIC NAT IP>> {isakmp=#0/ipsec=#0}
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: responding to
Main Mode from unknown peer <<PUBLIC NAT IP>>
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R1:
sent MR1, expecting MI2
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: STATE_MAIN_R2:
sent MR2, expecting MI3
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: ignoring
informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jun 14 16:13:29: | ISAKMP Notification Payload
Jun 14 16:13:29: | 00 00 00 1c 00 00 00 01 01 10 60 02
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: Main mode peer
ID is ID_IPV4_ADDR: '10.32.32.76'
Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT IP>> #3: switched from
"xauth-psk"[2] <<PUBLIC NAT IP>> to "xauth-psk"
Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: new NAT mapping
for #3, was <<PUBLIC NAT IP>>:57, now <<PUBLIC NAT IP>>:29518
Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256
integ=OAKLEY_SHA2_256 group=MODP2048}
Jun 14 16:13:29: | event EVENT_v1_SEND_XAUTH #3 STATE_MAIN_R3
Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH: Sending
Username/Password request (XAUTH_R0)
Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Attempting to login
Jun 14 16:13:36: XAUTH: pam authentication being called to
authenticate user <<CLIENT 2>>
Jun 14 16:13:36: XAUTH: User <<CLIENT 2>>: Authentication Successful
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: XAUTH:
xauth_inR1(STF_OK)
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from
state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: STATE_MAIN_R3:
sent MR3, ISAKMP SA established
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute APPLICATION_VERSION received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute MODECFG_BANNER received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute MODECFG_DOMAIN received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute CISCO_SPLIT_DNS received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute CISCO_SPLIT_INC received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute CISCO_SPLIT_EXCLUDE received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute CISCO_DO_PFS received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute CISCO_SAVE_PW received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute CISCO_FW_TYPE received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute CISCO_BACKUP_SERVER received.
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: Unsupported
modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
Jun 14 16:13:36: | We are sending '<<DOMAIN>>' as domain
Jun 14 16:13:36: | We are not sending a banner
Jun 14 16:13:36: | We are sending our subnet as CISCO_SPLIT_INC
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: modecfg_inR0(STF_OK)
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: transition from
state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3:
STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #3: the peer
proposed: 10.4.0.0/16:0/0 -> 10.4.254.130/32:0/0
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: responding to
Quick Mode proposal {msgid:5a4c8ec3}
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: us:
10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN PUBLIC IP>>,MS+XS+S=C]
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: them: <<PUBLIC
NAT IP>>[10.32.32.76,+MC+XC+S=C]===10.4.254.130/32
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from
state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R1:
sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode
{ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none
NATD=<<PUBLIC NAT IP>>:29518 DPD=active username=<<CLIENT 2>>}
Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: transition from
state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT IP>> #4: STATE_QUICK_R2:
IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349
xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC NAT IP>>:29518
DPD=active username=<<CLIENT 2>>}
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
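The pluto log excerpt above is hard to compare by eye once two clients share one public address. The script below is an added example, not code from either poster or from the libreswan project: it parses pluto's IKEv1 "them:", "IPsec SA established" and "deleting connection" lines, groups the established child SAs by public peer address, and checks the three things that must differ between two clients behind the same NAT for the kernel to keep their flows apart (NAT-T source port, assigned inner address, inbound SPI). It also reports whether any "deleting connection" event hit an instance that owned a live SA. The sample log is constructed from the excerpt with the lines joined back together; the addresses 203.0.113.7, the users alice and bob, and the function names are assumptions.

```python
"""Audit pluto (libreswan IKEv1) logs for clients sharing one public NAT IP.

Added example, not libreswan code. The sample below is constructed from the
thread's excerpt: placeholders replaced by documentation addresses/fake users.
"""
import re
from collections import defaultdict

# Constructed sample log (wrapped lines from the mail joined back together).
SAMPLE_LOG = """\
Jun 14 16:13:10: "xauth-psk"[1] 203.0.113.7 #1: responding to Main Mode from unknown peer 203.0.113.7
Jun 14 16:13:10: "xauth-psk"[1] 203.0.113.7 #1: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.55'
Jun 14 16:13:10: "xauth-psk"[1] 203.0.113.7 #1: switched from "xauth-psk"[1] 203.0.113.7 to "xauth-psk"
Jun 14 16:13:10: "xauth-psk"[2] 203.0.113.7 #1: new NAT mapping for #1, was 203.0.113.7:118, now 203.0.113.7:37467
Jun 14 16:13:11: "xauth-psk"[2] 203.0.113.7 #2: them: 203.0.113.7[10.32.32.55,+MC+XC+S=C]===10.4.254.129/32
Jun 14 16:13:11: "xauth-psk"[2] 203.0.113.7 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.7:37467 DPD=active username=alice}
Jun 14 16:13:14: "xauth-psk"[1] 203.0.113.7: deleting connection "xauth-psk" instance with peer 203.0.113.7 {isakmp=#0/ipsec=#0}
Jun 14 16:13:29: "xauth-psk"[2] 203.0.113.7 #3: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.76'
Jun 14 16:13:29: "xauth-psk"[3] 203.0.113.7 #3: new NAT mapping for #3, was 203.0.113.7:57, now 203.0.113.7:29518
Jun 14 16:13:36: "xauth-psk"[3] 203.0.113.7 #4: them: 203.0.113.7[10.32.32.76,+MC+XC+S=C]===10.4.254.130/32
Jun 14 16:13:37: "xauth-psk"[3] 203.0.113.7 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.7:29518 DPD=active username=bob}
"""

# Common prefix: timestamp, connection name, instance number, public peer IP.
PREFIX = r'^(?P<ts>\w+ \d+ [\d:]+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+)'
THEM_RE = re.compile(PREFIX + r' #(?P<state>\d+): them: [\d.]+\[(?P<peer_id>[^,\]]+)[^\]]*\]===(?P<inner>[\d./]+)')
SA_RE = re.compile(PREFIX + r' #(?P<state>\d+): STATE_QUICK_R2: IPsec SA established .*?'
                   r'ESP/NAT=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+).*?'
                   r'NATD=[\d.]+:(?P<port>\d+).*?username=(?P<user>[^}\s]+)')
DEL_RE = re.compile(PREFIX + r': deleting connection')


def parse_pluto_log(text):
    """Return (sas, deletions).

    sas: one dict per established child SA, joined with the preceding
    'them:' line of the same state number for peer ID and inner address.
    deletions: (timestamp, peer, instance) for each deleted connection instance.
    """
    pending_them = {}  # state number -> (peer ID, assigned inner address)
    sas, deletions = [], []
    for line in text.splitlines():
        m = THEM_RE.match(line)
        if m:
            pending_them[m['state']] = (m['peer_id'], m['inner'])
            continue
        m = SA_RE.match(line)
        if m:
            peer_id, inner = pending_them.get(m['state'], (None, None))
            sas.append({
                'ts': m['ts'], 'instance': int(m['inst']), 'state': int(m['state']),
                'peer': m['peer'], 'natt_port': int(m['port']), 'user': m['user'],
                'peer_id': peer_id, 'inner': inner,
                'spi_out': m['spi_out'], 'spi_in': m['spi_in'],
            })
            continue
        m = DEL_RE.match(line)
        if m:
            deletions.append((m['ts'], m['peer'], int(m['inst'])))
    return sas, deletions


def audit_shared_nat(sas, deletions):
    """Group SAs by public peer address and return (by_peer, findings).

    For peers with more than one SA, flag any NAT-T port, inner address or
    inbound SPI that is reused; those are what distinguish the two tunnels.
    Also flag a deletion that hit an instance still owning an IPsec SA.
    """
    findings = []
    by_peer = defaultdict(list)
    for sa in sas:
        by_peer[sa['peer']].append(sa)
    for peer, group in by_peer.items():
        if len(group) < 2:
            continue
        for field in ('natt_port', 'inner', 'spi_in'):
            values = [sa[field] for sa in group]
            if len(set(values)) != len(values):
                findings.append(f'{peer}: duplicate {field} across SAs: {values}')
    live_instances = {(sa['peer'], sa['instance']) for sa in sas}
    for ts, peer, inst in deletions:
        if (peer, inst) in live_instances:
            findings.append(f'{ts} {peer}: instance [{inst}] deleted while owning an IPsec SA')
    return by_peer, findings


if __name__ == '__main__':
    sas, dels = parse_pluto_log(SAMPLE_LOG)
    by_peer, findings = audit_shared_nat(sas, dels)
    for peer, group in by_peer.items():
        print(f'{peer}: {len(group)} SA(s)')
        for sa in group:
            print(f"  [{sa['instance']}] #{sa['state']} user={sa['user']} id={sa['peer_id']} "
                  f"inner={sa['inner']} natt_port={sa['natt_port']} spi_in={sa['spi_in']}")
    print('findings:', findings or 'none')
```

Run against the excerpt, the audit reports two SAs behind the one address with distinct ports (37467 and 29518), distinct inner addresses (.129 and .130) and distinct SPIs, and no finding: the only deletion is of instance [1], which had already been orphaned when state #1 was re-homed to instance [2]. That matches the poster's observation that the server logs show nothing wrong when the first client stops passing traffic, and narrows the search to what happens to the packets after the SAs are installed (kernel xfrm policy and the NAT rules) rather than to IKE.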