On Wed, 19 Jul 2017, huajiguosy wrote:
> I have a single Road Warrior successfully connecting to a Libreswan gateway
> and communicating to the subnet behind the gateway securely. That roadwarrior
> is behind a firewall allowing all outbound port traffic and using NAT. So my
> roadwarrior has an IP address of 10.0.0.18. When another roadwarrior happens
> to be behind someone else's firewall and happens to get 10.0.0.18 also, then
> we will get the following error: "route to peer's client conflicts with
> "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free
> the route".
> Detail logs are pasted below.
The easiest fix is to use rightaddresspool= on the server and give each
client a unique IP address.
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates
Ahh I see you already have that:
>     protostack=netkey
>     nhelpers=0
>     interfaces=%defaultroute
>     uniqueids=no
But you have uniqueids=no, which interferes. Upgrade to 3.20 or 3.21 and
do not set uniqueids= as it is handling this for PSK automatically as
of libreswan 3.20
It might also help if you use a separate leftid= for the l2tp-psk and
the xauth-psk conns, so pluto can more quickly determine to switch to
the right connection.
Note that it might not fully fix your l2tp-psk conn running into this
issue and that logging of the connection name might not yet be accurate
when this happens. If that is the case, a workaround would be a second
IP on the server so that l2tp-psk and xauth-psk connect to a different
IP address.
Paul
> conn shared
>     left=%defaultroute
>     leftid=188.166.132.41
>     right=%any
>     encapsulation=yes
>     authby=secret
>     pfs=no
>     rekey=no
>     keyingtries=5
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
>     phase2alg=3des-sha1,aes-sha1,aes-sha2
>     sha2-truncbug=yes
>
> conn l2tp-psk
>     auto=add
>     leftprotoport=17/1701
>     rightprotoport=17/%any
>     type=transport
>     phase2=esp
>     also=shared
>
> conn xauth-psk
>     auto=add
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=172.18.0.10-172.18.255.250
>     modecfgdns1=8.8.8.8
>     modecfgdns2=8.8.4.4
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=file
>     ike-frag=yes
>     ikev2=never
>     cisco-unity=yes
>     also=shared
> # ipsec verify
> Verifying installed system and configuration files
> Version check and ipsec on-path [OK]
> Libreswan 3.19 (netkey) on 4.4.70+
> Checking for IPsec support in kernel [OK]
> NETKEY: Testing XFRM related proc values
> ICMP default/send_redirects [OK]
> ICMP default/accept_redirects [OK]
> XFRM larval drop [OK]
> Pluto ipsec.conf syntax [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for IKE/NAT-T on udp 4500 [OK]
> Pluto ipsec.secret syntax [OK]
> Checking 'ip' command [OK]
> Checking 'iptables' command [OK]
> Checking 'prelink' command does not interfere with FIPS [OK]
> Checking for obsolete ipsec.conf options [OK]
>
> # uname -a
> Linux ubuntu-1gb-01 4.4.0-83 #1 SMP Mon Jul 17 15:58:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
> Detail logs:
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: responding to Main Mode from unknown peer 117.62.189.148
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: STATE_MAIN_R1: sent MR1, expecting MI2
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: STATE_MAIN_R2: sent MR2, expecting MI3
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.18'
> pluto[20462]: "xauth-psk"[4871] 117.62.189.148 #7866: switched from "xauth-psk"[4871] 117.62.189.148 to "xauth-psk"
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: deleting connection "xauth-psk"[4871] 117.62.189.148 instance with peer 117.62.189.148 {isakmp=#0/ipsec=#0}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: new NAT mapping for #7866, was 117.62.189.148:500, now 117.62.189.148:4500
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: XAUTH: Sending Username/Password request (XAUTH_R0)
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: discarding duplicate packet; already STATE_XAUTH_R0
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: XAUTH: xauth_inR1(STF_OK)
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute INTERNAL_ADDRESS_EXPIRY received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute APPLICATION_VERSION received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute MODECFG_BANNER received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute MODECFG_DOMAIN received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_DO_PFS received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_SAVE_PW received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_FW_TYPE received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: modecfg_inR0(STF_OK)
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7866: the peer proposed: 0.0.0.0/0:0/0 -> 172.18.0.21/32:0/0
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: responding to Quick Mode proposal {msgid:5ae99982}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: us: 0.0.0.0/0===128.199.157.10[MS+XS+S=C]
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: them: 117.62.189.148[10.0.0.18,+MC+XC+S=C]===172.18.0.21/32
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: route to peer's client conflicts with "xauth-psk"[2617] 122.96.85.17 122.96.85.17; releasing old connection to free the route
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: deleting connection "xauth-psk"[2617] 122.96.85.17 instance with peer 122.96.85.17 {isakmp=#7859/ipsec=#7858}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x0c0ed20e <0x40311fdc xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=117.62.189.148:4500 DPD=active username=pcM5VrKyZ5nFoMh0em9A8RjZHtAw9GMkFy8QzlDdMzUE5hwZsT99wXtygCyRvHF/VwAJMv/b6ygydCfsMMCXIDVJOMsa7y5PA/US/3pj+aU=}
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: Warning: XAUTH username changed from '' to ''
> pluto[20462]: message repeated 2 times: [ "xauth-psk"[4873] 117.62.189.148 #7871: Warning: XAUTH username changed from '' to '']
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> pluto[20462]: "xauth-psk"[4873] 117.62.189.148 #7871: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0c0ed20e <0x40311fdc xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=117.62.189.148:4500 DPD=active username=pcM5VrKyZ5nFoMh0em9A8RjZHtAw9GMkFy8QzlDdMzUE5hwZsT99wXtygCyRvHF/VwAJMv/b6ygydCfsMMCXIDVJOMsa7y5PA/US/3pj+aU=}
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
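An added example (my own code, not from the thread or the Libreswan project) that checks an ipsec.conf for the three things the reply calls out: uniqueids=no on a pluto older than 3.20, an XAUTH server conn without rightaddresspool=, and the l2tp-psk and xauth-psk conns sharing one leftid. SAMPLE_CONF is a constructed, cut-down stand-in for the poster's config, and the running version is passed in by hand since the script does not query pluto.

```python
# Added example, not from the thread: lint an ipsec.conf for the pitfalls raised above.
# SAMPLE_CONF is a constructed stand-in modelled on the poster's config, not the real file.
SAMPLE_CONF = """config setup
    uniqueids=no
conn shared
    leftid=188.166.132.41
conn l2tp-psk
    auto=add
    leftprotoport=17/1701
    also=shared
conn xauth-psk
    auto=add
    leftxauthserver=yes
    rightaddresspool=172.18.0.10-172.18.255.250
    also=shared
"""

def parse_conf(text):
    # {section: {key: value}}; 'config setup' is stored under the name "setup"
    sections, cur = {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line == "config setup" or line.startswith("conn "):
            cur = "setup" if line == "config setup" else line.split(None, 1)[1]
            sections[cur] = {}
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            sections[cur][key.strip()] = val.strip()
    return sections

def resolve(sections, name):
    # One level of also= inheritance (all the poster's config uses); own keys win
    conn = dict(sections.get(name, {}))
    return {**sections.get(conn.pop("also", None), {}), **conn}

def lint(text, version=(3, 19)):
    # Findings mirror the reply's advice; version is the running libreswan version
    s, findings, leftids = parse_conf(text), [], {}
    if s.get("setup", {}).get("uniqueids") == "no" and version < (3, 20):
        findings.append("uniqueids=no set; upgrade to 3.20+ and drop the setting")
    for name in s:
        conn = resolve(s, name)
        if "auto" not in conn:  # skips 'config setup' and also= templates
            continue
        if conn.get("leftxauthserver") == "yes" and "rightaddresspool" not in conn:
            findings.append(f"{name}: XAUTH server conn without rightaddresspool=")
        leftids.setdefault(conn.get("leftid"), []).append(name)
    for lid, names in leftids.items():
        if lid and len(names) > 1:
            findings.append(f"leftid={lid} shared by {', '.join(names)}")
    return findings
```

On the sample it reports the uniqueids=no setting and the shared leftid; with version=(3, 20) only the shared leftid remains.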