This is the first time I have used Libreswan, so if I misunderstand anything, please let me know. I am attempting to set up something similar to a roadwarriors configuration. It looks like this:

mobile client <-----> NAT (dynamic IP) <-------- Internet --------> (static IP) NAT <---------> server <--------> internal gateway <--------> internal networks

My goal is to have the mobile client be able to communicate with the multiple internal networks by utilizing static routes. So far I have only been successful getting the client to be able to talk to one internal network at a time. I haven't had any authentication issues. I have been configuring Libreswan using a combination of two samples to utilize VTIs. In particular I have been referencing a Libreswan wiki ( https://libreswan.org/wiki/Route-based_VPN_using_VTI ) and a RHEL roadwarriors sample ( https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks#Road_Warrior_Application_Using_Libreswan ). I am attempting to do this on CentOS 7.4 for both client and server with libreswan-3.20-3.el7.x86_64 and iproute-3.10.0-87.el7.x86_64. Also worth mentioning is that I am attempting to get this configuration working with both SELinux enforcing and FIPS mode enabled.

Here is the configuration I have:

Server:

    conn roadwarriors2
        ikev2=insist
        fragmentation=yes
        left=192.168.9.11
        leftsubnets={192.168.2.0/24 192.168.3.0/24 192.168.9.0/24}
        leftcert=server
        leftid=external_static_ip #real IP removed
        leftxauthserver=yes
        leftmodecfgserver=yes
        right=%any
        rightca=%same
        rightaddresspool=192.168.9.12-192.168.9.14
        rightsubnet=192.168.9.0/24
        modecfgdns1=192.168.2.15
        rightxauthclient=yes
        rightmodecfgclient=yes
        authby=rsasig
        auto=add
        dpddelay=30
        dpdtimeout=120
        mark=12/0xffffffff
        leftvti=192.168.9.11/24
        vti-interface=vti9
        vti-routing=yes
        vti-shared=no

Client:

    conn to-vpn-server2
        ikev2=insist
        left=%defaultroute
        leftcert=client
        leftid=%fromcert
        leftmodecfgclient=yes
        right=domain.tld #where domain.tld resolves to the external_static_IP above
        rightsubnet=0.0.0.0/0
        rightca=%same
        authby=rsasig
        narrowing=yes
        auto=start
        mark=5/0xffffffff
        vti-interface=vti9
        vti-routing=yes
        vti-shared=no

I have been adding static routes on the client after the VPN is made (e.g. ip route add 192.168.3.0/24 dev vti9). It appears to be the case that whatever network is listed first under the leftsubnets directive on the server is the only network the client can communicate with. Furthermore, if I sniff the traffic on the client's VTI interface, I don't see any pings when I attempt to ping a host on one of the other networks listed later in the leftsubnets directive, which suggests to me that I have misconfigured Libreswan, which is in turn not allowing that traffic to traverse the VPN. Sorry if this is too verbose, but here are the logs with some of the addresses/identifiers obfuscated.
Server logs:

Oct 25 07:57:46 server pluto[14961]: FIPS Product: YES
Oct 25 07:57:46 server pluto[14961]: FIPS Kernel: YES
Oct 25 07:57:46 server pluto[14961]: FIPS Mode: YES
Oct 25 07:57:46 server pluto[14961]: NSS DB directory: sql:/etc/ipsec.d
Oct 25 07:57:46 server pluto[14961]: Initializing NSS
Oct 25 07:57:46 server pluto[14961]: Opening NSS database "sql:/etc/ipsec.d" read-only
Oct 25 07:57:46 server pluto[14961]: NSS initialized
Oct 25 07:57:46 server pluto[14961]: NSS crypto library initialized
Oct 25 07:57:46 server pluto[14961]: FIPS HMAC integrity support [enabled]
Oct 25 07:57:46 server pluto[14961]: FIPS mode enabled for pluto daemon
Oct 25 07:57:46 server pluto[14961]: NSS library is running in FIPS mode
Oct 25 07:57:46 server pluto[14961]: FIPS HMAC integrity verification self-test passed
Oct 25 07:57:46 server pluto[14961]: libcap-ng support [enabled]
Oct 25 07:57:46 server pluto[14961]: Linux audit support [enabled]
Oct 25 07:57:46 server pluto[14961]: Linux audit activated
Oct 25 07:57:46 server pluto[14961]: Starting Pluto (Libreswan Version 3.20 XFRM(netkey) KLIPS USE_FORK USE_PTHREAD_SETSCHEDPRIO NSS USE_SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:14961
Oct 25 07:57:46 server pluto[14961]: core dump dir: /var/run/pluto/
Oct 25 07:57:46 server pluto[14961]: secrets file: /etc/ipsec.secrets
Oct 25 07:57:46 server pluto[14961]: leak-detective enabled
Oct 25 07:57:46 server pluto[14961]: NSS crypto [enabled]
Oct 25 07:57:46 server pluto[14961]: XAUTH PAM support [enabled]
Oct 25 07:57:46 server pluto[14961]: NAT-Traversal support [enabled]
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm camellia_ctr: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm camellia: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm serpent: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm twofish: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm twofish_ssh: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm cast: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT algorithm null: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: HASH algorithm md5: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: PRF algorithm md5: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: INTEG algorithm md5: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: INTEG algorithm ripemd: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: DH algorithm MODP1024: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: DH algorithm MODP1536: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: DH algorithm DH22: DISABLED; not FIPS compliant
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_ccm_16: IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_ccm_12: IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_ccm_8: IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT 3des_cbc: IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] (3des)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_gcm_16: IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_gcm_12: IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_gcm_8: IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes_ctr: IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)
Oct 25 07:57:46 server pluto[14961]: ENCRYPT aes: IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_cbc)
Oct 25 07:57:46 server pluto[14961]: HASH sha: IKEv1: IKE IKEv2: FIPS (sha1)
Oct 25 07:57:46 server pluto[14961]: HASH sha2_256: IKEv1: IKE IKEv2: FIPS (sha2 sha256)
Oct 25 07:57:46 server pluto[14961]: HASH sha2_384: IKEv1: IKE IKEv2: FIPS (sha384)
Oct 25 07:57:46 server pluto[14961]: HASH sha2_512: IKEv1: IKE IKEv2: FIPS (sha512)
Oct 25 07:57:46 server pluto[14961]: PRF sha: IKEv1: IKE IKEv2: IKE FIPS (sha1 hmac_sha1)
Oct 25 07:57:46 server pluto[14961]: PRF sha2_256: IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 hmac_sha2_256)
Oct 25 07:57:46 server pluto[14961]: PRF sha2_384: IKEv1: IKE IKEv2: IKE FIPS (sha384 hmac_sha2_384)
Oct 25 07:57:46 server pluto[14961]: PRF sha2_512: IKEv1: IKE IKEv2: IKE FIPS (sha512 hmac_sha2_512)
Oct 25 07:57:46 server pluto[14961]: INTEG sha: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha1 sha1_96 hmac_sha1 hmac_sha1_96)
Oct 25 07:57:46 server pluto[14961]: INTEG sha2_512: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 hmac_sha2_512 hmac_sha2_512_256)
Oct 25 07:57:46 server pluto[14961]: INTEG sha2_384: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 hmac_sha2_384 hmac_sha2_384_192)
Oct 25 07:57:46 server pluto[14961]: INTEG sha2_256: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 hmac_sha2_256 hmac_sha2_256_128)
Oct 25 07:57:46 server pluto[14961]: INTEG aes_xcbc: IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_xcbc_96)
Oct 25 07:57:46 server pluto[14961]: INTEG aes_cmac: IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac_96)
Oct 25 07:57:46 server pluto[14961]: DH MODP2048: IKEv1: IKE IKEv2: IKE FIPS (dh14)
Oct 25 07:57:46 server pluto[14961]: DH MODP3072: IKEv1: IKE IKEv2: IKE FIPS (dh15)
Oct 25 07:57:46 server pluto[14961]: DH MODP4096: IKEv1: IKE IKEv2: IKE FIPS (dh16)
Oct 25 07:57:46 server pluto[14961]: DH MODP6144: IKEv1: IKE IKEv2: IKE FIPS (dh17)
Oct 25 07:57:46 server pluto[14961]: DH MODP8192: IKEv1: IKE IKEv2: IKE FIPS (dh18)
Oct 25 07:57:46 server pluto[14961]: DH DH19: IKEv1: IKE IKEv2: IKE FIPS (ecp_256)
Oct 25 07:57:46 server pluto[14961]: DH DH20: IKEv1: IKE IKEv2: IKE FIPS (ecp_384)
Oct 25 07:57:46 server pluto[14961]: DH DH21: IKEv1: IKE IKEv2: IKE FIPS (ecp_521)
Oct 25 07:57:46 server pluto[14961]: DH DH23: IKEv1: IKE IKEv2: IKE FIPS
Oct 25 07:57:46 server pluto[14961]: DH DH24: IKEv1: IKE IKEv2: IKE FIPS
Oct 25 07:57:46 server pluto[14961]: starting up 1 crypto helpers
Oct 25 07:57:46 server pluto[14961]: started thread for crypto helper 0 (master fd 11)
Oct 25 07:57:46 server pluto[14961]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-693.2.2.el7.x86_64
Oct 25 07:57:46 server pluto[14961]: seccomp security for crypto helper not supported
Oct 25 07:57:46 server pluto[14961]: | selinux support is enabled.
Oct 25 07:57:46 server pluto[14961]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Oct 25 07:57:46 server pluto[14961]: watchdog: sending probes every 100 secs
Oct 25 07:57:46 server pluto[14961]: seccomp security not supported
Oct 25 07:57:47 server pluto[14961]: added connection description "roadwarriors2/1x0"
Oct 25 07:57:47 server pluto[14961]: added connection description "roadwarriors2/2x0"
Oct 25 07:57:47 server pluto[14961]: added connection description "roadwarriors2/3x0"
Oct 25 07:57:47 server pluto[14961]: listening for IKE messages
Oct 25 07:57:47 server pluto[14961]: adding interface eth0/eth0 192.168.9.11:500
Oct 25 07:57:47 server pluto[14961]: adding interface eth0/eth0 192.168.9.11:4500
Oct 25 07:57:47 server pluto[14961]: adding interface lo/lo 127.0.0.1:500
Oct 25 07:57:47 server pluto[14961]: adding interface lo/lo 127.0.0.1:4500
Oct 25 07:57:47 server pluto[14961]: adding interface lo/lo ::1:500
Oct 25 07:57:47 server pluto[14961]: | setup callback for interface lo:500 fd 21
Oct 25 07:57:47 server pluto[14961]: | setup callback for interface lo:4500 fd 20
Oct 25 07:57:47 server pluto[14961]: | setup callback for interface lo:500 fd 19
Oct 25 07:57:47 server pluto[14961]: | setup callback for interface eth0:4500 fd 18
Oct 25 07:57:47 server pluto[14961]: | setup callback for interface eth0:500 fd 17
Oct 25 07:57:47 server pluto[14961]: forgetting secrets
Oct 25 07:57:47 server pluto[14961]: loading secrets from "/etc/ipsec.secrets"
Oct 25 07:57:47 server pluto[14961]: no secrets filename matched "/etc/ipsec.d/*.secrets"
Oct 25 07:58:07 server pluto[14961]: packet from ${CLIENT_IP}:500: roadwarriors2/1x0 IKE proposals for initial responder: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 (default)
Oct 25 07:58:07 server pluto[14961]: packet from ${CLIENT_IP}:500: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;INTEG=NONE;DH=MODP2048 chosen from: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=NONE;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=NONE;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP1536
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[1] ${CLIENT_IP} #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[1] ${CLIENT_IP} #1: new NAT mapping for #1, was ${CLIENT_IP}:500, now ${CLIENT_IP}:4500
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[1] ${CLIENT_IP} #1: certificate O=org,CN=client.domain.tld OK
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[1] ${CLIENT_IP} #1: switched from "roadwarriors2/1x0"[1] ${CLIENT_IP} to "roadwarriors2/1x0"
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP} #1: deleting connection "roadwarriors2/1x0"[1] ${CLIENT_IP} instance with peer ${CLIENT_IP} {isakmp=#0/ipsec=#0}
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP} #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=client.domain.tld, O=${org}'
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP} #1: roadwarriors2/1x0 ESP/AH proposals for responder: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP} #1: proposal 1:ESP:SPI=2885fa7f;ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED chosen from: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP} #1: prepare-client output: vti interface "vti9" already exists with conflicting setting (perhaps need vti-sharing=yes ?
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP} #1: route-client output: RTNETLINK answers: File exists
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP} #1: route-client output: done ip route
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP} #2: negotiated connection [192.168.2.0,192.168.2.255:0-65535 0] -> [192.168.9.12,192.168.9.12:0-65535 0]
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] ${CLIENT_IP} #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x2885fa7f <0x6840586c xfrm=AES_GCM_C_256-NONE NATOA=none NATD=${CLIENT_IP}:4500 DPD=active}

Regarding the vti9 already exists entry: it appears that Libreswan doesn't remove the interface when exiting, which is why I think it is "in use". I have been able to remove it manually using "ip link delete vti9".

Client logs:

Oct 25 07:57:58 client pluto[17544]: FIPS Product: YES
Oct 25 07:57:58 client pluto[17544]: FIPS Kernel: YES
Oct 25 07:57:58 client pluto[17544]: FIPS Mode: YES
Oct 25 07:57:58 client pluto[17544]: NSS DB directory: sql:/etc/ipsec.d
Oct 25 07:57:58 client pluto[17544]: Initializing NSS
Oct 25 07:57:58 client pluto[17544]: Opening NSS database "sql:/etc/ipsec.d" read-only
Oct 25 07:57:58 client pluto[17544]: NSS initialized
Oct 25 07:57:58 client pluto[17544]: NSS crypto library initialized
Oct 25 07:57:58 client pluto[17544]: FIPS HMAC integrity support [enabled]
Oct 25 07:57:58 client pluto[17544]: FIPS mode enabled for pluto daemon
Oct 25 07:57:58 client pluto[17544]: NSS library is running in FIPS mode
Oct 25 07:57:58 client pluto[17544]: FIPS HMAC integrity verification self-test passed
Oct 25 07:57:58 client pluto[17544]: libcap-ng support [enabled]
Oct 25 07:57:58 client pluto[17544]: Linux audit support [enabled]
Oct 25 07:57:58 client pluto[17544]: Linux audit activated
Oct 25 07:57:58 client pluto[17544]: Starting Pluto (Libreswan Version 3.20 XFRM(netkey) KLIPS USE_FORK USE_PTHREAD_SETSCHEDPRIO NSS USE_SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:17544
Oct 25 07:57:58 client pluto[17544]: core dump dir: /var/run/pluto/
Oct 25 07:57:58 client pluto[17544]: secrets file: /etc/ipsec.secrets
Oct 25 07:57:58 client pluto[17544]: leak-detective enabled
Oct 25 07:57:58 client pluto[17544]: NSS crypto [enabled]
Oct 25 07:57:58 client pluto[17544]: XAUTH PAM support [enabled]
Oct 25 07:57:58 client pluto[17544]: NAT-Traversal support [enabled]
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm camellia_ctr: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm camellia: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm serpent: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm twofish: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm twofish_ssh: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm cast: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT algorithm null: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: HASH algorithm md5: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: PRF algorithm md5: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: INTEG algorithm md5: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: INTEG algorithm ripemd: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: DH algorithm MODP1024: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: DH algorithm MODP1536: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: DH algorithm DH22: DISABLED; not FIPS compliant
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_ccm_16: IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_ccm_12: IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_ccm_8: IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT 3des_cbc: IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] (3des)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_gcm_16: IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_gcm_12: IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_gcm_8: IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes_ctr: IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)
Oct 25 07:57:58 client pluto[17544]: ENCRYPT aes: IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_cbc)
Oct 25 07:57:58 client pluto[17544]: HASH sha: IKEv1: IKE IKEv2: FIPS (sha1)
Oct 25 07:57:58 client pluto[17544]: HASH sha2_256: IKEv1: IKE IKEv2: FIPS (sha2 sha256)
Oct 25 07:57:58 client pluto[17544]: HASH sha2_384: IKEv1: IKE IKEv2: FIPS (sha384)
Oct 25 07:57:58 client pluto[17544]: HASH sha2_512: IKEv1: IKE IKEv2: FIPS (sha512)
Oct 25 07:57:58 client pluto[17544]: PRF sha: IKEv1: IKE IKEv2: IKE FIPS (sha1 hmac_sha1)
Oct 25 07:57:58 client pluto[17544]: PRF sha2_256: IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 hmac_sha2_256)
Oct 25 07:57:58 client pluto[17544]: PRF sha2_384: IKEv1: IKE IKEv2: IKE FIPS (sha384 hmac_sha2_384)
Oct 25 07:57:58 client pluto[17544]: PRF sha2_512: IKEv1: IKE IKEv2: IKE FIPS (sha512 hmac_sha2_512)
Oct 25 07:57:58 client pluto[17544]: INTEG sha: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha1 sha1_96 hmac_sha1 hmac_sha1_96)
Oct 25 07:57:58 client pluto[17544]: INTEG sha2_512: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 hmac_sha2_512 hmac_sha2_512_256)
Oct 25 07:57:58 client pluto[17544]: INTEG sha2_384: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 hmac_sha2_384 hmac_sha2_384_192)
Oct 25 07:57:58 client pluto[17544]: INTEG sha2_256: IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 hmac_sha2_256 hmac_sha2_256_128)
Oct 25 07:57:58 client pluto[17544]: INTEG aes_xcbc: IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_xcbc_96)
Oct 25 07:57:58 client pluto[17544]: INTEG aes_cmac: IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac_96)
Oct 25 07:57:58 client pluto[17544]: DH MODP2048: IKEv1: IKE IKEv2: IKE FIPS (dh14)
Oct 25 07:57:58 client pluto[17544]: DH MODP3072: IKEv1: IKE IKEv2: IKE FIPS (dh15)
Oct 25 07:57:58 client pluto[17544]: DH MODP4096: IKEv1: IKE IKEv2: IKE FIPS (dh16)
Oct 25 07:57:58 client pluto[17544]: DH MODP6144: IKEv1: IKE IKEv2: IKE FIPS (dh17)
Oct 25 07:57:58 client pluto[17544]: DH MODP8192: IKEv1: IKE IKEv2: IKE FIPS (dh18)
Oct 25 07:57:58 client pluto[17544]: DH DH19: IKEv1: IKE IKEv2: IKE FIPS (ecp_256)
Oct 25 07:57:58 client pluto[17544]: DH DH20: IKEv1: IKE IKEv2: IKE FIPS (ecp_384)
Oct 25 07:57:58 client pluto[17544]: DH DH21: IKEv1: IKE IKEv2: IKE FIPS (ecp_521)
Oct 25 07:57:58 client pluto[17544]: DH DH23: IKEv1: IKE IKEv2: IKE FIPS
Oct 25 07:57:58 client pluto[17544]: DH DH24: IKEv1: IKE IKEv2: IKE FIPS
Oct 25 07:57:58 client pluto[17544]: starting up 7 crypto helpers
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 0 (master fd 11)
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 1 (master fd 13)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not supported
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 2 (master fd 15)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not supported
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 3 (master fd 17)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not supported
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 4 (master fd 19)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not supported
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not supported
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 5 (master fd 21)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not supported
Oct 25 07:57:58 client pluto[17544]: started thread for crypto helper 6 (master fd 23)
Oct 25 07:57:58 client pluto[17544]: seccomp security for crypto helper not supported
Oct 25 07:57:58 client pluto[17544]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-693.2.2.el7.x86_64
Oct 25 07:57:58 client pluto[17544]: | selinux support is enabled.
Oct 25 07:57:58 client pluto[17544]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Oct 25 07:57:58 client pluto[17544]: watchdog: sending probes every 100 secs
Oct 25 07:57:58 client pluto[17544]: seccomp security not supported
Oct 25 07:57:58 client polkitd[1559]: Unregistered Authentication Agent for unix-process:17251:429153 (system bus name :1.173, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Oct 25 07:57:59 client pluto[17544]: added connection description "to-vpn-server2"
Oct 25 07:57:59 client pluto[17544]: listening for IKE messages
Oct 25 07:57:59 client pluto[17544]: adding interface virbr0/virbr0 192.168.122.1:500
Oct 25 07:57:59 client pluto[17544]: adding interface virbr0/virbr0 192.168.122.1:4500
Oct 25 07:57:59 client pluto[17544]: adding interface enp1s0f1/enp1s0f1 10.0.0.226:500
Oct 25 07:57:59 client pluto[17544]: adding interface enp1s0f1/enp1s0f1 10.0.0.226:4500
Oct 25 07:57:59 client pluto[17544]: adding interface lo/lo 127.0.0.1:500
Oct 25 07:57:59 client pluto[17544]: adding interface lo/lo 127.0.0.1:4500
Oct 25 07:57:59 client pluto[17544]: adding interface lo/lo ::1:500
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface lo:500 fd 35
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface lo:4500 fd 34
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface lo:500 fd 33
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface enp1s0f1:4500 fd 32
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface enp1s0f1:500 fd 31
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface virbr0:4500 fd 30
Oct 25 07:57:59 client pluto[17544]: | setup callback for interface virbr0:500 fd 29
Oct 25 07:57:59 client pluto[17544]: forgetting secrets
Oct 25 07:57:59 client pluto[17544]: loading secrets from "/etc/ipsec.secrets"
Oct 25 07:57:59 client pluto[17544]: no secrets filename matched "/etc/ipsec.d/*.secrets"
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": prepare-host output: net.ipv4.conf.vti9.disable_policy = 1
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": prepare-host output: net.ipv4.conf.vti9.rp_filter = 0
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": prepare-host output: net.ipv4.conf.vti9.forwarding = 1
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": route-host output: RTNETLINK answers: File exists
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": route-host output: RTNETLINK answers: No such file or directory
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2": route-host output: done ip route
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #1: initiating v2 parent SA
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #1: to-vpn-server2 IKE proposals for initial initiator (selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 (default)
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #1: to-vpn-server2 ESP/AH proposals for initiator: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #2: certificate O=org,CN=server.domain.tld OK
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '${external_static_ip}'
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #2: received INTERNAL_IP4_ADDRESS 192.168.9.12
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #2: received INTERNAL_IP4_DNS 192.168.2.10
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #2: prepare-client output: vti interface "vti9" already exists with conflicting setting (perhaps need vti-sharing=yes ?
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #2: route-client output: done ip route
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #2: route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip route replace 192.168.2.0/24 via 10.0.0.1 dev vti9 src 192.168.9.12" failed (RTNETLINK answers: Network is unreachable)
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #2: negotiated connection [192.168.9.12,192.168.9.12:0-65535 0] -> [192.168.2.0,192.168.2.255:0-65535 0]
Oct 25 07:57:59 client pluto[17544]: "to-vpn-server2"[1] ${external_static_ip} #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x6840586c <0x2885fa7f xfrm=AES_GCM_C_256-NONE NATOA=none NATD=${external_static_ip}:4500 DPD=passive}

I am not sure what the RTNETLINK answers errors are referencing. Does anyone have any suggestions? Am I utilizing Libreswan wrong, and should I instead be running L2TP over Libreswan? If you need more information, I will gladly provide it. Thanks in advance.
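One way to read the logs above is to compare what pluto loaded against what it actually established: the server log shows three connection instances being added (roadwarriors2/1x0, 2x0 and 3x0, one per entry in leftsubnets) but only a single "negotiated connection" line, covering 192.168.2.0/24. The script below is an added example, not part of the original post and not Libreswan code; it parses pluto log lines of that shape, turns the negotiated traffic-selector address ranges back into prefixes, and reports which configured subnets have no child SA covering them. The embedded log excerpt is a constructed copy of the quoted server entries with the ${CLIENT_IP} placeholder replaced by the documentation address 203.0.113.5.

```python
import ipaddress
import re

# Constructed sample: the relevant entries from the server log quoted in the
# post, with the ${CLIENT_IP} placeholder replaced by a documentation address.
SERVER_LOG = """\
Oct 25 07:57:47 server pluto[14961]: added connection description "roadwarriors2/1x0"
Oct 25 07:57:47 server pluto[14961]: added connection description "roadwarriors2/2x0"
Oct 25 07:57:47 server pluto[14961]: added connection description "roadwarriors2/3x0"
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] 203.0.113.5 #2: negotiated connection [192.168.2.0,192.168.2.255:0-65535 0] -> [192.168.9.12,192.168.9.12:0-65535 0]
Oct 25 07:58:07 server pluto[14961]: "roadwarriors2/1x0"[2] 203.0.113.5 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x2885fa7f <0x6840586c xfrm=AES_GCM_C_256-NONE NATOA=none NATD=203.0.113.5:4500 DPD=active}
"""

# The leftsubnets list from the server's "conn roadwarriors2" in the post.
LEFTSUBNETS = ["192.168.2.0/24", "192.168.3.0/24", "192.168.9.0/24"]

# pluto logs each child SA's traffic selectors as
#   negotiated connection [first,last:ports proto] -> [first,last:ports proto]
NEGOTIATED_RE = re.compile(
    r"negotiated connection \[(?P<llo>[\d.]+),(?P<lhi>[\d.]+):[^\]]*\]"
    r" -> \[(?P<rlo>[\d.]+),(?P<rhi>[\d.]+):[^\]]*\]"
)
ADDED_RE = re.compile(r'added connection description "([^"]+)"')


def range_to_networks(first, last):
    """Turn an address range back into the CIDR prefixes that cover it exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def connection_instances(log_text):
    """Connection names pluto loaded from the config (one per leftsubnets entry)."""
    return ADDED_RE.findall(log_text)


def negotiated_selectors(log_text):
    """(local prefixes, remote prefixes) for every child SA pluto established."""
    selectors = []
    for line in log_text.splitlines():
        m = NEGOTIATED_RE.search(line)
        if m:
            selectors.append((range_to_networks(m["llo"], m["lhi"]),
                              range_to_networks(m["rlo"], m["rhi"])))
    return selectors


def uncovered_subnets(leftsubnets, selectors):
    """Configured subnets that no established child SA's local selector covers."""
    covered = [net for local, _remote in selectors for net in local]
    wanted = [ipaddress.ip_network(s) for s in leftsubnets]
    return [str(w) for w in wanted if not any(w.subnet_of(c) for c in covered)]


def report(log_text, leftsubnets):
    """Summarise configured versus established child SAs for one pluto log."""
    selectors = negotiated_selectors(log_text)
    return {
        "instances": connection_instances(log_text),
        "child_sas": [(", ".join(map(str, local)), ", ".join(map(str, remote)))
                      for local, remote in selectors],
        "uncovered": uncovered_subnets(leftsubnets, selectors),
    }


if __name__ == "__main__":
    result = report(SERVER_LOG, LEFTSUBNETS)
    print("connection instances loaded:", ", ".join(result["instances"]))
    for local, remote in result["child_sas"]:
        print("child SA established:", local, "<->", remote)
    for subnet in result["uncovered"]:
        print("no established child SA covers", subnet)
```

Against the sample it reports three loaded instances, one child SA (192.168.2.0/24 <-> 192.168.9.12/32) and two uncovered subnets, 192.168.3.0/24 and 192.168.9.0/24, which matches the behaviour described in the post. Point SERVER_LOG at real pluto output to run it on a live system; the client log's single negotiated line is the same selector pair with local and remote swapped, so the parse applies there as well.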
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
