Hello everyone!
I need roadwarrior access to a small server, which itself is behind a NAT,
so there is NAT on both sides of the connection. However, neither party is
performing the NAT itself - that is done by the respective gateways on both
ends, which are on the other hand not involved in the ipsec connection. On
the server, the NATting gateway is forwarding esp/ah, udp/500 and udp/4500
to the server (responder).
A brief summary:
server --------------- NAT1 -------- internet --- NAT2 ------ roadwarrior
172.16.0.129 172.16.0.254/1.2.3.4 10.0.0.x 10.0.0.y
Both server and roadwarrior are going to use certificates in production;
but to make debugging simpler, I temporarily switched to PSKs. The current
configs are as follows:
Server (responder):
-------------------
conn roadw
type=tunnel
left=%defaultroute
leftid=@server
leftsubnet=0.0.0.0/0
right=%any
rightid=@roadw
rightsubnet=vhost:%priv,%no
auto=add
ikev2=insist
authby=secret
pfs=yes
aggressive=no
salifetime=1h
negotiationshunt=hold
failureshunt=drop
rekey=no
Roadwarrior (initiator):
------------------------
conn server
left=%defaultroute
leftid=@roadw
right=1.2.3.4
rightid=@server
ikev2=insist
auto=ondemand
authby=secret
pfs=yes
aggressive=no
salifetime=1h
negotiationshunt=hold
failureshunt=drop
I have left out two more conns, used solely to pass SSH traffic through
without any ipsec processing.
With such configuration, I unfortunately cannot get the connection set up.
When initiating a connection from the roadwarrior, the first handshake gets
through as expected (v2i1, v2r1, v2i2), the port switch from 500 to 4500 is
performed as well. The PSK authentication works, too. Following that, I am
however getting an error on incorrect traffic selectors. This is the
relevant snippet from the server's (responder's) pluto log:
pluto[15505]: "roadw"[1] 9.8.7.6 #1: Authenticated using authby=secret
pluto[15505]: | parent state #1: STATE_PARENT_R1(half-open-ike) =>
STATE_PARENT_R2(established-authenticated-ike)
pluto[15505]: | ignore states: 0
pluto[15505]: | half-open-ike states: 0
pluto[15505]: | open-ike states: 0
pluto[15505]: | established-anonymous-ike states: 0
pluto[15505]: | established-authenticated-ike states: 1
pluto[15505]: | anonymous-ipsec states: 0
pluto[15505]: | authenticated-ipsec states: 0
pluto[15505]: | informational states: 0
pluto[15505]: | unknown states: 0
pluto[15505]: | category states: 1 count states: 1
pluto[15505]: | ikev2_replace_delay() picked up estblished ike_life:3600
pluto[15505]: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
pluto[15505]: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x6ac078
pluto[15505]: | event_schedule: new EVENT_SA_EXPIRE-pe@0x6ac078
pluto[15505]: | inserting event EVENT_SA_EXPIRE, timeout in 3330.000 seconds
for #1
pluto[15505]: | **emit ISAKMP Message:
pluto[15505]: | initiator cookie:
pluto[15505]: | 85 53 5d e4 77 82 6f 26
pluto[15505]: | responder cookie:
pluto[15505]: | 65 e3 ad c8 cf 51 fe ff
pluto[15505]: | next payload type: ISAKMP_NEXT_v2SK (0x2e)
pluto[15505]: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
pluto[15505]: | exchange type: ISAKMP_v2_AUTH (0x23)
pluto[15505]: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
pluto[15505]: | message ID: 00 00 00 01
pluto[15505]: | next payload type: saving message location 'ISAKMP
Message'.'next payload type'
pluto[15505]: | IKEv2 CERT: send a certificate?
pluto[15505]: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK
pluto[15505]: | next payload type: previous 'ISAKMP Message'.'next payload
type' matches 'IKEv2 Encryption Payload' (46:ISAKMP_NEXT_v2SK)
pluto[15505]: | ***emit IKEv2 Encryption Payload:
pluto[15505]: | next payload type: ISAKMP_NEXT_v2IDr (0x24)
pluto[15505]: | flags: none (0x0)
pluto[15505]: | next payload type: saving message location 'IKEv2 Encryption
Payload'.'next payload type'
pluto[15505]: | emitting 8 raw bytes of IV into IKEv2 Encryption Payload
pluto[15505]: | IV 45 74 83 2d 43 0f 90 e6
pluto[15505]: | ****emit IKEv2 encrypted portion:
pluto[15505]: | next payload type: previous 'IKEv2 Encryption Payload'.'next
payload type' matches 'IKEv2 Identification - Responder - Payload'
(36:ISAKMP_NEXT_v2IDr)
pluto[15505]: | *****emit IKEv2 Identification - Responder - Payload:
pluto[15505]: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
pluto[15505]: | flags: none (0x0)
pluto[15505]: | ID type: ID_FQDN (0x2)
pluto[15505]: | next payload type: saving payload location 'IKEv2
Identification - Responder - Payload'.'next payload type'
pluto[15505]: | emitting 7 raw bytes of my identity into IKEv2 Identification -
Responder - Payload
pluto[15505]: | my identity 70 61 6e 64 6f 72 61
pluto[15505]: | emitting length of IKEv2 Identification - Responder - Payload:
15
pluto[15505]: | assembled IDr payload
pluto[15505]: | CHILD SA proposals received
pluto[15505]: | going to assemble AUTH payload
pluto[15505]: | next payload type: setting 'IKEv2 Identification - Responder -
Payload'.'next payload type' to IKEv2 Authentication Payload
(39:ISAKMP_NEXT_v2AUTH)
pluto[15505]: | *****emit IKEv2 Authentication Payload:
pluto[15505]: | next payload type: ISAKMP_NEXT_v2SA (0x21)
pluto[15505]: | flags: none (0x0)
pluto[15505]: | auth method: IKEv2_AUTH_SHARED (0x2)
pluto[15505]: | next payload type: saving payload location 'IKEv2
Authentication Payload'.'next payload type'
pluto[15505]: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to
create PSK with authby=secret
pluto[15505]: | started looking for secret for @server->@roadw of kind PKK_PSK
pluto[15505]: | actually looking for secret for @server->@roadw of kind PKK_PSK
pluto[15505]: | line 2: key type PKK_PSK(@server) to type PKK_PSK
pluto[15505]: | 1: compared key 172.16.0.129 to @server / @roadw -> 000
pluto[15505]: | 2: compared key 10.0.0.13 to @server / @roadw -> 000
pluto[15505]: | 3: compared key @roadw to @server / @roadw -> 004
pluto[15505]: | 4: compared key @server to @server / @roadw -> 014
pluto[15505]: | 5: compared key 1.2.3.4 to @server / @roadw -> 014
pluto[15505]: | 6: compared key 9.8.7.6 to @server / @roadw -> 014
pluto[15505]: | line 2: match=014
pluto[15505]: | match 014 beats previous best_match 000 match=0x67ce08 (line=2)
pluto[15505]: | concluding with best_match=014 best=0x67ce08 (lineno=2)
pluto[15505]: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication
Payload
pluto[15505]: | PSK auth 0b 0c ...
pluto[15505]: | PSK auth 37 44 ...
pluto[15505]: | PSK auth 5c 8a ...
pluto[15505]: | PSK auth 91 09 ...
pluto[15505]: | emitting length of IKEv2 Authentication Payload: 72
pluto[15505]: | TS: parse initiator traffic selectors
pluto[15505]: | ***parse IKEv2 Traffic Selector:
pluto[15505]: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
pluto[15505]: | IP Protocol ID: 0 (0x0)
pluto[15505]: | length: 16 (0x10)
pluto[15505]: | start port: 0 (0x0)
pluto[15505]: | end port: 65535 (0xffff)
pluto[15505]: | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low
pluto[15505]: | ipv4 ts low 0a 00 00 8a
pluto[15505]: | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high
pluto[15505]: | ipv4 ts high 0a 00 00 8a
pluto[15505]: | TS: parse responder traffic selectors
pluto[15505]: | ***parse IKEv2 Traffic Selector:
pluto[15505]: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
pluto[15505]: | IP Protocol ID: 0 (0x0)
pluto[15505]: | length: 16 (0x10)
pluto[15505]: | start port: 0 (0x0)
pluto[15505]: | end port: 65535 (0xffff)
pluto[15505]: | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low
pluto[15505]: | ipv4 ts low b9 63 b1 ad
pluto[15505]: | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high
pluto[15505]: | ipv4 ts high b9 63 b1 ad
pluto[15505]: | ikev2_evaluate_connection_fit evaluating our conn="roadw"[1]
9.8.7.6 I=0.0.0.0/32:0/0 R=0.0.0.0/0:0/0 (virt) to their:
pluto[15505]: | tsi[0]=10.0.0.13-10.0.0.13 proto=0 portrange 0-65535,
tsr[0]=1.2.3.4-1.2.3.4 proto=0 portrange 0-65535
pluto[15505]: | prefix fitness rejected c roadw c->name
pluto[15505]: | find_host_pair: comparing 172.16.0.129:500 to 0.0.0.0:500
pluto[15505]: | find_host_pair: comparing 172.16.0.129:500 to 9.8.7.6:500
pluto[15505]: | checking hostpair 0.0.0.0/0 -> 0.0.0.0/32 is found
pluto[15505]: | match_id a=@roadw
pluto[15505]: | b=@roadw
pluto[15505]: | results matched
pluto[15505]: | investigating connection "roadw" as a better match
pluto[15505]: | ikev2_evaluate_connection_fit evaluating our conn="roadw"[1]
9.8.7.6 I=0.0.0.0/32:0/0 R=0.0.0.0/0:0/0 (virt) to their:
pluto[15505]: | tsi[0]=10.0.0.13-10.0.0.13 proto=0 portrange 0-65535,
tsr[0]=1.2.3.4-1.2.3.4 proto=0 portrange 0-65535
pluto[15505]: | prefix fitness rejected d roadw
pluto[15505]: | connection "roadw-ssh-pass" does not match IDs or CA of current
connection "roadw"
pluto[15505]: | we did not switch connection
pluto[15505]: | failed to find anything; can we instantiate another template?
pluto[15505]: | ikev2_child_sa_respond returned STF_FAIL+v2N_TS_UNACCEPTABLE
pluto[15505]: | ikev2_parent_inI2outR2_continue_tail returned
STF_FAIL+v2N_TS_UNACCEPTABLE
pluto[15505]: | processing: [RE]START state #1 connection "roadw"[1] 9.8.7.6
9.8.7.6:4500 (in complete_v2_state_transition() at ikev2.c:2788)
pluto[15505]: | #1 complete v2 state transition from STATE_PARENT_R2 with
STF_FAIL+v2N_TS_UNACCEPTABLE
pluto[15505]: | sending a notification reply
pluto[15505]: "roadw"[1] 9.8.7.6 #1: responding to AUTH message (ID 1) from
9.8.7.6:4500 with encrypted notification TS_UNACCEPTABLE
The 9.8.7.6 denotes the public IP of the NAT2 gw.
Does anyone see what can I do to get the traffic selectors right? If more
information is necessary, what do I need to send?
Many thanks,
Phil
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
