Article 51T11 VPN:- IPsec L2P NAT-T not working

VPN:- IPsec L2P NAT-T not working

by setdet, from LinuxQuestions.org (#51T11)
So, I've been reading up on VPNs and managed to get a server<>client setup working using libreswan and xl2tpd. All works fine and I've systemd'd it all so nice n easy to control.

However,

Only 1 client can connect from behind my ISP router. After days and hours of late night reading and tweaking, I discovered that a limitation of IPsec is exactly this. But then I came across NAT-T so set about configuring this, Left and Right sides. Looking at the logs/outputs I think I have NAT-T enabled both sides, but two clients behind my router will collapse the tunnel for the connected client and the one I'm trying to connect. I thought NAT-T encapsulates packets with another UDP packet to pass-through the NATs.

My router is an ISP provided router from EE - the only VPN setting it has is "Port Clamping" which I've set on and off - to no avail.

My setup is:-
* a droplet in Digital Ocean public IP a.a.a.a
* droplet running the VPN server. VPN server IP is 10.1.1.1
* nginx reverse proxy running on the server, proxying to VPN client 10.1.1.10
* ISP provided router with [dynamic] IP b.b.b.b
* clients X and Y behind ISP Router NAT.

ipsec verify on SERVER:-
Code:
Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.29 (netkey) on 4.15.0-91-generic
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
root@ubuntu-s-1vcpu-1gb-lon1-01:~/VPN#

ipsec verify on CLIENT:-
Code:
Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.27 (netkey) on 4.19.97-v7+
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OBSOLETE]
003 WARNING: using a weak secret (PSK)
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
Traceback (most recent call last):
File "/usr/lib/ipsec/verify", line 426, in <module>
main()
File "/usr/lib/ipsec/verify", line 417, in main
configsetupcheck()
File "/usr/lib/ipsec/verify", line 398, in configsetupcheck
err = err.replace("Warning"," Warning")
TypeError: a bytes-like object is required, not 'str'

Strange that it crashes??

server journalctl log:-
Code:
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #11: responding to Main Mode from unknown peer 95.147.158.93 on port 500
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #11: WARNING: connection l2tp-psk PSK length of 4 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #11: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #11: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #11: Peer ID is ID_IPV4_ADDR: '192.168.1.10'
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #11: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #11: the peer proposed: a.a.a.a/32:17/1701 -> 192.168.1.10/32:17/0
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #11: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #12: responding to Quick Mode proposal {msgid:fd279e64}
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #12: us: a.a.a.a<a.a.a.a>:17/1701
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #12: them: b.b.b.b:17/1701===192.168.1.10/32
Apr 06 23:05:19 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0xdd5c8521 <0x83ffede6 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=192.168.1.10 NATD=95.147.158.93:4500 DPD=passive}
Apr 06 23:05:20 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #12: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xdd5c8521 <0x83ffede6 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=192.168.1.10 NATD=95.147.158.93:4500 DPD=passive}

server side journalctl log when attempting 2nd client connection:-
Code:
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: packet from 95.147.158.93:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #13: responding to Main Mode from unknown peer 95.147.158.93 on port 500
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #13: WARNING: connection l2tp-psk PSK length of 4 bytes is too short for sha PRF in FIPS mode (10 bytes required)
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #13: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #13: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #13: Peer ID is ID_IPV4_ADDR: '192.168.1.197'
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #13: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=DH20}
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #13: the peer proposed: a.a.a.a/32:17/1701 -> 192.168.1.197/32:17/1701
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[6] 95.147.158.93 #13: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[7] 95.147.158.93 #14: responding to Quick Mode proposal {msgid:01000000}
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[7] 95.147.158.93 #14: us: a.a.a.a<a.a.a.a>:17/1701
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[7] 95.147.158.93 #14: them: 95.147.158.93:17/1701===192.168.1.197/32
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[7] 95.147.158.93 #14: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x6a391b62 <0x5f8c0224 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.197 NATD=95.147.158.93:1025 DPD=passive}
Apr 06 23:08:50 ubuntu-s-1vcpu-1gb-lon1-01 pluto[11681]: "l2tp-psk"[7] 95.147.158.93 #14: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x6a391b62 <0x5f8c0224 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.197 NATD=95.147.158.93:1025 DPD=passive}

Looks pretty much the same, but the 2nd client forces the 1st client tunnel to collapse and the 2nd client can't connect either. A restart on the client of ipsec and xl2tpd is needed to restore sanity.

On the droplet firewall I have UDP 500, 4500, 1701 open and TCP 50 and 51 open.

Wondering if a super-network guru can advise if there's any way to configure NAT-T and to debug it to see what's happening?
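As an added debugging aid (editor's example, not the poster's code or part of libreswan), the script below parses pluto lines in the format quoted in the two journalctl excerpts above and flags the condition the post describes: two transport-mode SAs whose outer selector ("them:" public IP, UDP 1701) is identical but whose NAT-OA (the client's private address) differs. In the post's logs the first client is seen as NATD=...:4500 and the second as NATD=...:1025, while both "them:" selectors are router-IP:17/1701, so if b.b.b.b in the first excerpt is the same router address that appears unredacted in the second, the two SAs overlap exactly as the script reports. The sample log lines are constructed after that format using RFC 5737 documentation addresses (198.51.100.5 for the server, 203.0.113.7 for the router); the regular expressions are assumptions fitted to the quoted lines rather than any official pluto log grammar.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the pluto output quoted in the post.
# Addresses are RFC 5737 documentation values, not the poster's hosts:
# 198.51.100.5 stands in for the server, 203.0.113.7 for the ISP router.
SAMPLE_LOG = """\
Apr 06 23:05:19 vpn pluto[11681]: "l2tp-psk"[6] 203.0.113.7 #12: us: 198.51.100.5<198.51.100.5>:17/1701
Apr 06 23:05:19 vpn pluto[11681]: "l2tp-psk"[6] 203.0.113.7 #12: them: 203.0.113.7:17/1701===192.168.1.10/32
Apr 06 23:05:20 vpn pluto[11681]: "l2tp-psk"[6] 203.0.113.7 #12: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xdd5c8521 <0x83ffede6 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=192.168.1.10 NATD=203.0.113.7:4500 DPD=passive}
Apr 06 23:08:50 vpn pluto[11681]: "l2tp-psk"[7] 203.0.113.7 #14: us: 198.51.100.5<198.51.100.5>:17/1701
Apr 06 23:08:50 vpn pluto[11681]: "l2tp-psk"[7] 203.0.113.7 #14: them: 203.0.113.7:17/1701===192.168.1.197/32
Apr 06 23:08:50 vpn pluto[11681]: "l2tp-psk"[7] 203.0.113.7 #14: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x6a391b62 <0x5f8c0224 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.197 NATD=203.0.113.7:1025 DPD=passive}
"""

# "them:" line: outer peer address, protocol/port, and the client's inner address.
# (Pattern is an assumption fitted to the quoted lines.)
THEM_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\w.]+) #(?P<state>\d+): '
    r'them: (?P<them_ip>[\w.]+):(?P<proto>\d+)/(?P<port>\d+)===(?P<inner>[\d./]+)'
)
# SA-established line: mode plus NAT-OA (client's private IP) and NAT-D
# (public IP:port the server actually sees after the router's NAT).
SA_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\w.]+) #(?P<state>\d+): '
    r'STATE_QUICK_R2: IPsec SA established (?P<mode>\w+) mode \{.*?'
    r'NATOA=(?P<natoa>[\d.]+) NATD=(?P<natd_ip>[\d.]+):(?P<natd_port>\d+)'
)


def parse_pluto_sas(text):
    """Collect, per pluto state number, the 'them:' selector and the NAT-OA /
    NAT-D values reported when the IPsec SA is established. Returns a list of
    dicts ordered by state number."""
    sas = {}
    for line in text.splitlines():
        m = THEM_RE.search(line)
        if m:
            rec = sas.setdefault(int(m["state"]), {"peer": m["peer"]})
            rec["them"] = (m["them_ip"], m["proto"], m["port"])
            rec["inner"] = m["inner"]
            continue
        m = SA_RE.search(line)
        if m:
            rec = sas.setdefault(int(m["state"]), {"peer": m["peer"]})
            rec["mode"] = m["mode"]
            rec["natoa"] = m["natoa"]
            rec["natd"] = (m["natd_ip"], int(m["natd_port"]))
    return [dict(state=k, **v) for k, v in sorted(sas.items())]


def find_selector_collisions(sas):
    """Group transport-mode SAs by their outer selector (public IP, proto, port)
    and report groups that carry more than one NAT-OA. For L2TP/IPsec that
    means two clients behind one NAT both claiming router-IP:1701 <-> server:1701,
    which is the overlap that makes the first tunnel collapse in the post."""
    groups = defaultdict(list)
    for sa in sas:
        if sa.get("mode") == "transport" and "them" in sa:
            groups[sa["them"]].append(sa)
    collisions = []
    for them, members in groups.items():
        natoas = sorted({sa["natoa"] for sa in members if sa.get("natoa")})
        if len(natoas) > 1:
            collisions.append({
                "them": them,
                "natoa": natoas,
                "states": [sa["state"] for sa in members],
                "natd_ports": [sa["natd"][1] for sa in members if sa.get("natd")],
            })
    return collisions


if __name__ == "__main__":
    for hit in find_selector_collisions(parse_pluto_sas(SAMPLE_LOG)):
        ip, proto, port = hit["them"]
        print(f"states {hit['states']}: outer selector {ip}:{proto}/{port} "
              f"claimed by NAT-OA {', '.join(hit['natoa'])} "
              f"(NAT-D ports {hit['natd_ports']})")
```

Run it against `journalctl -u ipsec` output instead of the constructed sample to see whether every new client behind the same router lands on an already-used outer selector; the differing NAT-D ports (4500 versus a router-chosen port such as 1025) show that NAT-T itself is working, so the problem is selector overlap in transport mode rather than encapsulation. One firewall caveat worth checking in passing: ESP and AH are IP protocols 50 and 51, not TCP ports, so a rule for "TCP 50 and 51" admits neither; with NAT-T negotiated as in these logs the ESP traffic travels inside UDP 4500 anyway, so that rule has no effect on this setup.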