Delete SA immediately after connecting with Windows and Ubuntu Client. #254
Comments
It most likely tried to continue negotiating the L2TP part and failed, so it also tears down the IPsec component
Paul
Sent from mobile device
On Jul 3, 2019, at 07:06, mindfuucker ***@***.***> wrote:
Hello,
I have an Ubuntu 18.04 server machine running Libreswan, using the Auto Setup provided by this GitHub repo.
Issue:
When connecting with both Windows and Ubuntu clients, it sends a Delete SA immediately after connecting. The following log is of a Windows client and an Ubuntu client trying to connect.
`grep pluto /var/log/auth.log`:

```
10:06:48 [1] #1: responding to Main Mode from unknown peer on port 1965
10:06:48 [1] #1: STATE_MAIN_R1: sent MR1, expecting MI2
10:06:48 [1] #1: STATE_MAIN_R2: sent MR2, expecting MI3
10:06:48 [1] #1: Peer ID is ID_IPV4_ADDR: '192.168.1.103'
10:06:48 [1] #1: switched from "l2tp-psk"[1] to "l2tp-psk"
10:06:48 [2] #1: deleting connection "l2tp-psk"[1] instance with peer {isakmp=#0/ipsec=#0}
10:06:48 [2] #1: Peer ID is ID_IPV4_ADDR: '192.168.1.103'
10:06:48 [2] #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}
10:06:48 [2] #1: the peer proposed: 136.112.211.233/32:17/1701 -> 192.168.1.103/32:17/0
10:06:48 [2] #1: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
10:06:48 [2] #2: responding to Quick Mode proposal {msgid:fb95c48d}
10:06:48 [2] #2: us: 136.112.211.233:17/1701
10:06:48 [2] #2: them: [192.168.1.103]:17/0
10:06:48 [2] #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0xc912b7dd <0x9a23fe0f xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=192.168.1.103 NATD=:11504 DPD=active}
10:06:48 [2] #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xc912b7dd <0x9a23fe0f xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=192.168.1.103 NATD=:11504 DPD=active}
10:07:02 [2] #1: received Delete SA(0xc912b7dd) payload: deleting IPsec State #2
10:07:02 [2] #2: deleting other state #2 (STATE_QUICK_R2) aged 14.377s and sending notification
10:07:02 [2] #2: ESP traffic information: in=0B out=0B
10:07:02 #1: deleting state (STATE_MAIN_R3) aged 14.538s and sending notification
10:07:02 [2] : deleting connection "l2tp-psk"[2] instance with peer {isakmp=#0/ipsec=#0}
11:45:33 [3] #3: responding to Main Mode from unknown peer on port 4228
11:45:33 [3] #3: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
11:45:33 [3] #3: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
11:45:33 [3] #3: STATE_MAIN_R1: sent MR1, expecting MI2
11:45:33 [3] #3: STATE_MAIN_R2: sent MR2, expecting MI3
11:45:33 [3] #3: Peer ID is ID_IPV4_ADDR: '192.168.1.109'
11:45:33 [3] #3: switched from "l2tp-psk"[3] to "l2tp-psk"
11:45:33 [4] #3: deleting connection "l2tp-psk"[3] instance with peer {isakmp=#0/ipsec=#0}
11:45:33 [4] #3: Peer ID is ID_IPV4_ADDR: '192.168.1.109'
11:45:33 [4] #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
11:45:33 [4] #3: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
11:45:33 [4] #3: the peer proposed: 136.112.211.233/32:17/1701 -> 192.168.1.109/32:17/0
11:45:33 [4] #3: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
11:45:33 [4] #4: responding to Quick Mode proposal {msgid:00000001}
11:45:33 [4] #4: us: 136.112.211.233:17/1701
11:45:33 [4] #4: them: [192.168.1.109]:17/1701
11:45:33 [4] #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x3c40f19c <0x8582866e xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.109 NATD=:9232 DPD=unsupported}
11:45:33 [4] #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x3c40f19c <0x8582866e xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.109 NATD=:9232 DPD=unsupported}
11:46:08 [4] #3: received Delete SA(0x3c40f19c) payload: deleting IPsec State #4
11:46:08 [4] #4: deleting other state #4 (STATE_QUICK_R2) aged 35.041s and sending notification
11:46:08 [4] #4: ESP traffic information: in=0B out=0B
11:46:08 #3: deleting state (STATE_MAIN_R3) aged 35.232s and sending notification
11:46:08 [4] : deleting connection "l2tp-psk"[4] instance with peer {isakmp=#0/ipsec=#0}
```
My iptables look like this:

```
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5275 1220K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
 1099  150K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
   47 11359 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
65144  123M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
  742 55489 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  206 12236 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   13   820 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1110
  402 24148 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1112
  180 11408 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1980:2520
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3000
  824 44526 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  ens3   ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp+   ens3    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ppp+   ppp+    192.168.42.0/24      192.168.42.0/24
    0     0 ACCEPT     all  --  ens3   *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      ens3    192.168.43.0/24      0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 115 packets, 33283 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   14  1112 REJECT     all  --  *      *       132.232.227.102      0.0.0.0/0            reject-with icmp-port-unreachable
   16  1280 REJECT     all  --  *      *       49.231.234.73        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       130.61.121.49        0.0.0.0/0            reject-with icmp-port-unreachable
   16  1280 REJECT     all  --  *      *       93.29.187.145        0.0.0.0/0            reject-with icmp-port-unreachable
   22  1728 REJECT     all  --  *      *       88.17.180.204        0.0.0.0/0            reject-with icmp-port-unreachable
   18  1448 REJECT     all  --  *      *       219.92.16.81         0.0.0.0/0            reject-with icmp-port-unreachable
   23  1792 REJECT     all  --  *      *       151.80.234.13        0.0.0.0/0            reject-with icmp-port-unreachable
   22  1728 REJECT     all  --  *      *       68.183.85.75         0.0.0.0/0            reject-with icmp-port-unreachable
   17  1292 REJECT     all  --  *      *       119.224.53.230       0.0.0.0/0            reject-with icmp-port-unreachable
 4237 1141K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```
My ipsec.conf looks like this:
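A diagnostic added here (not part of the issue or of the setup script) that turns Paul's reading of the log into a repeatable check: it parses pluto lines of the shape quoted above and flags IPsec SAs that the peer deleted shortly after establishment with `in=0B out=0B`, i.e. tunnels that came up cleanly but never carried a single L2TP packet. The sample input is a subset of the log above; the function and key names are this example's own.

```python
import re

# Sample input: a subset of the pluto lines quoted in the issue above.
SAMPLE_LOG = """\
10:06:48 [2] #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xc912b7dd <0x9a23fe0f xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=192.168.1.103 NATD=:11504 DPD=active}
10:07:02 [2] #1: received Delete SA(0xc912b7dd) payload: deleting IPsec State #2
10:07:02 [2] #2: deleting other state #2 (STATE_QUICK_R2) aged 14.377s and sending notification
10:07:02 [2] #2: ESP traffic information: in=0B out=0B
11:45:33 [4] #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x3c40f19c <0x8582866e xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.109 NATD=:9232 DPD=unsupported}
11:46:08 [4] #3: received Delete SA(0x3c40f19c) payload: deleting IPsec State #4
11:46:08 [4] #4: deleting other state #4 (STATE_QUICK_R2) aged 35.041s and sending notification
11:46:08 [4] #4: ESP traffic information: in=0B out=0B
"""

# One pattern per pluto message of interest (IPsec state number, SPI, age, byte counters).
ESTABLISHED = re.compile(r"#(\d+): STATE_QUICK_R2: IPsec SA established .*NATOA=([\d.]+)")
PEER_DELETE = re.compile(r"received Delete SA\((0x[0-9a-f]+)\) payload: deleting IPsec State #(\d+)")
AGED = re.compile(r"#(\d+): deleting other state #\d+ \(STATE_QUICK_R2\) aged ([\d.]+)s")
TRAFFIC = re.compile(r"#(\d+): ESP traffic information: in=(\d+)B out=(\d+)B")


def parse_ipsec_states(log_text):
    """Collect, per IPsec state number, what pluto reported about that SA."""
    states = {}
    for line in log_text.splitlines():
        if m := ESTABLISHED.search(line):
            states.setdefault(int(m[1]), {})["client"] = m[2]           # NAT-OA = client address
        elif m := PEER_DELETE.search(line):
            states.setdefault(int(m[2]), {})["deleted_by_peer"] = m[1]  # outbound SPI the peer named
        elif m := AGED.search(line):
            states.setdefault(int(m[1]), {})["aged"] = float(m[2])      # SA lifetime in seconds
        elif m := TRAFFIC.search(line):
            st = states.setdefault(int(m[1]), {})
            st["in"], st["out"] = int(m[2]), int(m[3])
    return states


def find_stillborn_sas(log_text, max_age=60.0):
    """(state, client, spi, age) for SAs the *peer* deleted within max_age seconds while
    ESP carried 0 bytes each way: IKE and ESP worked, but no L2TP ever crossed the tunnel,
    which points at the L2TP layer (UDP 1701 handling) rather than at IPsec."""
    return sorted(
        (num, st.get("client"), st["deleted_by_peer"], st["aged"])
        for num, st in parse_ipsec_states(log_text).items()
        if "deleted_by_peer" in st
        and st.get("aged", max_age) < max_age
        and st.get("in") == 0 and st.get("out") == 0
    )
```

Run it over the full `grep pluto /var/log/auth.log` output; both clients in the log above are reported, which is the signature Paul describes (IPsec torn down because the L2TP negotiation inside it went nowhere).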