
Delete SA immediately after connecting with Windows and Ubuntu Client. #254

Closed
FunDeckHermit opened this issue Jul 3, 2019 · 1 comment


FunDeckHermit commented Jul 3, 2019

Hello,

I have an Ubuntu 18.04 server machine running Libreswan, installed using the Auto Setup provided by this GitHub repo.

Issue:
When connecting with both Windows and Ubuntu clients, the client sends a Delete SA immediately after connecting. The following log is of a Windows client and an Ubuntu client trying to connect.

grep pluto /var/log/auth.log

10:06:48 [1] #1: STATE_MAIN_R1: sent MR1, expecting MI2
10:06:48 [1] #1: STATE_MAIN_R2: sent MR2, expecting MI3
10:06:48 [1] #1: Peer ID is ID_IPV4_ADDR: '192.168.1.103'
10:06:48 [1] #1: switched from "l2tp-psk"[1] to "l2tp-psk"
10:06:48 [2] #1: deleting connection "l2tp-psk"[1] instance with peer {isakmp=#0/ipsec=#0}
10:06:48 [2] #1: Peer ID is ID_IPV4_ADDR: '192.168.1.103'
10:06:48 [2] #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}
10:06:48 [2] #1: the peer proposed: 136.112.211.233/32:17/1701 -> 192.168.1.103/32:17/0
10:06:48 [2] #1: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
10:06:48 [2] #2: responding to Quick Mode proposal {msgid:fb95c48d}
10:06:48 [2] #2: us: 136.112.211.233:17/1701
10:06:48 [2] #2: them: [192.168.1.103]:17/0
10:06:48 [2] #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0xc912b7dd <0x9a23fe0f xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=192.168.1.103 NATD=:11504 DPD=active}
10:06:48 [2] #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xc912b7dd <0x9a23fe0f xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=192.168.1.103 NATD=:11504 DPD=active}
10:07:02 [2] #1: received Delete SA(0xc912b7dd) payload: deleting IPsec State #2
10:07:02 [2] #2: deleting other state #2 (STATE_QUICK_R2) aged 14.377s and sending notification
10:07:02 [2] #2: ESP traffic information: in=0B out=0B
10:07:02 #1: deleting state (STATE_MAIN_R3) aged 14.538s and sending notification
10:07:02 [2] : deleting connection "l2tp-psk"[2] instance with peer {isakmp=#0/ipsec=#0}


11:45:33 [3] #3: responding to Main Mode from unknown peer on port 4228
11:45:33 [3] #3: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
11:45:33 [3] #3: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
11:45:33 [3] #3: STATE_MAIN_R1: sent MR1, expecting MI2
11:45:33 [3] #3: STATE_MAIN_R2: sent MR2, expecting MI3
11:45:33 [3] #3: Peer ID is ID_IPV4_ADDR: '192.168.1.109'
11:45:33 [3] #3: switched from "l2tp-psk"[3] to "l2tp-psk"
11:45:33 [4] #3: deleting connection "l2tp-psk"[3] instance with peer {isakmp=#0/ipsec=#0}
11:45:33 [4] #3: Peer ID is ID_IPV4_ADDR: '192.168.1.109'
11:45:33 [4] #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
11:45:33 [4] #3: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
11:45:33 [4] #3: the peer proposed: 136.112.211.233/32:17/1701 -> 192.168.1.109/32:17/0
11:45:33 [4] #3: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
11:45:33 [4] #4: responding to Quick Mode proposal {msgid:00000001}
11:45:33 [4] #4: us: 136.112.211.233:17/1701
11:45:33 [4] #4: them: [192.168.1.109]:17/1701
11:45:33 [4] #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x3c40f19c <0x8582866e xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.109 NATD=:9232 DPD=unsupported}
11:45:33 [4] #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x3c40f19c <0x8582866e xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.1.109 NATD=:9232 DPD=unsupported}
11:46:08 [4] #3: received Delete SA(0x3c40f19c) payload: deleting IPsec State #4
11:46:08 [4] #4: deleting other state #4 (STATE_QUICK_R2) aged 35.041s and sending notification
11:46:08 [4] #4: ESP traffic information: in=0B out=0B
11:46:08 #3: deleting state (STATE_MAIN_R3) aged 35.232s and sending notification
11:46:08 [4] : deleting connection "l2tp-psk"[4] instance with peer {isakmp=#0/ipsec=#0}

My iptables look like this:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5275 1220K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
 1099  150K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
   47 11359 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
65144  123M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
  742 55489 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  206 12236 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   13   820 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1110
  402 24148 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1112
  180 11408 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1980:2520
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3000
  824 44526 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  ens3   ppp+    0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ppp+   ens3    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  ppp+   ppp+    192.168.42.0/24      192.168.42.0/24     
    0     0 ACCEPT     all  --  ens3   *       0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      ens3    192.168.43.0/24      0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 115 packets, 33283 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   14  1112 REJECT     all  --  *      *       132.232.227.102      0.0.0.0/0            reject-with icmp-port-unreachable
   16  1280 REJECT     all  --  *      *       49.231.234.73        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       130.61.121.49        0.0.0.0/0            reject-with icmp-port-unreachable
   16  1280 REJECT     all  --  *      *       93.29.187.145        0.0.0.0/0            reject-with icmp-port-unreachable
   22  1728 REJECT     all  --  *      *       88.17.180.204        0.0.0.0/0            reject-with icmp-port-unreachable
   18  1448 REJECT     all  --  *      *       219.92.16.81         0.0.0.0/0            reject-with icmp-port-unreachable
   23  1792 REJECT     all  --  *      *       151.80.234.13        0.0.0.0/0            reject-with icmp-port-unreachable
   22  1728 REJECT     all  --  *      *       68.183.85.75         0.0.0.0/0            reject-with icmp-port-unreachable
   17  1292 REJECT     all  --  *      *       119.224.53.230       0.0.0.0/0            reject-with icmp-port-unreachable
 4237 1141K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0  

My ipsec.conf looks like this:

version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  protostack=netkey
  interfaces=%defaultroute
  uniqueids=no
  nat_traversal=yes

conn shared
  left=%defaultroute
  leftid=136.112.211.233
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ikev2=never
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  sha2-truncbug=yes

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.43.10-192.168.43.250
  modecfgdns="8.8.8.8 8.8.4.4"
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  ike-frag=yes
  cisco-unity=yes
  also=shared
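The pattern visible in the pluto log above is an IPsec SA that is established, torn down by a peer-sent Delete SA within seconds, and reports `in=0B out=0B` of ESP traffic. The following is an added example, not code from the issue or from the Libreswan project, that parses those pluto log lines and flags such short-lived, zero-traffic IPsec SAs; the sample input is a constructed subset of the Windows-client lines posted above, and the 60-second threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the pluto lines quoted in the issue (Windows client).
SAMPLE_LOG = """\
10:06:48 [2] #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}
10:06:48 [2] #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xc912b7dd <0x9a23fe0f xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=192.168.1.103 NATD=:11504 DPD=active}
10:07:02 [2] #1: received Delete SA(0xc912b7dd) payload: deleting IPsec State #2
10:07:02 [2] #2: deleting other state #2 (STATE_QUICK_R2) aged 14.377s and sending notification
10:07:02 [2] #2: ESP traffic information: in=0B out=0B
"""

# Regexes for the four pluto messages that describe the life of a Quick Mode (IPsec) state.
ESTABLISHED = re.compile(r"#(\d+): STATE_QUICK_R2: IPsec SA established")
DELETE_SA = re.compile(r"received Delete SA\((0x[0-9a-f]+)\) payload: deleting IPsec State #(\d+)")
AGED = re.compile(r"#(\d+): deleting other state #\d+ \(STATE_QUICK_R2\) aged ([\d.]+)s")
TRAFFIC = re.compile(r"#(\d+): ESP traffic information: in=(\d+)([KMG]?)B out=(\d+)([KMG]?)B")

_UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def analyze(log_text, max_age=60.0):
    """Group pluto lines by IPsec state number and flag states that were deleted by
    the peer after less than max_age seconds while carrying no ESP traffic at all."""
    states = defaultdict(dict)
    for line in log_text.splitlines():
        if m := ESTABLISHED.search(line):
            states[int(m.group(1))]["established"] = True
        elif m := DELETE_SA.search(line):
            states[int(m.group(2))].update(peer_deleted=True, spi=m.group(1))
        elif m := AGED.search(line):
            states[int(m.group(1))]["age_s"] = float(m.group(2))
        elif m := TRAFFIC.search(line):
            states[int(m.group(1))].update(
                bytes_in=int(m.group(2)) * _UNIT[m.group(3)],
                bytes_out=int(m.group(4)) * _UNIT[m.group(5)])
    for st in states.values():
        st["suspicious"] = (st.get("peer_deleted", False)
                            and st.get("bytes_in", 0) == 0 and st.get("bytes_out", 0) == 0
                            and st.get("age_s", float("inf")) < max_age)
    return dict(states)


if __name__ == "__main__":
    for num, st in sorted(analyze(SAMPLE_LOG).items()):
        if st["suspicious"]:
            print(f"state #{num} spi={st['spi']} deleted by peer after "
                  f"{st['age_s']}s with no ESP traffic")
```

Run it against `grep pluto /var/log/auth.log` output to list every IPsec SA that the peer dropped before any ESP packet passed, which separates this symptom from ordinary disconnects.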

letoams commented Jul 3, 2019 via email

@letoams letoams closed this as completed Feb 10, 2020