Closed gruntemannen closed 2 years ago
I believe this is a bug in libreswan 4.6. We are about to release 4.7, but if you don’t want to wait please try downgrading to 4.5
Sent using a virtual keyboard on a phone
On Mar 17, 2022, at 08:03, gruntemannen @.***> wrote:
Running ubuntu 20.04 server with standard setup, added ikev2 to enable multiple clients behind same NAT to work. All good until recent update of ubuntu. After standard apt upgrade yesterday (03.16.2022) one client can connect, and when the second client from behind the same NAT connects, the first loses connection. The following can be found in the pluto log when that happens:
Mar 17 10:05:03 vpn pluto[1908]: "ikev2-cp"[1] x.x.x.x #9: established Child SA using #8; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x23bb7c90 <0x39bc5ddf xfrm=AES_GCM_16_128-NONE NATD=x.x.x.x:64916 DPD=active}
Mar 17 10:05:12 vpn pluto[1908]: "ikev2-cp"[1] x.x.x.x #9: ESP traffic information: in=870KB out=261KB
Mar 17 10:05:12 vpn pluto[1908]: "ikev2-cp"[1] x.x.x.x: kernel: xfrm XFRM_MSG_DELPOLICY for flow %discard(discard)(in) encountered unexpected policy
Mar 17 10:05:12 vpn pluto[1908]: ERROR: "ikev2-cp"[1] x.x.x.x #9: kernel: xfrm XFRM_MSG_DELPOLICYdelete(UNUSED) response for flow (in): No such file or directory (errno 2)
Mar 17 10:05:12 vpn pluto[1908]: "ikev2-cp"[1] x.x.x.x #9: raw_policy in teardown_half_ipsec_sa() failed to delete inbound
Mar 17 10:05:12 vpn pluto[1908]: "ikev2-cp"[1] x.x.x.x #8: established IKE SA
Mar 17 10:05:12 vpn pluto[1908]: "ikev2-cp"[1] x.x.x.x #8: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 9.53186s and NOT sending notification
VPN server running on ARM64 Oracle IaaS.
Any ideas?
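Added example (not from the issue thread or from libreswan): a small detector that scans pluto log lines of the shape quoted above and flags an IKE SA that is torn down with "NOT sending notification" only seconds after it established a Child SA, which is the pattern a displaced client leaves behind. The sample log is constructed from the quoted entries plus one long-lived teardown from a hypothetical second peer y.y.y.y, so the threshold can be seen to separate the two.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the pluto entries quoted in the issue;
# the y.y.y.y peer (#10/#11, aged 3600s) is an added normal teardown.
SAMPLE_LOG = """\
Mar 17 10:05:03 vpn pluto[1908]: "ikev2-cp"[1] x.x.x.x #9: established Child SA using #8; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x23bb7c90 <0x39bc5ddf xfrm=AES_GCM_16_128-NONE NATD=x.x.x.x:64916 DPD=active}
Mar 17 10:05:12 vpn pluto[1908]: "ikev2-cp"[1] x.x.x.x #9: ESP traffic information: in=870KB out=261KB
Mar 17 10:05:12 vpn pluto[1908]: "ikev2-cp"[1] x.x.x.x: kernel: xfrm XFRM_MSG_DELPOLICY for flow %discard(discard)(in) encountered unexpected policy
Mar 17 10:05:12 vpn pluto[1908]: "ikev2-cp"[1] x.x.x.x #8: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 9.53186s and NOT sending notification
Mar 17 11:05:00 vpn pluto[1908]: "ikev2-cp"[2] y.y.y.y #11: established Child SA using #10; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.11-192.168.43.11:0-65535 0] {ESPinUDP=>0x11111111 <0x22222222 xfrm=AES_GCM_16_128-NONE NATD=y.y.y.y:4500 DPD=active}
Mar 17 12:05:00 vpn pluto[1908]: "ikev2-cp"[2] y.y.y.y #10: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 3600.1s and NOT sending notification
"""

# Generic pluto line: timestamp, host, pluto[pid], optional ERROR:, "conn"[n] peer [#sa]: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?:ERROR: )?'
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+?)(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
CHILD_RE = re.compile(r'established Child SA using #(?P<ike>\d+);')
DEL_RE = re.compile(r'deleting state \(STATE_V2_ESTABLISHED_IKE_SA\) '
                    r'aged (?P<aged>[\d.]+)s and NOT sending notification')

Teardown = namedtuple('Teardown', 'conn peer ike_sa child_sa aged_s')


def find_short_lived_teardowns(log_text, max_age_s=60.0):
    """Return IKE SAs silently deleted within max_age_s of carrying a Child SA."""
    children = {}  # (conn, ike_sa) -> child_sa number it established
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, peer, sa, msg = m['conn'], m['peer'], m['sa'], m['msg']
        c = CHILD_RE.search(msg)
        if c and sa:
            children[(conn, c['ike'])] = sa  # remember which IKE SA owns this child
            continue
        d = DEL_RE.search(msg)
        if d and sa:
            child = children.pop((conn, sa), None)
            aged = float(d['aged'])
            if child is not None and aged <= max_age_s:
                hits.append(Teardown(conn, peer, sa, child, aged))
    return hits


if __name__ == '__main__':
    for t in find_short_lived_teardowns(SAMPLE_LOG):
        print(f'{t.conn} {t.peer}: IKE SA #{t.ike_sa} (Child #{t.child_sa}) '
              f'torn down after {t.aged_s}s without notification')
```

Run over the real pluto log, a burst of such hits for one connection name is the signal that clients sharing credentials are replacing one another rather than failing for network reasons.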
Understood. Instructions on how to downgrade without breaking the current setup would be much appreciated?
Depends on the Linux OS? On rpm-based systems you might be able to do “sudo yum downgrade libreswan”
Sent using a virtual keyboard on a phone
On Mar 17, 2022, at 11:40, gruntemannen @.***> wrote:
Understood. Instructions on how to downgrade without breaking the current setup would be much appreciated?
Minimal Ubuntu 20.04 (ARM) only running this VPN. Checking the package libreswan tells me:
libreswan:
  Installed: (none)
  Candidate: 3.29-2build1
  Version table:
     3.29-2build1 500
Please advise?
On Thu, 17 Mar 2022, gruntemannen wrote:
Minimal Ubuntu 20.04 (ARM) only running this VPN. Checking the package libreswan tells me:
apt policy libreswan
libreswan:
  Installed: (none)
  Candidate: 3.29-2build1
  Version table:
     3.29-2build1 500
Please advise?
That is super old. I have no advice. You can try compiling it yourself?
wget download.libreswan.org/libreswan-4.5.tar.gz
tar zxvf libreswan-4.5.tar.gz
cd libreswan-4.5
make deb
dpkg -i ../libreswan-4.5.deb (not sure of exact filename produced)
@gruntemannen To downgrade to 4.5, run:
wget https://git.io/vpnupgrade -qO vpnup.sh
# Edit vpnup.sh and replace SWAN_VER= with SWAN_VER=4.5
# After that, run:
sudo sh vpnup.sh
The downgrade to 4.5 worked, but the problem still remains. Using IKEv2, once the second client connects using the same certificate, the first one is kicked out.
Actually, the problem is described here: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#unable-to-connect-multiple-ikev2-clients
Closing the issue but hoping that in the future the same client creds could be supported for multiple connections.
Hello. How long until the release?