hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

multiple users behind same NAT #987

Closed lldev0 closed 3 years ago

lldev0 commented 3 years ago

Describe the issue Hello, I think I am experiencing the same issue as was described here https://github.com/hwdsl2/setup-ipsec-vpn/issues/691. Only one Windows PC can connect at the same time; if I try to connect one Windows PC and one iPhone, they both work fine. The issue occurs only with two Windows PCs. As far as I know this issue with NAT should be fixed since libreswan 3.30, maybe I have some misconfiguration, could you help me? Thank you very much!

Logs

First windows PC connected successfully:
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[14] *SERVER_IP* #24: responding to Main Mode from unknown peer *SERVER_IP*:500
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[14] *SERVER_IP* #24: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[14] *SERVER_IP* #24: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[14] *SERVER_IP* #24: sent Main Mode R1
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[14] *SERVER_IP* #24: sent Main Mode R2
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[14] *SERVER_IP* #24: Peer ID is ID_IPV4_ADDR: '192.168.15.49'
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[14] *SERVER_IP* #24: switched from "l2tp-psk"[14] *SERVER_IP* to "l2tp-psk"
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[14] *SERVER_IP*: deleting connection instance with peer *SERVER_IP* {isakmp=#0/ipsec=#0}
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #24: Peer ID is ID_IPV4_ADDR: '192.168.15.49'
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #24: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #24: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #24: the peer proposed: *HOME_WAN_IP*/32:1701 -UDP-> 192.168.15.49/32:1701
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #24: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #25: responding to Quick Mode proposal {msgid:00000001}
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #25:     us: *HOME_WAN_IP*:17/1701  them: *SERVER_IP*[192.168.15.49]:17/1701
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #25: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0xebcaa2f4 <0xe911bfc9 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=192.168.15.49 NATD=*SERVER_IP*:4500 DPD=unsupported}
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #25: IPsec SA established transport mode {ESPinUDP=>0xebcaa2f4 <0xe911bfc9 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=192.168.15.49 NATD=*SERVER_IP*:4500 DPD=unsupported}

Second windows PC failed:
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #26: responding to Main Mode from unknown peer *SERVER_IP*:6
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #26: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #26: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #26: sent Main Mode R1
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #26: sent Main Mode R2
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #26: Peer ID is ID_IPV4_ADDR: '192.168.15.2'
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #26: switched from "l2tp-psk"[15] *SERVER_IP* to "l2tp-psk"
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #26: Peer ID is ID_IPV4_ADDR: '192.168.15.2'
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #26: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #26: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #26: the peer proposed: *HOME_WAN_IP*/32:1701 -UDP-> 192.168.15.2/32:1701
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #26: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #27: responding to Quick Mode proposal {msgid:00000001}
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #27:     us: *HOME_WAN_IP*:17/1701  them: *SERVER_IP*[192.168.15.2]:17/1701
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #27: cannot install eroute -- it is in use for "l2tp-psk"[15] *SERVER_IP* #25
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #27: state transition function for STATE_QUICK_R0 had internal error
Jul 16 16:39:13 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #26: received Delete SA payload: self-deleting ISAKMP State #26
Jul 16 16:39:13 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #26: deleting state (STATE_MAIN_R3) aged 57.104847s and sending notification
Jul 16 16:39:13 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #27: expire pending CHILD SA - the IKE SA #26 is going away
Jul 16 16:39:13 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #27: deleting state (STATE_QUICK_R0) aged 57.053224s and NOT sending notification
Jul 16 16:39:13 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #27: ERROR: netlink response for Del SA esp.da813960@*SERVER_IP* included errno 3: No such process
Jul 16 16:39:13 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP* #27: ERROR: netlink response for Del SA esp.a272e605@*HOME_WAN_IP* included errno 3: No such process
Jul 16 16:39:13 server pluto[12275]: "l2tp-psk"[16] *SERVER_IP*: deleting connection instance with peer *SERVER_IP* {isakmp=#0/ipsec=#0}
Jul 16 16:39:13 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #28: responding to Main Mode from unknown peer *SERVER_IP*:6
Jul 16 16:39:13 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #28: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Jul 16 16:39:13 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #28: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
Jul 16 16:39:13 server pluto[12275]: "l2tp-psk"[15] *SERVER_IP* #28: sent Main Mode R1


hwdsl2 commented 3 years ago

@lldev0 Hello! There is a known limitation for connecting multiple IPsec/L2TP clients from behind the same NAT, as mentioned in the README. For this use case, please instead use IKEv2 mode (recommended) or IPsec/XAuth ("Cisco IPsec") mode.

Due to Windows IPsec/L2TP native client implementation, multiple clients would all try to use the UDP 500 and 4500 source ports on your router. This causes a conflict and therefore it is not possible to connect multiple such clients from behind the same NAT.
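As an added example (not code from the issue or from the setup-ipsec-vpn project), a small Python checker that reads pluto log lines shaped like the ones quoted above and reports when a Quick Mode child SA failed with "cannot install eroute -- it is in use" because a second client with a different inner Peer ID arrived from the same outer (NAT) address. The function name, the sample lines and the RFC 5737 address 203.0.113.10 standing in for the redacted NAT address are all constructed for this example.

```python
import re

# Constructed sample, shaped like the pluto lines quoted in the issue: two Windows clients with
# inner IDs 192.168.15.49 and 192.168.15.2 arrive from the same outer NAT address (203.0.113.10).
SAMPLE_LOG = """\
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[14] 203.0.113.10 #24: Peer ID is ID_IPV4_ADDR: '192.168.15.49'
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[15] 203.0.113.10 #24: Peer ID is ID_IPV4_ADDR: '192.168.15.49'
Jul 16 16:38:01 server pluto[12275]: "l2tp-psk"[15] 203.0.113.10 #25: IPsec SA established transport mode {NATOA=192.168.15.49 NATD=203.0.113.10:4500}
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[15] 203.0.113.10 #26: Peer ID is ID_IPV4_ADDR: '192.168.15.2'
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[16] 203.0.113.10 #26: Peer ID is ID_IPV4_ADDR: '192.168.15.2'
Jul 16 16:38:15 server pluto[12275]: "l2tp-psk"[16] 203.0.113.10 #27: cannot install eroute -- it is in use for "l2tp-psk"[15] 203.0.113.10 #25
"""

# "conn"[instance] outer-address [#state]: message
LINE_RE = re.compile(r'"[^"]+"\[(?P<inst>\d+)\] (?P<outer>\S+)(?: #(?P<state>\d+))?: (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is ID_IPV4_ADDR: '(?P<pid>[^']+)'")
EROUTE_RE = re.compile(r'cannot install eroute -- it is in use for "[^"]+"\[(?P<inst>\d+)\] (?P<outer>\S+) #\d+')


def find_nat_collisions(log_text):
    """Return one finding per eroute failure where loser and holder share an outer (NAT) address."""
    # IKE state -> (instance, outer address, inner Peer ID). pluto logs the Peer ID again after it
    # switches to the final connection instance, so the last entry per IKE state is the one the
    # child SA (and therefore the eroute error) is reported under.
    ike_peer = {}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        inst, outer, msg = int(m["inst"]), m["outer"], m["msg"]
        pid = PEER_ID_RE.search(msg)
        if pid and m["state"]:
            ike_peer[int(m["state"])] = (inst, outer, pid["pid"])
            continue
        er = EROUTE_RE.search(msg)
        if not er or er["outer"] != outer:
            continue  # a clash between different outer addresses is not the same-NAT case
        by_inst = {i: p for i, _, p in ike_peer.values()}
        findings.append({
            "nat_address": outer,
            "failed_instance": inst, "failed_peer_id": by_inst.get(inst),
            "holding_instance": int(er["inst"]), "holding_peer_id": by_inst.get(int(er["inst"])),
            "clients_behind_nat": sorted({p for _, o, p in ike_peer.values() if o == outer}),
        })
    return findings
```

Running `find_nat_collisions(SAMPLE_LOG)` yields a single finding naming 192.168.15.2 as the client that lost the eroute to 192.168.15.49 behind 203.0.113.10; on a real server, feed it the output of `journalctl -u ipsec` or the pluto log file.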

letoams commented 3 years ago

On Fri, 16 Jul 2021, lldev0 wrote:

Describe the issue Hello, I think I am experiencing the same issue as was described here #691. Only one Windows PC can connect at the same time; if I try to connect one Windows PC and one iPhone, they both work fine. The issue occurs only with two Windows PCs. As far as I know this issue with NAT should be fixed since libreswan 3.30, maybe I have some misconfiguration, could you help me?

Please migrate your L2TP solution to an IKEv2 solution to resolve your issue.

Paul

lldev0 commented 3 years ago

Please migrate your L2TP solution to an IKEv2 solution to resolve your issue. Paul

That's a possible solution, but another issue is that with IKEv2 I can't assign static IP addresses to clients, only with L2TP.

Anyway, thanks to all for the help.

letoams commented 3 years ago

On Fri, 16 Jul 2021, lldev0 wrote:

Please migrate your L2TP solution to an IKEv2 solution to resolve your issue. Paul

That's a possible solution, but another issue is that with IKEv2 I can't assign static IP addresses to clients, only with L2TP.

I created https://github.com/libreswan/libreswan/issues/473 to track this feature request.