libreswan / libreswan

libreswan
https://libreswan.org/

left=%defaultroute not working when "ip route list" has "src" in the default route #177

Closed hwdsl2 closed 6 years ago

hwdsl2 commented 6 years ago

(Please see my latest comment below)

In Ubuntu 18.04 under Linux kernel 4.15, if the VPN server is behind NAT e.g. Amazon EC2 Virtual Machine, specifying left=%defaultroute in /etc/ipsec.conf does not work and results in an error:

May  5 21:57:33 myhost pluto[XXX]: connection l2tp-psk must specify host IP address for our side
May  5 21:57:33 myhost pluto[XXX]: Failed to load connection "l2tp-psk": attempt to load incomplete connection
May  5 21:57:33 myhost pluto[XXX]: connection xauth-psk must specify host IP address for our side
May  5 21:57:33 myhost pluto[XXX]: Failed to load connection "xauth-psk": attempt to load incomplete connection

Libreswan version: 3.23

/etc/ipsec.conf:

version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  protostack=netkey
  interfaces=%defaultroute
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=VPN_SERVER_PUBLIC_IP
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
  phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
  sha2-truncbug=yes

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.43.10-192.168.43.250
  modecfgdns="8.8.8.8, 8.8.4.4"
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  ike-frag=yes
  ikev2=never
  cisco-unity=yes
  also=shared

This looks like a bug in Libreswan when trying to obtain the default route local IP under Linux kernel 4.15. Can you please look into it? Thank you.

letoams commented 6 years ago

Can you post the output of ip route list and ip addr show ?


hwdsl2 commented 6 years ago

# ip route list
default via 172.31.0.1 dev eth0 proto dhcp src 172.31.1.225 metric 100 
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.1.225 
172.31.0.1 dev eth0 proto dhcp scope link src 172.31.1.225 metric 100

# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 06:6a:48:5a:b1:12 brd ff:ff:ff:ff:ff:ff
    inet 172.31.1.225/20 brd 172.31.15.255 scope global dynamic eth0
       valid_lft 3569sec preferred_lft 3569sec
    inet6 fe80::46a:48ff:fe5a:b112/64 scope link 
       valid_lft forever preferred_lft forever
3: ip_vti0@NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0

By the way, in addition to Linux kernel 4.15, this issue also occurs on a Raspberry Pi 3 with kernel 4.9 and Raspbian 9 (Stretch).

hwdsl2 commented 6 years ago

@letoams I did some further investigation and found the root cause of this issue. On a Ubuntu 18.04 (Bionic) VM in Amazon EC2:

$ ip route list
default via 172.31.0.1 dev eth0 proto dhcp src 172.31.11.2 metric 100 
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.11.2 
172.31.0.1 dev eth0 proto dhcp scope link src 172.31.11.2 metric 100

Specifying left=%defaultroute in /etc/ipsec.conf, as discussed earlier in this issue, does not work and results in an error:

May  5 21:57:33 myhost pluto[XXX]: connection l2tp-psk must specify host IP address for our side
May  5 21:57:33 myhost pluto[XXX]: Failed to load connection "l2tp-psk": attempt to load incomplete connection
May  5 21:57:33 myhost pluto[XXX]: connection xauth-psk must specify host IP address for our side
May  5 21:57:33 myhost pluto[XXX]: Failed to load connection "xauth-psk": attempt to load incomplete connection

Now if I replace the default route by removing the src 172.31.11.2 part:

$ ip route replace default via 172.31.0.1 dev eth0 proto dhcp metric 100

After that, ip route list says:

$ ip route list
default via 172.31.0.1 dev eth0 proto dhcp metric 100 
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.11.2 
172.31.0.1 dev eth0 proto dhcp scope link src 172.31.11.2 metric 100

Finally I restarted the ipsec service and now the connections get added successfully:

May 18 04:17:58 myhost pluto[XXX]: added connection description "l2tp-psk"
May 18 04:17:58 myhost pluto[XXX]: added connection description "xauth-psk"

I believe this could be a bug in Libreswan where left=%defaultroute does not work if there is a src ... part in the default route? Can you please look into it?

In addition to Ubuntu 18.04 on Amazon EC2 (Linux kernel 4.15.0-1007-aws), this issue has also been observed on a Raspberry Pi 3 with kernel 4.9.x running Raspbian 9 Stretch. Both the EC2 VM and the RPi are behind NAT.
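The root cause worked out above, a default route that carries a src hint, is exactly the kind of input a route parser has to tolerate. The POSIX shell script below is an added example and not libreswan's code; it does not claim to reproduce how pluto or addconn actually resolve %defaultroute. It shows one robust way to pick the local address for the default route: scan the "default" line as key/value tokens instead of fixed field positions, take its src when present, and otherwise fall back to the src of the kernel-installed connected route on the same device. The two route tables are constructed from the output quoted in this thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not libreswan code): resolve the local address that a
# left=%defaultroute style lookup needs, from text in "ip route list" format.
# Tokens are read as key/value pairs, so the optional "src" on the default
# route does not shift where "via" and "dev" are found.

# Constructed sample tables, modelled on the EC2 host in this thread:
# the first is the form that failed, the second the form after
# "ip route replace ..." dropped the src hint.
ROUTES_WITH_SRC='default via 172.31.0.1 dev eth0 proto dhcp src 172.31.11.2 metric 100
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.11.2
172.31.0.1 dev eth0 proto dhcp scope link src 172.31.11.2 metric 100'

ROUTES_WITHOUT_SRC='default via 172.31.0.1 dev eth0 proto dhcp metric 100
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.11.2
172.31.0.1 dev eth0 proto dhcp scope link src 172.31.11.2 metric 100'

# default_route_field ROUTES KEY
# Prints the value that follows KEY on the "default" line, or nothing
# if there is no default route or the key is absent.
default_route_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == "default" {
            for (i = 2; i < NF; i++) if ($i == key) { print $(i+1); exit }
        }'
}

# default_route_src ROUTES
# Local address for the default route: use its own "src" hint when present,
# otherwise fall back to the "src" of the kernel connected route on the
# same device, which is the address the kernel would select anyway.
default_route_src() {
    routes=$1
    src=$(default_route_field "$routes" src)
    if [ -n "$src" ]; then
        printf '%s\n' "$src"
        return 0
    fi
    dev=$(default_route_field "$routes" dev)
    [ -n "$dev" ] || return 1
    printf '%s\n' "$routes" | awk -v dev="$dev" '
        $1 != "default" && / proto kernel / {
            for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) == dev) {
                for (j = 2; j < NF; j++) if ($j == "src") { print $(j+1); exit }
            }
        }'
}

# Live use on a host (assumed invocation): default_route_src "$(ip -4 route list)"
```

Both tables resolve to 172.31.11.2 with this parser, whereas a parser that assumes fixed token positions (gateway in field 3, device in field 5, nothing after the metric) handles only the second. Note that the address found is the private 172.31.x one: on a NATed server such as the EC2 VM in this thread the public address still has to be supplied separately, as the posted ipsec.conf does with leftid.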