[Openswan Users]
Transport mode - something changed from 2.4.4 to 2.4.5rc7?
Brian Candler
B.Candler at pobox.com
Thu Apr 6 16:23:26 CEST 2006
Hello,
Earlier today I started debugging a problem with 2.4.4 and L2TP over IPSEC
transport mode (the connection came up OK but after a while the SA stopped
working).
But then I thought I'd upgrade openswan to 2.4.5rc7 just to be up to the
current version; and now I'm hitting an inability to deliver packets at all
once the SA is established. The far end rejects each one with
"IPSEC(epa_des_crypt): decrypted packet failed SA identity check"
Background: I'm running the client Openswan side under OpenWRT (WhiteRussian
RC5, 2.4.30 kernel). Since the flash is limited, this makes it awkward for
me to swap back and forth between versions, but I can do so if necessary.
l2tpd is the L2TP transport; Openswan provides the IPSEC layer. I'm
originating the l2tp tunnels from this side, and they're being terminated on
a Cisco 7204, IOS 12.4(7), listening on public IP address Y.Y.Y.Y. There's a
NAT router in between, so I'm relying on NAT-T as well. The OpenSwan device
is on a private IP address, 10.71.32.1, and the NAT firewall outside is
X.X.X.X
In summary:
          +-----------------------------------+
          |                                   |
  X.X.X.X |                                   | Y.Y.Y.Y
    NAT FW                                  Cisco
    (PIX)                                   7204
      ^
      |
      | 10.71.32.1
    openwrt,
    openswan,
    l2tpd
The openswan 2.4.4 package I was using before was the one which came with
OpenWRT RC5. The 2.4.5rc7 is one I built myself under the OpenWRT buildroot
environment.
The Cisco happily accepts L2TP/IPSEC connections from Win2K and XP clients
behind NAT.
Anyway, at the Openswan/Openwrt side, I have in /etc/ipsec.conf:
version 2.0

config setup
        nat_traversal=yes

conn L2TP
        authby=secret
        ike=3des-sha
        esp=3des-sha1
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701
        right=Y.Y.Y.Y
        rightprotoport=17/1701
        type=transport
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
As mentioned, this was working (kind of) before. Now what happens is:
* The SA seems to come up properly
root at OpenWrt:~# ipsec auto --verbose --up L2TP
002 "L2TP" #1: initiating Main Mode
104 "L2TP" #1: STATE_MAIN_I1: initiate
003 "L2TP" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
002 "L2TP" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "L2TP" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "L2TP" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "L2TP" #1: received Vendor ID payload [Cisco-Unity]
003 "L2TP" #1: received Vendor ID payload [Dead Peer Detection]
003 "L2TP" #1: ignoring unknown Vendor ID payload [4e63b15f82f085acd2ffbe3a4bd33689]
003 "L2TP" #1: received Vendor ID payload [XAUTH]
002 "L2TP" #1: I did not send a certificate because I do not have one.
003 "L2TP" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "L2TP" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "L2TP" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "L2TP" #1: Main mode peer ID is ID_IPV4_ADDR: 'Y.Y.Y.Y'
002 "L2TP" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "L2TP" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
002 "L2TP" #2: initiating Quick Mode PSK+ENCRYPT+UP {using isakmp#1}
117 "L2TP" #2: STATE_QUICK_I1: initiate
003 "L2TP" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
002 "L2TP" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "L2TP" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x1a6ea42b <0x29281815 xfrm=3DES_0-HMAC_SHA1 NATD=Y.Y.Y.Y:4500 DPD=none}
* However, whenever the L2TP packets are sent, encapsulated in UDP 4500,
they are discarded by the Cisco. The Cisco logs the following message:
Apr 6 14:40:53 devlns1-1 48752: Apr 6 13:40:52.122: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Apr 6 14:40:54 devlns1-1 48753: Apr 6 13:40:53.130: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Apr 6 14:40:55 devlns1-1 48754: Apr 6 13:40:54.130: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Apr 6 14:40:56 devlns1-1 48755: Apr 6 13:40:55.138: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
... etc
When I've seen this message in the past, it's been to do with the proto/port
not matching the one in the SA. The SA itself seems to be OK though: during
the quick mode negotiation, the Cisco logs the following
Apr 6 14:20:37 devlns1-1 48624: Apr 6 13:20:37.203: IPSEC(initialize_sas): ,
Apr 6 14:20:37 devlns1-1 48625: (key eng. msg.) INBOUND local= Y.Y.Y.Y, remote= X.X.X.X,
Apr 6 14:20:37 devlns1-1 48626: local_proxy= Y.Y.Y.Y/0.0.0.0/17/1701 (type=1),
Apr 6 14:20:37 devlns1-1 48627: remote_proxy= X.X.X.X/0.0.0.0/17/1701 (type=1)
Apr 6 14:20:37 devlns1-1 48628: ,
Apr 6 14:20:37 devlns1-1 48629: protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP),
Apr 6 14:20:37 devlns1-1 48630: lifedur= 28800s and 0kb,
Apr 6 14:20:37 devlns1-1 48631: spi= 0x1A6EA42B(443458603), conn_id= 0, keysize= 0, flags= 0x800
Apr 6 14:20:37 devlns1-1 48632: Apr 6 13:20:37.203: IPSEC(initialize_sas): ,
Apr 6 14:20:37 devlns1-1 48633: (key eng. msg.) OUTBOUND local= Y.Y.Y.Y, remote= X.X.X.X,
Apr 6 14:20:37 devlns1-1 48634: local_proxy= Y.Y.Y.Y/0.0.0.0/17/1701 (type=1),
Apr 6 14:20:37 devlns1-1 48635: remote_proxy= X.X.X.X/0.0.0.0/17/1701 (type=1),
Apr 6 14:20:37 devlns1-1 48636: protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP),
Apr 6 14:20:37 devlns1-1 48637: lifedur= 28800s and 0kb,
Apr 6 14:20:37 devlns1-1 48638: spi= 0x29281815(690493461), conn_id= 0, keysize= 0, flags= 0x808
Apr 6 14:20:37 devlns1-1 48639: Apr 6 13:20:37.203: Crypto mapdb : proxy_match
Apr 6 14:20:37 devlns1-1 48640: src addr : Y.Y.Y.Y
Apr 6 14:20:37 devlns1-1 48641: dst addr : X.X.X.X
Apr 6 14:20:37 devlns1-1 48642: protocol : 17
Apr 6 14:20:37 devlns1-1 48643: src port : 1701
Apr 6 14:20:37 devlns1-1 48644: dst port : 1701
and dumping the SA looks OK too:
[Cisco side]
devlns1-1#sh crypto ipsec sa
interface: GigabitEthernet0/0.10
Crypto map tag: CRYP_MAP, local addr Y.Y.Y.Y
protected vrf: (none)
local ident (addr/mask/prot/port): (Y.Y.Y.Y/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.255/17/63247)
current_peer X.X.X.X port 63247
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 40
Translating: Inside Remote Port 63247 Outside Remote Port 1701
local crypto endpt.: Y.Y.Y.Y, remote crypto endpt.: X.X.X.X
path mtu 1600, ip mtu 1600
current outbound spi: 0x29281815(690493461)
inbound esp sas:
spi: 0x1A6EA42B(443458603)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2638, flow_id: SW:638, crypto map: CRYP_MAP
sa timing: remaining key lifetime (k/sec): (4454273/2490)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x29281815(690493461)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2842, flow_id: SW:842, crypto map: CRYP_MAP
sa timing: remaining key lifetime (k/sec): (4454279/2490)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
[Openswan side]
root at OpenWrt:~# cat /proc/net/ipsec_spi
esp0x29281815 at 10.71.32.1 ESP_3DES_HMAC_SHA1: dir=in src=Y.Y.Y.Y iv_bits=64bits iv=0xb09daae917b0ffc0 ooowin=64 alen=160 aklen=160 eklen=192 life(c,s,h)=addtime(1169,0,0) natencap=nonesp natsport=4500 natdport=4500 refcount=3 ref=23
esp0x1a6ea42b at Y.Y.Y.Y ESP_3DES_HMAC_SHA1: dir=out src=10.71.32.1 iv_bits=64bits iv=0x1f6a7d22379286dd ooowin=64 seq=40 alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(5280,0,0)addtime(1169,0,0)usetime(1117,0,0)packets(40,0,0) idle=178 natencap=nonesp natsport=4500 natdport=4500 refcount=43 ref=24
root at OpenWrt:~# cat /proc/net/ipsec_eroute
40 10.71.32.1/32:1701 -> Y.Y.Y.Y/32:1701 => esp0x1a6ea42b at Y.Y.Y.Y:17
When I start sending L2TP packets, tcpdump on a hub upstream of the openswan
box shows:
14:40:37.016133 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 29) 10.71.32.1.4500 > Y.Y.Y.Y.4500: isakmp-nat-keep-alive
14:40:51.868535 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 168) 10.71.32.1.4500 > Y.Y.Y.Y.4500: UDP-encap: ESP(spi=0x1a6ea42b,seq=0x29), length 140
14:40:52.877198 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 168) 10.71.32.1.4500 > Y.Y.Y.Y.4500: UDP-encap: ESP(spi=0x1a6ea42b,seq=0x2a), length 140
14:40:53.877765 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 168) 10.71.32.1.4500 > Y.Y.Y.Y.4500: UDP-encap: ESP(spi=0x1a6ea42b,seq=0x2b), length 140
14:40:54.887194 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 168) 10.71.32.1.4500 > Y.Y.Y.Y.4500: UDP-encap: ESP(spi=0x1a6ea42b,seq=0x2c), length 140
So, the SPI is fine, but the protected packets are being rejected. This
implies, I think, that the enclosed src or dst port is wrong.
* Not sure if this is related, but when I first did "S60ipsec start" after
upgrading to 2.4.5rc7 I got:
Jan 1 00:01:05 (none) daemon.err ipsec__plutorun: ipsec_auto: fatal error in "L2TP": (/etc/ipsec.conf, line 12) unknown parameter name "leftprotoport"
This is very weird; there's nothing wrong with that declaration. So I
juggled the lines in /etc/ipsec.conf around, and it went away. I then
juggled them back again, and it stayed away :-( Ooerr. Maybe something odd
is going on with my shell or with awk.
* I tried changing to
leftprotoport=17/0
and restarting the SAs, but this doesn't make a difference; the decrypted
packets are still rejected with the same error (although the Cisco correctly
shows 17/0 instead of 17/1701)
Anybody got any ideas what's going on here?
I notice there have been a number of NAT-T related changes since 2.4.4 in
the source, in particular for NAT-T with transport mode (e.g. new compiler
defines such as I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT).
However I see that Makefile.inc has
USE_NAT_TRAVERSAL?=true
USE_NAT_TRAVERSAL_TRANSPORT_MODE?=true
and I think these should set those defines.
Any clue gratefully received...
Thanks,
Brian Candler.
P.S. Some relevant bits of config on the Cisco 7204, although I'm pretty
sure this is OK since it works with the Microsoft clients, and it worked
with Openswan 2.4.4 and the same l2tpd.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address Y.Y.Y.Y M.M.M.M
 ip access-group 100 in
 ip access-group 101 out
 no snmp trap link-status
 no cdp enable
 crypto map CRYP_MAP

crypto map CRYP_MAP 6000 ipsec-isakmp dynamic DYN_MAP

crypto dynamic-map DYN_MAP 10
 set nat demux
 set transform-set TS1 TS2
 match address 102

crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set TS2 esp-3des esp-md5-hmac
 mode transport

access-list 102 permit udp host Y.Y.Y.Y eq 1701 any
access-list 102 permit udp any host Y.Y.Y.Y eq 1701
Note that 'set nat demux' is a bit of recent Cisco magic; it allows for
multiple clients behind the same NAT router, who will both be requesting
local port 1701 and remote port 1701.
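The checks this message turns on, written out as an added Python example (not code from the post, from Openswan or from IOS): how a receiver sorts what arrives on UDP/4500 per RFC 3948 (keepalive, IKE behind the non-ESP marker, or ESP identified by SPI), the responder-side proxy identity check that compares the decrypted transport header against the SA's negotiated proto/port selector, and the RFC 3948 transport-mode rule that the inner UDP checksum must be recomputed over the post-NAT addresses. The SPI 0x1a6ea42b and the 17/1701 and 17/0 selectors are taken from the post; the addresses 203.0.113.5 and 198.51.100.1 stand in for the redacted X.X.X.X and Y.Y.Y.Y, and the ESP "ciphertext" and L2TP payload bytes are constructed filler. It illustrates what each check does and how each one fails; it does not claim to diagnose the problem above.

```python
import ipaddress
import struct
from dataclasses import dataclass

# RFC 3948 section 2: the three things that share the UDP/4500 socket.
NAT_KEEPALIVE = b"\xff"                # one-byte NAT keepalive (section 2.3)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes prefix IKE (section 2.2)
PROTO_UDP = 17


@dataclass(frozen=True)
class Selector:
    """Quick Mode traffic selector (Openswan leftprotoport/rightprotoport).
    A port of 0 means 'any port', as in the 17/0 notation."""
    proto: int
    src_port: int
    dst_port: int


def classify_udp4500(payload):
    """Return (kind, spi, seq) for one UDP/4500 payload.
    kind is 'keepalive', 'ike', 'esp' or 'malformed'. ESP is recognised by a
    non-zero SPI in the first four bytes; IKE carries the zero marker there."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None, None)
    if len(payload) < 8:
        return ("malformed", None, None)
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", None, None)
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp", spi, seq)


def sa_identity_ok(next_header, inner, sel):
    """Proxy identity check for a transport-mode SA on the decrypting side:
    the protocol from the ESP trailer's Next Header field and the ports from
    the inner UDP header must fall inside the selector negotiated for the SA."""
    if next_header != sel.proto:
        return False
    if sel.proto != PROTO_UDP:
        return True            # only UDP ports are modelled here
    if len(inner) < 8:
        return False
    sport, dport = struct.unpack("!HH", inner[:4])
    return sel.src_port in (0, sport) and sel.dst_port in (0, dport)


def _csum16(data):
    """One's-complement sum of 16-bit big-endian words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip, dst_ip, udp_len):
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, PROTO_UDP, udp_len))


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Construct a UDP segment whose checksum is valid for the given endpoints."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = 0xFFFF ^ _csum16(_pseudo_header(src_ip, dst_ip, length) + hdr + payload)
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload


def udp_checksum_ok(src_ip, dst_ip, segment):
    """Verify the UDP checksum against the addresses the receiver actually sees."""
    if segment[6:8] == b"\x00\x00":
        return True            # IPv4 allows a disabled UDP checksum
    return _csum16(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def nat_t_transport_fixup(segment, outer_src_ip, outer_dst_ip):
    """RFC 3948 section 3.1.2: in transport mode the inner UDP checksum was
    computed over the pre-NAT addresses, so the decapsulating peer recomputes
    it (or zeroes it) using the outer addresses of the packet it received."""
    sport, dport = struct.unpack("!HH", segment[:4])
    return build_udp(outer_src_ip, outer_dst_ip, sport, dport, segment[8:])


# Constructed sample traffic. The SPI is the outbound one from the post; the
# addresses stand in for the redacted 10.71.32.1 -> X.X.X.X (NAT) -> Y.Y.Y.Y
# path; the ESP body and the L2TP payload are filler, not real ciphertext.
SPI_OUT = 0x1A6EA42B
INNER_SRC, NAT_SRC, CISCO = "10.71.32.1", "203.0.113.5", "198.51.100.1"
SAMPLE_ESP = struct.pack("!II", SPI_OUT, 0x29) + bytes(range(132))   # 140 bytes, as in the tcpdump
SAMPLE_IKE = NON_ESP_MARKER + bytes(28)
L2TP_SEL = Selector(PROTO_UDP, 1701, 1701)      # leftprotoport=17/1701
ANYPORT_SEL = Selector(PROTO_UDP, 0, 1701)      # leftprotoport=17/0
INNER_L2TP = build_udp(INNER_SRC, CISCO, 1701, 1701, b"\xc8\x02" + bytes(18))
```

Run stand-alone, the sample ESP payload classifies as ESP with the post's SPI, the inner 1701->1701 segment passes the 17/1701 selector while a different source port only passes 17/0, and the inner checksum that verified against 10.71.32.1 fails once the receiver substitutes the NAT's address until nat_t_transport_fixup() has been applied.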