[Openswan Users] "cannot install eroute" occurs for Mac OSX users behind same NAT (v2.6.33)

Richard Schmidt huntingtonsurfca at gmail.com
Tue May 17 14:42:04 EDT 2011


Hey,

I think when the OSX workaround was applied (in .33 I believe), it broke functionality for multiple Mac OSX users behind NAT.

I've provided a transcript of the pluto log. Perhaps you can shed some light on how to fix this? I think SAref tracking was mentioned in an ancient email involving eroute, except I wouldn't know how to go about doing that for road-warriors on cellular data networks.

From what I can tell, when the subnet proposal is ignored, two Mac OSX users look like the same connection when attempting to connect from the same NAT. This causes the "eroute" error. I may be wrong, though.

Using OpenSwan v2.6.33 and xl2tpd v1.2.8

See below:

Apr 29 14:40:28 linux-desktop ipsec__plutorun: Starting Pluto subsystem...
Apr 29 14:40:28 linux-desktop pluto[1270]: Starting Pluto (Openswan Version 2.6.33; Vendor ID OEghI_w\134ALFy) pid:1270
Apr 29 14:40:28 linux-desktop pluto[1270]: LEAK_DETECTIVE support [disabled]
Apr 29 14:40:28 linux-desktop pluto[1270]: OCF support for IKE [disabled]
Apr 29 14:40:28 linux-desktop pluto[1270]: SAref support [disabled]: Protocol not available
Apr 29 14:40:28 linux-desktop pluto[1270]: SAbind support [disabled]: Protocol not available
Apr 29 14:40:28 linux-desktop pluto[1270]: NSS support [disabled]
Apr 29 14:40:28 linux-desktop pluto[1270]: HAVE_STATSD notification support not compiled in
Apr 29 14:40:28 linux-desktop pluto[1270]: Setting NAT-Traversal port-4500 floating to on
Apr 29 14:40:28 linux-desktop pluto[1270]:    port floating activation criteria nat_t=1/port_float=1
Apr 29 14:40:28 linux-desktop pluto[1270]:    NAT-Traversal support  [enabled]
Apr 29 14:40:28 linux-desktop pluto[1270]: using /dev/urandom as source of random entropy
Apr 29 14:40:28 linux-desktop pluto[1270]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 29 14:40:28 linux-desktop pluto[1270]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 29 14:40:28 linux-desktop pluto[1270]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 29 14:40:28 linux-desktop pluto[1270]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 29 14:40:28 linux-desktop pluto[1270]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 29 14:40:28 linux-desktop pluto[1270]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 29 14:40:28 linux-desktop pluto[1270]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 29 14:40:28 linux-desktop pluto[1270]: starting up 1 cryptographic helpers
Apr 29 14:40:28 linux-desktop pluto[1270]: started helper pid=1274 (fd:7)
Apr 29 14:40:28 linux-desktop pluto[1270]: Using Linux 2.6 IPsec interface code on 2.6.35-28-generic (experimental code)
Apr 29 14:40:28 linux-desktop pluto[1274]: using /dev/urandom as source of random entropy
Apr 29 14:40:30 linux-desktop pluto[1270]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Apr 29 14:40:30 linux-desktop pluto[1270]: ike_alg_add(): ERROR: Algorithm already exists
Apr 29 14:40:30 linux-desktop pluto[1270]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Apr 29 14:40:30 linux-desktop pluto[1270]: ike_alg_add(): ERROR: Algorithm already exists
Apr 29 14:40:30 linux-desktop pluto[1270]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Apr 29 14:40:30 linux-desktop pluto[1270]: ike_alg_add(): ERROR: Algorithm already exists
Apr 29 14:40:30 linux-desktop pluto[1270]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Apr 29 14:40:30 linux-desktop pluto[1270]: ike_alg_add(): ERROR: Algorithm already exists
Apr 29 14:40:30 linux-desktop pluto[1270]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Apr 29 14:40:30 linux-desktop pluto[1270]: ike_alg_add(): ERROR: Algorithm already exists
Apr 29 14:40:30 linux-desktop pluto[1270]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Apr 29 14:40:30 linux-desktop pluto[1270]: Changed path to directory '/etc/ipsec.d/cacerts'
Apr 29 14:40:30 linux-desktop pluto[1270]: Changed path to directory '/etc/ipsec.d/aacerts'
Apr 29 14:40:30 linux-desktop pluto[1270]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Apr 29 14:40:30 linux-desktop pluto[1270]: Changing to directory '/etc/ipsec.d/crls'
Apr 29 14:40:30 linux-desktop pluto[1270]:   Warning: empty directory
Apr 29 14:40:30 linux-desktop pluto[1270]: added connection description "L2TP-PSK-NAT"
Apr 29 14:40:30 linux-desktop pluto[1270]: added connection description "L2TP-PSK-noNAT"
Apr 29 14:40:30 linux-desktop pluto[1270]: added connection description "passthrough-for-non-l2tp"
Apr 29 14:40:30 linux-desktop pluto[1270]: listening for IKE messages
Apr 29 14:40:30 linux-desktop pluto[1270]: adding interface eth2/eth2 LEFT_PUBLIC_IP:500
Apr 29 14:40:30 linux-desktop pluto[1270]: adding interface eth2/eth2 LEFT_PUBLIC_IP:4500
Apr 29 14:40:30 linux-desktop pluto[1270]: adding interface lo/lo 127.0.0.1:500
Apr 29 14:40:30 linux-desktop pluto[1270]: adding interface lo/lo 127.0.0.1:4500
Apr 29 14:40:30 linux-desktop pluto[1270]: adding interface lo/lo ::1:500
Apr 29 14:40:30 linux-desktop pluto[1270]: loading secrets from "/etc/ipsec.secrets"
Apr 29 14:42:16 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:351: received Vendor ID payload [RFC 3947] method set to=109 
Apr 29 14:42:16 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:351: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 
Apr 29 14:42:16 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:351: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Apr 29 14:42:16 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:351: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Apr 29 14:42:16 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:351: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Apr 29 14:42:16 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:351: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Apr 29 14:42:16 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:351: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Apr 29 14:42:16 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:351: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Apr 29 14:42:16 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:351: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Apr 29 14:42:16 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:351: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Apr 29 14:42:16 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:351: received Vendor ID payload [Dead Peer Detection]
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[1] RIGHT_PUBLIC_IP #1: responding to Main Mode from unknown peer RIGHT_PUBLIC_IP
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[1] RIGHT_PUBLIC_IP #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[1] RIGHT_PUBLIC_IP #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[1] RIGHT_PUBLIC_IP #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[1] RIGHT_PUBLIC_IP #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[1] RIGHT_PUBLIC_IP #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[1] RIGHT_PUBLIC_IP #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[1] RIGHT_PUBLIC_IP #1: Main mode peer ID is ID_IPV4_ADDR: 'RIGHT_PRIVATE_IP_ALICE'
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[1] RIGHT_PUBLIC_IP #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #1: deleting connection "L2TP-PSK-NAT" instance with peer RIGHT_PUBLIC_IP {isakmp=#0/ipsec=#0}
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #1: new NAT mapping for #1, was RIGHT_PUBLIC_IP:351, now RIGHT_PUBLIC_IP:13670
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Apr 29 14:42:16 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #1: Dead Peer Detection (RFC 3706): enabled
Apr 29 14:42:17 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Apr 29 14:42:17 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #1: the peer proposed: LEFT_PUBLIC_IP/32:17/1701 -> RIGHT_PUBLIC_IP/32:17/1701
Apr 29 14:42:17 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #2: responding to Quick Mode proposal {msgid:106040be}
Apr 29 14:42:17 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #2:     us: LEFT_PUBLIC_IP<LEFT_PUBLIC_IP>[+S=C]:17/1701
Apr 29 14:42:17 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #2:   them: RIGHT_PUBLIC_IP[RIGHT_PRIVATE_IP_ALICE,+S=C]:17/1701
Apr 29 14:42:17 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 29 14:42:17 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 29 14:42:17 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #2: Dead Peer Detection (RFC 3706): enabled
Apr 29 14:42:17 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 29 14:42:17 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x067b7484 <0x87fb8293 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=RIGHT_PUBLIC_IP:13670 DPD=enabled}
Apr 29 14:42:33 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:353: received Vendor ID payload [RFC 3947] method set to=109 
Apr 29 14:42:33 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:353: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 
Apr 29 14:42:33 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:353: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Apr 29 14:42:33 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:353: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Apr 29 14:42:33 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:353: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Apr 29 14:42:33 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:353: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Apr 29 14:42:33 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:353: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Apr 29 14:42:33 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:353: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Apr 29 14:42:33 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:353: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Apr 29 14:42:33 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:353: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Apr 29 14:42:33 linux-desktop pluto[1270]: packet from RIGHT_PUBLIC_IP:353: received Vendor ID payload [Dead Peer Detection]
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #3: responding to Main Mode from unknown peer RIGHT_PUBLIC_IP
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #3: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #3: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #3: Main mode peer ID is ID_IPV4_ADDR: 'RIGHT_PRIVATE_IP_BOB'
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #3: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: new NAT mapping for #3, was RIGHT_PUBLIC_IP:353, now RIGHT_PUBLIC_IP:13696
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: Dead Peer Detection (RFC 3706): enabled
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Apr 29 14:42:33 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: received and ignored informational message
Apr 29 14:42:34 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Apr 29 14:42:34 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: the peer proposed: LEFT_PUBLIC_IP/32:17/1701 -> RIGHT_PUBLIC_IP/32:17/1701
Apr 29 14:42:34 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #4: responding to Quick Mode proposal {msgid:5f8abfa6}
Apr 29 14:42:34 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #4:     us: LEFT_PUBLIC_IP<LEFT_PUBLIC_IP>[+S=C]:17/1701
Apr 29 14:42:34 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #4:   them: RIGHT_PUBLIC_IP[RIGHT_PRIVATE_IP_BOB,+S=C]:17/1701
Apr 29 14:42:34 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #4: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[2] RIGHT_PUBLIC_IP #2
Apr 29 14:42:37 linux-desktop pluto[1270]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #4: discarding duplicate packet; already STATE_QUICK_R0
Apr 29 14:43:26 linux-desktop pluto[1270]: last message repeated 8 times
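The collision described in the post can be spotted mechanically from the pluto log: after the Mac OS X NAT-OA workaround drops the proposed subnet, both clients propose the identical transport-mode selector pair (LEFT_PUBLIC_IP:17/1701 -> RIGHT_PUBLIC_IP:17/1701), and the second Quick Mode exchange fails because that eroute is already owned by the first instance. The following parser is an added example, not code from the post or from Openswan; it reads pluto-style lines and correlates the Main Mode peer ID (the client's pre-NAT address), the "the peer proposed" selector and the "IPsec SA established" line per connection instance, then reports a collision when a different instance proposes a selector that is still installed. The sample lines are constructed here, modelled on the post's log with documentation-range addresses standing in for its LEFT_PUBLIC_IP / RIGHT_PUBLIC_IP / RIGHT_PRIVATE_IP placeholders.

```python
"""Detect transport-mode eroute collisions between IKE peers behind one NAT.

Added example; not Openswan code. Parses pluto-style log lines and reports
when a second client behind the same NAT public address proposes a Quick
Mode selector pair that an existing, still-installed IPsec SA already owns.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Common prefix of pluto's per-connection messages: "CONN"[INSTANCE] PEER #STATE:
_PFX = r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<st>\d+): '
PEER_ID_RE = re.compile(_PFX + r"Main mode peer ID is ID_IPV4_ADDR: '(?P<pid>[^']+)'")
PROPOSED_RE = re.compile(_PFX + r"the peer proposed: (?P<sel>\S+ -> \S+)")
ESTABLISHED_RE = re.compile(_PFX + r"STATE_QUICK_R2: IPsec SA established")
EROUTE_RE = re.compile(_PFX + r'cannot install eroute -- it is in use for '
                       r'"(?P<oconn>[^"]+)"\[(?P<oinst>\d+)\]')

# Constructed sample (assumption: 203.0.113.10 = VPN server, 198.51.100.7 = the
# shared NAT public address, 10.0.0.5 / 10.0.0.6 = the two Macs' private IPs).
SAMPLE_LOG = [
    'pluto[1270]: "L2TP-PSK-NAT"[1] 198.51.100.7 #1: Main mode peer ID is ID_IPV4_ADDR: \'10.0.0.5\'',
    'pluto[1270]: "L2TP-PSK-NAT"[2] 198.51.100.7 #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet',
    'pluto[1270]: "L2TP-PSK-NAT"[2] 198.51.100.7 #1: the peer proposed: 203.0.113.10/32:17/1701 -> 198.51.100.7/32:17/1701',
    'pluto[1270]: "L2TP-PSK-NAT"[2] 198.51.100.7 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x067b7484 <0x87fb8293}',
    'pluto[1270]: "L2TP-PSK-NAT"[2] 198.51.100.7 #3: Main mode peer ID is ID_IPV4_ADDR: \'10.0.0.6\'',
    'pluto[1270]: "L2TP-PSK-NAT"[3] 198.51.100.7 #3: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet',
    'pluto[1270]: "L2TP-PSK-NAT"[3] 198.51.100.7 #3: the peer proposed: 203.0.113.10/32:17/1701 -> 198.51.100.7/32:17/1701',
    'pluto[1270]: "L2TP-PSK-NAT"[3] 198.51.100.7 #4: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[2] 198.51.100.7 #2',
]


@dataclass
class Collision:
    peer: str                     # NAT public address both clients share
    selector: str                 # identical selector pair after the workaround
    new_inst: str                 # connection instance that could not get the eroute
    new_peer_id: Optional[str]    # its Main Mode ID (private address behind the NAT)
    owner_inst: str               # instance whose SA already owns the eroute
    owner_peer_id: Optional[str]
    confirmed_by_pluto: bool = False  # True once pluto logs "cannot install eroute"


def find_eroute_collisions(lines: List[str]) -> List[Collision]:
    """Return one Collision per proposal that clashes with an installed selector."""
    peer_id_by_state: Dict[str, str] = {}  # ISAKMP state #n -> peer ID (logged pre-switch)
    peer_id_by_inst: Dict[str, str] = {}   # connection instance -> peer ID
    pending_sel: Dict[str, str] = {}       # instance -> selector it last proposed
    owner_of_sel: Dict[str, str] = {}      # installed selector -> owning instance
    collisions: List[Collision] = []
    by_key: Dict[tuple, Collision] = {}    # (peer, instance) -> collision awaiting confirmation

    for line in lines:
        m = PEER_ID_RE.search(line)
        if m:
            # The peer ID is logged under the ISAKMP state before pluto re-instantiates
            # the connection, so key it by state number rather than instance.
            peer_id_by_state[m["st"]] = m["pid"]
            continue
        m = PROPOSED_RE.search(line)
        if m:
            inst, sel = m["inst"], m["sel"]
            pid = peer_id_by_state.get(m["st"])
            if pid:
                peer_id_by_inst[inst] = pid
            pending_sel[inst] = sel
            owner = owner_of_sel.get(sel)
            if owner is not None and owner != inst:
                c = Collision(m["peer"], sel, inst, pid, owner, peer_id_by_inst.get(owner))
                collisions.append(c)
                by_key[(m["peer"], inst)] = c
            continue
        m = ESTABLISHED_RE.search(line)
        if m:
            sel = pending_sel.get(m["inst"])
            if sel:
                owner_of_sel[sel] = m["inst"]  # this instance now holds the eroute
            continue
        m = EROUTE_RE.search(line)
        if m:
            c = by_key.get((m["peer"], m["inst"]))
            if c and c.owner_inst == m["oinst"]:
                c.confirmed_by_pluto = True

    return collisions


if __name__ == "__main__":
    for c in find_eroute_collisions(SAMPLE_LOG):
        print(f"NAT {c.peer}: instance [{c.new_inst}] (ID {c.new_peer_id}) proposes "
              f"{c.selector}, already installed for instance [{c.owner_inst}] "
              f"(ID {c.owner_peer_id}); pluto confirmed: {c.confirmed_by_pluto}")
```

The key design point is that the only thing distinguishing the two clients in the log is the Main Mode peer ID, which pluto emits under the pre-switch instance number; the parser therefore joins on the ISAKMP state number (#1, #3) and only then attaches the ID to the instance that proposes the selector. A report showing two different peer IDs behind one NAT address with an identical selector is the signature of the problem the post describes, as opposed to a plain reconnect by the same client.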