[Swan] Problems converting from OpenSWAN to LibreSWAN

Nels Lindquist nlindq at maei.ca
Fri May 9 22:23:59 EEST 2014



An update:

On 5/6/2014 12:24 PM, Nels Lindquist wrote:

> I'd like to migrate my current OpenSWAN VPN endpoints to
> LibreSWAN, and to that end I've set up some testing boxes.  I've
> run into some difficulties as soon as NAT traversal is involved,
> and I'm not quite sure why.
> 
> LibreSWAN 3.8 is installed on CentOS 6.x from the EPEL yum
> repository. We're using NSS x509 certificates for authentication.
> 
> Host B resides on our DMZ.  Traffic between the DMZ network and
> the Corporate network passes through (and is restricted by) the
> firewall, but no NAT is involved.  Connections from Client A
> (Windows 7) to Host B work perfectly.  Connections from Client B to
> Host B from the Internet do not connect.  Host A, which is a mirror
> of Host B, was moved from the DMZ to a colocation facility and has
> a public IP address (no NAT).  When Host A was in the local DMZ,
> connections from Client A worked fine.  Once Host A was moved out,
> Client A (now NATted for connections to Host A) can no longer
> connect to Host A.  Client B can't connect to either Host A or Host
> B, but can connect to our legacy OpenSWAN endpoint (also behind
> NAT).
> 
> 
> |========| |========|                 N|===========|---- DMZ Net
> --- | Host B | | Host A |--- Internet --- A| Firewall  |
> |========| |========|       |         T|===========| |
> |----------- Corp Net ------| NAT
> |==========| |==========|                                 | Client
> A | | Client B |                                 |==========| 
> |==========|

After our work the other day to resolve the left=%defaultroute picking
the incorrect IP address, I tried connecting to Host A from Client B,
and this time everything worked properly.

I still can't connect from Client B to Host B, or from Client A to
Host A when going through the firewall.  If I disconnect Client A from
our network and connect it to a mobile broadband device, Client A can
connect to Host A with no other configuration changes whatsoever;
certificate authentication works; NAT traversal works, etc.

So that leaves us with our firewall or our ISP configuration
potentially causing the issues.  Our ISP provides us MPLS connectivity
between different locations, and they have a gateway which connects
the entire network to the Internet.  We've therefore got two layers of
NAT between us and the Internet--not sure if that's a problem.

I'm going to have a look more closely at our firewall and see if I can
find any issues there that might be causing this.  Still confused as
to why incoming connections to our existing OpenSWAN endpoint are
working fine, though.


-- 
Nels Lindquist
<nlindq at maei.ca>

