[Swan] Questions about XAUTH connections

Nels Lindquist nlindq at maei.ca
Wed Aug 27 19:21:23 EEST 2014



In experimenting with XAUTH connections as an alternative to L2TP,
I've run into a couple of things.

1.  Routing - With L2TP, the ppp[n] interface becomes active and
routing is set up automatically, possibly by pppd or xl2tpd?  When I
bring up an IPSEC+XAUTH connection, the (Shrewsoft) client is
correctly getting one of the IP addresses specified in
rightaddresspool, the "leftsubnet" network is added to the local
client routing table and the client is able to ping the internal
private IP of the LibreSWAN endpoint.  However, if I attempt to
connect to anything beyond the endpoint, I don't get any response
traffic from the other side.

I verified my firewall rules and the client packets are being passed
to the internal interface, but a tcpdump shows only repeated arp
requests from the target IP asking for the location of the client,
with no answers provided.  As the target can't find the client's
location, no response traffic is forthcoming.  I feel that I've missed
a simple option somewhere...

I've also noticed that when the tunnel is first brought up, no traffic
to the client IP goes through until packets are first received from
the client.  E.g., bring up the tunnel, try to ping the client from the
server; nothing.  Ping the server from the client; success.  Ping the
client from the server again; success.

2.  Multinet - I'd prefer not to use leftsubnet=0.0.0.0/0 as I'd like
the local default routes, etc. to remain on the clients.  However, it
would be nice to provide access in some instances to multiple private
networks behind the endpoint.  I tried replacing leftsubnet= with
leftsubnets= and variants of { 192.168.0.0/24 172.16.0.0/24 } or
"192.168.0.0/24, 172.16.0.0/24" as per the manpages/multinet samples I
could find, but in either instance, when I attempt to replace the
connection, I receive:

023 address family inconsistency in this/that connection
036 attempt to load incomplete connection

I'd be grateful for any advice, or references to appropriate Fine Manuals.


-- 
Nels Lindquist
<nlindq at maei.ca>

