[Swan] Questions about XAUTH connections

Nels Lindquist nlindq at maei.ca
Fri Aug 29 22:38:35 EEST 2014



On 8/27/2014 10:28 AM, Paul Wouters wrote:
> On Wed, 27 Aug 2014, Nels Lindquist wrote:
> 
>> 1.  Routing - With L2TP, the ppp[n] interface becomes active and 
>> routing is set up automatically, possibly by pppd or xl2tpd?
>> When I bring up an IPSEC+XAUTH connection, the (Shrewsoft) client
>> is correctly getting one of the IP addresses specified in 
>> rightaddresspool, the "leftsubnet" network is added to the local 
>> client routing table and the client is able to ping the internal 
>> private IP of the LibreSWAN endpoint.  However, if I attempt to 
>> connect to anything beyond the endpoint, I don't get any
>> response traffic from the other side.
> 
> Check /etc/sysctl.conf ?

net.ipv4.ip_forward=1 and all the rp_filter stuff passes "ipsec
verify", so I'm not sure if there's anything else to check.

> Possibly, your VPN needs to do SNAT/MASQ if you're planning to go
> out on the internet with this. But exclude whatever local RFC1918
> you use

Nope; purely for connecting to the management network inside.

>> I verified my firewall rules and the client packets are being
>> passed to the internal interface, but a tcpdump shows only
>> repeated arp requests from the target IP asking for the location
>> of the client, with no answers provided.  As the target can't
>> find the client's location, no response traffic is forthcoming.
>> I feel that I've missed a simple option somewhere...
> 
> Your network should be routing the addresspool IP's to your VPN
> server.

I agree! :-) I'm used to the pluto updown script handling that,
though, both for site-to-site tunnels and L2TP roadwarrior tunnels.

I tried setting a couple of different routes manually but still didn't
get any packets flowing, e.g.:

"ip r a [active addresspool IP] dev [defaultroute interface] scope
link src [internal IP]"

... but still no packets flowing.

I also tried switching the addresspool to a completely different
netblock from the internal one (I'm used to in effect extruding part
of the internal IP space with L2TP so started with the same
assumption) and added host routes for those, but still nothing.

>> I've also noticed that when the tunnel is first brought up, no
>> traffic to the client IP goes through until packets are first
>> received from the client.  E.g., bring up tunnel, try to ping
>> client from server; nothing.  Ping server from client; success.
>> Ping client from server again; success.
> 
> That might be a client feature? Do you see encrypted packets
> leaving the network when this happens?

I'll check that.

> Support for multiple networks on the server side without using
> 0.0.0.0/0 is close to being supported but needs a little work
> still.

Okay; I can certainly live without that until it's implemented.


-- 
Nels Lindquist
<nlindq at maei.ca>
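The symptom described in the thread (the target host repeatedly ARPs for the client's addresspool IP and never gets an answer, because nothing on the LAN routes that IP back to the VPN server) can be confirmed mechanically from the tcpdump output rather than by eye. The following is an added example written for this page, not code from the thread or from Libreswan; it parses tcpdump's ARP summary lines and reports addresses that were asked for repeatedly but never answered. The addresses and capture lines are constructed for illustration.

```python
import re

# Constructed sample of tcpdump output on the VPN server's internal
# interface (hypothetical addresses: 10.0.1.50 is the internal target,
# 10.0.1.200 is the XAUTH client's addresspool IP, 10.0.1.1 is a host
# whose ARP is answered normally).
SAMPLE_TCPDUMP = """\
12:00:01.000001 ARP, Request who-has 10.0.1.200 tell 10.0.1.50, length 46
12:00:02.000002 ARP, Request who-has 10.0.1.200 tell 10.0.1.50, length 46
12:00:02.500000 ARP, Request who-has 10.0.1.1 tell 10.0.1.50, length 46
12:00:02.500100 ARP, Reply 10.0.1.1 is-at 00:11:22:33:44:55, length 28
12:00:03.000003 ARP, Request who-has 10.0.1.200 tell 10.0.1.50, length 46
"""

# Matches both the modern "ARP, Request who-has X tell Y" and the older
# "arp who-has X tell Y" tcpdump formats; IPs are captured without the
# trailing comma.
REQUEST_RE = re.compile(r"who-has ([\d.]+) tell ([\d.]+)")
REPLY_RE = re.compile(r"([\d.]+) is-at ([0-9a-fA-F:]+)")


def arp_summary(text):
    """Per target IP: how often it was asked for, how often it answered,
    and which hosts asked."""
    stats = {}

    def entry(ip):
        return stats.setdefault(ip, {"requests": 0, "replies": 0, "askers": set()})

    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            target, asker = m.groups()
            e = entry(target)
            e["requests"] += 1
            e["askers"].add(asker)
            continue
        m = REPLY_RE.search(line)
        if m:
            entry(m.group(1))["replies"] += 1
    return stats


def unanswered_arp(text, min_requests=2):
    """IPs that were asked for at least min_requests times and never
    answered; these are the addresses the LAN has no path back to."""
    return sorted(
        ip for ip, e in arp_summary(text).items()
        if e["requests"] >= min_requests and e["replies"] == 0
    )


if __name__ == "__main__":
    for ip in unanswered_arp(SAMPLE_TCPDUMP):
        e = arp_summary(SAMPLE_TCPDUMP)[ip]
        print(f"{ip}: {e['requests']} ARP requests, no reply; asked by "
              f"{', '.join(sorted(e['askers']))}")
```

Feed it a real capture with something like `tcpdump -n -i <internal iface> arp` redirected to a file; an addresspool IP showing up in the output is the routing gap Paul points at (the internal network needs a route for the pool, or the pool must be reachable via the VPN server by some other means), not an IPsec or XAUTH negotiation problem.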


