[Swan] Traffic not being routed into the tunnel

Paul Wouters paul at nohats.ca
Thu Sep 18 19:18:13 EEST 2014


On Thu, 18 Sep 2014, Igor Jovanovic wrote:

> We have host-to-subnet PSK setup with tunnel up and running - with main issue being that the traffic is not being routed into the tunnel.
> 
> Our lan (eth3): 192.168.100.0/24
> Our encryption domain 192.18.0.0/24
> Our public IP (eth1): x.x.194.130/30
> Public nexthop(eth1): x.x.194.129/30
> Our ED IP (eth1:1): 192.18.0.1/24
> Other end IP: y.y.34.140
> Other end subnet: 6.0.0.0/8
> 
> VPN Setup:
> 
> config setup
>         klipsdebug=all

klips is not used on rhel, so this option doesn't do anything for you as
you use netkey.

>         plutodebug=all

That's usually reserved for finding programming errors, not
configuration errors :)

>         protostack=netkey
>         nat_traversal=no
>         virtual_private=
>         oe=off
> 
> conn vic-bsc-1
>         forceencaps=yes

You cannot have nat_traversal=no and forceencaps=yes? One disallows NAT
encapsulation and the other forces it. I'm not sure what you are trying
to do here.

>         dpddelay=30 
>         dpdtimeout=120  
>         dpdaction=restart_by_peer 
>         ike=aes256-sha1;modp1024!

Remove the "!" as openswan always does "strict mode". Note that modp1024
is pretty weak, much weaker than aes256, which means you are not getting
the full value out of aes256 strength. If possible bump it to modp1536
at least.

>         phase2alg=aes256-sha1
>         ikelifetime=86400s 
>         authby=secret 
>         type=tunnel 
>         salifetime=3600s 
>         pfs=no 
>         aggrmode=yes 
>         left=x.x.194.130
>         leftnexthop=x.x.194.129
>         leftsubnet=198.18.0.0/24
>         right=y.y.34.140
>         rightnexthop=x.x.194.129
>         auto=start
>         rightsubnet=6.0.0.0/8
> 
> NAT Rule:
> iptables -t nat -I POSTROUTING 1 -s 0/0 -d 6.0.0.0/8 -o eth1 -j SNAT --to-source 192.18.0.1

I see 198.18 and 192.18? Is that a censoring typo or an actual
configuration mistake?

Are you trying to NAT everything that is supposed to go through the
tunnel to 6/8 to a single IP? If so, why are you building a
198.18.0.0/24 and not a 192.18.0.1/32 ?

> Route:
> ip route add 6.0.0.0/8 src 192.18.0.1 via x.x.194.129 dev eth1

I think what you really want is to use 192.18.0.1 on the gateway so you
can talk to the 6/8 network. You should add:

 	leftsourceip=192.18.0.1

This will add a route to your system so your gateway talks to 6/8 via
192.18.0.1 instead of its public ip address.

You should NOT have a NAT rule for 6/8. But if that server is going to
need to do NAT itself for 198.18.0.0/24 to 0.0.0.0/0 (eg not to 6/8) then
you need:

 	iptables -t nat -I POSTROUTING -s 198.18.0.0/24 -d 6.0.0.0/8 -j RETURN

This will skip IPsec traffic from getting NATed. The end result would be
direct reachability for 198.18.0.0/24 <-> 6.0.0.0/8 and for all other
traffic with source 198.18.0.0/24 you would NAT it into the internet.

Paul
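The chain-ordering point in the reply above, as an added simulation that is not part of the thread or of Libreswan/Openswan: netfilter's POSTROUTING runs before the XFRM policy lookup, so a SNAT that rewrites the source address can stop the packet from matching leftsubnet/rightsubnet and it leaves in the clear. Addresses are those posted in the thread; the public IP is a constructed stand-in for the censored x.x.194.130.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the censored public address x.x.194.130 (assumption).
PUBLIC_IP = "203.0.113.130"
ANY = ipaddress.ip_network("0.0.0.0/0")
LEFTSUBNET = ipaddress.ip_network("198.18.0.0/24")   # leftsubnet as posted
RIGHTSUBNET = ipaddress.ip_network("6.0.0.0/8")      # rightsubnet as posted

@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str          # "RETURN" or "SNAT"
    to_source: str = ""  # replacement source address, SNAT only

def postrouting(rules, src, dst):
    """Walk a nat POSTROUTING chain: first matching rule wins.
    Returns the source address the packet leaves with."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            if r.target == "SNAT":
                return r.to_source
            return src  # RETURN: leave the chain untouched
    return src          # no rule matched: no NAT

def ipsec_policy_matches(src, dst):
    """XFRM policy lookup happens after NAT, so the post-NAT addresses
    must still fall inside leftsubnet <-> rightsubnet to be encrypted."""
    return (ipaddress.ip_address(src) in LEFTSUBNET
            and ipaddress.ip_address(dst) in RIGHTSUBNET)

def leaves_in_tunnel(rules, src, dst):
    return ipsec_policy_matches(postrouting(rules, src, dst), dst)

# The poster's chain: SNAT everything bound for 6/8 to 192.18.0.1, which
# (as posted) is not inside leftsubnet 198.18.0.0/24.
ORIGINAL = [Rule(ANY, RIGHTSUBNET, "SNAT", "192.18.0.1")]

# The reply's layout: RETURN for tunnel traffic first, then the usual
# SNAT of 198.18.0.0/24 towards the internet. Order matters: inserting
# the SNAT at position 1 later would shadow the RETURN again.
FIXED = [Rule(LEFTSUBNET, RIGHTSUBNET, "RETURN"),
         Rule(LEFTSUBNET, ANY, "SNAT", PUBLIC_IP)]
SHADOWED = list(reversed(FIXED))
```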

