[Swan] Traffic not being routed into the tunnel

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Thu Sep 18 19:37:12 EEST 2014


On Thu, Sep 18, 2014 at 05:43:17PM +0200, Igor Jovanovic wrote:
> Hello,
> 
> We have host-to-subnet PSK setup with tunnel up and running - with main
> issue being that the traffic is not being routed into the tunnel.
> 
> Our lan (eth3): 192.168.100.0/24
> Our encryption domain 192.18.0.0/24
> Our public IP (eth1): x.x.194.130/30
> Public nexthop(eth1): x.x.194.129/30
> Our ED IP (eth1:1): 192.18.0.1/24
> Other end IP: y.y.34.140
> Other end subnet: 6.0.0.0/8
> 
> VPN Setup:
> 
> config setup
>         klipsdebug=all
>         plutodebug=all
>         protostack=netkey
>         nat_traversal=no
>         virtual_private=
>         oe=off
> 
> conn vic-bsc-1
>         forceencaps=yes
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=restart_by_peer
>         ike=aes256-sha1;modp1024!
>         phase2alg=aes256-sha1
>         ikelifetime=86400s
>         authby=secret
>         type=tunnel
>         salifetime=3600s
>         pfs=no
>         aggrmode=yes
>         left=x.x.194.130
>         leftnexthop=x.x.194.129
>         leftsubnet=198.18.0.0/24
>         right=y.y.34.140
>         rightnexthop=x.x.194.129
>         auto=start
>         rightsubnet=6.0.0.0/8
> 
> NAT Rule:
> iptables -t nat -I POSTROUTING 1 -s 0/0 -d 6.0.0.0/8 -o eth1 -j SNAT --to-source 192.18.0.1
> 
> Route:
> ip route add 6.0.0.0/8 src 192.18.0.1 via x.x.194.129 dev eth1
> 
> Please advise, we are missing something big here!

The tunnel will only allow traffic between 6.0.0.0/8 and 198.18.0.0/24.
If you apply NAT, then the traffic is no longer valid and will not go
through your tunnel.

I suggest you try to get your ipsec working first, then worry about
firewalling afterwards.

And if it is using netkey, you will have to make sure your firewall
allows traffic of type ipsec (not ipv4) from the other side to come in.

-- 
Len Sorensen
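Worked example of the selector point Len makes, added here and not part of the thread or of any libreswan code. On a netkey (XFRM) host the nat/POSTROUTING rewrite happens before the outbound IPsec policy lookup, so the policy selector built from leftsubnet/rightsubnet sees the post-NAT source address; that is the assumption this model encodes. Note that the config as posted has leftsubnet=198.18.0.0/24 while the SNAT rule rewrites to 192.18.0.1 (and the eth1:1 alias is 192.18.0.1), so whichever of the two is the typo, the SNAT target must land inside leftsubnet or nothing matches. The LAN host and remote host addresses below are constructed test data.

```python
"""Model of where NATed traffic goes on a netkey (XFRM) host.

Constructed example: parses the conn block from the thread, applies the
POSTROUTING SNAT rule, then does the outbound IPsec policy lookup the way
the Linux XFRM stack does it (assumption: nat/POSTROUTING runs before the
policy lookup, so the selector sees the post-NAT source address).
"""
import ipaddress
from dataclasses import dataclass

# The conn block as posted in the thread (only the lines this model needs).
CONN_TEXT = """
conn vic-bsc-1
        type=tunnel
        left=x.x.194.130
        leftsubnet=198.18.0.0/24
        right=y.y.34.140
        rightsubnet=6.0.0.0/8
"""


@dataclass(frozen=True)
class Policy:
    """Outbound selector, as 'ip xfrm policy' would list it: src local, dst remote."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


@dataclass(frozen=True)
class SnatRule:
    """A nat/POSTROUTING SNAT rule: match on destination, rewrite the source."""
    dst: ipaddress.IPv4Network
    to_source: ipaddress.IPv4Address


def parse_conn(text):
    """Return the key=value settings of a single conn block as a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conn ") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def policy_from_conn(text):
    """Build the outbound selector (leftsubnet -> rightsubnet) for a tunnel conn."""
    s = parse_conn(text)
    return Policy(ipaddress.ip_network(s["leftsubnet"]),
                  ipaddress.ip_network(s["rightsubnet"]))


def apply_snat(src, dst, rules):
    """First matching SNAT rule wins, like iptables rule order."""
    for rule in rules:
        if dst in rule.dst:
            return rule.to_source
    return src


def outbound_path(src, dst, snat_rules, policies):
    """Return ('tunnel' or 'clear', post-NAT source) for one outbound packet."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    src = apply_snat(src, dst, snat_rules)  # assumption: nat before xfrm lookup
    for pol in policies:
        if src in pol.local and dst in pol.remote:
            return ("tunnel", str(src))
    return ("clear", str(src))  # no selector matched: leaves eth1 unencrypted


def compare_snat_targets(lan_host="192.168.100.10", remote_host="6.1.2.3"):
    """Constructed scenario: same LAN host and destination, three NAT setups."""
    policy = policy_from_conn(CONN_TEXT)
    remote_net = policy.remote
    cases = {
        "no SNAT": [],
        "SNAT to 192.18.0.1 (as posted)":
            [SnatRule(remote_net, ipaddress.ip_address("192.18.0.1"))],
        "SNAT to 198.18.0.1 (inside leftsubnet)":
            [SnatRule(remote_net, ipaddress.ip_address("198.18.0.1"))],
    }
    return {name: outbound_path(lan_host, remote_host, rules, [policy])
            for name, rules in cases.items()}


if __name__ == "__main__":
    for name, (path, src) in compare_snat_targets().items():
        print(f"{name:42} -> {path:6} (source seen by policy: {src})")
```

On the real host the same question is answered by `ip xfrm policy` (which selectors exist) and `ip -s xfrm state` (whether the SA byte counters move at all); if the policy list shows 198.18.0.0/24 and the counters stay at zero while the LAN sends, the SNAT target is outside the selector, exactly the case the "as posted" row models.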

