[Swan] Traffic not being routed into the tunnel

Igor Jovanovic skipper.net at gmail.com
Thu Sep 18 20:21:25 EEST 2014


Thanks Lennart, it was the NAT issue after all...

-Igor

On Thu, Sep 18, 2014 at 6:37 PM, Lennart Sorensen <lsorense at csclub.uwaterloo.ca> wrote:

> On Thu, Sep 18, 2014 at 05:43:17PM +0200, Igor Jovanovic wrote:
> > Hello,
> >
> > We have host-to-subnet PSK setup with tunnel up and running - with main
> > issue being that the traffic is not being routed into the tunnel.
> >
> > Our lan (eth3): 192.168.100.0/24
> > Our encryption domain 192.18.0.0/24
> > Our public IP (eth1): x.x.194.130/30
> > Public nexthop(eth1): x.x.194.129/30
> > Our ED IP (eth1:1): 192.18.0.1/24
> > Other end IP: y.y.34.140
> > Other end subnet: 6.0.0.0/8
> >
> > VPN Setup:
> >
> > config setup
> >         klipsdebug=all
> >         plutodebug=all
> >         protostack=netkey
> >         nat_traversal=no
> >         virtual_private=
> >         oe=off
> >
> > conn vic-bsc-1
> >         forceencaps=yes
> >         dpddelay=30
> >         dpdtimeout=120
> >         dpdaction=restart_by_peer
> >         ike=aes256-sha1;modp1024!
> >         phase2alg=aes256-sha1
> >         ikelifetime=86400s
> >         authby=secret
> >         type=tunnel
> >         salifetime=3600s
> >         pfs=no
> >         aggrmode=yes
> >         left=x.x.194.130
> >         leftnexthop=x.x.194.129
> >         leftsubnet=198.18.0.0/24
> >         right=y.y.34.140
> >         rightnexthop=x.x.194.129
> >         auto=start
> >         rightsubnet=6.0.0.0/8
> >
> > NAT Rule:
> > iptables -t nat -I POSTROUTING 1 -s 0/0 -d 6.0.0.0/8 -o eth1 -j SNAT --to-source 192.18.0.1
> >
> > Route:
> > ip route add 6.0.0.0/8 src 192.18.0.1 via x.x.194.129 dev eth1
> >
> > Please advise, we are missing something big here!
>
> The tunnel will only allow traffic between 6.0.0.0/8 and 198.18.0.0/24.
> If you apply NAT, then the traffic is no longer valid and will not go
> through your tunnel.
>
> I suggest you try to get your ipsec working first, then worry about
> firewalling afterwards.
>
> And if it is using netkey, you will have to make sure your firewall
> allows traffic of type ipsec (not ipv4) from the other side to come in.
>
> --
> Len Sorensen
>
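The check Lennart describes, as an added example (not code from the thread or from libreswan): an IPsec policy only encrypts a packet whose addresses, as they appear after POSTROUTING SNAT, fall inside the configured leftsubnet/rightsubnet selectors. The script below reproduces the selector keys of the posted conn block and the posted SNAT rule, and reports whether the SNAT'd source address would match the policy. The sample destination 6.0.0.1 is a constructed address inside the posted rightsubnet; all function names are this example's own.

```python
import ipaddress
import shlex

# Constructed excerpt of the conn block posted in the thread; only the
# keys that define the tunnel's traffic selectors are reproduced here.
CONN_TEXT = """\
conn vic-bsc-1
        left=x.x.194.130
        leftsubnet=198.18.0.0/24
        right=y.y.34.140
        rightsubnet=6.0.0.0/8
"""

# The SNAT rule exactly as posted in the thread.
SNAT_RULE = ("iptables -t nat -I POSTROUTING 1 -s 0/0 -d 6.0.0.0/8 -o eth1 "
             "-j SNAT --to-source 192.18.0.1")


def parse_conn(text):
    """Return {key: value} for the key=value lines of a single conn block."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def parse_snat_rule(cmd):
    """Extract -s, -d, -o and --to-source from an iptables SNAT command line."""
    argv = shlex.split(cmd)
    wanted = {"-s": "src", "-d": "dst", "-o": "out_if", "--to-source": "to_source"}
    rule = {}
    for i, tok in enumerate(argv[:-1]):
        if tok in wanted:
            rule[wanted[tok]] = argv[i + 1]
    return rule


def to_network(spec):
    """Accept iptables-style '0/0', a CIDR, or a bare address as an ip_network."""
    if spec == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def check_policy_match(conn, post_nat_src, dst):
    """Return (ok, reasons): ok is True only when the post-NAT source lies
    inside leftsubnet and the destination inside rightsubnet, which is what
    the IPsec policy requires before it will send a packet into the tunnel."""
    left_net = to_network(conn["leftsubnet"])
    right_net = to_network(conn["rightsubnet"])
    src = ipaddress.ip_address(post_nat_src)
    dst = ipaddress.ip_address(dst)
    reasons = []
    if src not in left_net:
        reasons.append(f"source {src} is outside leftsubnet {left_net}")
    if dst not in right_net:
        reasons.append(f"destination {dst} is outside rightsubnet {right_net}")
    return (not reasons, reasons)


def audit(conn_text, snat_cmd, sample_dst):
    """Check the SNAT'd source of traffic to sample_dst against the tunnel policy."""
    conn = parse_conn(conn_text)
    rule = parse_snat_rule(snat_cmd)
    # The SNAT rule must actually cover the sample destination to apply at all.
    if ipaddress.ip_address(sample_dst) not in to_network(rule["dst"]):
        return (False, [f"SNAT rule does not cover destination {sample_dst}"])
    return check_policy_match(conn, rule["to_source"], sample_dst)


if __name__ == "__main__":
    # 6.0.0.1 is a constructed host address inside the posted rightsubnet.
    ok, reasons = audit(CONN_TEXT, SNAT_RULE, "6.0.0.1")
    print("policy match" if ok else "NO MATCH: " + "; ".join(reasons))
```

With the values as posted the audit reports a mismatch, because the SNAT source 192.18.0.1 is not inside leftsubnet 198.18.0.0/24, so the packet leaving eth1 never matches the policy and goes out in the clear instead of into the tunnel. Rewriting the rule so that --to-source is an address inside leftsubnet (198.18.0.1 is used in the test as a constructed value, not one taken from the thread) makes the same audit pass; the original LAN range 192.168.100.0/24 is also outside leftsubnet, which is why some form of SNAT into the encryption domain is needed for LAN hosts at all.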

