[Swan] Can't route back down ipsec tunnel from VPS

Darren Share darren.share at chronos.co.uk
Thu Dec 4 20:49:42 EET 2014 

Hi Nick

Thanks for the reply. I was originally using right=%any but changed it in an attempt to get it to work. I've changed it to tunnel mode and have now got it working. The biggest blocker was the leftprotoport= and rightprotoport= settings. Removing them actually achieved what I'm trying to do. I do have another problem now though but before I get into that, I'm curious about your question about l2tp. What makes you think I am using l2tp? I didn't think I was but I don't know libreswan (or any of the various *swans) very well and used the aforementioned script because I needed a quick and dirty VPN setting up. 

Thanks. 

Darren.

> On 4 Dec 2014, at 18:25, Nick Howitt <nick at howitts.co.uk> wrote:
> 
> Why are you using l2tp and not just plain IPsec? Also why are you using transport mode? Which Draytek are you using? I am not sure if they support transport mode. I don't think my 2820 and 2710 do.
> 
> Shouldn't right be the public IP of the Draytek or %any if the Draytek has a dynamic IP? rightsubnet then (possibly) becomes 10.111.1.0/24.
> 
> Do you have the ipsec logs from libreswan
> 
> Nick
> 
> 
>> On 03/12/2014 16:16, Darren Share wrote:
>> Hi there.
>> 
>> FYI, I have also posted this on Server Fault. I am trying to establish an ipsec VPN from a Draytek router on the edge of our corporate network to a VPS on Digital Ocean. I've set up the VPN on the VPS using this script - https://github.com/philplckthun/setup-simple-ipsec-l2tp-vpn - on an Ubuntu 14.04 machine. I believe the script downloads and installs libreswan and prompts for a few basic configuration questions etc. I've made a few changes to the ipsec.conf the script creates. My problem is, I can ping from           the router to the VPS and I can see the packets arriving on the VPS showing as coming from the private IP address of the router, but nothing I've tried has allowed me to route packets back down the tunnel to the router. Therefore, from the router's pov it appears the pings are timing out.
>> 
>> The router is connected directly to the internet on one of its interfaces and it is configured with a local IP address of 10.111.1.1. The VPS has a single interface connected directly to the internet.
>> 
>> When the VPN is established this is the routing table on the VPS:
>> 
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>> default         178.62.64.1     0.0.0.0         UG        0 0          0 eth0
>> 10.111.1.1      *               255.255.255.255 UH        0 0          0 eth0
>> 178.62.64.0     *               255.255.192.0   U         0 0          0 eth0
>> 
>> Note the second entry is created when the VPN is established.
>> 
>> If I try to ping 10.111.1.1 I get:
>> 
>> PING 10.111.1.1 (10.111.1.1) 56(84) bytes of data.
>> From <public IP address - eth0> icmp_seq=1 Destination Host Unreachable
>> 
>> Here is the output from ipsec verify:
>> 
>> Verifying installed system and configuration files
>> 
>> Version check and ipsec on-path                         [OK]
>> Libreswan 3.10 (netkey) on 3.13.0-37-generic
>> Checking for IPsec support in kernel                    [OK]
>> NETKEY: Testing XFRM related proc values
>>         ICMP default/send_redirects                    [OK]
>>         ICMP default/accept_redirects                  [OK]
>>         XFRM larval drop                               [OK]
>> Pluto ipsec.conf syntax                                 [OK]
>> Hardware random device                                  [N/A]
>> Two or more interfaces found, checking IP forwarding    [OK]
>> Checking rp_filter                                      [OK]
>> Checking that pluto is running                          [OK]
>> Pluto listening for IKE on udp 500                     [OK]
>> Pluto listening for IKE/NAT-T on udp 4500              [OK]
>> Pluto ipsec.secret syntax                              [OK]
>> Checking 'ip' command                                   [OK]
>> Checking 'iptables' command                             [OK]
>> Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options             [OK]
>> Opportunistic Encryption                                [DISABLED]
>> 
>> and here is the content of /etc/ipsec.conf (the commented out lines are results of previous experimentation with the same results) - essentially, nothing I change seems to make any difference:
>> 
>> version 2.0
>> 
>> config setup
>>  dumpdir=/var/run/pluto/
>>  nat_traversal=yes
>>  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
>>  oe=off
>>  protostack=netkey
>>  nhelpers=0
>>  interfaces=%defaultroute
>> 
>> conn vpnpsk
>>  connaddrfamily=ipv4
>>  auto=add
>>  left=178.62.73.215
>> #  leftid=178.62.73.215
>> #  leftsubnet=178.62.73.215/32
>>  leftsubnet=10.10.10.0/24
>> #  leftnexthop=%defaultroute
>>  leftnexthop=%direct
>>  leftprotoport=17/1701
>>  rightprotoport=17/%any
>> #  right=%any
>>  right=10.111.1.0/24
>>  rightsourceip=10.111.1.1
>>  leftsourceip=10.10.10.1
>> #  rightsubnetwithin=0.0.0.0/0
>>  forceencaps=yes
>>  authby=secret
>>  pfs=no
>>  type=transport
>>  auth=esp
>>  ike=3des-sha1,aes-sha1
>>  phase2alg=3des-sha1,aes-sha1
>>  rekey=no
>>  keyingtries=5
>>  dpddelay=30
>>  dpdtimeout=120
>>  dpdaction=clear
>> 
>> This is the relevant part of the routing table from the router:
>> 
>> Key: C - connected, S - static, R - RIP, * - default, ~ - private
>> *            0.0.0.0/ 0.0.0.0          via <public IP address>   WAN2
>> S~        10.10.10.0/ 255.255.255.0    via 178.62.73.215   VPN-10
>> C~        10.111.1.0/ 255.255.255.0    directly connected    LAN 
>> C    <public IP address>/ 255.255.255.224  directly connected    WAN2
>> 
>> Would appreciate someone pointing out what I'm doing wrong.
>> 
>> Many thanks.
>> 
>> 
>> ______________________________________________________________________
>> This email has been scanned by the Symantec Email Security.cloud service.
>> For more information please visit http://www.symanteccloud.com
>> ______________________________________________________________________
>> 
>> 
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
> 
> 
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20141204/6ffc4882/attachment-0001.html>

More information about the Swan mailing list