[Swan] Can't route back down ipsec tunnel from VPS

Michael Hicks nooneofconsequence at gmail.com
Fri Dec 5 17:51:19 EET 2014


Darren,

Two things that may be affecting your tunnel traffic.

1) Is IP packet forwarding turned on?  

/sbin/sysctl net.ipv4.ip_forward
Make sure it shows 1

If not, run
/sbin/sysctl -w net.ipv4.ip_forward=1

and if that fixes the problem, make it persistent in /etc/sysctl

2) Even if your VPS is forwarding the packets out the interface, if the source IP they are coming from is not something that DO knows to route back to your VPS, you will need to NAT masquerade the VPN traffic to the IP address on your VPS with iptables so that it's something DO can route back to you.

tcpdump is your friend


Mike

On Dec 5, 2014, at 12:31 AM, Darren Share <darren.share at chronos.co.uk> wrote:

> Thanks Paul, but I am using Digital Ocean and the VPS has a public, static IP address on eth0.
> 
> ----------------------- Original Message -----------------------
>   
> From: Paul Wouters <paul at nohats.ca>
> To: Darren Share <darren.share at chronos.co.uk>
> Cc: "swan at lists.libreswan.org" <swan at lists.libreswan.org>
> Date: Thu, 4 Dec 2014 23:11:33 -0500 (EST)
> Subject: Re: [Swan] Can't route back down ipsec tunnel from VPS
>   
> On Thu, 4 Dec 2014, Darren Share wrote:
> 
> > Can you elaborate? The only use of "elastic IP" I'm aware of is regarding AWS, is that what you mean? I am using a VPS on DigitalOcean for this project if that helps.
> 
> Normally in AWS, you get a "static" elastic IP assigned. This public IP
> is NAT'ed to your virtual machine. But your virtual machine only has
> RFC1918 addresses configured on it. Because the AWS NAT router will
> NAT it to your static elastic IP.
> 
> Now when you do a VPN in tunnel mode, the packet you are sending
> needs to be "from" your public IP. But you don't have it configured
> on your virtual machine itself. So you cannot create a source packet
> with that IP. The usual solution is to configure it as an alias on
> the loopback or ethernet interface.
> 
> See: https://libreswan.org/wiki/Interoperability#Amazon_EC2
> 
> Paul
> 
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
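Added example, not code from the thread or from libreswan: a small POSIX shell diagnostic for the two causes Mike lists (forwarding off, and forwarded tunnel traffic leaving eth0 with a source the provider cannot route back). It assumes a remote tunnel-side subnet of 192.168.10.0/24 and eth0 as the VPS egress interface; the check functions take command output as arguments, so they can be exercised with constructed output without root.

```shell
#!/bin/sh
# Diagnostic for the two causes above. Assumed example values: the subnet on
# the far side of the tunnel is 192.168.10.0/24, the VPS egress interface is eth0.
TUNNEL_SUBNET="${TUNNEL_SUBNET:-192.168.10.0/24}"
EGRESS_IF="${EGRESS_IF:-eth0}"

# Cause 1: return 0 when a "sysctl net.ipv4.ip_forward" line (or the bare
# value from "sysctl -n") reports forwarding as enabled.
forwarding_enabled() {
    case "$1" in
        1|*"= 1") return 0 ;;
        *) return 1 ;;
    esac
}

# Cause 2: $1 is the output of "iptables -t nat -S POSTROUTING", $2 the tunnel
# subnet, $3 the egress interface. Return 0 when a MASQUERADE or SNAT rule
# already rewrites that source on that interface.
nat_rule_present() {
    printf '%s\n' "$1" |
        grep -E -e "-A POSTROUTING .*-s $2 .*-o $3 .*-j (MASQUERADE|SNAT)" >/dev/null
}

# Print (do not apply) the rules that would fix cause 2. The first rule keeps
# packets that are themselves bound for the IPsec tunnel out of the masquerade,
# so tunnel-to-tunnel traffic is not rewritten to the VPS address.
masquerade_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -m policy --dir out --pol ipsec -j ACCEPT\n' "$1" "$2"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# Live report, only when invoked as "sh check.sh --live" on the VPS, since it
# needs sysctl and root for iptables.
if [ "${1:-}" = "--live" ]; then
    if forwarding_enabled "$(sysctl net.ipv4.ip_forward 2>/dev/null)"; then
        echo "forwarding: on"
    else
        echo "forwarding: OFF (cause 1): sysctl -w net.ipv4.ip_forward=1"
    fi
    if nat_rule_present "$(iptables -t nat -S POSTROUTING 2>/dev/null)" "$TUNNEL_SUBNET" "$EGRESS_IF"; then
        echo "nat: rule present for $TUNNEL_SUBNET via $EGRESS_IF"
    else
        echo "nat: no rule (cause 2), suggested:"
        masquerade_rules "$TUNNEL_SUBNET" "$EGRESS_IF"
    fi
fi
```

Confirm with tcpdump on eth0 that forwarded packets leave with the VPS address as source after the rule is in place.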
