[Swan] Traffic not routing down tunnel

Paul Wouters paul at nohats.ca
Sun Jan 18 00:37:32 EET 2015


On Sat, 17 Jan 2015, Phil Daws wrote:

> No joy :( its probably compounded by the setup in my lab as well. Let me break it down:
>
> Left Side:
>
> eth0: 37.XXX.XXX.XXX
> eth1: 10.1.8.1/24
> eth2: 10.1.10.1/24
> eth3: 10.1.14.1/24
>
> Right Side:
>
> eth0: 88.XXX.XXX.XXX
> eth1: 10.2.8.1/24
> eth2: 10.2.10.1/24
> eth3: 10.2.14.1/24
>
> have just been able to connect from an address on 10.2.10.10 to 10.1.8.200 so the tunnel is alive but routing must be mangled viz. if I try and connect to 10.1.8.1 it just sits there ?!?! and that should work as my VPN does connect to that IP.  This is without the left/right source ip.
>
> Getting closer, to understand this, and hopefully working :)

If you want the left server (itself) to be able to reach the right subnets, and
the right server (itself) to be able to reach the left subnets, you have
to ensure that the server's inner IP is used for communicating to those
remote subnets.

so if using

 	leftsubnets=10.1.8.0/24,10.1.10.0/24,10.1.14.0/24
 	rightsubnets=10.2.8.0/24,10.2.10.0/24,10.2.14.0/24

then adding

 	leftsourceip=10.1.8.1
 	rightsourceip=10.2.8.1

should do the trick.

However, you could also use your public IP as an additional subnet:

 	leftsubnets=10.1.8.0/24,10.1.10.0/24,10.1.14.0/24,37.XXX.XXX.XXX/32
 	rightsubnets=10.2.8.0/24,10.2.10.0/24,10.2.14.0/24,88.XXX.XXX.XXX/32

Then you will have explicit IPsec tunnels from your public IP to your
LANs. Less useful if you are dynamic IP. It also means your firewall
rules on the hosts might need to allow those public IPs to private LANs,
whereas with the first trick, your gateway will use a LAN IP so you don't
have to have any firewall rules related to its public IP.


You probably also want a rule along the lines of:

iptables -I POSTROUTING -t nat -d 10/8 -j RETURN

to exclude all subnet tunnel traffic from getting NAT'ed.
(you can add -s 10/8 if not building tunnels with the public IP)

Various ways to shoot yourself in the foot are warned against in "ipsec
verify".

Paul

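As an added illustration of the first approach above (not part of the original thread and not libreswan project code), the following script prints a complete conn section using Phil's subnets and the leftsourceip/rightsourceip settings Paul suggests, together with the NAT-exclusion rule and a few commands to check that the gateway sources traffic from its LAN address. The conn name and the documentation-range addresses standing in for the masked public IPs are assumptions; nothing here is executed against the system, the commands are only generated.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the libreswan conn
# and the NAT-exclusion rule the reply describes. Subnets and gateway LAN
# addresses are the ones from Phil's lab; the conn name and the public IPs
# (203.0.113.1 / 198.51.100.1, RFC 5737 documentation ranges) are assumed
# stand-ins for the masked 37.XXX.XXX.XXX / 88.XXX.XXX.XXX addresses.

LEFT_PUB="203.0.113.1"      # assumed stand-in for 37.XXX.XXX.XXX
RIGHT_PUB="198.51.100.1"    # assumed stand-in for 88.XXX.XXX.XXX
LEFT_SUBNETS="10.1.8.0/24,10.1.10.0/24,10.1.14.0/24"
RIGHT_SUBNETS="10.2.8.0/24,10.2.10.0/24,10.2.14.0/24"
LEFT_SRC="10.1.8.1"         # eth1 address on the left gateway
RIGHT_SRC="10.2.8.1"        # eth1 address on the right gateway

# Print a conn section for the first approach in the thread: the gateway's
# own LAN address becomes the source for traffic it originates towards the
# remote subnets, so no extra /32 tunnel for the public IP is needed.
gen_conn_config() {
    cat <<EOF
conn lab-site-to-site
    left=$LEFT_PUB
    leftsubnets=$LEFT_SUBNETS
    leftsourceip=$LEFT_SRC
    right=$RIGHT_PUB
    rightsubnets=$RIGHT_SUBNETS
    rightsourceip=$RIGHT_SRC
    authby=secret
    auto=start
EOF
}

# Print (not run) the NAT-bypass rule from the thread, inserted at the top
# of the nat POSTROUTING chain so it matches before any MASQUERADE rule.
# The -s 10.0.0.0/8 match is the variant for setups where the public IP is
# not itself a tunnel subnet: only 10/8-to-10/8 traffic skips NAT.
gen_nat_exclusion_rules() {
    echo "iptables -I POSTROUTING -t nat -s 10.0.0.0/8 -d 10.0.0.0/8 -j RETURN"
}

# Commands to confirm, on the left gateway, that it really sources from its
# LAN address once the tunnel is up (they need the real hosts; printed only).
gen_check_commands() {
    echo "ip route get $RIGHT_SRC"          # should report 'src $LEFT_SRC'
    echo "ping -c 3 -I $LEFT_SRC $RIGHT_SRC"
    echo "ipsec trafficstatus"               # in/out byte counters should rise
    echo "ipsec verify"                      # catches common host misconfigurations
}

gen_conn_config
gen_nat_exclusion_rules
gen_check_commands
```

libreswan expands the comma-separated leftsubnets/rightsubnets into one child conn per left/right subnet pair, so "ipsec trafficstatus" should list nine tunnels for this configuration; if the ping from the gateway itself only works with the explicit -I, the sourceip setting has not been applied and the route's src should be checked first.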

More information about the Swan mailing list