[Swan] Traffic not routing down tunnel

Phil Daws uxbod at splatnix.net
Sun Jan 18 11:39:27 EET 2015


I have tried with 10.1.10.1 on the left and 10.2.10.1 on the right but still the same issue. Whatever source IP I use, it still achieves the same result. As I have a VPN terminating within the gateway, if I try and connect to a remote node on the 10.2.10.0/24 network I see the traffic arrive on the VPN interface:

09:34:44.716178 IP 172.16.10.2.63788 > 10.2.10.10.22: Flags [S], seq 915452653, win 65535, options [mss 1368,nop,wscale 0,nop,nop,sackOK], length 0

and it is being routed to the correct interface as per the routing table:

10.2.0.0/16 dev eth0  scope link  src 10.1.10.1

but then it hits eth0 without being sent down the tunnel, by the looks of it?

09:12:31.908884 IP 37.XXX.XXX.XXX.63332 > 10.2.10.10.22: Flags [S], seq 1092218068, win 65535, options [mss 1368,nop,wscale 0,nop,nop,sackOK], length 0
09:12:34.918210 IP 37.XXX.XXX.XXX.63332 > 10.2.10.10.22: Flags [S], seq 1092218068, win 65535, options [mss 1368,nop,wscale 0,nop,nop,sackOK], length 0

Surely something must be fundamentally wrong with the configuration? :(

Thanks, Phil


----- Original Message -----
From: "Nick Howitt" <nick at howitts.co.uk>
To: "Phil Daws" <uxbod at splatnix.net>
Cc: swan at lists.libreswan.org
Sent: Saturday, 17 January, 2015 16:58:14
Subject: Re: [Swan] Traffic not routing down tunnel

You can only have one left/rightsourceip, so which one did you pick? 

I would guess there is no way of routing packets from the other two LAN interface IPs but you'll need someone better than me to confirm it. I wonder if you could SNAT the other LAN interface IPs to the one you chose?

On 17/01/2015 16:27, Phil Daws wrote: 



No joy :( It's probably compounded by the setup in my lab as well. Let me break it down:

Left Side: 

eth0: 37.XXX.XXX.XXX
eth1: 10.1.8.1/24
eth2: 10.1.10.1/24
eth3: 10.1.14.1/24

Right Side:

eth0: 88.XXX.XXX.XXX
eth1: 10.2.8.1/24
eth2: 10.2.10.1/24
eth3: 10.2.14.1/24

I have just been able to connect from an address on 10.2.10.10 to 10.1.8.200, so the tunnel is alive but routing must be mangled, viz. if I try and connect to 10.1.8.1 it just sits there?!?! And that should work as my VPN does connect to that IP. This is without the left/right source IP.

Getting closer to understanding this, and hopefully working :)

Thanks, Phil

----- Original Message -----
From: "Nick Howitt" <nick at howitts.co.uk>
To: "Phil Daws" <uxbod at splatnix.net>
Cc: swan at lists.libreswan.org
Sent: Saturday, 17 January, 2015 16:09:50
Subject: Re: [Swan] Traffic not routing down tunnel

hmm. 

I use "-j ACCEPT" rather than return in my rule: 

iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT 

This would otherwise achieve the same. I'm not sure I've seen RETURN before in rules for ipsec. Can you try changing? 

Nick 

On 17/01/2015 15:12, Phil Daws wrote: 



Hello Nick:

I have added the left and right source IPs to be:

leftsourceip=10.1.10.1
rightsourceip=10.2.10.1

and for my iptables on POSTROUTING:

-I POSTROUTING -s 10.1.0.0/16 -d 10.2.0.0/16 -j RETURN  # Left Side
-I POSTROUTING -s 10.2.0.0/16 -d 10.1.0.0/16 -j RETURN  # Right Side

then tried testing with:

ping -c 4 -I 10.1.10.1 10.2.10.1

but still no response and no drops logged :(

Thanks, Phil

----- Original Message -----
From: "Nick Howitt" <nick at howitts.co.uk>
To: "Phil Daws" <uxbod at splatnix.net>, swan at lists.libreswan.org
Sent: Saturday, 17 January, 2015 15:07:05
Subject: Re: [Swan] Traffic not routing down tunnel

With that config you will not be able to ping to or from either gateway through the VPN but you should be able to ping from LAN to LAN. To ping to or from a gateway, please add left/rightsourceip as your gateway's LAN IP. 

Also have you set any firewall rules for the tunnel? 

Nick 

On 17/01/2015 14:44, Phil Daws wrote: 



Hello:

I have defined a tunnel that is connecting okay but no traffic appears to be directed down it. On each side I have:

conn ipsec
        type=tunnel
        authby=secret
        connaddrfamily=ipv4
        left=37.XXX.XXX.XXX
        leftsubnet=10.1.0.0/16
        right=88.XXX.XXX.XXX
        rightsubnet=10.2.0.0/16
        esp=3des-md5-96
        keyexchange=ike
        pfs=yes
        auto=start

ipsec auto --status shows:

000 Total IPsec connections: loaded 1, active 1

and ip xfrm policy:

src 10.1.0.0/16 dst 10.2.0.0/16
        dir out priority 2608 ptype main
        tmpl src 37.XXX.XXX.XXX dst 88.XXX.XXX.XXX
                proto esp reqid 16385 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
        dir fwd priority 2608 ptype main
        tmpl src 88.XXX.XXX.XXX dst 37.XXX.XXX.XXX
                proto esp reqid 16385 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
        dir in priority 2608 ptype main
        tmpl src 88.XXX.XXX.XXX dst 37.XXX.XXX.XXX
                proto esp reqid 16385 mode tunnel

so to an untrained eye all looks okay, so I am confused why it's not working :(

Appreciate any help please.

Thanks. Phil
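The `ip xfrm policy` listing and the tcpdump lines in this thread are enough to check offline whether a given packet would be claimed by an IPsec policy at all. The following Python script is an added example, not code from the thread or from Libreswan: it parses the policy listing quoted above (embedded here as a constructed string, with the public endpoints masked exactly as in the post) and reports, for a source/destination pair and a direction, which policy selector matches, if any. The only assumption is that the three policies shown are the complete set on the gateway. Run against the flows in the thread, it shows that 10.1.10.1 -> 10.2.10.1 matches the `out` policy, while a packet sourced from 172.16.10.2 (the VPN client address in the first tcpdump line) lies outside the 10.1.0.0/16 selector and so matches nothing; a packet that no `out` policy claims is simply handed to the normal routing table unencrypted, which is consistent with it showing up on eth0.

```python
import ipaddress
import re

# Constructed sample: the `ip xfrm policy` output quoted in the thread.
# The public endpoint octets are masked exactly as in the original post.
XFRM_POLICY_OUTPUT = """\
src 10.1.0.0/16 dst 10.2.0.0/16
        dir out priority 2608 ptype main
        tmpl src 37.XXX.XXX.XXX dst 88.XXX.XXX.XXX
                proto esp reqid 16385 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
        dir fwd priority 2608 ptype main
        tmpl src 88.XXX.XXX.XXX dst 37.XXX.XXX.XXX
                proto esp reqid 16385 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
        dir in priority 2608 ptype main
        tmpl src 88.XXX.XXX.XXX dst 37.XXX.XXX.XXX
                proto esp reqid 16385 mode tunnel
"""

# A selector line starts at column 0; the indented "tmpl src ..." lines do not.
SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (\w+) priority (\d+)")


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into a list of dicts with src/dst networks,
    direction (in/out/fwd) and priority (lower value wins in the kernel)."""
    policies = []
    current = None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            current = {
                "src": ipaddress.ip_network(m.group(1)),
                "dst": ipaddress.ip_network(m.group(2)),
                "dir": None,
                "priority": None,
            }
            policies.append(current)
            continue
        m = DIR_RE.match(line)
        if m and current is not None:
            current["dir"] = m.group(1)
            current["priority"] = int(m.group(2))
    return policies


def matching_policy(policies, src_ip, dst_ip, direction):
    """Return the best-priority policy whose selector covers the packet,
    or None when no policy in that direction claims it."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    candidates = [
        p for p in policies
        if p["dir"] == direction and src in p["src"] and dst in p["dst"]
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p["priority"])


def explain(policies, src_ip, dst_ip, direction="out"):
    """Human-readable verdict for one flow, in the spirit of `ip xfrm policy`
    plus `tcpdump` reasoning done by hand."""
    p = matching_policy(policies, src_ip, dst_ip, direction)
    if p is None:
        return (f"{src_ip} -> {dst_ip} ({direction}): no xfrm policy matches; "
                f"the packet is routed normally, unencrypted")
    return (f"{src_ip} -> {dst_ip} ({direction}): matches selector "
            f"src {p['src']} dst {p['dst']}; the packet enters the tunnel")


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_OUTPUT)
    # Flows taken from the thread: the ping test, the tcpdump line from the
    # VPN client, and the LAN-to-LAN connection that did work.
    print(explain(pols, "10.1.10.1", "10.2.10.1", "out"))
    print(explain(pols, "172.16.10.2", "10.2.10.10", "out"))
    print(explain(pols, "10.2.10.10", "10.1.8.200", "fwd"))
```

The same check can be pointed at a live box by piping `ip xfrm policy` into `parse_xfrm_policies` instead of the embedded string; the selector match (source and destination both inside the policy's networks, in the right direction) is what decides whether a packet is handed to IPsec, independent of what the routing table says.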

_______________________________________________
Swan mailing list Swan at lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan