[Swan] (no subject)

Paul Wouters paul at nohats.ca
Tue Dec 8 19:54:04 UTC 2015


On Mon, 7 Dec 2015, Fabian van der Werf wrote:

> Ok, I am trying to setup a tunnel between my home network and a virtual network of docker instances on a vps. I am running into some problems. The problem is that I cannot connect from
> docker instances on the VPS to my home network (the other way around works though)

> conn home
> left=37.97.133.227
> leftid=37.97.133.227
> leftsubnet=172.17.0.0/16
> leftsourceip=172.17.0.1
> 
> right=84.104.37.209
> rightid=84.104.37.209
> rightsubnet=192.168.178.0/24
> rightsourceip=192.168.178.1
> 
> authby=secret
> auto=start
> forceencaps=yes
> 
> Both the router and the VPS/libreswan say that the tunnel is set up successfully.
> 
> So the current situation is that I am able to connect from my home network to the docker instances fine (e.g., a webservice). The problem is connections going in the other direction:
> from the docker instances to the home network. Below is my firewall configuration. But even with a disabled firewall I am unable to create connections from a docker instance to my home
> network.

[debug info]

That all looks fine.

> 000 Total IPsec connections: loaded 3, active 1
> 000  
> 000 State Information: DDoS cookies not required, Accepting new IKE connections
> 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
> 000 IPsec SAs: total(3), authenticated(3), anonymous(0)
> 000  
> 000 #10: "home":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 153s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
> 000 #10: "home" esp.20141240 at 84.104.37.209 esp.def16332 at 37.97.133.227 tun.0 at 84.104.37.209 tun.0 at 37.97.133.227 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=17KB! ESPmax=4194303B 
> 000 #11: "home":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1841s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #2: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 11008s; isakmp#1; idle; import:admin initiate
> 000 #2: "home" esp.dfec1580 at 84.104.37.209 esp.8dbc1b80 at 37.97.133.227 tun.0 at 84.104.37.209 tun.0 at 37.97.133.227 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B 
> 000 #7: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 20902s; isakmp#6; idle; import:admin initiate
> 000 #7: "home" esp.b3937c0 at 84.104.37.209 esp.e938d2b6 at 37.97.133.227 tun.0 at 84.104.37.209 tun.0 at 37.97.133.227 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B 

Why are there so many duplicate tunnels? You should have only one? Is
the tunnel continuously being re-setup?

Can you run tcpdump on the docker host to get an idea of what's
happening to the packets? Are they leaking plaintext? Are they
encrypted but ignored?

Paul
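Paul's two checks on the quoted `ipsec status` output are mechanical enough to script: how many IPsec SAs exist for one connection, and whether an established SA only ever sees inbound ESP. The following is an added example, not code from the thread or from the libreswan project. It parses the `000 #N:` state and traffic lines quoted above (embedded here as a constructed sample; the list archive renders the `@` in the SPI and endpoint fields as ` at `, and the regexes accept both forms), then reports exactly the two anomalies visible in the thread: three IPsec SAs on one `conn`, and SA #10 with `ESPin=17KB` but `ESPout=0B`. The binary interpretation of the `KB` suffix is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample built from the "ipsec status" lines quoted in the thread.
# Some lines keep the archive's " at " rendering, others use the "@" that
# libreswan itself prints, to show the parser handles both.
SAMPLE_STATUS = """\
000 #10: "home":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 153s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #10: "home" esp.20141240@84.104.37.209 esp.def16332@37.97.133.227 tun.0@84.104.37.209 tun.0@37.97.133.227 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=17KB! ESPmax=4194303B
000 #11: "home":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1841s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 11008s; isakmp#1; idle; import:admin initiate
000 #2: "home" esp.dfec1580 at 84.104.37.209 esp.8dbc1b80 at 37.97.133.227 tun.0 at 84.104.37.209 tun.0 at 37.97.133.227 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #7: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 20902s; isakmp#6; idle; import:admin initiate
000 #7: "home" esp.b3937c0@84.104.37.209 esp.e938d2b6@37.97.133.227 tun.0@84.104.37.209 tun.0@37.97.133.227 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
"""

# State line: 000 #<num>: "<conn>":<port> STATE_<name> ...
STATE_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+)')
# Traffic line: 000 #<num>: "<conn>" esp.<spi>... Traffic: ESPout=<n> ESPin=<n>! ...
TRAFFIC_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" .*Traffic: ESPout=(?P<out>\d+[KMG]?B) ESPin=(?P<in>\d+[KMG]?B)'
)
# Assumption: the K/M/G suffixes are binary multiples.
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text):
    """Turn a counter such as '17KB' or '0B' into a byte count."""
    m = re.fullmatch(r"(\d+)([KMG]?)B", text)
    if m is None:
        raise ValueError("unrecognised size: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2)]


def _new_record(conn):
    return {"conn": conn, "state": None, "ipsec": False, "esp_out": None, "esp_in": None}


def parse_status(text):
    """Collect one record per SA number: connection, state, IKE-or-IPsec, ESP counters."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            rec = sas.setdefault(int(m.group("num")), _new_record(m.group("conn")))
            rec["state"] = m.group("state")
            # QUICK (IKEv1), CHILD/IPSEC (IKEv2) states are IPsec SAs; MAIN/AGGR/PARENT are IKE SAs.
            rec["ipsec"] = any(k in rec["state"] for k in ("QUICK", "CHILD", "IPSEC"))
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            rec = sas.setdefault(int(m.group("num")), _new_record(m.group("conn")))
            rec["esp_out"] = parse_size(m.group("out"))
            rec["esp_in"] = parse_size(m.group("in"))
    return sas


def audit(sas):
    """Return findings: duplicate IPsec SAs per conn, and SAs that only receive."""
    findings = []
    per_conn = defaultdict(list)
    for num, rec in sas.items():
        if rec["ipsec"]:
            per_conn[rec["conn"]].append(num)
    for conn, nums in sorted(per_conn.items()):
        if len(nums) > 1:
            findings.append(
                'conn "%s": %d IPsec SAs (#%s); expected one, the tunnel may be renegotiating'
                % (conn, len(nums), ", #".join(str(n) for n in sorted(nums)))
            )
    for num, rec in sorted(sas.items()):
        if not rec["ipsec"] or rec["esp_out"] is None:
            continue
        if rec["esp_out"] == 0 and rec["esp_in"] > 0:
            findings.append(
                'SA #%d "%s": ESPin=%dB ESPout=0B; peer traffic arrives but nothing is sent back '
                "through the tunnel, check the outbound route/policy and tcpdump for plaintext"
                % (num, rec["conn"], rec["esp_in"])
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_status(SAMPLE_STATUS)):
        print(finding)
```

Run it against a live `ipsec status` by piping the output into `parse_status`; an SA that shows `ESPin` growing while `ESPout` stays at zero is the signature of the one-way symptom described in the thread, and it is the cue to run the tcpdump Paul asks for on the docker host.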

