[Swan] (no subject)

Fabian van der Werf fvanderwerf at gmail.com
Wed Dec 9 10:07:00 UTC 2015


On Tue, Dec 8, 2015 at 8:54 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 7 Dec 2015, Fabian van der Werf wrote:
>
>> Ok, I am trying to set up a tunnel between my home network and a virtual
>> network of docker instances on a vps. I am running into some problems. The
>> problem is that I cannot connect from
>> docker instances on the VPS to my home network (the other way around works
>> though)
>
>
>> conn home
>> left=37.97.133.227
>> leftid=37.97.133.227
>> leftsubnet=172.17.0.0/16
>> leftsourceip=172.17.0.1
>>
>> right=84.104.37.209
>> rightid=84.104.37.209
>> rightsubnet=192.168.178.0/24
>> rightsourceip=192.168.178.1
>>
>> authby=secret
>> auto=start
>> forceencaps=yes
>>
>> Both the router and the VPS/libreswan say that the tunnel is set up
>> successfully.
>>
>> So the current situation is that I am able to connect from my home network
>> to the docker instances fine (e.g., a webservice). The problem is
>> connections going in the other direction:
>> from the docker instances to the home network. Below is my firewall
>> configuration. But even with a disabled firewall I am unable to create
>> connections from a docker instance to my home
>> network.
>
>
> [debug info]
>
> That all looks fine.
>
>> 000 Total IPsec connections: loaded 3, active 1
>> 000
>> 000 State Information: DDoS cookies not required, Accepting new IKE
>> connections
>> 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1),
>> anonymous(0)
>> 000 IPsec SAs: total(3), authenticated(3), anonymous(0)
>> 000
>> 000 #10: "home":500 STATE_QUICK_R2 (IPsec SA established);
>> EVENT_SA_REPLACE in 153s; newest IPSEC; eroute owner; isakmp#9; idle;
>> import:admin initiate
>> 000 #10: "home" esp.20141240 at 84.104.37.209 esp.def16332 at 37.97.133.227
>> tun.0 at 84.104.37.209 tun.0 at 37.97.133.227 ref=0 refhim=4294901761 Traffic:
>> ESPout=0B ESPin=17KB! ESPmax=4194303B
>> 000 #11: "home":500 STATE_MAIN_I4 (ISAKMP SA established);
>> EVENT_SA_REPLACE in 1841s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle;
>> import:admin initiate
>> 000 #2: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
>> EVENT_SA_REPLACE in 11008s; isakmp#1; idle; import:admin initiate
>> 000 #2: "home" esp.dfec1580 at 84.104.37.209 esp.8dbc1b80 at 37.97.133.227
>> tun.0 at 84.104.37.209 tun.0 at 37.97.133.227 ref=0 refhim=4294901761 Traffic:
>> ESPout=0B ESPin=0B! ESPmax=4194303B
>> 000 #7: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
>> EVENT_SA_REPLACE in 20902s; isakmp#6; idle; import:admin initiate
>> 000 #7: "home" esp.b3937c0 at 84.104.37.209 esp.e938d2b6 at 37.97.133.227
>> tun.0 at 84.104.37.209 tun.0 at 37.97.133.227 ref=0 refhim=4294901761 Traffic:
>> ESPout=0B ESPin=0B! ESPmax=4194303B
>
>
> Why are there so many duplicate tunnels? You should have only one? Is
> the tunnel continuously being re-set up?

I have only one tunnel configured. Maybe this is caused by me playing
with settings and reinitializing stuff over and over. I checked my
router's log, I don't see the tunnel being reinitialized continuously.

This is the list after a night idling:
000 #18: "home":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 1654s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:admin initiate
000 #13: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 14357s; newest IPSEC; eroute owner; isakmp#12;
idle; import:admin initiate
000 #13: "home" esp.c7274d41 at 84.104.37.209 esp.6ab2f5d0 at 37.97.133.227
tun.0 at 84.104.37.209 tun.0 at 37.97.133.227 ref=0 refhim=4294901761
Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B

> Can you run tcpdump on the docker host to get an idea of what's
> happening to the packets? Are they leaking plaintext? Are they
> encrypted but ignored?

With tcpdump I see packets going into the tunnel:

[root at 37-97-133-227 ~]# tcpdump ip proto 50 &
[1] 28937
[root at 37-97-133-227 ~]# tcpdump: verbose output suppressed, use -v or
-vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
ping 192.168.178.1
PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
09:51:13.945703 IP 37-97-133-227.colo.transip.net >
546825D1.cm-12-1a.dynamic.ziggo.nl: ESP(spi=0xc7274d41,seq=0x8),
length 132
09:51:14.945339 IP 37-97-133-227.colo.transip.net >
546825D1.cm-12-1a.dynamic.ziggo.nl: ESP(spi=0xc7274d41,seq=0x9),
length 132
...

Trying to connect to the router's web interface with netcat fails with
a timeout.

I don't see any unencrypted packets if I filter on tcpdump host
192.168.178.1. Not sure if I should see them. It looks as if my
router is not handling these incoming packets? I don't see any dropped
packets in my router log for the internal or external IP of the docker
server.

Thanks for your help

Fabian
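The status output quoted above already contains the two clues in the thread: several IPsec SAs for one connection, and an ESP counter that only moves in one direction. The script below is an added example, written for this thread; it is not libreswan code and not something either poster ran. It parses the "Traffic: ESPout=... ESPin=..." and "esp.SPI@address" lines of `ipsec status` (the list archive rewrites "@" as " at ", and the parser accepts both), flags duplicate IPsec SAs and one-way counters, and maps an SPI seen in tcpdump (`ESP(spi=0xc7274d41,...)`) back to the SA and direction. libreswan prints `esp.SPI@address` with the packet destination as the address, so the SPI next to the peer is the outbound one, which is what the tcpdump line confirms. Assumptions: the K/M/G suffixes are taken as powers of 1024, and the `STATUS_AFTER_PING` sample is constructed, with made-up counter values for a couple of unanswered pings.

```python
"""Parse libreswan `ipsec status` output and flag IPsec SAs whose ESP counters
only move in one direction.  Added example; not libreswan code."""
import re
from collections import defaultdict

# Constructed sample modelled on the first status output quoted in the thread.
STATUS_BEFORE = """\
000 #10: "home":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 153s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #10: "home" esp.20141240@84.104.37.209 esp.def16332@37.97.133.227 tun.0@84.104.37.209 tun.0@37.97.133.227 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=17KB! ESPmax=4194303B
000 #11: "home":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1841s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 11008s; isakmp#1; idle; import:admin initiate
000 #2: "home" esp.dfec1580@84.104.37.209 esp.8dbc1b80@37.97.133.227 tun.0@84.104.37.209 tun.0@37.97.133.227 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #7: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 20902s; isakmp#6; idle; import:admin initiate
000 #7: "home" esp.b3937c0@84.104.37.209 esp.e938d2b6@37.97.133.227 tun.0@84.104.37.209 tun.0@37.97.133.227 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
"""

# Constructed: the single-SA status after the idle night, with the ESP counters
# as they might look after two unanswered pings (counter values are made up).
STATUS_AFTER_PING = """\
000 #18: "home":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1654s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #13: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 14357s; newest IPSEC; eroute owner; isakmp#12; idle; import:admin initiate
000 #13: "home" esp.c7274d41@84.104.37.209 esp.6ab2f5d0@37.97.133.227 tun.0@84.104.37.209 tun.0@37.97.133.227 ref=0 refhim=4294901761 Traffic: ESPout=264B ESPin=0B! ESPmax=4194303B
"""

STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+) \(([^)]*)\);(.*)$')
# "esp.SPI@addr": the address is the packet destination, so SPI@peer is outbound.
# The archive spells "@" as " at "; both are accepted.
TRAFFIC_RE = re.compile(
    r'^000 #(\d+): "([^"]+)" esp\.([0-9a-f]+)(?:@| at )(\S+) esp\.([0-9a-f]+)(?:@| at )(\S+)'
    r'.*Traffic: ESPout=(\S+) ESPin=(\S+) ESPmax=')
SIZE_RE = re.compile(r'^(\d+(?:\.\d+)?)([KMG]?)B$')
UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumption: binary units


def parse_size(text):
    """Turn a counter such as "17KB!" into bytes; the trailing "!" is dropped."""
    m = SIZE_RE.match(text.rstrip("!"))
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * UNIT[m.group(2)])


def parse_status(text):
    """Return {sa_number: record}; IPsec SAs also carry SPIs and byte counters."""
    records = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            flags = [f.strip() for f in m.group(5).split(";") if f.strip()]
            records[int(m.group(1))] = {"conn": m.group(2), "state": m.group(3),
                                        "desc": m.group(4), "flags": flags}
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            rec = records.setdefault(int(m.group(1)), {"conn": m.group(2), "state": "?",
                                                       "desc": "", "flags": []})
            rec.update(spi_out=m.group(3), peer=m.group(4), spi_in=m.group(5),
                       local=m.group(6), esp_out=parse_size(m.group(7)),
                       esp_in=parse_size(m.group(8)))
    return records


def sa_for_spi(records, spi):
    """Map a tcpdump SPI ("0xc7274d41") to (sa_number, "outbound"|"inbound")."""
    spi = spi.lower().replace("0x", "").lstrip("0") or "0"
    for num, rec in records.items():
        if rec.get("spi_out", "").lstrip("0") == spi:
            return num, "outbound"
        if rec.get("spi_in", "").lstrip("0") == spi:
            return num, "inbound"
    return None


def diagnose(records):
    """Findings as tuples:
    ("duplicate_ipsec_sa", conn, [eroute owners], [other IPsec SAs]),
    ("inbound_only", sa)       -- ESPin > 0, ESPout == 0,
    ("no_return_traffic", sa)  -- ESPout > 0, ESPin == 0: packets leave, none return."""
    findings = []
    by_conn = defaultdict(list)
    for num in sorted(records):
        if "esp_out" in records[num]:          # only IPsec (phase 2) SAs have counters
            by_conn[records[num]["conn"]].append(num)
    for conn, nums in by_conn.items():
        if len(nums) > 1:
            owners = [n for n in nums if "eroute owner" in records[n]["flags"]]
            findings.append(("duplicate_ipsec_sa", conn, owners,
                             [n for n in nums if n not in owners]))
    for nums in by_conn.values():
        for num in nums:
            rec = records[num]
            if rec["esp_out"] > 0 and rec["esp_in"] == 0:
                findings.append(("no_return_traffic", num))
            elif rec["esp_in"] > 0 and rec["esp_out"] == 0:
                findings.append(("inbound_only", num))
    return findings


if __name__ == "__main__":
    for label, text in (("before", STATUS_BEFORE), ("after ping", STATUS_AFTER_PING)):
        print(label, diagnose(parse_status(text)))
    print(sa_for_spi(parse_status(STATUS_AFTER_PING), "0xc7274d41"))
```

Run against the thread's first status it reports three IPsec SAs for "home" with #10 as the only eroute owner, and #10 as inbound-only (home to docker works, nothing has gone out yet). After the pings, the constructed sample yields `no_return_traffic` for #13 and resolves the tcpdump SPI 0xc7274d41 to #13 outbound, which is consistent with the peer receiving encrypted packets and never answering. Run `ipsec status` on both ends and diff the two counters: if the home side shows ESPin rising but ESPout flat, the packets decrypt there and the problem is routing or firewalling behind the router, not the tunnel.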

