[Swan] ipsec SA's up, no traffic routed?

Frank frank at dio.demon.nl
Tue May 10 18:25:08 UTC 2016


Hi,

The ping still gives the same:
ping -I 192.168.1.2 192.168.211.2
PING 192.168.211.2 (192.168.211.2) from 192.168.1.2 : 56(84) bytes of data.
From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
From xxx.xxx.39.68 icmp_seq=2 Destination Host Unreachable
From xxx.xxx.39.68 icmp_seq=3 Destination Host Unreachable
From xxx.xxx.39.68 icmp_seq=4 Destination Host Unreachable


iptables rules (simplified for now):

iptables -L -n -v
Chain INPUT (policy ACCEPT 84987 packets, 4996K bytes)
 pkts bytes target     prot opt in     out     source               destination
   62  2988 DROP       tcp  --  eth4   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP       tcp  --  eth4   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2200

Chain FORWARD (policy ACCEPT 576K packets, 34M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2331K  270M ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2044K  127M ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  154 12936 ACCEPT     all  --  eth4   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth4   eth2    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  720 60480 ACCEPT     all  --  eth1   eth4    0.0.0.0/0            0.0.0.0/0
  247 12844 ACCEPT     all  --  eth2   eth4    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 143K packets, 8682K bytes)
 pkts bytes target     prot opt in     out     source               destination


iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 576K packets, 35M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1744 packets, 310K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 44171 packets, 2325K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 616K packets, 37M bytes)
 pkts bytes target     prot opt in     out     source               destination
   54  3843 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  690 56556 MASQUERADE  all  --  *      eth4    0.0.0.0/0            0.0.0.0/0


arp -an:
? (zzz.zzz.13.34) at <incomplete> on eth4
? (192.168.211.12) at <incomplete> on eth4
? (192.168.2.12) at 02:00:6b:17:00:01 [ether] on eth2
? (192.168.211.2) at <incomplete> on eth4
? (192.168.1.12) at 02:00:0b:60:00:01 [ether] on eth1
? (xxx.xxx.39.78) at 00:00:5e:00:01:37 [ether] on eth4
? (xxx.xxx.39.76) at 00:1d:b5:2f:19:9f [ether] on eth4

tcpdump -v -n -i eth4 not port 22 | grep -v VRRP :
tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes
20:17:05.232826 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
20:17:05.925432 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
20:17:06.204021 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28
20:17:06.825248 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
20:17:07.204218 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28


Rgds,

Frank.



> On 10 May 2016, at 17:45, Paul Wouters <paul at nohats.ca> wrote:
> 
> On Tue, 10 May 2016, Frank wrote:
> 
>> I’m trying to set up an ipsec connection from a recent centos7 box to a pfSense with strongSwan (charon), as a test before connecting to a remote ciscoASA.
>> SAs seem up.
>> 
>> I can't get traffic to the other side (host on 192.168.211.2 or .12):
>> 
>> 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24
> 
>> 
>> ping 192.168.211.2
>> PING 192.168.211.2 (192.168.211.2) 56(84) bytes of data.
>> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
> 
> Oddly this used your public ip as source, instead of the one you
> specified with leftsourceip=192.168.1.2
> 
> does ping -I 192.168.1.2 192.168.211.2  work?
> 
>> ip route:
>> default via xxx.xxx.39.78 dev eth4
>> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
>> 192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.2
>> 192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.2
>> 192.168.211.0/24 dev eth4  scope link  src 192.168.1.2
> 
> It's there, so why is ping using the wrong source ip?
> 
> Paul
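Added example, not part of Frank's or Paul's mails and not libreswan code: a small Python checker that encodes the reading of the outputs above. Two things in the thread are worth making mechanical. First, the route "192.168.211.0/24 dev eth4 scope link" tells the kernel that the remote subnet is directly attached to the public interface, so any packet to 192.168.211.x that the IPsec policy does not catch is ARPed for on eth4 instead of being dropped. Second, an ARP request for an inner tunnel address ("who-has 192.168.211.2 tell xxx.xxx.39.68") on the public interface is proof that a plaintext packet reached the neighbour layer: traffic matched by an XFRM out policy leaves as ESP to the peer and never needs the MAC of the inner destination. The sample input is copied from the thread's "ip route" and tcpdump output, with the masked xxx.xxx.39.x addresses replaced by the 203.0.113.0/24 documentation range (constructed substitution); the remote subnet and probe host are the thread's own.

```python
"""Check 'ip route' and tcpdump ARP output for IPsec traffic that bypassed XFRM.

Assumptions (labelled): the sample text below is the thread's output with the
masked public addresses rewritten to 203.0.113.0/24; the remote tunnel subnet is
192.168.211.0/24 and the probe host is 192.168.211.2, as in the thread.
"""
import ipaddress
import re

# Constructed sample: the thread's 'ip route' with xxx.xxx.39.78 -> 203.0.113.78.
ROUTES_SAMPLE = """\
default via 203.0.113.78 dev eth4
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.2
192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.2
192.168.211.0/24 dev eth4  scope link  src 192.168.1.2
"""

# Constructed sample: the thread's tcpdump lines with xxx.xxx.39.x -> 203.0.113.x.
TCPDUMP_SAMPLE = """\
20:17:05.232826 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 203.0.113.74 tell 203.0.113.76, length 46
20:17:06.204021 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell 203.0.113.68, length 28
20:17:07.204218 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell 203.0.113.68, length 28
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>default|[\d.]+(?:/\d+)?)(?:\s+via\s+(?P<via>[\d.]+))?\s+dev\s+(?P<dev>\S+)(?P<rest>.*)$"
)
ARP_RE = re.compile(r"ARP,.*Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")


def parse_routes(text):
    """Parse 'ip route' lines into dicts (dst network, via, dev, scope_link, src)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a plain unicast route line
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        rest = m.group("rest")
        src = re.search(r"\bsrc\s+([\d.]+)", rest)
        routes.append({
            "dst": ipaddress.ip_network(dst, strict=False),
            "via": m.group("via"),
            "dev": m.group("dev"),
            "scope_link": "scope link" in rest,
            "src": src.group(1) if src else None,
        })
    return routes


def route_for(routes, dst):
    """Longest-prefix match, which is how the kernel selects the route for dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["dst"]]
    return max(candidates, key=lambda r: r["dst"].prefixlen) if candidates else None


def wan_interface(routes):
    """Interface carrying the default route, or None if there is none."""
    for r in routes:
        if r["dst"].prefixlen == 0:
            return r["dev"]
    return None


def cleartext_arps(tcpdump_text, remote_subnet):
    """ARP requests whose target lies inside the tunnel's remote subnet.

    ESP to the peer only needs the MAC of the next hop, so an ARP for an inner
    destination means the packet was sent without being matched by an out policy.
    """
    net = ipaddress.ip_network(remote_subnet)
    hits = []
    for line in tcpdump_text.splitlines():
        m = ARP_RE.search(line)
        if m and ipaddress.ip_address(m.group("target")) in net:
            hits.append((m.group("target"), m.group("sender")))
    return hits


def diagnose(routes_text, tcpdump_text, remote_subnet, probe_host):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    routes = parse_routes(routes_text)
    findings = []
    wan = wan_interface(routes)
    r = route_for(routes, probe_host)
    if r is None:
        findings.append(f"no route for {probe_host}")
    elif r["dev"] == wan and r["scope_link"]:
        findings.append(
            f"{r['dst']} is a link-scope route on the WAN interface {wan}: "
            f"a packet the IPsec policy does not match is ARPed for directly on {wan}"
        )
    leaks = cleartext_arps(tcpdump_text, remote_subnet)
    if leaks:
        target, sender = leaks[0]
        findings.append(
            f"{len(leaks)} ARP request(s) for {target} from {sender}: "
            f"plaintext packets for {remote_subnet} bypassed the IPsec out policy"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(ROUTES_SAMPLE, TCPDUMP_SAMPLE, "192.168.211.0/24", "192.168.211.2"):
        print(finding)
```

On a live box the two inputs come from "ip route" and "tcpdump -n -i eth4 arp"; when the checker reports ARPs for the remote subnet, the next thing to compare is what "ip xfrm policy" and "ip xfrm state" show for 192.168.1.0/24 -> 192.168.211.0/24, since a policy that is installed and matched would have produced ESP towards the peer instead of that ARP.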


