[Swan] ipsec SA's up, no traffic routed?

Frank frank at dio.demon.nl
Tue May 10 20:37:12 UTC 2016


Hi,

That worked, thanks a bunch Nick!

Next up: the cisco w. sourcenat,

rgds,

Frank.

> On 10 May 2016, at 20:30, Nick Howitt <nick at howitts.co.uk> wrote:
> 
> Try:
> iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> Nick
> 
> 
> On 10/05/2016 19:25, Frank wrote:
>> Hi,
>> 
>> The ping still gives the same:
>> ping -I 192.168.1.2 192.168.211.2
>> PING 192.168.211.2 (192.168.211.2) from 192.168.1.2 : 56(84) bytes of data.
>> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
>> From xxx.xxx.39.68 icmp_seq=2 Destination Host Unreachable
>> From xxx.xxx.39.68 icmp_seq=3 Destination Host Unreachable
>> From xxx.xxx.39.68 icmp_seq=4 Destination Host Unreachable
>> 
>> 
>> iptables rules (simplified for now):
>> 
>> iptables -L -n -v
>> Chain INPUT (policy ACCEPT 84987 packets, 4996K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>    62  2988 DROP       tcp  --  eth4   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>>     0     0 DROP       tcp  --  eth4   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2200
>> 
>> Chain FORWARD (policy ACCEPT 576K packets, 34M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 2331K  270M ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 2044K  127M ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>   154 12936 ACCEPT     all  --  eth4   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>     0     0 ACCEPT     all  --  eth4   eth2    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>   720 60480 ACCEPT     all  --  eth1   eth4    0.0.0.0/0            0.0.0.0/0
>>   247 12844 ACCEPT     all  --  eth2   eth4    0.0.0.0/0            0.0.0.0/0
>> 
>> Chain OUTPUT (policy ACCEPT 143K packets, 8682K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> 
>> 
>> iptables -t nat -L -n -v
>> Chain PREROUTING (policy ACCEPT 576K packets, 35M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> 
>> Chain INPUT (policy ACCEPT 1744 packets, 310K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> 
>> Chain OUTPUT (policy ACCEPT 44171 packets, 2325K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> 
>> Chain POSTROUTING (policy ACCEPT 616K packets, 37M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>    54  3843 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>>   690 56556 MASQUERADE  all  --  *      eth4    0.0.0.0/0            0.0.0.0/0
>> 
>> 
>> arp -an:
>> ? (zzz.zzz.13.34) at <incomplete> on eth4
>> ? (192.168.211.12) at <incomplete> on eth4
>> ? (192.168.2.12) at 02:00:6b:17:00:01 [ether] on eth2
>> ? (192.168.211.2) at <incomplete> on eth4
>> ? (192.168.1.12) at 02:00:0b:60:00:01 [ether] on eth1
>> ? (xxx.xxx.39.78) at 00:00:5e:00:01:37 [ether] on eth4
>> ? (xxx.xxx.39.76) at 00:1d:b5:2f:19:9f [ether] on eth4
>> 
>> tcpdump -v -n -i eth4 not port 22 | grep -v VRRP :
>> tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 20:17:05.232826 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>> 20:17:05.925432 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>> 20:17:06.204021 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28
>> 20:17:06.825248 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>> 20:17:07.204218 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28
>> 
>> 
>> Rgds,
>> 
>> Frank.
>> 
>> 
>> 
>>> On 10 May 2016, at 17:45, Paul Wouters <paul at nohats.ca> <mailto:paul at nohats.ca> wrote:
>>> 
>>> On Tue, 10 May 2016, Frank wrote:
>>> 
>>>> I’m trying to set up an ipsec connection from a recent centos7 box to a pfSense with strongSwan (charon), as a test before connecting to a remote Cisco ASA.
>>>> SA's seem up.
>>>> 
>>>> I can't get traffic to the other side (host on 192.168.211.2 or .12):
>>>> 
>>>> 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24
>>>> ping 192.168.211.2
>>>> PING 192.168.211.2 (192.168.211.2) 56(84) bytes of data.
>>>> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
>>> Oddly this used your public ip as source, instead of the one you
>>> specified with leftsourceip=192.168.1.2
>>> 
>>> does ping -I 192.168.1.2 192.168.211.2  work?
>>> 
>>>> ip route:
>>>> default via xxx.xxx.39.78 dev eth4
>>>> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
>>>> 192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.2
>>>> 192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.2
>>>> 192.168.211.0/24 dev eth4  scope link  src 192.168.1.2
>>> It's there, so why is ping using the wrong source ip?
>>> 
>>> Paul
> 
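Nick's rule works because the nat table's POSTROUTING chain runs before the packet is handed to the IPsec (XFRM) transform: MASQUERADE rewrites the 192.168.1.x source to the eth4 address, so the packet no longer matches the tunnel's subnet selectors and never gets encapsulated. The audit below is an added example, not code from the thread: it reads `iptables -t nat -S POSTROUTING` output and reports whether the IPsec policy bypass is ordered ahead of any MASQUERADE/SNAT rule. The function names and the `-S`-style sample rules are my own constructions, modelled on Frank's listing.

```shell
# check_ipsec_nat_bypass: read `iptables -t nat -S POSTROUTING` from stdin.
# Exit 0 when a "-m policy --dir out --pol ipsec -j ACCEPT" rule precedes the
# first MASQUERADE/SNAT rule (or when the chain does no NAT at all).
# Exit 1 when NAT would rewrite the source before IPsec sees the packet, so
# traffic for the remote subnet stops matching the leftsubnet/rightsubnet
# selectors and is sent out un-encapsulated or dropped.
check_ipsec_nat_bypass() {
    awk '
        /-j (MASQUERADE|SNAT)/ && !nat_at { nat_at = NR }
        /-m policy/ && /--dir out/ && /--pol ipsec/ && /-j ACCEPT/ && !bypass_at { bypass_at = NR }
        END {
            if (!nat_at) exit 0                     # nothing is NATed
            if (bypass_at && bypass_at < nat_at) exit 0
            exit 1                                  # bypass missing or too late
        }'
}

# ensure_ipsec_nat_bypass: insert the bypass at the top of POSTROUTING only if
# it is not already present (-C checks for it). Needs root and a real
# netfilter; the audit above does not call it.
ensure_ipsec_nat_bypass() {
    iptables -t nat -C POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT 2>/dev/null \
        || iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
}

# Constructed sample: Frank's two MASQUERADE rules in -S form, before the fix.
SAMPLE_NAT_BEFORE='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth4 -j MASQUERADE'

# Constructed sample: the same chain after Nick's `iptables -t nat -I ...` rule.
SAMPLE_NAT_AFTER='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth4 -j MASQUERADE'

if printf '%s\n' "$SAMPLE_NAT_BEFORE" | check_ipsec_nat_bypass; then
    echo "before fix: IPsec traffic exempt from NAT"
else
    echo "before fix: tunnel traffic would be masqueraded"
fi
if printf '%s\n' "$SAMPLE_NAT_AFTER" | check_ipsec_nat_bypass; then
    echo "after fix: IPsec traffic exempt from NAT"
fi
```

Run it against a live box with `iptables -t nat -S POSTROUTING | check_ipsec_nat_bypass`; an exit status of 1 is the condition Frank hit.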
