[Swan] cannot get traffic to lan when using xauth and pool address is on lan segment
Paul Wouters
paul at nohats.ca
Wed Apr 12 19:49:45 UTC 2017
On Wed, 12 Apr 2017, Antonio Silva wrote:
>
> My current setup:
>
> --- eth0 (192.168.0.254/24)
> WAN --- router --- vlan 1 on eth0 (192.168.168.254/24)
>
> I set the ipsec conn with
> rightaddresspool=192.168.168.87-192.168.168.90; the connection is
> established and I get the IP 192.168.168.87 on my device.
> I then can connect to the server at the IP 192.168.168.254, so far so
> good.
>
> But when I try to connect to a LAN device, like 192.168.168.249, I can't.
> In tcpdump on the router I see the LAN device sending the ARP request
> "who has 192.168.168.87", but no reply from the router. I've set
> proxy ARP on the interface as suggested on the wiki
> (https://libreswan.org/wiki/FAQ#Can_I_hand_out_LAN_IP_addresses_in_the_addresspool.3F),
> but no luck...
>
> net.ipv4.conf.eth0.proxy_arp=1
>
>
> From the router I can ping 192.168.168.87.
>
>
> Any suggestion on how to solve this? Or is this configuration not ideal,
> and must I define a different pool for the VPN side?
That should work. Try running "ipsec verify" and check your systemctl
settings and firewall rules?
You might also need a passthrough conn:

conn passthrough
	left=192.168.0.254
	right=%any
	leftsubnet=192.168.0.0/24
	rightsubnet=192.168.0.0/24
	auto=route
	authby=never
Paul
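Added example, not part of the thread and not libreswan's own tooling: a small POSIX sh script that checks the two things the thread turns on, namely whether the addresspool actually falls inside the LAN interface's subnet (in which case the router has to answer ARP for the pool addresses) and whether proxy_arp is enabled on that interface. The interface name eth0, the LAN 192.168.168.0/24 and the pool 192.168.168.87-192.168.168.90 are taken from the question; any other values are assumptions, and the sysctl lookup simply reports "missing" on systems without /proc/sys.

```shell
#!/bin/sh
# Sanity checks for handing out LAN addresses from a libreswan addresspool.
# Sample values (eth0, 192.168.168.0/24, pool .87-.90) mirror the thread;
# nothing else here is taken from libreswan.

# ip_to_int DOTTED-QUAD -> prints the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR -> exit 0 if ADDR lies inside CIDR (e.g. 192.168.168.0/24)
in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# pool_in_subnet FIRST-LAST CIDR -> exit 0 if both ends of the pool are inside CIDR
pool_in_subnet() {
    first=${1%-*}; last=${1#*-}
    in_subnet "$first" "$2" && in_subnet "$last" "$2"
}

# proxy_arp_state IFACE -> prints 1 or 0, or "missing" if the sysctl is absent
proxy_arp_state() {
    f="/proc/sys/net/ipv4/conf/$1/proxy_arp"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# check_pool IFACE CIDR POOL -> prints a report; exit 0 only when consistent
check_pool() {
    iface=$1; cidr=$2; pool=$3; rc=0
    if pool_in_subnet "$pool" "$cidr"; then
        echo "pool $pool lies inside $cidr: the router must answer ARP for it"
        state=$(proxy_arp_state "$iface")
        case $state in
            1) echo "proxy_arp on $iface is enabled";;
            0) echo "proxy_arp on $iface is DISABLED: set net.ipv4.conf.$iface.proxy_arp=1"; rc=1;;
            *) echo "cannot read proxy_arp for $iface (no /proc/sys or no such interface)"; rc=2;;
        esac
    else
        echo "pool $pool is outside $cidr: proxy ARP is not needed, route the pool instead"
    fi
    return $rc
}

# Sample invocation with the values from the thread (constructed input).
if check_pool eth0 192.168.168.0/24 192.168.168.87-192.168.168.90; then
    echo "pool and proxy_arp look consistent"
else
    echo "check failed with status $?"
fi
```

Run it as root on the router (the sysctl file is world-readable, but the interface must exist); a pool that lands outside the LAN subnet needs a route on the LAN side rather than proxy ARP, which the report says explicitly.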