[Swan] cannot get traffic to lan when using xauth and pool address is on lan segment
Antonio Silva
asilva at wirelessmundi.com
Mon Apr 17 11:23:40 UTC 2017
Hi,
Thanks for the reply.
: ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.20 (netkey) on 4.9.20
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
I tried to set a passthrough connection, but I must have set it wrong, because
I lost connection to the server on 192.168.0.254...
I tried a simpler configuration without VLANs:
1) WAN --- router --- eth0 LAN 192.168.0.0/24, server with IP
192.168.10.1, XAUTH pool 192.168.10.20-25: connection OK but cannot
connect to LAN devices; connection OK to 192.168.10.1; from the
server I can ping the IP assigned by IPsec; from the LAN, the same behaviour:
the ARP request arrives at the server, but no reply.
2) WAN --- router --- eth0 LAN 192.168.0.0/24, server with IP
192.168.10.1 and 192.168.20.1/24, XAUTH pool 192.168.20.20-25:
connection OK to LAN devices and to the server on both 192.168.10.1 and
192.168.20.1.
I checked sysctl and don't see anything wrong; as for firewall rules,
nothing is set: input, output and forward accept everything.
Also, I don't see any difference (apart from the IP address range) in
the XFRM policies installed.
Correct me if I'm wrong, but digging a little more, there won't be any
MAC associated with the IP of the VPN client, so there is no ARP entry in the
server; even with proxy ARP enabled the LAN devices will never be able
to reach the VPN client, because no ARP entry will be found in the server.
So I always have to set a different network, like in setup 2), no?
Regards,
António
Saludos / Regards / Cumprimentos,
António silva
On 04/12/2017 09:49 PM, Paul Wouters wrote:
> On Wed, 12 Apr 2017, Antonio Silva wrote:
>
>>
>> My current setup:
>>
>>                    --- eth0 (192.168.0.254/24)
>> WAN --- router --- vlan 1 on eth0 (192.168.168.254/24)
>>
>> I set the IPsec conn with
>> rightaddresspool=192.168.168.87-192.168.168.90; the connection is
>> established and I get the IP 192.168.168.87 on my device.
>> I can then connect to the server at the IP 192.168.168.254, so
>> far so good.
>>
>> But when I try to connect to a LAN device, like 192.168.168.249, I
>> can't. In tcpdump on the router I see the LAN device sending the ARP
>> request "who has 192.168.168.87", but no reply from the router. I've
>> set proxy ARP on the interface as suggested on the wiki
>> (https://libreswan.org/wiki/FAQ#Can_I_hand_out_LAN_IP_addresses_in_the_addresspool.3F),
>> but no luck...
>>
>> net.ipv4.conf.eth0.proxy_arp=1
>>
>> From the router I can ping 192.168.168.87.
>>
>> Any suggestion on how to solve this? Or is this configuration not
>> ideal, and must I define a different pool for the VPN side?
>
> That should work. Try running "ipsec verify" and check your systemctl
> settings and firewall rules?
>
> You might also need a passthrough conn
>
> conn passthrough
>     left=192.168.0.254
>     right=%any
>     leftsubnet=192.168.0.0/24
>     rightsubnet=192.168.0.0/24
>     auto=route
>     authby=never
>
> Paul
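The ARP question raised in the message above (why a LAN host's "who has" for the pool address goes unanswered on the router even with proxy_arp set, and why the second setup with a separate subnet works), as an added example that is not part of this thread or of Libreswan: a small Python model of when a LAN host can actually deliver a packet to an addresspool client, following the Linux kernel's ARP input rules in net/ipv4/arp.c. The router only proxies an ARP request when IP forwarding is on, proxy_arp is set for the receiving interface (or for "all"), and its route to the target leaves through a different interface than the one the request arrived on; and a LAN host only ARPs for the target at all when the target lies inside its own subnet, otherwise it hands the packet to its default gateway. The interface names, addresses, sysctl values and `ip route get` text are constructed to mirror the two setups in the message; the third state, with a hypothetical interface named tun0, exists only to show the one condition under which proxy ARP does reply.

```python
"""Model of the Linux proxy-ARP decision for an IPsec addresspool client.

Added example, not Libreswan code.  It encodes three kernel facts:
  1. a LAN host ARPs for the target only if the target is inside the host's
     own subnet; otherwise the packet goes to the host's gateway;
  2. the router answers ARP on behalf of another address only when
     ip_forward is on and proxy_arp is set for the receiving interface
     (the kernel ORs the "all" and per-interface values);
  3. proxy ARP never answers when the route to the target leaves through the
     same interface the ARP request arrived on.
All addresses, interface names and `ip route get` text below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class RouterState:
    """Snapshot of the VPN server/router as seen from the LAN side."""
    lan_dev: str                 # interface that carries the LAN subnet
    lan_cidr: str                # subnet of the LAN hosts that send the ARP
    ip_forward: int              # net.ipv4.ip_forward
    proxy_arp: dict = field(default_factory=dict)  # net.ipv4.conf.<dev>.proxy_arp
    route_get: dict = field(default_factory=dict)  # target -> `ip route get` text


def route_dev(route_get_output):
    """Output interface named in `ip route get <addr>` text, or None."""
    m = re.search(r"\bdev (\S+)", route_get_output)
    return m.group(1) if m else None


def proxy_arp_enabled(state, dev):
    """IN_DEV_PROXY_ARP: conf.all.proxy_arp OR conf.<dev>.proxy_arp."""
    return bool(state.proxy_arp.get("all", 0) or state.proxy_arp.get(dev, 0))


def proxy_arp_replies(state, target):
    """Would the router answer a LAN host's ARP request for `target`?"""
    if not state.ip_forward:
        return False
    if not proxy_arp_enabled(state, state.lan_dev):
        return False
    out = route_dev(state.route_get.get(target, ""))
    # A route back out the interface the request came in on is never proxied:
    # the kernel only proxies for destinations behind *another* interface.
    return out is not None and out != state.lan_dev


def lan_host_reaches(state, target):
    """How a packet from a LAN host to the pool address `target` gets delivered."""
    if ipaddress.ip_address(target) not in ipaddress.ip_network(state.lan_cidr):
        return "routed via gateway"      # no ARP for target; the gateway (VPN server) encrypts it
    return "proxy arp reply" if proxy_arp_replies(state, target) else "arp unanswered"


# Setup 1 from the message: pool address taken from the LAN subnet on eth0.
SETUP1 = RouterState(
    lan_dev="eth0", lan_cidr="192.168.10.0/24", ip_forward=1,
    proxy_arp={"all": 0, "eth0": 1},
    route_get={"192.168.10.22": "192.168.10.22 dev eth0 src 192.168.10.1 uid 0\n    cache"},
)

# Setup 2 from the message: pool address taken from a second subnet.
SETUP2 = RouterState(
    lan_dev="eth0", lan_cidr="192.168.10.0/24", ip_forward=1,
    proxy_arp={"all": 0, "eth0": 1},
    route_get={"192.168.20.22": "192.168.20.22 dev eth0 src 192.168.20.1 uid 0\n    cache"},
)

# Hypothetical: same pool as setup 1, but a /32 route for the client points out
# a different interface ("tun0" is an assumed name), so proxy ARP would reply.
SETUP1_TUN = RouterState(
    lan_dev="eth0", lan_cidr="192.168.10.0/24", ip_forward=1,
    proxy_arp={"all": 0, "eth0": 1},
    route_get={"192.168.10.22": "192.168.10.22 dev tun0 src 192.168.10.1 uid 0\n    cache"},
)

if __name__ == "__main__":
    for name, state, target in (("setup 1", SETUP1, "192.168.10.22"),
                                ("setup 2", SETUP2, "192.168.20.22"),
                                ("setup 1 + tun0 route", SETUP1_TUN, "192.168.10.22")):
        print(f"{name}: {target} -> {lan_host_reaches(state, target)}")
```

The check keys on the interface that actually carries the LAN subnet; for an 802.1Q VLAN that is the sub-interface (for example eth0.1), which is its own netdev with its own net.ipv4.conf.<dev>.proxy_arp, so setting proxy_arp on the parent eth0 alone does not cover it.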