[Swan] cannot get traffic to lan when using xauth and pool address is on lan segment

Antonio Silva asilva at wirelessmundi.com
Tue Apr 18 15:14:34 UTC 2017


Sorry, I replied too soon... actually the only option that worked was 
leftupdown="ipsec _updown.netkey --route yes".

The leftsourceip option worked because of route caching from a previous test 
with the leftupdown command, but after rebooting the server with this option 
set there is no traffic to LAN addresses.


Saludos / Regards / Cumprimentos,
António Silva

On 04/18/2017 04:05 PM, Antonio Silva wrote:
> Hi Tuomo,
>
> Thanks for the tip, both options, separately, solve my problem!!! I ended 
> up using leftsourceip; I use the leftupdown script to monitor the 
> established connection.
>
> We could add this extra info to the wiki :)
>
> https://libreswan.org/wiki/FAQ#Can_I_hand_out_LAN_IP_addresses_in_the_addresspool.3F 
>
>
>
> Saludos / Regards / Cumprimentos,
> António Silva
>
> On 04/18/2017 10:02 AM, Tuomo Soini wrote:
>> On Mon, 17 Apr 2017 19:04:54 +0200
>> Antonio Silva <asilva at wirelessmundi.com> wrote:
>>
>>> OK, so there is something I'm doing badly...
>>>
>>> After pinging the IP assigned to the client I print the ARP entries and
>>> for the IP address in question there is no ARP entry, and it is supposed
>>> to be there with the MAC address of the server...
>>>
>>> # ping 192.168.10.206
>>> PING 192.168.10.206 (192.168.10.206) 56(84) bytes of data.
>>> 64 bytes from 192.168.10.206: icmp_seq=1 ttl=64 time=509 ms
>>> 64 bytes from 192.168.10.206: icmp_seq=2 ttl=64 time=72.0 ms
>>>
>>>
>>> # arp | grep 192.168.10.206
>> Proxy ARP doesn't work for pure IPsec. You need to add forced routing
>> to clients because proxy ARP only works if there is a host route to the client.
>>
>>      leftupdown="ipsec _updown.netkey --route yes"
>>
>> Or use leftsourceip=<gateway-lan-ip>.
>>
>
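Tuomo's point above is that proxy ARP only answers for a pool address once the kernel holds a host route to it, which is what `_updown.netkey --route yes` installs. The following added example (not from the thread or from libreswan) is a small POSIX sh check that parses `ip route show` output and reports which pool addresses lack such a route; the routing table below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that each address handed out from the pool has a
# /32 host route, the precondition for proxy ARP to answer on the LAN.

# Constructed sample of "ip route show": 192.168.10.206 has the host route
# that "_updown.netkey --route yes" would add, 192.168.10.207 does not.
SAMPLE_ROUTES='default via 192.168.10.1 dev eth0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.254
192.168.10.206 dev eth0 scope link'

# has_host_route ROUTES ADDR: exit 0 when ROUTES contains a host route for
# ADDR. iproute2 prints a /32 route as a bare address, so accept both forms.
has_host_route() {
    routes=$1
    addr=$2
    printf '%s\n' "$routes" | awk -v a="$addr" '
        $1 == a || $1 == a "/32" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_pool ROUTES ADDR...: one report line per address; prints the number
# of addresses that LAN hosts will not be able to reach via proxy ARP.
check_pool() {
    routes=$1
    shift
    missing=0
    for a in "$@"; do
        if has_host_route "$routes" "$a"; then
            echo "$a: host route present, proxy ARP can answer for it"
        else
            echo "$a: no host route, LAN traffic to the client will be dropped"
            missing=$((missing + 1))
        fi
    done
    echo "addresses without host route: $missing"
}

# On a live gateway replace SAMPLE_ROUTES with "$(ip route show)".
check_pool "$SAMPLE_ROUTES" 192.168.10.206 192.168.10.207
```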
