[Swan] LibreSwan not accepting port 9001 but accepts 5000?

Madden, Joe Joe.Madden at mottmac.com
Thu Jul 13 12:32:45 UTC 2017


Figured out what it was - it was not the IPsec config.

A misconfigured NAT rule was catching the traffic in iptables and changing the source address of this specific port!

Thanks for the help.

Joe.
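The resolution above is a common failure pattern: a nat-table POSTROUTING rule rewrites the source address of a specific port before the packet is matched against the IPsec policy, so the rewritten packet no longer fits the tunnel's selectors and takes the default route instead. The script below is an added example written for this thread, not code from the list or from Libreswan; it parses constructed iptables-save text (the rules, addresses and port numbers in it are made up to mirror the thread) and reports which nat POSTROUTING rule, if any, would rewrite a given outbound flow before an ACCEPT exemption for the tunnel subnets. It models only the fields the example rules use (`-s`, `-d`, `-p`, `--dport`, negation and `-j`), and only connection-initiating packets, since those are the ones that traverse the nat table.

```python
"""Find the nat POSTROUTING rule that would rewrite a flow before IPsec sees it.

Added example for the thread above (not the list's or Libreswan's code).
Assumes iptables-save formatting and models the nat POSTROUTING chain only;
SNAT/MASQUERADE and ACCEPT are all terminating in that chain.
"""
import ipaddress
import shlex

# Constructed ruleset reproducing the failure: a port-specific SNAT catches
# tcp/9001 before any exemption for traffic bound for the remote subnet.
BROKEN_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp -m tcp --dport 9001 -j SNAT --to-source 1.1.1.1
-A POSTROUTING -s 192.168.70.0/24 ! -d 10.190.22.0/24 -j MASQUERADE
COMMIT
"""

# Same ruleset with an explicit exemption for tunnel traffic placed first.
FIXED_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.70.0/24 -d 10.190.22.0/24 -j ACCEPT
-A POSTROUTING -p tcp -m tcp --dport 9001 -j SNAT --to-source 1.1.1.1
-A POSTROUTING -s 192.168.70.0/24 ! -d 10.190.22.0/24 -j MASQUERADE
COMMIT
"""

NAT_TARGETS = {"SNAT", "MASQUERADE", "NETMAP"}


def parse_postrouting(save_text):
    """Return the *nat POSTROUTING rules as dicts, in evaluation order."""
    rules = []
    in_nat = False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_nat = line == "*nat"
            continue
        if not in_nat or not line.startswith("-A POSTROUTING"):
            continue
        toks = shlex.split(line)
        rule = {"line": line, "src": None, "dst": None, "proto": None,
                "dport": None, "target": None}
        negate = False
        i = 2                                   # skip "-A POSTROUTING"
        while i < len(toks):
            t = toks[i]
            if t == "!":                        # negation applies to the next match
                negate = True
                i += 1
                continue
            if t in ("-s", "-d"):
                key = "src" if t == "-s" else "dst"
                rule[key] = (ipaddress.ip_network(toks[i + 1], strict=False), negate)
                i += 2
            elif t == "-p":
                rule["proto"] = (toks[i + 1], negate)
                i += 2
            elif t == "--dport":
                rule["dport"] = (int(toks[i + 1]), negate)
                i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            else:
                i += 1                          # "-m tcp", "--to-source", ...: not matched on
            negate = False
        rules.append(rule)
    return rules


def _match(cond, value, test):
    """Apply one (wanted, negated) match; an absent match always matches."""
    if cond is None:
        return True
    wanted, negated = cond
    return test(wanted, value) != negated


def rule_matches(rule, src, dst, proto, dport):
    """True if every match field on the rule accepts the given flow."""
    return (_match(rule["src"], ipaddress.ip_address(src), lambda n, a: a in n)
            and _match(rule["dst"], ipaddress.ip_address(dst), lambda n, a: a in n)
            and _match(rule["proto"], proto, lambda p, v: p == v)
            and _match(rule["dport"], dport, lambda p, v: p == v))


def first_nat_rule(save_text, src, dst, proto, dport):
    """Return the line of the first NAT rule that rewrites this flow, or None.

    Rules are walked in order; a matching ACCEPT ends evaluation (the flow is
    exempted), and a matching SNAT/MASQUERADE is reported and also terminates.
    """
    for rule in parse_postrouting(save_text):
        if not rule_matches(rule, src, dst, proto, dport):
            continue
        if rule["target"] == "ACCEPT":
            return None
        if rule["target"] in NAT_TARGETS:
            return rule["line"]
    return None


if __name__ == "__main__":
    tunnel_flow = ("192.168.70.1", "10.190.22.10", "tcp", 9001)
    for name, rs in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        print(name, first_nat_rule(rs, *tunnel_flow) or "no NAT rule rewrites this flow")
```

Run it against real output with `iptables-save -t nat` piped into `first_nat_rule` and the actual tunnel selectors; a non-`None` result for a flow that should be encrypted points at the rule to move below an exemption. The exemption shown in FIXED_RULESET is the plain subnet form; an equivalent that follows the kernel's own decision is `-m policy --dir out --pol ipsec -j ACCEPT`, which the parser here does not model.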
-----Original Message-----
From: Swan [mailto:swan-bounces at lists.libreswan.org] On Behalf Of Madden, Joe
Sent: 13 July 2017 08:43
To: Lennart Sorensen <lsorense at csclub.uwaterloo.ca>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] LibreSwan not accepting port 9001 but accepts 5000?


Hi Lennart,

The source IP of the IPsec would be 1.1.1.1 (it's obviously not really this; I just wanted to hide my external IP). The source traffic to go over the IPsec VPN would be 192.168.70.1:xxxxx to 10.190.22.0/24:9001

That doesn't work - But traffic from 10.190.22.0/24:xxxxx to 192.168.70.1:5000 does work.

It's pretty odd - I'll try leftsourceip=1.1.1.1 but I'm not sure it's going to fix the issue.

I don't have a router for 10.190.22.0/24 - it expects just to use the default route - I'll add one too to see if that makes a difference.

If you have any other ideas let me know.

Joe.


-----Original Message-----
From: Lennart Sorensen [mailto:lsorense at csclub.uwaterloo.ca]
Sent: 12 July 2017 20:41
To: Madden, Joe <Joe.Madden at mottmac.com>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] LibreSwan not accepting port 9001 but accepts 5000?

On Wed, Jul 12, 2017 at 03:57:37PM +0000, Madden, Joe wrote:
> Hi List,
>
>
> I have an issue with a Libreswan instance where it appears to be port selective over what traffic goes across the VPN.
>
>
>     authby=             secret
>     auto=               start
>     type=               tunnel
>     nat_traversal=      yes
>     forceencaps=        no
>     rekeymargin=        3m
>     keyingtries=        %forever
>     keylife=            1h
>     ikelifetime=        24h
>     ikev2=              insist
>
>     left=               1.1.1.1
>     leftsubnet=         192.168.70.1/32

If this is the internal IP of the ipsec endpoint, then you probably have to explicitly set the route source IP for the tunnel so that it doesn't just use the default route and hence default IP when sending packets.
I suspect the working devices on the right side are all behind the ipsec endpoint, and not on it.

Try adding 'leftsourceip=192.168.70.1'

>     leftid=             1.1.1.1
>
>     right=              2.2.2.2
>     rightid=            2.2.2.2
>     rightsubnet=        10.190.22.0/24
>     #Phase 1
>     ike=                aes256-sha2_256;modp2048
>     #Phase 2
>     phase2=             esp
>     phase2alg=          aes256-sha2_256;modp2048
>     #Other Encryption Settings
>     pfs=                yes
>     sha2_truncbug=      no
>     #Dead Peer Detection
>     dpdaction=  restart
>
>
> Port 5000,5001,5002 will go across the VPN fine (Source from Right
> Side)
>
> But port 9001 (Source from Left Side) is not captured into the VPN and as a result attempts to go out to the internet and fails.
>
>
> Communication on port 5001/5002/5000 is successful.
>
> Does anyone have any ideas of what could be causing this issue?

--
Len Sorensen
_______________________________________________
Swan mailing list
Swan at lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
