[Swan] having trouble getting libreswan and gre to work together

Paul Wouters paul at nohats.ca
Mon Aug 28 02:46:51 UTC 2017


On Tue, 22 Aug 2017, Jerry Scharf wrote:

> I hope this isn't in the archives, they are not up right now.

It should be up? When were they down?

> I am running on centos 7 and the repo version on libreswan. The system is 
> running a 4.9 kernel, other than that it's stock.
>
> The symptoms are as follows: I can ping back and forth from the left and right 
> machines to the 172.19.10.x/32 subnets. With tcpdump I see the esp packets go 
> back and forth. When I try to ping the far gre tunnel endpoint, I can see the 
> esp packets with tcpdump, but in a tcpdump of the gre tunnel on the far end, 
> nothing comes out. (I tried to do this at first with systemd-networkd setting 
> up the gre tunnel. When that didn't work, I went back to basics.) I have 
> iptables running, but it passes all traffic to/from 172.16.0.0/12.

Run "ipsec verify" ?

Ensure IP forwarding is enabled for the appropriate devices and/or
iptables rules?

Check rp_filter settings?

Ensure traffic from/to 172.19.10.1 and 172.19.10.2 is not accidentally
NATed.

> here is my current config that gets included:
>
> # generated by ansible libreswan.j2
> conn cst_sgs_int
>    leftid=@cstborder1
>    left=e.f.g.h
>    leftsourceip=172.19.10.1
> #    leftprotoport=gre
>    rightid=@sgsborder2
>    right=a.b.c.d
>    rightsourceip=172.19.10.2
>    leftrsasigkey=...
>    rightrsasigkey=...
> #    rightprotoport=gre
>    authby=rsasig
>
> conn cst_sgs_intsubnet
>    also=cst_sgs_int
>    leftsubnet=172.19.10.1/32
>    rightsubnet=172.19.10.2/32
>    auto=start

A little strange to put subnet= and sourceip= in different conns,
but since the first one has no auto= line it is fine and ignored
and only the cst_sgs_intsubnet is started.

Paul
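The three host-side checks Paul suggests (IP forwarding, rp_filter, accidental NAT of the 172.19.10.x endpoints) as an added example script; it is not part of the thread and not Libreswan code. The sysctl and iptables output it parses in the demo is constructed; `--live` runs it against the real commands instead.

```shell
#!/bin/sh
# Added helper that checks the three host settings Paul lists above.
# Sample command output below is constructed for the demo, not taken from Jerry's hosts.
TUNNEL_ENDPOINTS="172.19.10.1 172.19.10.2"   # inner addresses from the quoted config

# forwarding_enabled: succeeds when the sysctl output shows net.ipv4.ip_forward = 1
forwarding_enabled() {
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.ip_forward = 1$'
}

# strict_rp_filter_devs: prints interfaces whose rp_filter is 1 (strict). Strict
# reverse-path filtering can silently drop tunnelled packets whose return route
# points at a different interface, so these are the settings to review (2 = loose).
strict_rp_filter_devs() {
    printf '%s\n' "$1" | awk '/\.rp_filter = 1$/ {
        n = split($1, p, "."); printf "%s%s", sep, p[n-1]; sep = " " }'
}

# catchall_nat_rules: prints SNAT/MASQUERADE rules with no -s match at all. Such a
# rule also rewrites the tunnel endpoint source, so the packet no longer matches the
# 172.19.10.x/32 IPsec policy and would leave the host unencrypted.
catchall_nat_rules() {
    printf '%s\n' "$1" | grep -E -- '-j (MASQUERADE|SNAT)' | grep -v -- ' -s '
}

# Constructed sample output standing in for "sysctl -a" and "iptables -t nat -S".
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.gre1.rp_filter = 0'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE'

report() {
    # $1: sysctl output, $2: iptables nat table in -S form
    if forwarding_enabled "$1"; then echo "ip_forward: on"; else echo "ip_forward: OFF"; fi
    echo "strict rp_filter on: $(strict_rp_filter_devs "$1")"
    echo "catch-all NAT rules (would also rewrite $TUNNEL_ENDPOINTS):"
    catchall_nat_rules "$2" | sed 's/^/  /'
}

if [ "${1:-}" = "--live" ]; then
    # Inspect this host (iptables needs root).
    report "$(sysctl -a 2>/dev/null)" "$(iptables -t nat -S)"
else
    report "$SAMPLE_SYSCTL" "$SAMPLE_NAT"
fi
```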

