[Swan] having trouble getting libreswan and gre to work together

Jerry Scharf jerry at soundhound.com
Mon Aug 28 21:36:55 UTC 2017


Paul,

Thanks for responding. I copied this form from an explanation website. I 
realized after I posted it that because I was tunneling on top, I didn't 
need any of the subnet stuff.

The problem turned out to be some subtle complexity of my situation and 
how iptables was being applied on the gre traffic. Once I got the right 
setting there, things worked fine.

Sorry for the bother,
jerry

On 08/27/2017 07:46 PM, Paul Wouters wrote:
> On Tue, 22 Aug 2017, Jerry Scharf wrote:
> 
>> I hope this isn't in the archives, they are not up right now.
> 
> It should be up? When were they down?
> 
>> I am running on centos 7 and the repo version on libreswan. The system 
>> is running a 4.9 kernel, other than that it's stock.
>>
>> The symptoms are as follows: I can ping back and forth from the left 
>> and right machines to the 172.19.10.x/32 subnets. With tcpdump I see 
>> the esp packets go back and forth. When I try to ping the far gre 
>> tunnel endpoint, I can see the esp packets with tcpdump but a tcpdump 
>> of the gre tunnel on the far end, nothing comes out. (I tried to do 
>> this at first with systemd-networkd setting up the gre tunnel. When 
>> that didn't work, I went back to basics.) I have iptables running, but 
>> it passes all traffic to/from 172.16.0.0/12.
> 
> Run "ipsec verify" ?
> 
> Ensure IP forwarding is enabled for the appropriate devices and/or
> iptables rules?
> 
> Check rp_filter settings?
> 
> Ensure traffic from/to 172.19.10.1 and 172.19.10.2 is not accidentally
> NATed.
> 
>> here is my current config that gets included:
>>
>> # generated by ansible libreswan.j2
>> conn cst_sgs_int
>>    leftid=@cstborder1
>>    left=e.f.g.h
>>    leftsourceip=172.19.10.1
>> #    leftprotoport=gre
>>    rightid=@sgsborder2
>>    right=a.b.c.d
>>    rightsourceip=172.19.10.2
>>    leftrsasigkey=...
>>    rightrsasigkey=...
>> #    rightprotoport=gre
>>    authby=rsasig
>>
>> conn cst_sgs_intsubnet
>>    also=cst_sgs_int
>>    leftsubnet=172.19.10.1/32
>>    rightsubnet=172.19.10.2/32
>>    auto=start
> 
> A little strange to put subnet= and sourceip= in different conns,
> but since the first one has no auto= line it is fine and ignored
> and only the cst_sgs_intsubnet is started.
> 
> Paul

-- 
Jerry Scharf, Soundhound DevOps
"What could possibly go wrong?"
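The checks Paul listed (IP forwarding, rp_filter, and whether the 172.19.10.x tunnel endpoints are accidentally NATed) can be scripted so they are repeatable on both ends. The following is an added example, not code from the thread or from libreswan: it parses `sysctl -a` and `iptables-save -t nat` style text and reports findings. The interface names `eth0` and `gre1`, the sysctl values and the two nat tables are constructed samples; on a real host you would feed it the actual command output.

```python
"""Offline checker for the troubleshooting points in the thread (added
example, not from libreswan). Parses constructed sysctl and iptables-save
text; interface names eth0/gre1 are assumptions."""
import ipaddress
import shlex

# Constructed `sysctl -a` excerpt (not captured from a real host).
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.gre1.rp_filter = 2
"""

# Constructed nat tables. The "bad" one masquerades all of 172.16.0.0/12
# leaving eth0, which silently includes the 172.19.10.x tunnel endpoints;
# the "good" one exempts endpoint-to-endpoint traffic before that rule.
SAMPLE_NAT_BAD = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/12 -o eth0 -j MASQUERADE
COMMIT
"""
SAMPLE_NAT_GOOD = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.19.10.0/24 -d 172.19.10.0/24 -j ACCEPT
-A POSTROUTING -s 172.16.0.0/12 -o eth0 -j MASQUERADE
COMMIT
"""


def parse_sysctl(text):
    """Map 'key = value' lines to a dict of strings."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def forwarding_enabled(sysctl):
    return sysctl.get("net.ipv4.ip_forward") == "1"


def rp_filter_mode(sysctl, iface):
    """Effective rp_filter: the kernel uses max(conf.all, conf.<iface>)."""
    all_mode = int(sysctl.get("net.ipv4.conf.all.rp_filter", "0"))
    if_mode = int(sysctl.get(f"net.ipv4.conf.{iface}.rp_filter", "0"))
    return max(all_mode, if_mode)


def parse_nat_rules(text):
    """Extract -s/-d/-o/-j (with '!' negation) from '-A CHAIN ...' lines."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        rule = {"chain": tokens[1], "src": None, "dst": None,
                "src_neg": False, "dst_neg": False, "out": None, "target": None}
        negate, i = False, 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                negate, i = True, i + 1
                continue
            if tok in ("-s", "--source"):
                rule["src"] = ipaddress.ip_network(tokens[i + 1], strict=False)
                rule["src_neg"] = negate
            elif tok in ("-d", "--destination"):
                rule["dst"] = ipaddress.ip_network(tokens[i + 1], strict=False)
                rule["dst_neg"] = negate
            elif tok in ("-o", "--out-interface"):
                rule["out"] = tokens[i + 1]
            elif tok in ("-j", "--jump"):
                rule["target"] = tokens[i + 1]
            else:
                negate, i = False, i + 1  # unknown match/flag: skip one token
                continue
            negate, i = False, i + 2
        rules.append(rule)
    return rules


def postrouting_target(rules, src, dst, out_iface):
    """Target of the first matching POSTROUTING rule, or None (chain policy)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def net_ok(net, neg, addr):
        return True if net is None else ((addr not in net) if neg else (addr in net))

    for r in rules:
        if r["chain"] == "POSTROUTING" and net_ok(r["src"], r["src_neg"], src) \
                and net_ok(r["dst"], r["dst_neg"], dst) and r["out"] in (None, out_iface):
            return r["target"]
    return None


def would_be_natted(rules, src, dst, out_iface):
    return postrouting_target(rules, src, dst, out_iface) in ("MASQUERADE", "SNAT")


def check_host(sysctl_text, nat_text, left, right, out_iface, tunnel_iface):
    """Findings for one side of the tunnel; an empty list means all checks pass."""
    sysctl, rules, findings = parse_sysctl(sysctl_text), parse_nat_rules(nat_text), []
    if not forwarding_enabled(sysctl):
        findings.append("net.ipv4.ip_forward is not 1")
    for iface in (out_iface, tunnel_iface):
        if rp_filter_mode(sysctl, iface) == 1:
            findings.append(f"{iface}: strict rp_filter (1); review for the tunnel path")
    if would_be_natted(rules, left, right, out_iface):
        findings.append(f"{left} -> {right} via {out_iface} hits a NAT rule")
    return findings


if __name__ == "__main__":
    for label, nat in (("bad", SAMPLE_NAT_BAD), ("good", SAMPLE_NAT_GOOD)):
        print(label, check_host(SAMPLE_SYSCTL, nat, "172.19.10.1", "172.19.10.2", "eth0", "gre1"))
```

The NAT walk only models the first matching POSTROUTING rule by source, destination and output interface, which is enough to catch the common mistake of a broad MASQUERADE on the private range swallowing the tunnel endpoint addresses; protocol matches such as `-p gre` are skipped rather than evaluated.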