[Swan] having trouble getting libreswan and gre to work together

Jerry Scharf jerry at soundhound.com
Mon Aug 28 21:59:01 UTC 2017 

When I put https://lists.libreswan.org/pipermail/swan/ into my browser, 
I get 403 forbidden back.

On 08/28/2017 02:36 PM, Jerry Scharf wrote:
> Paul,
> 
> Thanks for responding. I copied this form from an explanation website. I 
> realized after I posted it that because I was tunneling on top, I didn't 
> need any of the subnet stuff.
> 
> The problem turned out to be some subtle complexity of my situation and 
> how iptables was being applied on the gre traffic. Once I got the right 
> setting there, things worked fine.
> 
> Sorry for the bother,
> jerry
> 
> On 08/27/2017 07:46 PM, Paul Wouters wrote:
>> On Tue, 22 Aug 2017, Jerry Scharf wrote:
>>
>>> I hope this isn't in the archives, they are not up right now.
>>
>> It should be up? When were they down?
>>
>>> I am running on centos 7 and the repo version on libreswan. The 
>>> system is running a 4.9 kernel, other than that it's stock.
>>>
>>> The symptoms are as follow: I can ping back and forth from the left 
>>> and right machines to the 172.19.10.x/32 subnets. With tcpdump I see 
>>> the esp packets go back and forth. When I try to ping the far gre 
>>> tunnel endpoint, I can see the edp packets with tcpdump but a tcpdump 
>>> of the gre tunnel on the far end, nothing comes out. (I tried to do 
>>> this at first with systemd-networkd setting up the gre tunnel. When 
>>> that didn't work, I went back to basics.) I have iptables running, 
>>> but it passes all traffic to/from 172.16.0.0/12.
>>
>> Run "ipsec verify" ?
>>
>> Ensure IP forwarding is enabled for the appropriate devices and/or
>> iptables rules?
>>
>> Check rp_filter settings?
>>
>> Ensure traffic from/to 172.19.10.1 and 172.19.10.2 is not accidentally
>> NATed.
>>
>>> here is my current config that gets included:
>>>
>>> # generated by ansible libreswan.j2
>>> conn cst_sgs_int
>>>    leftid=@cstborder1
>>>    left=e.f.g.h
>>>    leftsourceip=172.19.10.1
>>> #    leftprotoport=gre
>>>    rightid=@sgsborder2
>>>    right=a.b.c.d
>>>    rightsourceip=172.19.10.2
>>>    leftrsasigkey=...
>>>    rightrsasigkey=...
>>> #    rightprotoport=gre
>>>    authby=rsasig
>>>
>>> conn cst_sgs_intsubnet
>>>    also=cst_sgs_int
>>>    leftsubnet=172.19.10.1/32
>>>    rightsubnet=172.19.10.2/32
>>>    auto=start
>>
>> A little strange to put subnet= and sourceip= in different conns,
>> but since the first one has no auto= line it is fine and ignored
>> and only the cst_sgs_intsubnet is started.
>>
>> Paul
> 

-- 
Jerry Scharf, Soundhound DevOps
"What could possibly go wrong?"

More information about the Swan mailing list