[Swan] having trouble getting libreswan and gre to work together
Jerry Scharf
jerry at soundhound.com
Mon Aug 28 21:59:01 UTC 2017
When I put https://lists.libreswan.org/pipermail/swan/ into my browser,
I get 403 forbidden back.
On 08/28/2017 02:36 PM, Jerry Scharf wrote:
> Paul,
>
> Thanks for responding. I copied this form from an explanation website. I
> realized after I posted it that because I was tunneling on top, I didn't
> need any of the subnet stuff.
>
> The problem turned out to be some subtle complexity of my situation and
> how iptables was being applied on the gre traffic. Once I got the right
> setting there, things worked fine.
>
> Sorry for the bother,
> jerry
>
> On 08/27/2017 07:46 PM, Paul Wouters wrote:
>> On Tue, 22 Aug 2017, Jerry Scharf wrote:
>>
>>> I hope this isn't in the archives, they are not up right now.
>>
>> It should be up? When were they down?
>>
>>> I am running on centos 7 and the repo version on libreswan. The
>>> system is running a 4.9 kernel, other than that it's stock.
>>>
>>> The symptoms are as follows: I can ping back and forth from the left
>>> and right machines to the 172.19.10.x/32 subnets. With tcpdump I see
>>> the esp packets go back and forth. When I try to ping the far gre
>>> tunnel endpoint, I can see the esp packets with tcpdump but a tcpdump
>>> of the gre tunnel on the far end, nothing comes out. (I tried to do
>>> this at first with systemd-networkd setting up the gre tunnel. When
>>> that didn't work, I went back to basics.) I have iptables running,
>>> but it passes all traffic to/from 172.16.0.0/12.
>>
>> Run "ipsec verify" ?
>>
>> Ensure IP forwarding is enabled for the appropriate devices and/or
>> iptables rules?
>>
>> Check rp_filter settings?
>>
>> Ensure traffic from/to 172.19.10.1 and 172.19.10.2 is not accidentally
>> NATed.
>>
>>> here is my current config that gets included:
>>>
>>> # generated by ansible libreswan.j2
>>> conn cst_sgs_int
>>> leftid=@cstborder1
>>> left=e.f.g.h
>>> leftsourceip=172.19.10.1
>>> # leftprotoport=gre
>>> rightid=@sgsborder2
>>> right=a.b.c.d
>>> rightsourceip=172.19.10.2
>>> leftrsasigkey=...
>>> rightrsasigkey=...
>>> # rightprotoport=gre
>>> authby=rsasig
>>>
>>> conn cst_sgs_intsubnet
>>> also=cst_sgs_int
>>> leftsubnet=172.19.10.1/32
>>> rightsubnet=172.19.10.2/32
>>> auto=start
>>
>> A little strange to put subnet= and sourceip= in different conns,
>> but since the first one has no auto= line it is fine and ignored
>> and only the cst_sgs_intsubnet is started.
>>
>> Paul
>
--
Jerry Scharf, Soundhound DevOps
"What could possibly go wrong?"
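The following is an added example, not code from the thread or from libreswan: it parses a conn snippet modelled on the one Jerry posted (public endpoints replaced by documentation addresses, since e.f.g.h and a.b.c.d are placeholders), applies `also=` the way Paul describes (the template conn without auto= is never started on its own, only cst_sgs_intsubnet is), and then runs his checklist (IP forwarding, rp_filter, accidental NAT of the sourceip addresses) against constructed `sysctl -a` and `iptables-save` excerpts. The `also=` merge rule used here, local keys overriding inherited ones, is an assumption made for the illustration, and the NAT check only looks at `-s` matches in the nat table.

```python
import ipaddress
import re

# Constructed sample input, modelled on the conn posted in the thread; the
# public endpoints are documentation addresses standing in for e.f.g.h / a.b.c.d.
CONF = """\
conn cst_sgs_int
    leftid=@cstborder1
    left=192.0.2.1
    leftsourceip=172.19.10.1
    rightid=@sgsborder2
    right=198.51.100.1
    rightsourceip=172.19.10.2
    authby=rsasig

conn cst_sgs_intsubnet
    also=cst_sgs_int
    leftsubnet=172.19.10.1/32
    rightsubnet=172.19.10.2/32
    auto=start
"""

# Constructed `sysctl -a` excerpt: forwarding off, strict rp_filter on eth0.
SYSCTL = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.gre1.rp_filter = 0
"""

# Constructed `iptables-save` excerpt: the MASQUERADE rule's /12 also covers
# the 172.19.10.x tunnel addresses, which is the "accidental NAT" case.
IPTABLES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/12 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 172.16.0.0/12 -j ACCEPT
COMMIT
"""


def parse_conns(text):
    """Split an ipsec.conf-style snippet into {conn_name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def resolve(conns, name, _seen=()):
    """Effective settings of a conn: keys from `also=` are inherited, local keys win (assumed rule)."""
    if name in _seen:
        raise ValueError(f"also= loop through {name}")
    section = dict(conns[name])
    parent = section.pop("also", None)
    if parent is None:
        return section
    merged = resolve(conns, parent, _seen + (name,))
    merged.update(section)
    return merged


def started_conns(conns):
    """Conns with auto=start as {name: resolved settings}; a conn without auto= is only a template."""
    out = {}
    for name in conns:
        settings = resolve(conns, name)
        if settings.get("auto") == "start":
            out[name] = settings
    return out


def check_forwarding(sysctl_text):
    """Flag ip_forward=0 and strict (=1) rp_filter on any interface, from sysctl-style lines."""
    findings = []
    for line in sysctl_text.splitlines():
        m = re.match(r"^net\.ipv4\.ip_forward\s*=\s*(\d)", line)
        if m and m.group(1) != "1":
            findings.append("net.ipv4.ip_forward is 0: forwarding disabled")
        m = re.match(r"^net\.ipv4\.conf\.(\S+)\.rp_filter\s*=\s*(\d)", line)
        if m and m.group(2) == "1":
            findings.append(f"strict rp_filter on {m.group(1)}: decrypted tunnel traffic may be dropped")
    return findings


def check_nat(iptables_save, addrs):
    """Flag nat-table SNAT/MASQUERADE/DNAT rules whose -s match covers a tunnel address (no -s means any source)."""
    findings, table = [], None
    for line in iptables_save.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
            continue
        if table != "nat" or not line.startswith("-A"):
            continue
        if not re.search(r"-j (MASQUERADE|SNAT|DNAT)", line):
            continue
        m = re.search(r"\s-s\s+(\S+)", line)
        scope = ipaddress.ip_network(m.group(1), strict=False) if m else None
        for a in addrs:
            if scope is None or ipaddress.ip_address(a) in scope:
                findings.append(f"{a} is covered by NAT rule: {line}")
    return findings


def run_checks(conf, sysctl_text, iptables_save):
    """Return (started conns, findings) for the sourceip addresses of every started conn."""
    active = started_conns(parse_conns(conf))
    findings = []
    for name, settings in active.items():
        addrs = [settings[k] for k in ("leftsourceip", "rightsourceip") if k in settings]
        findings += [f"{name}: {f}" for f in check_forwarding(sysctl_text)]
        findings += [f"{name}: {f}" for f in check_nat(iptables_save, addrs)]
    return active, findings


if __name__ == "__main__":
    active, findings = run_checks(CONF, SYSCTL, IPTABLES)
    print("started:", ", ".join(active))
    for f in findings:
        print("-", f)
```

On a real host the three constants would be replaced by the contents of the included conf file and the output of `sysctl -a` and `iptables-save`; the point of the checks is that each of Paul's items becomes a concrete finding tied to the tunnel addresses actually in use, rather than something to eyeball.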