[Swan] xauth+modecfg and arp issues
Erik Andersson
erik at ingate.com
Wed May 2 18:08:59 UTC 2018
Hi all,
I'm running libreswan 3.23 (using netkey/xfrm) on fedora 26.
Trying to connect clients via xauth and modecfg where the address pool
for clients is a subset of the network "behind the ipsec gateway".
Using the following configuration:
conn remote
    auto=start
    authby=secret
    right=10.48.28.81
    left=%any
    rightsubnet=192.168.110.0/24
    connaddrfamily=ipv4
    pfs=yes
    nat-keepalive=yes
    encapsulation=auto
    dpddelay="30"
    dpdtimeout="120"
    dpdaction=clear
    rightmodecfgserver=yes
    leftmodecfgclient=yes
    modecfgpull=yes
    leftaddresspool=192.168.110.220-192.168.110.254
    modecfgdns=10.48.254.21
    modecfgdomains=example.com
    rightxauthserver=yes
    leftxauthclient=yes
    xauthby=file
    rekey=no
The clients connect fine, and I can see a "proxy arp" entry added by the
updown.netkey script (the ens4 interface is connected to the
192.168.110.0/24 segment):
? (192.168.110.220) at <from_interface> PERM PUB on ens4
However, when I try to ping a server (192.168.110.20) on the subnet
192.168.110.0/24 from the client 192.168.110.220 (assigned via modecfg),
the "ipsec gateway host" doesn't respond to the ARP requests for
192.168.110.220:
# tcpdump -ni ens4
19:59:44.048591 IP 192.168.110.220 > 192.168.110.20: ICMP echo request, id 1, seq 225, length 40
19:59:44.049202 ARP, Request who-has 192.168.110.220 tell 192.168.110.20, length 28
19:59:45.063811 ARP, Request who-has 192.168.110.220 tell 192.168.110.20, length 28
19:59:46.087923 ARP, Request who-has 192.168.110.220 tell 192.168.110.20, length 28
Does anyone know what's going on here? It works fine when I try with KLIPS.
Thanks,
Erik
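An added diagnostic for the situation above; it is not part of the original post and not libreswan's own tooling. A "PUB" neighbour entry alone does not make the Linux kernel answer ARP: in arp_process() (net/ipv4/arp.c) a proxy neighbour entry is consulted only when forwarding is enabled on the receiving interface and the route to the requested address leaves through a different device than the one the request arrived on. In the capture above the requests arrive on ens4, and with NETKEY/xfrm the pool address 192.168.110.220 is covered by the connected route for 192.168.110.0/24 on that same ens4, which is the case the script's third check reports (KLIPS routes such addresses via its ipsecN device, so the same check passes there; that interpretation of the poster's KLIPS observation is an assumption). The decision logic is kept in a pure function so it can be tested without a live gateway; the wrapper gathers the inputs with ip(8) and sysctl(8). The interface name ens4 and the addresses are taken from the post.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): will the Linux kernel answer
# an ARP request for an address covered by a proxy ("PUB") neighbour entry?
# Mirrors the conditions in arp_process(), net/ipv4/arp.c.

# Pure decision function; exercised without root or a live box.
#   $1 = forwarding enabled on the receiving interface (0/1)
#   $2 = proxy neighbour entry present for the target on that interface (0/1)
#   $3 = device the route to the target address uses
#   $4 = device the ARP request arrived on
# Prints a one-line verdict; returns 0 when the kernel would reply, 1 otherwise.
proxy_arp_verdict() {
    fwd=$1; pub=$2; route_dev=$3; in_dev=$4
    if [ "$fwd" != 1 ]; then
        echo "no reply: forwarding disabled on $in_dev"
        return 1
    fi
    if [ "$pub" != 1 ]; then
        echo "no reply: no proxy entry on $in_dev"
        return 1
    fi
    if [ "$route_dev" = "$in_dev" ]; then
        # Connected route on the same segment: the kernel expects the real
        # host to answer and stays silent, even though the PUB entry exists.
        echo "no reply: route to target leaves via $in_dev, same as the request"
        return 1
    fi
    echo "reply: proxy entry honoured (route via $route_dev)"
    return 0
}

# Live wrapper: collects the four inputs for address $1 on interface $2.
check_proxy_arp() {
    ip=$1; dev=$2
    fwd=$(sysctl -n "net.ipv4.conf.$dev.forwarding" 2>/dev/null || echo 0)
    if ip neigh show proxy dev "$dev" 2>/dev/null | grep -qwF "$ip"; then
        pub=1
    else
        pub=0
    fi
    # Device the kernel would use to reach the target (the rt->dst.dev side).
    route_dev=$(ip -o route get "$ip" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    proxy_arp_verdict "$fwd" "$pub" "${route_dev:-unknown}" "$dev"
}

# Usage on the gateway from the post:
#   check_proxy_arp 192.168.110.220 ens4
```

If the verdict is the third one, the proxy entry is in place but the routing table still says the client address is on the local segment; a route for the client address (or the pool) that points somewhere other than ens4 is what the kernel needs before the PUB entry takes effect.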