[Swan] xauth+modecfg and arp issues

Erik Andersson erik at ingate.com
Wed May 2 18:08:59 UTC 2018


Hi all,

I'm running libreswan 3.23 (using netkey/xfrm) on fedora 26.

Trying to connect clients via xauth and modecfg where the address pool 
for clients is a subset of the network "behind the ipsec gateway".

Using the following configuration:

conn remote
     auto=start
     authby=secret
     right=10.48.28.81
     left=%any
     rightsubnet=192.168.110.0/24
     connaddrfamily=ipv4
     pfs=yes
     nat-keepalive=yes
     encapsulation=auto
     dpddelay="30"
     dpdtimeout="120"
     dpdaction=clear
     rightmodecfgserver=yes
     leftmodecfgclient=yes
     modecfgpull=yes
     leftaddresspool=192.168.110.220-192.168.110.254
     modecfgdns=10.48.254.21
     modecfgdomains=example.com
     rightxauthserver=yes
     leftxauthclient=yes
     xauthby=file
     rekey=no

The clients connect fine, and I can see a "proxy arp" entry added by the 
updown.netkey script (the ens4 interface is connected to the 
192.168.110.0/24 segment):

? (192.168.110.220) at <from_interface> PERM PUB on ens4

However, when I try to ping a server (192.168.110.20) on the subnet 
192.168.110.0/24 from the client 192.168.110.220 (assigned via modecfg) 
the "ipsec gateway host" doesn't respond to the ARP requests for 
192.168.110.220:

# tcpdump -ni ens4
19:59:44.048591 IP 192.168.110.220 > 192.168.110.20: ICMP echo request, 
id 1, seq 225, length 40
19:59:44.049202 ARP, Request who-has 192.168.110.220 tell 
192.168.110.20, length 28
19:59:45.063811 ARP, Request who-has 192.168.110.220 tell 
192.168.110.20, length 28
19:59:46.087923 ARP, Request who-has 192.168.110.220 tell 
192.168.110.20, length 28

Anyone know what's going on here? It works fine when I try with KLIPS.

Thanks,

Erik
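Added example, not part of Erik's post or of libreswan's updown.netkey script: a small POSIX shell check that reproduces the decision the Linux kernel makes in arp_process() before it answers an ARP request for a non-local target on behalf of a proxy-ARP ("PERM PUB") neighbour entry. The conditions encoded here (forwarding enabled on the ingress interface, the route to the target leaving via a different interface, and either the proxy_arp sysctl or a proxy neighbour entry) are my reading of the kernel source and are stated as an assumption, not something the thread confirms. The interface name "ipsec0" in the comments is a constructed placeholder; "ens4" and the pool address come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate whether a Linux
# gateway will answer an ARP request for a proxy-ARP neighbour entry.
#
# Assumption (taken from the kernel's arp_process() logic): an ARP request
# that arrives on interface IN_DEV for a target IP that is not local is
# answered only if
#   1. forwarding is enabled on IN_DEV,
#   2. the kernel's route to the target leaves via some OTHER interface, and
#   3. either proxy_arp is set on IN_DEV or a "proxy" neighbour entry for
#      the target exists on IN_DEV (what updown.netkey adds as PERM PUB).
# If the route to the target points back out IN_DEV itself (for example a
# modecfg address pool that is a subset of the LAN on IN_DEV), condition 2
# fails and the PERM PUB entry is never consulted.

# proxy_arp_decision FORWARDING PROXY_ARP HAS_PNEIGH IN_DEV ROUTE_DEV
# FORWARDING, PROXY_ARP and HAS_PNEIGH are 0/1 flags; IN_DEV is the
# interface the ARP request arrives on; ROUTE_DEV is the interface the
# route to the target IP uses. Prints "answer" or "silent:<reason>" and
# returns 0 (would answer) or 1 (would stay silent).
proxy_arp_decision() {
    fwd="$1"; parp="$2"; pneigh="$3"; in_dev="$4"; rt_dev="$5"
    if [ "$fwd" != "1" ]; then
        echo "silent:forwarding disabled on $in_dev"
        return 1
    fi
    if [ "$rt_dev" = "$in_dev" ]; then
        echo "silent:route to target exits $rt_dev, same as ingress $in_dev"
        return 1
    fi
    if [ "$parp" = "1" ] || [ "$pneigh" = "1" ]; then
        echo "answer"
        return 0
    fi
    echo "silent:no proxy_arp sysctl and no proxy neighbour entry on $in_dev"
    return 1
}

# check_live IN_DEV TARGET_IP
# Gathers the live values from /proc and iproute2 (needs the ip tool and
# a Linux host) and feeds them to proxy_arp_decision. Example:
#   check_live ens4 192.168.110.220
check_live() {
    dev="$1"; target="$2"
    fwd=$(cat "/proc/sys/net/ipv4/conf/$dev/forwarding")
    parp=$(cat "/proc/sys/net/ipv4/conf/$dev/proxy_arp")
    if ip neigh show proxy dev "$dev" | grep -qw "$target"; then
        pneigh=1
    else
        pneigh=0
    fi
    # First "dev <name>" token in the "ip route get" output is the egress.
    rt_dev=$(ip route get "$target" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1)
    proxy_arp_decision "$fwd" "$parp" "$pneigh" "$dev" "$rt_dev"
}
```

Running check_live against the gateway's LAN interface and one pool address tells you which of the three conditions is the one failing; the pure function can be called with hand-supplied values to reason about a layout before changing routes or sysctls.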

