[Swan] Somehow the IP addresses are changing in the VPN tunnel
Brian Foddy
brian at fodvo.org
Tue May 8 03:24:54 UTC 2018
Using the wiki host-to-host and subnet-to-subnet VPN.
My two gateway hosts are running
Left: Fedora 27 (libreswan 3.23-1)
Right: Centos 7.4 (libreswan 3.20-5)
My 2 config files are:
Left & right (identical files):

config setup
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn mysubnet
    also=mytunnel
    leftsubnet=10.20.0.0/24
    leftsourceip=10.20.0.1
    rightsubnet=10.20.1.0/24
    rightsourceip=10.20.1.1

conn mytunnel
    leftid=@north
    left=209.180.19.125
    leftrsasigkey=0sAwEAAd...beWau7c=
    rightid=@south
    right=208.126.137.239
    rightrsasigkey=0sAw...rFkWJUsz3vT
    authby=rsasig
    auto=add
Tunnels come up; ipsec status on left shows:
000 Total IPsec connections: loaded 2, active 2
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(3), authenticated(3), anonymous(0)
000
000 #6: "mysubnet":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27694s; isakmp#5; idle; import:not set
000 #6: "mysubnet" esp.4971e59c@208.126.137.239 esp.97e13d9@209.180.19.125 tun.0@208.126.137.239 tun.0@209.180.19.125 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #7: "mysubnet":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27003s; newest IPSEC; eroute owner; isakmp#5; idle; import:admin initiate
000 #7: "mysubnet" esp.dd56ae7c@208.126.137.239 esp.a1c7a94d@209.180.19.125 tun.0@208.126.137.239 tun.0@209.180.19.125 ref=0 refhim=0 Traffic: ESPin=52KB ESPout=6KB! ESPmax=4194303B
000 #5: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2494s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #8: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26947s; newest IPSEC; eroute owner; isakmp#5; idle; import:admin initiate
000 #8: "mytunnel" esp.9af5681e@208.126.137.239 esp.ca6e9852@209.180.19.125 tun.0@208.126.137.239 tun.0@209.180.19.125 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000
000 Bare Shunt list:
000
And right is similar:
000 Total IPsec connections: loaded 4, active 2
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(3), authenticated(3), anonymous(0)
000
000 #11: "mysubnet":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27618s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #11: "mysubnet" esp.a1c7a94d@209.180.19.125 esp.dd56ae7c@208.126.137.239 tun.0@209.180.19.125 tun.0@208.126.137.239 ref=0 refhim=0 Traffic: ESPin=6KB ESPout=59KB! ESPmax=4194303B
000 #10: "mysubnet":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26916s; isakmp#9; idle; import:admin initiate
000 #10: "mysubnet" esp.97e13d9@209.180.19.125 esp.4971e59c@208.126.137.239 tun.0@209.180.19.125 tun.0@208.126.137.239 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #9: "mysubnet":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1925s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #12: "mytunnel":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27623s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #12: "mytunnel" esp.ca6e9852@209.180.19.125 esp.9af5681e@208.126.137.239 tun.0@209.180.19.125 tun.0@208.126.137.239 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000
But nothing is actually working: no pings, no ssh, nothing between the 2 sites.
I've done some tcpdumps (tcpdump -nni enp1s0f1 icmp). Pinging from 10.20.0.66 (behind left) to 10.20.1.10 (behind right) yields something very strange.
The right tcpdump shows:
22:08:22.898118 IP 10.20.0.66 > 10.20.1.10: ICMP echo request, id 7793, seq 6, length 64
22:08:22.898285 IP 10.20.1.10 > 10.20.0.66: ICMP echo reply, id 7793, seq 6, length 64
like you would expect. So packets are getting from the left to the right correctly, and are being sent back to the left.
But at the same time the left tcpdump is showing:
tcpdump -nni ppp0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
22:10:05.698183 IP 8.0.1.10 > 10.20.0.66: ICMP echo request, id 11456, seq 902, length 64
22:10:06.348152 IP 8.0.1.10 > 10.20.0.66: ICMP echo reply, id 7793, seq 107, length 64
Notice the IP address has changed from 10.20.1.10 to 8.0.1.10 when packets are arriving back.
Similar results occur with every ping combination of host and gateway pings.
What could be changing the IP addresses?
More details of the 2 connections.
Left is a dsl connection that uses pppoe running on the left host.
Right is a direct fiber connection with no pppoe or anything.
My ifconfigs are:
Left
ifconfig
enp2s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a236:9fff:fe83:5e60 prefixlen 64 scopeid 0x20<link>
ether a0:36:9f:83:5e:60 txqueuelen 1000 (Ethernet)
RX packets 81767715 bytes 38091700150 (35.4 GiB)
RX errors 0 dropped 240655 overruns 0 frame 0
TX packets 64270846 bytes 7531472566 (7.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xfea80000-feafffff
enp2s0f1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether a0:36:9f:83:5e:61 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xfe900000-fe97ffff
enp2s0f2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether a0:36:9f:83:5e:62 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xfe880000-fe8fffff
enp2s0f3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.20.0.1 netmask 255.255.255.0 broadcast 10.20.0.255
inet6 fe80::a236:9fff:fe83:5e63 prefixlen 64 scopeid 0x20<link>
ether a0:36:9f:83:5e:63 txqueuelen 1000 (Ethernet)
RX packets 49789371 bytes 5314457511 (4.9 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 115234136 bytes 118993419302 (110.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xfe800000-fe87ffff
enp2s0f3:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.20.64.1 netmask 255.255.255.0 broadcast 10.20.64.255
ether a0:36:9f:83:5e:63 txqueuelen 1000 (Ethernet)
device memory 0xfe800000-fe87ffff
enp3s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 6c:62:6d:52:f6:1e txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 2769253 bytes 82672447634 (76.9 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2769253 bytes 82672447634 (76.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1492
inet 209.180.19.125 netmask 255.255.255.255 destination 207.109.2.20
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 69690051 bytes 26269295527 (24.4 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 56286680 bytes 5288269919 (4.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.20.0.0       0.0.0.0         255.255.255.0   U     100    0        0 enp2s0f3
10.20.1.0       0.0.0.0         255.255.255.0   U     0      0        0 ppp0
10.20.64.0      0.0.0.0         255.255.255.0   U     100    0        0 enp2s0f3
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp2s0f0
stpl-dsl-gw20.s 0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
Right:
enp1s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 208.126.137.239 netmask 255.255.255.0 broadcast 208.126.137.255
inet6 fe80::215:17ff:fe6d:35fe prefixlen 64 scopeid 0x20<link>
ether 00:15:17:6d:35:fe txqueuelen 1000 (Ethernet)
RX packets 18577652 bytes 2551903161 (2.3 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 31662614 bytes 47358291682 (44.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 29 memory 0xfea80000-feaa0000
enp1s0f1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.20.1.1 netmask 255.255.255.255 broadcast 10.20.1.1
inet6 fe80::215:17ff:fe6d:35ff prefixlen 64 scopeid 0x20<link>
ether 00:15:17:6d:35:ff txqueuelen 1000 (Ethernet)
RX packets 31923827 bytes 47457739354 (44.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18693201 bytes 2137620503 (1.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 33 memory 0xfea20000-fea40000
enp1s0f1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.20.128.1 netmask 255.255.255.255 broadcast 10.20.128.1
ether 00:15:17:6d:35:ff txqueuelen 1000 (Ethernet)
device interrupt 33 memory 0xfea20000-fea40000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 987 bytes 151163 (147.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 987 bytes 151163 (147.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:a7:ad:4b txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    0      0        0 enp1s0f0
10.20.0.0       gateway         255.255.255.0   UG    0      0        0 enp1s0f0
10.20.1.0       0.0.0.0         255.255.255.0   U     0      0        0 enp1s0f1
10.20.128.0     0.0.0.0         255.255.255.0   U     0      0        0 enp1s0f1
link-local      0.0.0.0         255.255.0.0     U     0      0        0 enp1s0f1
link-local      0.0.0.0         255.255.0.0     U     1003   0        0 enp1s0f0
link-local      0.0.0.0         255.255.0.0     U     1004   0        0 enp1s0f1
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
208.126.137.0   0.0.0.0         255.255.255.0   U     0      0        0 enp1s0f0
The firewalls are both running shorewall and I believe the configurations are correct, but I can include those files if needed.
I've been working on this for a couple days, and nothing seems to make
sense.
Thanks,
Brian
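An added example, not part of Brian's post and not libreswan code: a small Python script that parses tcpdump's default "-nn icmp" output (re-joining lines that a mail client wrapped), pairs every echo request with its reply by ICMP id and sequence number, and reports replies whose source is not the address the request was sent to, plus any address that falls outside the configured leftsubnet/rightsubnet. The two captures embedded in it are constructed from the addresses in the post and are not real traffic; the subnet list taken from conn mysubnet and the wrapped-line format are the only assumptions it makes.

```python
"""Audit a tcpdump ICMP capture for address rewriting inside an IPsec tunnel.

Added example (not from the original post or from libreswan). Pairs ICMP echo
requests with replies by (id, seq) and flags replies whose source differs from
the request's destination, plus any address outside the tunnel subnets.
"""
import re
from ipaddress import ip_address, ip_network

# tcpdump timestamps look like 22:08:22.898118; continuation lines lack one.
TS_RE = re.compile(r"^\d{1,2}:\d{2}:\d{2}\.\d+ ")
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+"
)

# Subnets from the post's "conn mysubnet" (leftsubnet / rightsubnet).
TUNNEL_SUBNETS = ("10.20.0.0/24", "10.20.1.0/24")

# Constructed sample (not real traffic): "tcpdump -nni ppp0 icmp" on the left
# gateway, with lines wrapped the way a mail client wraps them.
LEFT_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size
262144 bytes
22:08:22.897900 IP 10.20.0.66 > 10.20.1.10: ICMP echo request, id 7793,
seq 6, length 64
22:08:22.898600 IP 8.0.1.10 > 10.20.0.66: ICMP echo reply, id 7793, seq
6, length 64
22:10:05.698183 IP 8.0.1.10 > 10.20.0.66: ICMP echo request, id 11456,
seq 902, length 64
"""

# Constructed sample: the same ping as seen on the right gateway's inside interface.
RIGHT_CAPTURE = """\
22:08:22.898118 IP 10.20.0.66 > 10.20.1.10: ICMP echo request, id 7793, seq 6, length 64
22:08:22.898285 IP 10.20.1.10 > 10.20.0.66: ICMP echo reply, id 7793, seq 6, length 64
"""


def unwrap(text):
    """Re-join lines wrapped by a mail client: a line without a timestamp
    is a continuation of the previous one."""
    out = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if TS_RE.match(s) or not out:
            out.append(s)
        else:
            out[-1] += " " + s
    return out


def parse_icmp_lines(text):
    """Return one dict per ICMP echo request/reply line; other lines are ignored."""
    recs = []
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            recs.append(d)
    return recs


def audit_capture(text, subnets=TUNNEL_SUBNETS):
    """Return a list of (kind, detail) findings.

    kind: 'rewritten'    reply addresses are not the request's addresses swapped
          'foreign'      address belongs to no configured tunnel subnet
          'orphan_reply' reply whose request is not in the capture
          'unanswered'   request with no reply in the capture
    """
    nets = [ip_network(s) for s in subnets]
    pending = {}  # (id, seq) -> request record
    findings = []
    for r in parse_icmp_lines(text):
        for addr in (r["src"], r["dst"]):
            if not any(ip_address(addr) in n for n in nets):
                findings.append(("foreign", f"{r['ts']} {addr} in echo {r['kind']} id={r['id']} seq={r['seq']}"))
        key = (r["id"], r["seq"])
        if r["kind"] == "request":
            pending[key] = r
            continue
        req = pending.pop(key, None)
        if req is None:
            findings.append(("orphan_reply", f"{r['ts']} {r['src']} > {r['dst']} id={r['id']} seq={r['seq']}"))
        elif (r["src"], r["dst"]) != (req["dst"], req["src"]):
            findings.append(("rewritten", f"request {req['src']} > {req['dst']} answered by "
                                          f"{r['src']} > {r['dst']} (id={r['id']} seq={r['seq']})"))
    for (i, s), req in pending.items():
        findings.append(("unanswered", f"{req['ts']} {req['src']} > {req['dst']} id={i} seq={s}"))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # audit a saved "tcpdump -nn icmp" text file
        captures = [(sys.argv[1], open(sys.argv[1]).read())]
    else:
        captures = [("left/ppp0 (constructed)", LEFT_CAPTURE),
                    ("right/enp1s0f1 (constructed)", RIGHT_CAPTURE)]
    for name, cap in captures:
        print(f"== {name}")
        for kind, detail in audit_capture(cap) or [("ok", "requests and replies match")]:
            print(f"  {kind:12} {detail}")
```

Run without arguments it reports the constructed left capture as one rewritten reply, two sightings of the foreign address 8.0.1.10 and one unanswered request, and the right capture as clean; give it the path of a saved tcpdump text file to audit a real capture from either gateway. Pairing on (id, seq) rather than on addresses is what makes the rewrite visible: the reply with id 7793 is matched to its request first, and only then are the addresses compared.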