[Swan] Somehow the ip addresses are changing in the vpn tunnel

Brian Foddy brian at fodvo.org
Wed May 9 03:04:51 UTC 2018


I reviewed and ultimately disabled the mangle tables, no help there
(they were setting up QoS rules).

The ipsec verify did show some issues like rp_filter was active, but
forcing it off had no effect once I corrected them.

One more behavior I've noticed: when the tunnels are active, I cannot
access the remote host via the public IP address (ssh or ping).  I can
only get to it through a third host not part of the tunnel.  If I
totally tear down the tunnel and stop pluto, then I can communicate with
the remote host via the public IP address.

I've pretty carefully reviewed the rest of the firewall rules, so far, 
nothing seems to help.

I even tried setting ESP=NULL-MD5, in hopes of sniffing the unencrypted 
packets outbound to see if I can determine which host might be at fault, 
so far I cannot even narrow it down to which host, though my gut tells 
me the south host from the pings I can trace.


I may have to take a break for a couple of days, but I'll be back, and if
someone has more hints on how to debug this please forward them.


Brian


On 05/08/2018 10:59 AM, Paul Wouters wrote:
> On Mon, 7 May 2018, Brian Foddy wrote:
>
>> Tunnels come up, ipsec status left shows:
>> 000 Total IPsec connections: loaded 2, active 2
>
>> But nothing is actually working, no pings, no ssh anything between 
>> the 2 sites.
>> I've done some tcpdumps (tcpdump -nni enp1s0f1 icmp)
>
> Check forwarding and NAT rules? Run "ipsec verify" to see if there are
> other issues, like rp_filter.
>
>> But at the same time the left tcpdump is showing:
>> tcpdump -nni ppp0 icmp
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol 
>> decode
>> listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 
>> 262144 bytes
>> 22:10:05.698183 IP 8.0.1.10 > 10.20.0.66: ICMP echo request, id 
>> 11456, seq 902, length 64
>> 22:10:06.348152 IP 8.0.1.10 > 10.20.0.66: ICMP echo reply, id 7793, 
>> seq 107, length 64
>>
>> Notice the IP addresses have changed from 10.20.1.10 to 8.0.1.10 when
>> packets are arriving back.
>
> I would look at the nat and mangle tables and see if anything is being done
> there.
>
>> The firewalls are both running shorewall and I believe the
>> configurations are correct, but can include those files if needed.
>
> Tuomo might be able to say more on that.
>
> Paul
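The capture quoted above shows packets leaving ppp0 in the clear with a source of 8.0.1.10 instead of the tunnel-side 10.20.1.10, which is the usual signature of a SNAT or MASQUERADE rule rewriting the source before IPsec processing, so the packet no longer matches the tunnel's traffic selectors. The following script is an added example, not code from the thread or from Libreswan: it parses tcpdump -nn ICMP lines and flags packets whose destination is a tunnel subnet but whose source has been translated out of it. The two capture lines are the ones quoted in the thread; the third line and the /24 leftsubnet/rightsubnet prefixes are constructed assumptions, since the thread only names the hosts 10.20.1.10 and 10.20.0.66.

```python
import ipaddress
import re

# Sample capture: the two tcpdump lines quoted in the thread, plus one
# constructed line showing what an untranslated packet would look like.
SAMPLE_CAPTURE = """\
22:10:05.698183 IP 8.0.1.10 > 10.20.0.66: ICMP echo request, id 11456, seq 902, length 64
22:10:06.348152 IP 8.0.1.10 > 10.20.0.66: ICMP echo reply, id 7793, seq 107, length 64
22:10:07.000000 IP 10.20.1.10 > 10.20.0.66: ICMP echo request, id 11456, seq 903, length 64
"""

# Assumed tunnel traffic selectors (leftsubnet/rightsubnet). The thread only
# names the hosts 10.20.1.10 and 10.20.0.66; the /24 prefixes are an assumption.
LEFT_SUBNET = ipaddress.ip_network("10.20.1.0/24")
RIGHT_SUBNET = ipaddress.ip_network("10.20.0.0/24")

# Matches the IPv4 ICMP echo lines that "tcpdump -nn ... icmp" prints.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

IN_SELECTOR = "in-selector"              # src/dst pair matches the tunnel policy
TRANSLATED_SOURCE = "translated-source"  # dst is a tunnel subnet, src is not
OUTSIDE = "outside-tunnel"               # neither end is a tunnel subnet


def parse_capture(text):
    """Parse tcpdump ICMP echo lines; lines that do not match are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkt = m.groupdict()
        pkt["id"] = int(pkt["id"])
        pkt["seq"] = int(pkt["seq"])
        packets.append(pkt)
    return packets


def verdict(pkt, left=LEFT_SUBNET, right=RIGHT_SUBNET):
    """Say whether an IPsec policy for left<->right would select this packet."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if (src in left and dst in right) or (src in right and dst in left):
        return IN_SELECTOR
    if dst in left or dst in right:
        # Destination is a tunnel subnet but the source is not: a SNAT or
        # MASQUERADE rule rewrote the source before IPsec processing, so the
        # packet no longer matches the tunnel selectors and is not protected.
        return TRANSLATED_SOURCE
    return OUTSIDE


def classify(packets, left=LEFT_SUBNET, right=RIGHT_SUBNET):
    """Return [(packet, verdict)] for every parsed packet."""
    return [(p, verdict(p, left, right)) for p in packets]


def translated_sources(packets, left=LEFT_SUBNET, right=RIGHT_SUBNET):
    """Distinct source addresses that were translated out of the selectors."""
    return {p["src"] for p, v in classify(packets, left, right)
            if v == TRANSLATED_SOURCE}


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for p, v in classify(pkts):
        print(f"{p['ts']} {p['src']} > {p['dst']} {p['kind']:7} "
              f"seq {p['seq']:4}  {v}")
    print("translated sources:", sorted(translated_sources(pkts)))
```

Feed it the output of `tcpdump -nn -i ppp0 icmp` on the host where the rewrite is suspected; if every packet bound for the far subnet comes back as translated-source, the NAT table is acting on tunnel traffic. The usual fix in iptables is to exempt IPsec-bound traffic from SNAT/MASQUERADE with a `-m policy --dir out --pol ipsec -j ACCEPT` rule placed ahead of the NAT rule in the POSTROUTING chain (shorewall has its own syntax for expressing the same exemption).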


