[Swan] Somehow the ip addresses are changing in the vpn tunnel
Brian Foddy
brian at fodvo.org
Wed May 9 03:04:51 UTC 2018
I reviewed and ultimately disabled the mangle tables, no help there.
(they were setting up QOS rules).
the ipsec verify did show some issues like rp_filter was active, but
forcing it off had no effect once I corrected them.
One more behavior I've noticed, when the tunnels are active, I cannot
access the remote host via the pubic ip address (ssh or ping). I can
only get to it through a third host not part of the tunnel. If I
totally tear down the tunnel and stop pluto, then I can communicate to
the remote host via the public IP address.
I've pretty carefully reviewed the rest of the firewall rules, so far,
nothing seems to help.
I even tried setting ESP=NULL-MD5, in hopes of sniffing the unencrypted
packets outbound to see if I can determine which host might be at fault,
so far I cannot even narrow it down to which host, though my gut tells
me the south host from the pings I can trace.
I'll may have to take a break for a couple days, but I'll be back and if
someone has more hints of how to debug this please forward them.
Brian
On 05/08/2018 10:59 AM, Paul Wouters wrote:
> On Mon, 7 May 2018, Brian Foddy wrote:
>
>> Tunnels come up , ipsec status left shows;
>> 000 Total IPsec connections: loaded 2, active 2
>
>> But nothing is actually working, no pings, no ssh anything between
>> the 2 sites.
>> I've done some tcpdumps (tcpdump -nni enp1s0f1 icmp)
>
> Check forwarding and NAT rules? Run "ipsec verify" to see if there are
> other issues, like rp_filter.
>
>> But at the same time the left tcpdump is showing:
>> tcpdump -nni ppp0 icmp
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode
>> listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size
>> 262144 bytes
>> 22:10:05.698183 IP 8.0.1.10 > 10.20.0.66: ICMP echo request, id
>> 11456, seq 902, length 64
>> 22:10:06.348152 IP 8.0.1.10 > 10.20.0.66: ICMP echo reply, id 7793,
>> seq 107, length 64
>>
>> Notice the IP address have changed from 10.20.1.10 to 8.0.1.10 when
>> packets are arriving back.
>
> I would at the nat and mangle tables and see if anything is being done
> there.
>
>> The firewalls are both running shorewall and I believe the
>> configurations are correct, but can include those files is needed.
>
> Tuomo might be able to say more on that.
>
> Paul
More information about the Swan
mailing list