[Swan] one way ping

John Crisp jcrisp at safeandsoundit.co.uk
Fri Jul 20 09:36:40 UTC 2018


On 20/07/18 09:51, Roberto Suárez Soto wrote:
> El 20/07/18 a las 01:43, John Crisp escribió:
>> However, once up I can only ping from the Libre end -> Endian.
>>
>> Once a ping has been sent, magically I can ping from the Endian back to
>> Libre
>
>     I've seen this happen when the firewall at one end ("Libre", in this
> case) doesn't allow incoming IPSec connections, or maybe just ESP
> traffic (or, if encapsulated, 4500/udp). It doesn't work when initiating
> the connection (i.e., ping) from the other side, but when you do it from
> the Libre side, the replies get into the "related" state and are
> allowed. If this is the case, you may see the dropped packets in Libre's
> logs.
>
>     My 2¢, anyway.
>
Thanks!

I was checking in the cold hard light of day after a decent night's sleep
and noticed there is one significant difference I had missed.

The working versions are Proxmox VMs with virtual ethernet adaptors
using a virtio_net driver on both the 'real' outside interface and the
'dummy' internal one. That puts the machine in server-gateway mode so
the firewalling works etc etc

But the two non-working machines have an ethernet dummy adaptor set up on
the 'internal' interface and that has no driver.

I have reason to suspect that this may be the cause of my problems.

I'll post back once I test a bit more.

B. Rgds
John
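
The asymmetry Roberto describes (a ping only works once the Libre side has sent the first packet) is a consequence of stateful filtering: an outbound packet creates a conntrack entry, so the peer's reply matches ESTABLISHED and is accepted even though the same packet arriving as NEW would be dropped. The following is an added example written for this page, not code from the list, from Libreswan or from Endian; it models that behaviour with a toy conntrack table. The addresses are constructed documentation-range values, the "Endian" side is assumed to accept inbound ESP from its peer, and IKE negotiation and conntrack timeouts are deliberately left out.

```python
"""Toy model of a stateful INPUT chain explaining one-way ping over IPsec.

Each host keeps a conntrack table.  Sending a packet records its flow;
an inbound packet is accepted if its flow is already known (ESTABLISHED)
or if the host's NEW-packet policy allows it.  ESP is IP protocol 50.
"""
from dataclasses import dataclass

LIBRE = "203.0.113.10"    # constructed sample address (TEST-NET-3)
ENDIAN = "198.51.100.20"  # constructed sample address (TEST-NET-2)
ESP = 50


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0  # unused for ESP; kept so UDP/4500 could be modelled too
    dport: int = 0

    def flow_key(self):
        # Direction-independent key, so a reply matches the original entry.
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


class StatefulHost:
    """A host whose INPUT chain accepts ESTABLISHED flows, then consults
    `allow_new` (a predicate on the packet) for anything else."""

    def __init__(self, ip, allow_new):
        self.ip = ip
        self.allow_new = allow_new
        self.conntrack = set()

    def send(self, pkt):
        # Outbound traffic always creates (or refreshes) a conntrack entry.
        self.conntrack.add(pkt.flow_key())

    def receive(self, pkt):
        if pkt.flow_key() in self.conntrack:
            return "ACCEPT (ESTABLISHED)"
        if self.allow_new(pkt):
            self.conntrack.add(pkt.flow_key())
            return "ACCEPT (NEW)"
        return "DROP (NEW)"  # this is what shows up in the firewall log


def ping(hosts, src, dst):
    """One ICMP echo carried inside ESP: request one way, reply the other.
    Returns True only if both ESP packets are accepted."""
    request = Packet(ESP, src, dst)
    hosts[src].send(request)
    if hosts[dst].receive(request).startswith("DROP"):
        return False
    reply = Packet(ESP, dst, src)
    hosts[dst].send(reply)
    return hosts[src].receive(reply).startswith("ACCEPT")


def scenario(libre_allows_inbound_esp, order):
    """Run pings in `order` (a list of (src, dst) pairs) and report which
    succeeded.  `libre_allows_inbound_esp` toggles the hypothesised missing
    rule on the Libre side; Endian is assumed to accept ESP from its peer."""
    libre = StatefulHost(
        LIBRE,
        lambda p: libre_allows_inbound_esp and p.proto == ESP and p.src == ENDIAN,
    )
    endian = StatefulHost(ENDIAN, lambda p: p.proto == ESP and p.src == LIBRE)
    hosts = {LIBRE: libre, ENDIAN: endian}
    return [ping(hosts, s, d) for s, d in order]


if __name__ == "__main__":
    symptom = [(ENDIAN, LIBRE), (LIBRE, ENDIAN), (ENDIAN, LIBRE)]
    print("Libre drops NEW ESP :", scenario(False, symptom))  # [False, True, True]
    print("Libre accepts peer  :", scenario(True, symptom))   # [True, True, True]
```

The first run reproduces the symptom in the thread: the Endian-initiated ping fails, the Libre-initiated one succeeds and, because that exchange populated Libre's conntrack table, the next Endian-initiated ping "magically" works. The second run shows that an explicit accept for ESP (and, for NAT-T, UDP/4500) from the peer address removes the dependency on who sends first; on a real box the corresponding DROP lines in the Libre firewall log are the confirming evidence Roberto points to.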
