[Swan] roadwarrior connects but no data
Paul Wouters
paul at nohats.ca
Thu Oct 4 14:50:05 UTC 2018
On Thu, 4 Oct 2018, Johannes C. Schulz wrote:
> Hello LibreSwan community! It was a long way to get my libreswan connecting to a vpn-server (which is actually a dsl-router from bintec). The server accepts IPsec IKEv1
> connection with PSK. I can connect, but there is no traffic through the tunnel.
> The problem must be on the roadwarrior's side, because I can connect and transfer data through the tunnel if I connect with a windows machine to the vpn-server (using
> ShrewSoft).
>
> I wrote this config:
>
> config setup
> protostack = netkey
>
> conn Office1
> authby = secret
> right = some.domain.tld
> rightid = @Office_admin
> rightnexthop = %defaultroute
> left = 192.168.42.91
> leftsubnet = 192.168.92.0/24
> leftvti = 192.168.92.234/24
> leftid = @Office
> keyexchange = ike
> ike = aes256-sha2;modp2048
> esp = aes256-sha2;modp2048
> ikelifetime = 4h
> keylife = 8h
> auto = add
> aggrmode = yes
> vti-interface = vti0
> vti-routing = yes
> mark = 5/0xffffffff
Try adding sha2_truncbug=yes and see if that fixes your issue. The
router might be doing "broken linux compatibility" mode by default.
> netstat -r -n
> Kernel-IP-Routentabelle
> Ziel Router Genmask Flags MSS Fenster irtt Iface
> 0.0.0.0 192.168.42.129 0.0.0.0 UG 0 0 0 enp0s12u2
> xx.yyy.zzz.vv 0.0.0.0 255.255.255.255 UH 0 0 0 vti0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 enp0s12u2
> 192.168.42.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s12u2
> 192.168.92.0 0.0.0.0 255.255.255.0 U 0 0 0 vti0
What does "ip route" say? It is important to see if you got the proper
route into the VTI interface. I assume xx.yyy.zzz.vv is some.domain.tld's IP?
> ping 192.168.92.10
> PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.
> From 192.168.92.234 icmp_seq=1 Destination Host Unreachable
Is this on the remote end? Because you defined that to be on your end?
Paul
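The two checks raised in this reply (is the remote subnet actually routed into vti0, and does the installed ESP SA use the 96-bit SHA2 truncation that sha2_truncbug=yes selects, or the RFC 4868 128-bit one) can be scripted against the output of "ip route" and "ip xfrm state". The script below is an added example and is not part of the thread or of libreswan; the route and xfrm text it parses is constructed sample output, the peer address 203.0.113.5 and the 0x00 keys are placeholders, and a practitioner would feed it the real output with `ip route` and `ip xfrm state` instead.

```shell
#!/bin/sh
# Constructed sample resembling `ip route` on the roadwarrior after vti-routing=yes
# installed the route for leftsubnet (not taken from the thread).
SAMPLE_ROUTES='default via 192.168.42.129 dev enp0s12u2
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91
192.168.92.0/24 dev vti0 scope link'

# Constructed sample resembling one outbound ESP SA from `ip xfrm state`.
# The last field of the auth-trunc line is the ICV truncation length in bits:
# 128 is the RFC 4868 value, 96 is what sha2_truncbug=yes (old Linux behaviour) uses.
# Peer address and keys are placeholders.
SAMPLE_XFRM='src 192.168.42.91 dst 203.0.113.5
	proto esp spi 0x0a1b2c3d reqid 16389 mode tunnel
	mark 0x5/0xffffffff
	auth-trunc hmac(sha256) 0x00 96
	enc cbc(aes) 0x00'

# route_dev ROUTES PREFIX: print the device PREFIX is routed through; status 1 if absent.
route_dev() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); found = 1 } }
    END { exit !found }'
}

# sha2_trunc_bits XFRM: print the SHA2 truncation length of the first hmac(sha256) SA;
# status 1 if no such SA is installed.
sha2_trunc_bits() {
  printf '%s\n' "$1" | awk '
    $1 == "auth-trunc" && $2 == "hmac(sha256)" { if (!found) print $NF; found = 1 }
    END { exit !found }'
}

# tunnel_report ROUTES XFRM SUBNET IFACE: status 0 when SUBNET is routed via IFACE and an
# SHA2 ESP SA exists; always reports which truncation length is in use so it can be
# compared with the router's mode.
tunnel_report() {
  routes=$1; xfrm=$2; subnet=$3; iface=$4
  dev=$(route_dev "$routes" "$subnet") || { echo "no route for $subnet"; return 1; }
  [ "$dev" = "$iface" ] || { echo "route for $subnet goes via $dev, not $iface"; return 1; }
  echo "route for $subnet via $iface: ok"
  bits=$(sha2_trunc_bits "$xfrm") || { echo "no SHA2 ESP SA installed"; return 1; }
  case $bits in
    96)  echo "ESP SA uses 96-bit SHA2 truncation (sha2_truncbug=yes style)" ;;
    128) echo "ESP SA uses 128-bit SHA2 truncation (RFC 4868 default)" ;;
    *)   echo "ESP SA uses $bits-bit SHA2 truncation" ;;
  esac
  return 0
}

tunnel_report "$SAMPLE_ROUTES" "$SAMPLE_XFRM" 192.168.92.0/24 vti0
echo "status: $?"
```

A mismatch in truncation length is not visible from one side alone: both ends install an SA and the tunnel "comes up", but every ESP packet fails the integrity check on the receiver and is dropped, which is exactly the "connects but no data" symptom. The value this script prints is only the local half of that comparison; the router's mode has to be checked on the router.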