[Swan] Divergent results for whether a subnet is pingable from server and behind it
Paul Wouters
paul at nohats.ca
Sat Oct 13 23:05:48 UTC 2018
On Fri, 12 Oct 2018, Whit Blauvelt wrote:
> I remember with FreeSWAN years back when there needed to be a separate
> connection to be able to ping from the server itself as compared to systems
> behind it. That's not the current case. But I'm trying to understand this
> with Libreswan:
>
> These subnets are all routed out the same connection:
>
> 172.16.11.0/24 via 123.23.123.23 dev enp2s0f1 src 172.17.10.3
> 172.16.12.0/24 via 123.23.123.23 dev enp2s0f1 src 172.17.10.3
> 172.16.13.0/24 via 123.23.123.23 dev enp2s0f1 src 172.17.10.3
> 172.16.14.0/24 via 123.23.123.23 dev enp2s0f1 src 172.17.10.3
> 172.16.15.0/24 via 123.23.123.23 dev enp2s0f1 src 172.17.10.3
> 172.16.31.0/24 via 123.23.123.23 dev enp2s0f1 src 172.17.10.3
> 172.16.32.0/24 via 123.23.123.23 dev enp2s0f1 src 172.17.10.3
>
> They're all listed in the array of rightsubnets in a conn section of
> ipsec.conf.
Do all of thes also include 172.17.10.3 as left or within their
leftsubnet ?
> There's a system pingable at .1 of each of those at the other end. All of
> those .1s can be pinged from behind the server. But from the server itself
> currently 172.16.11.1 and 172.16.15.1 cannot. This is not always the case.
> Sometimes they all can be pinged from the server. But it's how it is now,
> consistently at present.
I've seen situations where if the traffic was once initiated on the
remote server to your libreswan's subnet, it would from then on work. I
think those are related to proxyarp or some statefull firewall that
allows RELATED traffic but related traffic can only happen from the one
site back to libreswan and not the other way around due to the iptables
rules involved/
Paul
More information about the Swan
mailing list