[Swan] net-to-net for road warriors

Alex mysqlstudent at gmail.com
Sun Jan 27 16:15:47 UTC 2019


Hi,

> > The tunnel is built, but I cannot reach either side from the other. I
> > can ping wyckoff from orion but not vice-versa, and I cannot reach any
> > of the internal networks from either endpoint. I'd like to be able to
> > reach each endpoint from the other, as well as the private networks
> > from the alternate endpoints.
>
> Are you sure all tunnels came up? Look with "ipsec whack --trafficstatus"

Yes, the tunnels have come up, but it appears no data is passing through them:

# ipsec whack --trafficstatus
006 #6: "wyckofftun/1x1", type=ESP, add_time=1548605279, inBytes=0, outBytes=0, id='@wyckoff'
006 #7: "wyckofftun/1x2", type=ESP, add_time=1548605279, inBytes=0, outBytes=0, id='@wyckoff'

Should the endpoints be included in the left/rightsubnets= lines? I've
tried both ways. The above is without them.

> > Now that we've established it's really just a site-to-site VPN, it
> > seems the config would be very simple, but it's not working right. Can
> > I ask you to again review my config to identify what I'm missing?
> >
> > conn wyckofftun
> >        # VPN gateway with static IP (local)
> >        left=orion.example.com
> >        leftsubnets={192.168.1.0/24,68.195.193.40/29}
> >        leftid=@orion
> >        leftrsasigkey=0sAwEAAdAb4rdETczxNrLeBnheg2i...
> >        # dynamic IP (remote office)
> >        right=wyckoff.crabdance.com
> >        rightsubnets={192.168.11.0/24,192.168.10.0/24}
> >        rightrsasigkey=0sAwEAAdH7/d2i5iDV10K4ex1bc3fOg7JOS0M...
> >        rightid=@wyckoff
> >        auto=start
> >        rekey=no
>
> that looks right, but remove rekey=no because you can now rekey because
> there is no more %any
>
> > I'm not sure what other info I can provide. Here is ipsec barf:
> > https://drive.google.com/file/d/1Z2rC48dF_MoJ7YgRA4ugAnkBTP8nAvTe/view?usp=sharing
>
> all the tunnels seem to have come up, so likely this is now related to
> NAT or MASQUERADING rules. Or forwarding rules, or those nodes not
> having a gateway pointing to the VPN server for those remote subnets.

Does this output help? My config sure appears to follow the
subnet-to-subnet docs, but it doesn't appear to be passing traffic
through the tunnels.

# ip xfrm state
src 68.192.251.223 dst 68.195.193.42
        proto esp spi 0x43b69db0 reqid 16393 mode tunnel
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0x6d0df70038270b683d16b5d86a91e5cdf9ba638441f778b98d3f0b0c7cf6cc39241fb636 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 68.195.193.42 dst 68.192.251.223
        proto esp spi 0xe942f86f reqid 16393 mode tunnel
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0x8a982773fa9c478cb54eeeb827e0d71bfb654ccbf034fef9c1f427c35aea0ebb94d9c433 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 68.192.251.223 dst 68.195.193.42
        proto esp spi 0xb2c6d270 reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0x2330847d661999a5d4d0952238bfd5b05a2451f060d312f2937fdc3e669a717c31f17636 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 68.195.193.42 dst 68.192.251.223
        proto esp spi 0x5dae9e10 reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0xb6019d3447bd7561ee60a101914233408f4554f5847bc0f2247f069292f1f00fa693c027 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 68.192.251.223 dst 68.195.193.42
        proto esp spi 0xf6aa04f1 reqid 16393 mode tunnel
        replay-window 0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 68.192.251.223/32 dst 68.195.193.42/32

# ip xfrm policy
src 192.168.1.0/24 dst 192.168.10.0/24
        dir out priority 1042407 ptype main
        tmpl src 68.195.193.42 dst 68.192.251.223
                proto esp reqid 16393 mode tunnel
src 192.168.10.0/24 dst 192.168.1.0/24
        dir fwd priority 1042407 ptype main
        tmpl src 68.192.251.223 dst 68.195.193.42
                proto esp reqid 16393 mode tunnel
src 192.168.10.0/24 dst 192.168.1.0/24
        dir in priority 1042407 ptype main
        tmpl src 68.192.251.223 dst 68.195.193.42
                proto esp reqid 16393 mode tunnel
src 192.168.1.0/24 dst 192.168.11.0/24
        dir out priority 1042407 ptype main
        tmpl src 68.195.193.42 dst 68.192.251.223
                proto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
        dir fwd priority 1042407 ptype main
        tmpl src 68.192.251.223 dst 68.195.193.42
                proto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
        dir in priority 1042407 ptype main
        tmpl src 68.192.251.223 dst 68.195.193.42
                proto esp reqid 16389 mode tunnel
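As an added diagnostic that is not part of this thread: a small Python checker that parses `ip xfrm policy` and `ip xfrm state` records in the format shown above and reports, for a given source and destination, whether an outbound policy covers the flow at all (the endpoint-to-endpoint case behind the "should the endpoints be in left/rightsubnets" question) and whether the SA that policy references is actually keyed, since a larval entry with `replay-window 0` and a `sel` line but no key material is not a usable SA. The samples are constructed from the output above with a placeholder key, and the reqid 16389 SA is deliberately left out so the missing-SA branch is exercised.

```python
import ipaddress
import re
# Constructed sample, trimmed from the `ip xfrm policy` output above (the two "out" policies).
SAMPLE_POLICY = """\
src 192.168.1.0/24 dst 192.168.10.0/24
        dir out priority 1042407 ptype main
        tmpl src 68.195.193.42 dst 68.192.251.223
                proto esp reqid 16393 mode tunnel
src 192.168.1.0/24 dst 192.168.11.0/24
        dir out priority 1042407 ptype main
        tmpl src 68.195.193.42 dst 68.192.251.223
                proto esp reqid 16389 mode tunnel
"""
# Constructed `ip xfrm state` sample (placeholder key): a keyed SA for reqid 16393 plus a
# larval, keyless entry for the same reqid; the reqid 16389 SA is deliberately left out.
SAMPLE_STATE = """\
src 68.195.193.42 dst 68.192.251.223
        proto esp spi 0xe942f86f reqid 16393 mode tunnel
        aead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
src 68.195.193.42 dst 68.192.251.223
        proto esp spi 0xf6aa04f1 reqid 16393 mode tunnel
        replay-window 0
        sel src 68.192.251.223/32 dst 68.195.193.42/32
"""

def _blocks(text):
    # Each `ip xfrm` record starts with an unindented "src" line; continuation lines are indented.
    return [b for b in re.split(r"^(?=src )", text, flags=re.M) if b.strip()]

def parse_policies(text):
    # -> list of (src_net, dst_net, direction, reqid), one tuple per policy record
    pols = []
    for b in _blocks(text):
        m = re.match(r"src (\S+) dst (\S+).*?\bdir (\w+).*?\breqid (\d+)", b, re.S)
        if m:
            pols.append((ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2]), m[3], int(m[4])))
    return pols

def keyed_reqids(text):
    # reqids with at least one SA carrying key material; larval entries (no aead/enc line) do not count
    return {int(re.search(r"\breqid (\d+)", b)[1]) for b in _blocks(text)
            if re.search(r"\breqid \d+", b) and re.search(r"^\s+(aead|enc) ", b, re.M)}

def check_flow(src_ip, dst_ip, policies, keyed):
    # Would src->dst be ESP-encapsulated by this gateway, and is the SA it needs actually keyed?
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, direction, reqid in policies:
        if direction == "out" and s in src_net and d in dst_net:
            return "ok" if reqid in keyed else f"no keyed SA for reqid {reqid}"
    return "no out policy"
```

On a live gateway, feed it `subprocess.check_output(["ip", "xfrm", "policy"])` and `["ip", "xfrm", "state"]` instead of the samples; a "no out policy" result for gateway-to-gateway pings means the endpoint addresses simply are not covered by any negotiated subnet pair.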

