[Swan] net-to-net for road warriors

Paul Wouters paul at nohats.ca
Sun Jan 27 18:28:50 UTC 2019

On Sun, 27 Jan 2019, Alex wrote:

> Yes, the tunnels have come up, but it appears no data is passing through them:
> # ipsec whack --trafficstatus
> 006 #6: "wyckofftun/1x1", type=ESP, add_time=1548605279, inBytes=0,
> outBytes=0, id='@wyckoff'
> 006 #7: "wyckofftun/1x2", type=ESP, add_time=1548605279, inBytes=0,
> outBytes=0, id='@wyckoff'
> Should the endpoints be included in the left/rightsubnets= lines? I've
> tried both ways. The above is without them.

The issue to be aware of is that for source ip, the linux kernel picks
the "nearest IP". So for a net-to-net scenario, it usualy means the
kernel picks the public instead of the private IP on the gateway itself.

If you need to be able to reach the subnets behind the far gateway from
the local gateway, the best is to get the routing done properly on
the local gateway (and visa versa). The updown script can do this for
simple conns, using sourceip=, but for more complicated scenarios
you might need to do something yourself. You have some options:

1) if the gateways have a private IP in only one network range of the
    many ones it is routing for, you can split that one net-to-net into
    its own conn section, and use leftsourceip= / rightsourceip=
2) customize _updown.netkey to add the routes (with src argument)
3) pre-install the proper routes (with src argument)

But it could also be that routes are fine, but your NAT or MASQUERADE
is modifying packets before the IPsec layer picks up the packets for

Also check /proc/net/xfrm_stats for non-zero values, which usually
indicate a problem

Also check if your machine has forwarding enabled via sysctl or

Check dmesg for martian messages

Verify you have disabled rp_filter

Use ping -I with source address to confirm the tunnel independant of
the routing you have.


More information about the Swan mailing list