[Swan] converting to use NAT traversal

Alex mysqlstudent at gmail.com
Thu Jan 9 00:40:24 UTC 2020


Hi,

Okay, I thought it was working, and maybe it was, but something
changed and now it's not working. The day after I thought I had it
working, I had a hard disk failure and had to completely reinstall and
rescue the config from the failed hard disk. I'm just confused and
hoped someone could review to determine if there's still a problem.

I need to be able to reach 192.168.1.1 from the 192.168.11.0 network.
I believe the problem is that connections from the 192.168.11.0
network on "wyckoff" to the 192.168.1.1 host on "orion" are not being
forwarded through the VPN. I can trace the packets as far as the
internal interface of the "wyckoff" router on 192.168.11.1, but they
appear to stop there.

It appears that all four tunnels are up and running, however. I can
ping orion from wyckoff but can't ping orion from any of the hosts on
either of the internal networks (192.168.11.0 and 192.168.10.0). I
also have shorewall involved, but it's also the same configuration
that worked previously. This is obviously very frustrating, so
hopefully someone has some ideas of what I might be doing wrong.

The network looks like this:
wyckoff:
96.56.24.210 - public IP (static)
10.201.2.2 - external interface on enp4s0. This IP gets NATed by the
gateway router on premises outside of my control.
192.168.11.0 and 192.168.10.0 - internal networks on interface used
for IP phones and laptops
Both ports 4500 and 500 UDP are being port forwarded on the public IP
to the 10.201.2.2 IP.

orion:
68.195.193.42 - public IP on external interface (static)
192.168.1.1 - internal network with asterisk for phones on this
network and wyckoff networks

Below is the config for each system.
wyckoff:
conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        auto=start
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        rightid=@wyckoff-orion
        right=%defaultroute
        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfz...
        leftid=@orion-wyckoff
        left=68.195.193.42
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN...

orion:
conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        auto=add
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        rightid=@wyckoff-orion
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        right=96.56.24.210
        rightrsasigkey=0sAwEAAd4EeKjbFI7m...
        leftid=@orion-wyckoff
        left=68.195.193.42
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        leftrsasigkey=0sAwEAAeSMFxvoJaP54t...

I've also included below the output from "ipsec look" on wyckoff:
wyckoff.crabdance.com Wed Jan  8 19:38:22 EST 2020
XFRM state:
src 68.195.193.42 dst 10.201.2.2
proto esp spi 0x3ad1eee4 reqid 16401 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0x5b1409a2de0d11021960f6d5bb6cde4d50fe166dfa546a4874c7609103bdc3bf2940c508 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.201.2.2 dst 68.195.193.42
proto esp spi 0x36bd769b reqid 16401 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0x938a96c089253ce376b15a71c7881ce71d0bab11bef58c3790eb1405f331b94cbab167d3 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 68.195.193.42 dst 10.201.2.2
proto esp spi 0xa8872682 reqid 16393 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0xc8903b08830223b3fd017ab12f5f9f672c33797a3ad76a3bd227e5ff4398b97fb711fbf3 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.201.2.2 dst 68.195.193.42
proto esp spi 0x8da4366d reqid 16393 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0x7cb46ddff9474c453b1ace2f222e42029035473bc171b818ea2d31cbc87d510c97286c3a 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 68.195.193.42 dst 10.201.2.2
proto esp spi 0x6b3ab1b7 reqid 16397 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0x0a1e93600493c4ab8592481e74bde2d6d4c9b1e6f4a7b87932d04cbe296aa31be4c6dadc 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.201.2.2 dst 68.195.193.42
proto esp spi 0xb6ccd55f reqid 16397 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0x9597b3fb49b9cd4a6f1d95434786be7d1911a74123d296bbf470e9752725c5453143251b 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 68.195.193.42 dst 10.201.2.2
proto esp spi 0x65f105c8 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0xe0fd5d99dc84bc57ee6b94211b125ee030fa3387647a9ecd9ebed1e91f75f39236ed4bff 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.201.2.2 dst 68.195.193.42
proto esp spi 0x5dc3fe92 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0x73fb416324dfead7549ac30a8c246ba55d3ef2ef195a603040ddbb2f52cc77bad53af067 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
XFRM policy:
src 192.168.1.0/24 dst 192.168.10.0/24
dir fwd priority 1042407 ptype main
tmpl src 68.195.193.42 dst 10.201.2.2
proto esp reqid 16393 mode tunnel
src 192.168.1.0/24 dst 192.168.10.0/24
dir in priority 1042407 ptype main
tmpl src 68.195.193.42 dst 10.201.2.2
proto esp reqid 16393 mode tunnel
src 192.168.1.0/24 dst 192.168.11.0/24
dir fwd priority 1042407 ptype main
tmpl src 68.195.193.42 dst 10.201.2.2
proto esp reqid 16389 mode tunnel
src 192.168.1.0/24 dst 192.168.11.0/24
dir in priority 1042407 ptype main
tmpl src 68.195.193.42 dst 10.201.2.2
proto esp reqid 16389 mode tunnel
src 192.168.10.0/24 dst 192.168.1.0/24
dir out priority 1042407 ptype main
tmpl src 10.201.2.2 dst 68.195.193.42
proto esp reqid 16393 mode tunnel
src 192.168.10.0/24 dst 192.168.6.0/24
dir out priority 1042407 ptype main
tmpl src 10.201.2.2 dst 68.195.193.42
proto esp reqid 16401 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
dir out priority 1042407 ptype main
tmpl src 10.201.2.2 dst 68.195.193.42
proto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.6.0/24
dir out priority 1042407 ptype main
tmpl src 10.201.2.2 dst 68.195.193.42
proto esp reqid 16397 mode tunnel
src 192.168.6.0/24 dst 192.168.10.0/24
dir fwd priority 1042407 ptype main
tmpl src 68.195.193.42 dst 10.201.2.2
proto esp reqid 16401 mode tunnel
src 192.168.6.0/24 dst 192.168.10.0/24
dir in priority 1042407 ptype main
tmpl src 68.195.193.42 dst 10.201.2.2
proto esp reqid 16401 mode tunnel
src 192.168.6.0/24 dst 192.168.11.0/24
dir fwd priority 1042407 ptype main
tmpl src 68.195.193.42 dst 10.201.2.2
proto esp reqid 16397 mode tunnel
src 192.168.6.0/24 dst 192.168.11.0/24
dir in priority 1042407 ptype main
tmpl src 68.195.193.42 dst 10.201.2.2
proto esp reqid 16397 mode tunnel
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir out priority 1 ptype main
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 10.201.2.1 dev enp4s0 proto static metric 100
10.201.2.0/24 dev enp4s0 proto kernel scope link src 10.201.2.2 metric 100
192.168.10.0/24 dev enp2s0 proto kernel scope link src 192.168.10.1 metric 101
192.168.11.0/24 dev enp2s0 proto kernel scope link src 192.168.11.1 metric 101
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev enp4s0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0 proto kernel metric 256 pref medium
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
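A way to check a dump like the one in the post mechanically, as an added example that is not part of the original post and not libreswan's own tooling: the script below parses the "XFRM policy" section of `ipsec look` / `ip xfrm policy` output, reports whether a subnet pair has the three policy directions (out, in, fwd) a site-to-site tunnel needs, and then tests whether a concrete packet would hit an outbound policy at all. The embedded dump is a constructed excerpt of the policy output quoted in the post (two of its subnet pairs plus one of the IPv6 neighbour-discovery bypass entries); the host address 192.168.11.5 is an assumed example host on the wyckoff side.

```python
"""Parse `ip xfrm policy` / `ipsec look` policy output and check tunnel coverage.

Added example for the post above; not part of the original message or of
libreswan. The sample dump is a constructed excerpt of the output quoted
in the post.
"""
import ipaddress
import re

# Constructed excerpt of the XFRM policy output quoted in the post.
SAMPLE_XFRM_POLICY = """\
src 192.168.1.0/24 dst 192.168.11.0/24
dir fwd priority 1042407 ptype main
tmpl src 68.195.193.42 dst 10.201.2.2
proto esp reqid 16389 mode tunnel
src 192.168.1.0/24 dst 192.168.11.0/24
dir in priority 1042407 ptype main
tmpl src 68.195.193.42 dst 10.201.2.2
proto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
dir out priority 1042407 ptype main
tmpl src 10.201.2.2 dst 68.195.193.42
proto esp reqid 16389 mode tunnel
src 192.168.10.0/24 dst 192.168.6.0/24
dir out priority 1042407 ptype main
tmpl src 10.201.2.2 dst 68.195.193.42
proto esp reqid 16401 mode tunnel
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir fwd priority 1 ptype main
"""

# A selector line; the optional "proto ..." tail marks protocol-specific entries.
POLICY_RE = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+).*)?$")
DIR_RE = re.compile(r"^dir (\w+) priority (\d+)")
REQID_RE = re.compile(r"^proto esp reqid (\d+) mode (\w+)")


def parse_xfrm_policies(text):
    """Return a list of dicts (src, dst, proto, dir, priority, reqid, mode).

    Entries with an upper-layer proto (e.g. the ipv6-icmp ND bypass rules)
    are kept but carry proto != None so callers can skip them.
    """
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = {
                "src": ipaddress.ip_network(m.group(1)),
                "dst": ipaddress.ip_network(m.group(2)),
                "proto": m.group(3),
                "dir": None, "priority": None, "reqid": None, "mode": None,
            }
            policies.append(current)
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current["dir"] = m.group(1)
            current["priority"] = int(m.group(2))
            continue
        m = REQID_RE.match(line)
        if m:
            current["reqid"] = int(m.group(1))
            current["mode"] = m.group(2)
    return policies


def tunnel_coverage(policies, local_net, remote_net):
    """Set of directions present for local->remote (out) and remote->local (in, fwd)."""
    local_net = ipaddress.ip_network(local_net)
    remote_net = ipaddress.ip_network(remote_net)
    found = set()
    for p in policies:
        if p["proto"] is not None:
            continue
        if p["dir"] == "out" and p["src"] == local_net and p["dst"] == remote_net:
            found.add("out")
        elif p["dir"] in ("in", "fwd") and p["src"] == remote_net and p["dst"] == local_net:
            found.add(p["dir"])
    return found


def match_outbound(policies, src_ip, dst_ip):
    """Best-matching (lowest priority number) 'out' policy for a packet, or None.

    Only address selectors are considered; protocol-specific entries are skipped.
    """
    src_ip = ipaddress.ip_address(src_ip)
    dst_ip = ipaddress.ip_address(dst_ip)
    candidates = [
        p for p in policies
        if p["dir"] == "out" and p["proto"] is None
        and src_ip.version == p["src"].version
        and src_ip in p["src"] and dst_ip in p["dst"]
    ]
    return min(candidates, key=lambda p: p["priority"]) if candidates else None


if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    print("11.0/24 <-> 1.0/24:", sorted(tunnel_coverage(pols, "192.168.11.0/24", "192.168.1.0/24")))
    print("10.0/24 <-> 6.0/24 (excerpt only):", sorted(tunnel_coverage(pols, "192.168.10.0/24", "192.168.6.0/24")))
    print("192.168.11.5 -> 192.168.1.1:", match_outbound(pols, "192.168.11.5", "192.168.1.1"))
    # Same packet after its source has been rewritten to the external address.
    print("10.201.2.2 -> 192.168.1.1:", match_outbound(pols, "10.201.2.2", "192.168.1.1"))
```

Run against the full dump in the post, every one of the four subnet pairs comes back with all three directions, so the kernel policy side is not the missing piece for the 192.168.11.0/24 to 192.168.1.0/24 path. The last call shows what a policy lookup sees if the packet's source has already been changed to the external address 10.201.2.2 before the lookup: no `out` policy matches and the packet leaves in the clear on the default route. Since the post says a firewall (shorewall) is also in play on the same box, checking where its NAT rules apply relative to the IPsec policy lookup is a natural next step.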