[Swan] Road warriors and dhcp

Alex mysqlstudent at gmail.com
Thu Jan 7 15:50:22 UTC 2021


Hi,

> > Okay, adding leftsubnet=0.0.0.0/0 does enable me to ping the
> > 192.168.6.1 gateway, but I can't reach the 192.168.1.0/24 internal
> > network.
>
> Then that is really an issue of routing/nat/firewall on the VPN server.
> Check the vpn server works properly: does ping -I 192.168.6.1 192.168.1.x work?

Yes, it does work properly. I can also ping the 192.168.6.1 gateway
from a host on the 192.168.1.1 network.

With the leftsubnet=192.168.6.0/24 I can ping the 192.168.6.1 gateway
on the client. I can also view the traffic with tcpdump. However,
there simply isn't any traffic received (tcpdump -ni any host
172.58.238.253) when trying to then ping the 192.168.1.0/24 network.

Is it possible it's still a routing issue?

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.195.111.41   0.0.0.0         UG    0      0        0 br0
68.195.111.40   0.0.0.0         255.255.255.248 U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.6.2     0.0.0.0         255.255.255.255 UH    0      0        0 br0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

Also, the vpn link disconnects on the client side very quickly. I do
see keepalive messages. Is that related?

10:44:14.497568 IP 172.58.238.253.27040 > 68.195.111.42.ipsec-nat-t:
isakmp-nat-keep-alive
10:44:14.497568 IP 172.58.238.253.27040 > 68.195.111.42.ipsec-nat-t:
isakmp-nat-keep-alive

This is the traffic I see when pinging the 192.168.6.1 gateway:

10:45:10.146464 IP 172.58.238.253.27040 > 68.195.111.42.ipsec-nat-t:
UDP-encap: ESP(spi=0xc1163130,seq=0x1), length 100
10:45:10.146464 IP 172.58.238.253.27040 > 68.195.111.42.ipsec-nat-t:
UDP-encap: ESP(spi=0xc1163130,seq=0x1), length 100

Is it helpful to have the output from "shorewall show ipsec"?

src 192.168.6.0/24 dst 192.168.6.2/32 uid 0
        dir out action allow index 32617 priority 2084799 ptype main
share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2021-01-07 10:43:55 use 2021-01-07 10:45:13
        tmpl src 68.195.111.42 dst 172.58.238.253
                proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.6.2/32 dst 192.168.6.0/24 uid 0
        dir fwd action allow index 32610 priority 2084799 ptype main
share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2021-01-07 10:43:55 use -
        tmpl src 172.58.238.253 dst 68.195.111.42
                proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.6.2/32 dst 192.168.6.0/24 uid 0
        dir in action allow index 32600 priority 2084799 ptype main
share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2021-01-07 10:43:55 use 2021-01-07 10:45:13
        tmpl src 172.58.238.253 dst 68.195.111.42
                proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

src 172.58.238.253 dst 68.195.111.42
        proto esp spi 0xc1163130(3239457072) reqid 16417(0x00004021) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        encap type espinudp sport 27040 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x4, oseq 0x0, bitmap 0x0000000f
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          240(bytes), 4(packets)
          add 2021-01-07 10:43:55 use 2021-01-07 10:45:10
        stats:
          replay-window 0 replay 0 failed 0
src 68.195.111.42 dst 172.58.238.253
        proto esp spi 0x273a4da8(658132392) reqid 16417(0x00004021) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        encap type espinudp sport 4500 dport 27040 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x4, bitmap 0x00000000
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          240(bytes), 4(packets)
          add 2021-01-07 10:43:55 use 2021-01-07 10:45:10
        stats:
          replay-window 0 replay 0 failed 0

Thanks so much.
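An added example (not from the original post or from the libreswan project) that reads the policy part of the `shorewall show ipsec` / `ip xfrm policy` output quoted above and answers the question the post is really asking: is a given client flow covered by any IPsec policy selector at all? The `Policy`, `parse_policies`, `covering_policies` and `flow_is_protected` names are this example's own. The first sample is the output as posted (abridged to the selector, `dir` and `tmpl` lines); the second, `WIDE_POLICY_OUTPUT`, is constructed to represent the `0.0.0.0/0` selectors a `leftsubnet=0.0.0.0/0` connection installs and is not taken from the post.

```python
"""Check which IPsec (xfrm) policies cover a client flow.

Parses the `src ... dst ...` / `dir ...` pairs printed by `ip xfrm policy`
(which is what `shorewall show ipsec` wraps) and tests a source/destination
pair against the selectors.  Runs offline on embedded sample output.
"""
import ipaddress
import re
from dataclasses import dataclass

# Policy output as posted on the list, abridged to the lines this parser uses.
POLICY_OUTPUT = """\
src 192.168.6.0/24 dst 192.168.6.2/32 uid 0
        dir out action allow index 32617 priority 2084799 ptype main
        tmpl src 68.195.111.42 dst 172.58.238.253
                proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
src 192.168.6.2/32 dst 192.168.6.0/24 uid 0
        dir fwd action allow index 32610 priority 2084799 ptype main
        tmpl src 172.58.238.253 dst 68.195.111.42
                proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
src 192.168.6.2/32 dst 192.168.6.0/24 uid 0
        dir in action allow index 32600 priority 2084799 ptype main
        tmpl src 172.58.238.253 dst 68.195.111.42
                proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
"""

# Constructed sample (not from the post): the selectors a leftsubnet=0.0.0.0/0
# connection installs for the same client.
WIDE_POLICY_OUTPUT = """\
src 0.0.0.0/0 dst 192.168.6.2/32 uid 0
        dir out action allow index 40001 priority 2084799 ptype main
        tmpl src 68.195.111.42 dst 172.58.238.253
                proto esp spi 0x00000000(0) reqid 16418(0x00004022) mode tunnel
src 192.168.6.2/32 dst 0.0.0.0/0 uid 0
        dir fwd action allow index 40002 priority 2084799 ptype main
        tmpl src 172.58.238.253 dst 68.195.111.42
                proto esp spi 0x00000000(0) reqid 16418(0x00004022) mode tunnel
src 192.168.6.2/32 dst 0.0.0.0/0 uid 0
        dir in action allow index 40003 priority 2084799 ptype main
        tmpl src 172.58.238.253 dst 68.195.111.42
                proto esp spi 0x00000000(0) reqid 16418(0x00004022) mode tunnel
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str   # "in", "out" or "fwd"
    action: str      # "allow" or "block"

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst


_SEL = re.compile(r"^src (\S+) dst (\S+)")
_DIR = re.compile(r"^dir (\w+) action (\w+)")


def parse_policies(text):
    """Return one Policy per selector/dir pair; template and SA lines are ignored."""
    policies = []
    selector = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("tmpl "):
            continue  # template lines also start with src/dst; skip them
        m = _SEL.match(line)
        if m:
            selector = (ipaddress.ip_network(m.group(1), strict=False),
                        ipaddress.ip_network(m.group(2), strict=False))
            continue
        m = _DIR.match(line)
        if m and selector is not None:
            policies.append(Policy(selector[0], selector[1], m.group(1), m.group(2)))
            selector = None  # one dir line per selector
    return policies


def covering_policies(policies, src, dst, direction):
    """Policies of the given direction whose selectors contain src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [p for p in policies if p.direction == direction and p.matches(s, d)]


def flow_is_protected(policies, src, dst, direction):
    """True if some allow policy covers the flow; otherwise the kernel drops or bypasses it."""
    return any(p.action == "allow" for p in covering_policies(policies, src, dst, direction))


if __name__ == "__main__":
    for label, text in (("leftsubnet=192.168.6.0/24", POLICY_OUTPUT),
                        ("leftsubnet=0.0.0.0/0 (constructed)", WIDE_POLICY_OUTPUT)):
        pols = parse_policies(text)
        print(label)
        for dst in ("192.168.6.1", "192.168.1.10"):
            ok = flow_is_protected(pols, "192.168.6.2", dst, "fwd")
            print(f"  client 192.168.6.2 -> {dst}: {'covered' if ok else 'NOT covered'}")
```

With the posted output, the client-to-gateway ping (192.168.6.2 to 192.168.6.1) is covered by the `in` and `fwd` selectors, while 192.168.6.2 to anything in 192.168.1.0/24 matches no policy, which is consistent with no ESP arriving for those pings. A covering selector is only the first condition: the server still needs IP forwarding enabled, a route or NAT for the 192.168.1.0/24 side, and firewall rules that permit the decrypted traffic.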

