[Swan] Road warriors and dhcp
Alex
mysqlstudent at gmail.com
Thu Jan 7 15:50:22 UTC 2021
Hi,
> > Okay, adding leftsubnet=0.0.0.0/0 does enable me to ping the
> > 192.168.6.1 gateway, but I can't reach the 192.168.1.0/24 internal
> > network.
>
> Then that is really an issue of routing/nat/firewall on the VPN server.
> Check the vpn server works properly with: ping -I 192.168.6.1 192.168.1.x work ?
Yes, it does work properly. I can also ping the 192.168.6.1 gateway
from a host on the 192.168.1.1 network.
With the leftsubnet=192.168.6.0/24 I can ping the 192.168.6.1 gateway
on the client. I can also view the traffic with tcpdump. However,
there simply isn't any traffic received (tcpdump -ni any host
172.58.238.253) when trying to then ping the 192.168.1.0/24 network.
Is it possible it's still a routing issue?
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.195.111.41   0.0.0.0         UG    0      0        0 br0
68.195.111.40   0.0.0.0         255.255.255.248 U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.6.2     0.0.0.0         255.255.255.255 UH    0      0        0 br0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
Also, the vpn link disconnects on the client side very quickly. I do
see keepalive messages. Is that related?
10:44:14.497568 IP 172.58.238.253.27040 > 68.195.111.42.ipsec-nat-t: isakmp-nat-keep-alive
10:44:14.497568 IP 172.58.238.253.27040 > 68.195.111.42.ipsec-nat-t: isakmp-nat-keep-alive
This is the traffic I see when pinging the 192.168.6.1 gateway:
10:45:10.146464 IP 172.58.238.253.27040 > 68.195.111.42.ipsec-nat-t: UDP-encap: ESP(spi=0xc1163130,seq=0x1), length 100
10:45:10.146464 IP 172.58.238.253.27040 > 68.195.111.42.ipsec-nat-t: UDP-encap: ESP(spi=0xc1163130,seq=0x1), length 100
Is it helpful to have the output from "shorewall show ipsec"?
src 192.168.6.0/24 dst 192.168.6.2/32 uid 0
    dir out action allow index 32617 priority 2084799 ptype main
    share any flag (0x00000000)
    lifetime config:
        limit: soft (INF)(bytes), hard (INF)(bytes)
        limit: soft (INF)(packets), hard (INF)(packets)
        expire add: soft 0(sec), hard 0(sec)
        expire use: soft 0(sec), hard 0(sec)
    lifetime current:
        0(bytes), 0(packets)
        add 2021-01-07 10:43:55 use 2021-01-07 10:45:13
    tmpl src 68.195.111.42 dst 172.58.238.253
        proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.6.2/32 dst 192.168.6.0/24 uid 0
    dir fwd action allow index 32610 priority 2084799 ptype main
    share any flag (0x00000000)
    lifetime config:
        limit: soft (INF)(bytes), hard (INF)(bytes)
        limit: soft (INF)(packets), hard (INF)(packets)
        expire add: soft 0(sec), hard 0(sec)
        expire use: soft 0(sec), hard 0(sec)
    lifetime current:
        0(bytes), 0(packets)
        add 2021-01-07 10:43:55 use -
    tmpl src 172.58.238.253 dst 68.195.111.42
        proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.6.2/32 dst 192.168.6.0/24 uid 0
    dir in action allow index 32600 priority 2084799 ptype main
    share any flag (0x00000000)
    lifetime config:
        limit: soft (INF)(bytes), hard (INF)(bytes)
        limit: soft (INF)(packets), hard (INF)(packets)
        expire add: soft 0(sec), hard 0(sec)
        expire use: soft 0(sec), hard 0(sec)
    lifetime current:
        0(bytes), 0(packets)
        add 2021-01-07 10:43:55 use 2021-01-07 10:45:13
    tmpl src 172.58.238.253 dst 68.195.111.42
        proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.58.238.253 dst 68.195.111.42
    proto esp spi 0xc1163130(3239457072) reqid 16417(0x00004021) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    encap type espinudp sport 27040 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x4, oseq 0x0, bitmap 0x0000000f
    lifetime config:
        limit: soft (INF)(bytes), hard (INF)(bytes)
        limit: soft (INF)(packets), hard (INF)(packets)
        expire add: soft 0(sec), hard 0(sec)
        expire use: soft 0(sec), hard 0(sec)
    lifetime current:
        240(bytes), 4(packets)
        add 2021-01-07 10:43:55 use 2021-01-07 10:45:10
    stats:
        replay-window 0 replay 0 failed 0
src 68.195.111.42 dst 172.58.238.253
    proto esp spi 0x273a4da8(658132392) reqid 16417(0x00004021) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    encap type espinudp sport 4500 dport 27040 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x4, bitmap 0x00000000
    lifetime config:
        limit: soft (INF)(bytes), hard (INF)(bytes)
        limit: soft (INF)(packets), hard (INF)(packets)
        expire add: soft 0(sec), hard 0(sec)
        expire use: soft 0(sec), hard 0(sec)
    lifetime current:
        240(bytes), 4(packets)
        add 2021-01-07 10:43:55 use 2021-01-07 10:45:10
    stats:
        replay-window 0 replay 0 failed 0
Thanks so much.
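Added example (not part of Alex's post, and not Libreswan or Shorewall code): a small parser for the policy half of `ip xfrm policy` output that answers the question the post is circling, namely whether a given flow is selected by any installed IPsec policy at all. The policies shown above only select 192.168.6.0/24 <-> 192.168.6.2/32, so a packet from the client to a 192.168.1.0/24 host, or a reply from that host back to the client, matches no policy and is never ESP-encapsulated; that is consistent with tcpdump showing no traffic for those pings. The sample output embedded below is constructed from the policy lines in the post (lifetime and limit lines dropped); function and type names are this example's own.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample: the `ip xfrm policy` lines from the post, trimmed to
# selector, direction and template (the parser ignores lifetime/limit lines).
SAMPLE_XFRM_POLICY = """\
src 192.168.6.0/24 dst 192.168.6.2/32 uid 0
    dir out action allow index 32617 priority 2084799 ptype main
    tmpl src 68.195.111.42 dst 172.58.238.253
        proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
src 192.168.6.2/32 dst 192.168.6.0/24 uid 0
    dir fwd action allow index 32610 priority 2084799 ptype main
    tmpl src 172.58.238.253 dst 68.195.111.42
        proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
src 192.168.6.2/32 dst 192.168.6.0/24 uid 0
    dir in action allow index 32600 priority 2084799 ptype main
    tmpl src 172.58.238.253 dst 68.195.111.42
        proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
"""


class XfrmPolicy(NamedTuple):
    src: ipaddress.IPv4Network   # traffic selector, source side
    dst: ipaddress.IPv4Network   # traffic selector, destination side
    direction: str               # "in", "out" or "fwd"
    action: str                  # "allow" or "block"
    mode: str                    # "tunnel" or "transport" from the tmpl line


SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")          # column 0 only
DIR_RE = re.compile(r"^\s+dir (\w+) action (\w+)")
MODE_RE = re.compile(r"^\s+proto \w+ .*\bmode (\w+)")


def parse_policies(text: str) -> List[XfrmPolicy]:
    """Turn `ip xfrm policy` text into a list of XfrmPolicy records.

    A record starts at an unindented "src ... dst ..." line; the indented
    "dir" and "proto ... mode" lines that follow fill in the rest.
    """
    policies: List[XfrmPolicy] = []
    cur = None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            if cur is not None:
                policies.append(XfrmPolicy(**cur))
            cur = {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "direction": "", "action": "", "mode": "",
            }
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["direction"], cur["action"] = m.group(1), m.group(2)
            continue
        m = MODE_RE.match(line)
        if m:
            cur["mode"] = m.group(1)
    if cur is not None:
        policies.append(XfrmPolicy(**cur))
    return policies


def covering_policies(policies: List[XfrmPolicy], src_ip: str,
                      dst_ip: str, direction: str) -> List[XfrmPolicy]:
    """Policies whose selector and direction match a src->dst packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [p for p in policies
            if p.direction == direction and s in p.src and d in p.dst]


def explain_flow(policies: List[XfrmPolicy], src_ip: str,
                 dst_ip: str, direction: str) -> str:
    """One-line verdict a defender can read off for a suspect flow."""
    hits = covering_policies(policies, src_ip, dst_ip, direction)
    if not hits:
        return (f"{direction}: {src_ip} -> {dst_ip} matches NO xfrm policy; "
                "it will be sent/received in the clear or dropped, never via ESP")
    p = hits[0]
    return (f"{direction}: {src_ip} -> {dst_ip} matches {p.src} -> {p.dst} "
            f"({p.action}, {p.mode})")


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_XFRM_POLICY)
    # Ping to the gateway itself: covered both ways.
    print(explain_flow(pols, "192.168.6.2", "192.168.6.1", "in"))
    print(explain_flow(pols, "192.168.6.1", "192.168.6.2", "out"))
    # Ping to a 192.168.1.0/24 host: not covered in either direction.
    print(explain_flow(pols, "192.168.6.2", "192.168.1.10", "fwd"))
    print(explain_flow(pols, "192.168.1.10", "192.168.6.2", "out"))
```

Running it against real output (`ip xfrm policy | python3 this_script.py` after swapping the sample for `sys.stdin.read()`) tells you immediately whether a leftsubnet/rightsubnet pair actually produced a selector that covers the network you are trying to reach, before you start chasing routes, NAT or firewall rules.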