[Swan] Road Warrior config

Paul Wouters paul.wouters at aiven.io
Wed Aug 18 22:40:11 UTC 2021


On Mon, 16 Aug 2021, brendan kearney wrote:

> I have a road warrior config setup, and the tunnel establishes without
> issue.  the problem i cannot track down is why the client never
> receives a reply (properly?).  if i ping anything, or send any other
> traffic down the tunnel, i can see it on the "server" side.  in the
> case of pings, i can see the response, but the client does not
> register the reply.

Check on the client what "ipsec trafficstatus" says? If you see
inBytes=0 then perhaps a client side firewall is in the way.

You can check /proc/net/xfrm_stat for non-zero listings indicating
a problem with the IPsec policies or states.

>  there are no firewalls in the path or running
> locally on either the client or the server.  where can i look for why
> traffic is not registering with the client (i believe its actually
> getting to the client)?

Check and /or disable rp_filter ?

> conn rac
>    # Connection Parameters
>    auto=add
>    authby=secret
>    #type=transport
>    ikev2=insist
>    ikelifetime=24h
>    salifetime=1h
>    rekey=yes
>    fragmentation=yes
>    compress=yes
>    # Dead Peer Detection
>    dpddelay=30
>    dpdtimeout=120
>    dpdaction=clear
>    # Local Definitions
>    left=%defaultroute
>    #leftsubnet=0.0.0.0/0
>    leftid=munin.bpk2.com
>    leftmodecfgclient=yes
>    # Remote Definitions
>    right=router-ext.bpk2.com
>    rightsubnet=0.0.0.0/0
>    # Pull Configs from Remote
>    modecfgpull=yes

I don't see narrowing=yes in the client config that would cause the
client to narrow to the IP address it gets from the server address
pool. So re-enable leftsubnet=0.0.0.0/0 and add narrowing=yes.

> server config:
> # Remote Access Connection
> conn rac
>    # Configuration Parameters
>    auto=add
>    authby=secret
>    #type=transport
>    ikelifetime=24h
>    salifetime=1h
>    ikev2=insist
>    rekey=yes
>    fragmentation=yes
>    compress=yes
>    # Dead Peer Detection
>    dpddelay=30
>    dpdtimeout=120
>    dpdaction=clear
>    # Local Definitions
>    left=192.168.152.254
>    leftsubnet=0.0.0.0/0
>    #leftid=ipsec.bpk2.com
>    leftid=router-ext.bpk2.com
>    # Remote Definitions
>    right=%any
>    rightid=%any
>    #rightsubnet=vhost:%priv,%no
>    #rightsubnet=0.0.0.0/0
>    rightaddresspool=192.168.152.50-192.168.152.99

If you are handing out IPs from the local LAN network, that does
complicate routing a bit if you are trying to reach other
resources in the LAN. If you only care about getting an IP and
internet access that is okay. Otherwise I would recommend picking
another range for the addresspool, like 100.64.0.0/16 as addresspool.

That also clearly separates NAT for the addresspool and your LAN.

Paul
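As an added example (not from this thread or from the Libreswan project), a small Python triage script that applies the three checks from this reply to constructed sample output: `ipsec trafficstatus` lines with inBytes=0, non-zero counters in /proc/net/xfrm_stat, and interfaces with strict rp_filter. The exact output line formats, counter values and interface names are assumptions.

```python
import re

# Constructed sample of `ipsec trafficstatus` on the client (format approximated).
TRAFFICSTATUS = """006 #2: "rac", type=ESP, add_time=1629326411, inBytes=0, outBytes=1312, id='@router-ext.bpk2.com', lease=192.168.152.50/32
"""

# Constructed sample of /proc/net/xfrm_stat with one non-zero counter.
XFRM_STAT = """XfrmInError                  	0
XfrmInBufferError            	0
XfrmInNoStates               	0
XfrmInStateProtoError        	0
XfrmInTmplMismatch           	17
XfrmInNoPols                 	0
XfrmOutPolBlock              	0
"""

# Constructed rp_filter values as read from /proc/sys/net/ipv4/conf/<iface>/rp_filter.
RP_FILTER = {"all": "1", "default": "1", "eth0": "1"}


def zero_inbound_sas(trafficstatus):
    """Return the names of connections whose ESP SA shows inBytes=0."""
    found = []
    for line in trafficstatus.splitlines():
        m = re.search(r'"([^"]+)".*\binBytes=(\d+)', line)
        if m and int(m.group(2)) == 0:
            found.append(m.group(1))
    return found


def nonzero_xfrm_counters(xfrm_stat):
    """Return {counter: value} for every non-zero line of /proc/net/xfrm_stat."""
    out = {}
    for line in xfrm_stat.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit() and int(parts[1]) != 0:
            out[parts[0]] = int(parts[1])
    return out


def strict_rp_filter_ifaces(rp_filter):
    """Return interfaces whose rp_filter is 1 (strict), which can drop
    decapsulated replies whose return route differs from the inbound path."""
    return sorted(i for i, v in rp_filter.items() if v.strip() == "1")


if __name__ == "__main__":
    print("SAs with inBytes=0:", zero_inbound_sas(TRAFFICSTATUS))
    print("non-zero xfrm counters:", nonzero_xfrm_counters(XFRM_STAT))
    print("strict rp_filter on:", strict_rp_filter_ifaces(RP_FILTER))
```

On a real client, feed the functions the live output of `ipsec trafficstatus`, the contents of /proc/net/xfrm_stat, and the per-interface rp_filter sysctl values instead of the constructed constants.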
