[Swan] Road Warrior config
Paul Wouters
paul.wouters at aiven.io
Wed Aug 18 22:40:11 UTC 2021
On Mon, 16 Aug 2021, brendan kearney wrote:
> I have a road warrior config setup, and the tunnel establishes without
> issue. The problem I cannot track down is why the client never
> receives a reply (properly?). If I ping anything, or send any other
> traffic down the tunnel, I can see it on the "server" side. In the
> case of pings, I can see the response, but the client does not
> register the reply.
Check on the client what "ipsec trafficstatus" says? If you see
inBytes=0 then perhaps a client-side firewall is in the way.
You can check /proc/net/xfrm_stat for non-zero listings indicating
a problem with the IPsec policies or states.
> There are no firewalls in the path or running
> locally on either the client or the server. Where can I look for why
> traffic is not registering with the client (I believe it's actually
> getting to the client)?
Check and/or disable rp_filter?
> conn rac
> # Connection Parameters
> auto=add
> authby=secret
> #type=transport
> ikev2=insist
> ikelifetime=24h
> salifetime=1h
> rekey=yes
> fragmentation=yes
> compress=yes
> # Dead Peer Detection
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
> # Local Definitions
> left=%defaultroute
> #leftsubnet=0.0.0.0/0
> leftid=munin.bpk2.com
> leftmodecfgclient=yes
> # Remote Definitions
> right=router-ext.bpk2.com
> rightsubnet=0.0.0.0/0
> # Pull Configs from Remote
> modecfgpull=yes
I don't see narrowing=yes in the client config that would cause the
client to narrow to the IP address it gets from the server address
pool. So re-enable leftsubnet=0.0.0.0/0 and add narrowing=yes
> server config:
> # Remote Access Connection
> conn rac
> # Configuration Parameters
> auto=add
> authby=secret
> #type=transport
> ikelifetime=24h
> salifetime=1h
> ikev2=insist
> rekey=yes
> fragmentation=yes
> compress=yes
> # Dead Peer Detection
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
> # Local Definitions
> left=192.168.152.254
> leftsubnet=0.0.0.0/0
> #leftid=ipsec.bpk2.com
> leftid=router-ext.bpk2.com
> # Remote Definitions
> right=%any
> rightid=%any
> #rightsubnet=vhost:%priv,%no
> #rightsubnet=0.0.0.0/0
> rightaddresspool=192.168.152.50-192.168.152.99
If you are handing out IPs from the local LAN network, that does
complicate routing a bit if you are trying to reach other
resources in the LAN. If you only care about getting an IP and
internet access that is okay. Otherwise I would recommend picking
another range for the addresspool, like 100.64.0.0/16 as addresspool.
That also clearly separates NAT for the addresspool and your LAN.
Paul
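The client-side checks Paul lists above (inBytes in "ipsec trafficstatus", non-zero /proc/net/xfrm_stat counters, rp_filter, and the missing narrowing=yes), written up as an added example script that is not from the thread or from the Libreswan project. Each check is a function over captured text so it can be run against saved output; the sample trafficstatus line, xfrm_stat counters and conn snippet are constructed, and the exact trafficstatus line layout is an assumption.

```shell
#!/bin/sh
# Added triage script (not from the mailing-list thread). Functions take the
# tool output on stdin so they work on saved captures as well as live data.

# 0 if the trafficstatus line for conn $1 shows inBytes=0: traffic leaves,
# nothing is decrypted on the way back (suspect local firewall / rp_filter).
inbytes_zero() {
    grep "\"$1\"" | grep -Eq 'inBytes=0(,|$)'
}

# Print every non-zero counter from /proc/net/xfrm_stat; any hit indicates
# IPsec policy/state trouble (e.g. XfrmInNoPols, XfrmInTmplMismatch).
xfrm_nonzero() {
    awk '$2 != 0 { print $1 "=" $2 }'
}

# 0 if an rp_filter sysctl value is strict (1). 0 = off, 2 = loose.
rp_filter_strict() {
    [ "$1" = "1" ]
}

# 0 if the conn text on stdin lacks narrowing=yes, which the client needs
# to narrow leftsubnet=0.0.0.0/0 down to its addresspool lease.
narrowing_missing() {
    ! grep -q '^[[:space:]]*narrowing=yes'
}

# --- constructed sample input mimicking the tools' output (assumed format) ---
SAMPLE_TS='#2: "rac", type=ESP, add_time=1629326411, inBytes=0, outBytes=1680, id=@router-ext.bpk2.com'
SAMPLE_XFRM='XfrmInError 0
XfrmInNoPols 12
XfrmInTmplMismatch 0
XfrmOutNoStates 0'
SAMPLE_CONN='conn rac
    left=%defaultroute
    leftmodecfgclient=yes
    rightsubnet=0.0.0.0/0'

# Live run when the tools are present; otherwise demonstrate on the samples.
if command -v ipsec >/dev/null 2>&1 && [ -r /proc/net/xfrm_stat ]; then
    ipsec trafficstatus | inbytes_zero rac && echo "inBytes=0: check firewall/rp_filter"
    xfrm_nonzero < /proc/net/xfrm_stat
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        rp_filter_strict "$(cat "$f")" && echo "strict rp_filter: $f"
    done
else
    printf '%s\n' "$SAMPLE_TS" | inbytes_zero rac && echo "sample: inBytes=0"
    printf '%s\n' "$SAMPLE_XFRM" | xfrm_nonzero
    printf '%s\n' "$SAMPLE_CONN" | narrowing_missing && echo "sample: narrowing=yes missing"
fi
```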