[Swan] Road Warrior config

Paul Wouters paul at nohats.ca
Mon Aug 30 20:40:10 UTC 2021


On Mon, 30 Aug 2021, brendan kearney wrote:

> On Mon, Aug 16, 2021, 2:05 PM brendan kearney <bpk678 at gmail.com> wrote:
>       I have a road warrior config setup, and the tunnel establishes without
>       issue.  the problem i cannot track down is why the client never
>       receives a reply (properly?).  if i ping anything, or send any other
>       traffic down the tunnel, i can see it on the "server" side.  in the
>       case of pings, i can see the response, but the client does not
>       register the reply.  there are no firewalls in the path or running
>       locally on either the client or the server.  where can i look for why
>       traffic is not registering with the client (i believe its actually
>       getting to the client)?

Are you also sure there is no NAT happening for the traffic? My guess is
that because the below config is going to use the client's public IP, you
are accidentally NATing things.

>       client config:
>       # Remote Access Connection
>       conn rac
>           # Connection Parameters
>           auto=add
>           authby=secret
>           #type=transport
>           ikev2=insist
>           ikelifetime=24h
>           salifetime=1h
>           rekey=yes
>           fragmentation=yes
>           compress=yes
>           # Dead Peer Detection
>           dpddelay=30
>           dpdtimeout=120
>           dpdaction=clear
>           # Local Definitions
>           left=%defaultroute
>           #leftsubnet=0.0.0.0/0
>           leftid=munin.bpk2.com
>           leftmodecfgclient=yes
>           # Remote Definitions
>           right=router-ext.bpk2.com
>           rightsubnet=0.0.0.0/0
>           # Pull Configs from Remote
>           modecfgpull=yes

I am missing leftsubnet=0.0.0.0/0 and narrowing=yes to ensure the client
gets a dynamic IP from the server's addresspool.

>       server config:
>       # Remote Access Connection
>       conn rac
>           # Configuration Parameters
>           auto=add
>           authby=secret
>           #type=transport
>           ikelifetime=24h
>           salifetime=1h
>           ikev2=insist
>           rekey=yes
>           fragmentation=yes
>           compress=yes

Don't use compress=yes

>           # Dead Peer Detection
>           dpddelay=30
>           dpdtimeout=120
>           dpdaction=clear
>           # Local Definitions
>           left=192.168.152.254
>           leftsubnet=0.0.0.0/0
>           #leftid=ipsec.bpk2.com
>           leftid=router-ext.bpk2.com
>           # Remote Definitions
>           right=%any
>           rightid=%any
>           #rightsubnet=vhost:%priv,%no
>           #rightsubnet=0.0.0.0/0
>           rightaddresspool=192.168.152.50-192.168.152.99
>           # Push Configs to Remote
>           modecfgdns=192.168.120.254
>           modecfgdomains=bpk2.com

Ensure that 192.168.152.50-192.168.152.99 would be properly routed or
NATed depending on what you want to accomplish. If you just want
the vpn client to get "internet access", you need to SNAT or MASQUERADE
the traffic with these source IPs.

Paul
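The three points of the reply above (client conn missing leftsubnet=0.0.0.0/0 and narrowing=yes, compress=yes on both sides, and an addresspool that still needs a route or a MASQUERADE rule) written out as a small linter over the quoted conns. This is an added example, not libreswan's own code and not something the poster ran: the conns are trimmed copies of the configs quoted above, the "fixed" client conn simply applies the reply's suggestions, and the egress interface name eth0 plus the existence of an nftables `ip nat` table with a `postrouting` chain are assumptions for the suggested rule.

```python
"""Lint libreswan ipsec.conf road-warrior conns for the pitfalls raised in the
reply above.  Added illustration, not libreswan code."""
import re


def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn NAME' section.
    '#' starts a comment, so a commented-out '#leftsubnet=...' is dropped,
    just as libreswan ignores it."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def nat_rule(pool, egress_if):
    """nftables rule that MASQUERADEs addresspool traffic leaving via egress_if.
    Assumes an 'ip nat' table with a 'postrouting' chain exists; the interface
    name is a hypothetical placeholder for the server's uplink."""
    return (f"nft add rule ip nat postrouting ip saddr {pool} "
            f'oifname "{egress_if}" masquerade')


def lint(conn, egress_if="eth0"):
    """Return a list of findings for one parsed conn (empty list = nothing to do)."""
    findings = []
    if conn.get("compress") == "yes":
        findings.append("drop compress=yes")
    # A modecfg client must offer 0.0.0.0/0 and allow narrowing, otherwise it
    # proposes its own (public) IP instead of taking a pool address.
    if conn.get("leftmodecfgclient") == "yes" or conn.get("modecfgpull") == "yes":
        if conn.get("leftsubnet") != "0.0.0.0/0":
            findings.append("client: add leftsubnet=0.0.0.0/0")
        if conn.get("narrowing") != "yes":
            findings.append("client: add narrowing=yes")
    pool = conn.get("rightaddresspool")
    if pool:  # pool addresses must be routed back, or NATed for internet access
        findings.append(f"server: route or NAT {pool}, e.g. {nat_rule(pool, egress_if)}")
    return findings


# Trimmed from the client conn quoted above (timers and DPD omitted).
CLIENT_ORIG = """\
conn rac
    auto=add
    authby=secret
    ikev2=insist
    compress=yes
    left=%defaultroute
    #leftsubnet=0.0.0.0/0
    leftid=munin.bpk2.com
    leftmodecfgclient=yes
    right=router-ext.bpk2.com
    rightsubnet=0.0.0.0/0
    modecfgpull=yes
"""

# The same conn with the reply's suggestions applied.
CLIENT_FIXED = CLIENT_ORIG.replace("    compress=yes\n", "").replace(
    "    #leftsubnet=0.0.0.0/0\n", "    leftsubnet=0.0.0.0/0\n    narrowing=yes\n")

# Trimmed from the server conn quoted above.
SERVER = """\
conn rac
    auto=add
    authby=secret
    ikev2=insist
    compress=yes
    left=192.168.152.254
    leftsubnet=0.0.0.0/0
    leftid=router-ext.bpk2.com
    right=%any
    rightid=%any
    rightaddresspool=192.168.152.50-192.168.152.99
    modecfgdns=192.168.120.254
    modecfgdomains=bpk2.com
"""

if __name__ == "__main__":
    for label, text in (("client", CLIENT_ORIG), ("client-fixed", CLIENT_FIXED), ("server", SERVER)):
        for finding in lint(parse_conns(text)["rac"]):
            print(f"{label}: {finding}")
```

Run it against the real /etc/ipsec.conf by passing the file contents to `parse_conns`; the server finding is always emitted for a conn with an addresspool, because whether the pool is routed or NATed is decided outside ipsec.conf.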

