[Swan] LibreSwan VPN Established | No Data Passing Through

Nick Howitt nick at howitts.co.uk
Fri Nov 18 18:58:00 EET 2022



On 18/11/2022 16:07, Paul Wouters wrote:
> 
> On Fri, 18 Nov 2022, Kumar P S Udai wrote:
> 
>> One is at the HO establishing connection to three other branch 
>> offices, while all three are
>> getting connected, at one branch office the public IP is not 
>> configured on the machine directly,
>> but on an external vendor's router.  Initially I had trouble 
>> establishing connection to this unit,
>> but after a lot of reading and config change, the connection is 
>> getting established now, but I
>> cannot ping or reach each other.  Attaching the config details FYI 
>> please.  Would appreciate any
>> help from the community.
> 
>> ON MACHINE PLUTO
> 
>> 000 #45: "PLSUBNET" esp.716c376b at 9.8.7.6 esp.fdc71b0a at 10.10.128.100 
>> tun.0 at 9.8.7.6
>> tun.0 at 10.10.128.100 Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
> 
> Note traffic coming in, but no traffic going out.
> 
>> ON MACHINE EUROPA
> 
>> 000 #6276: "PLUTOSUBNET" esp.fdc71b0a at 1.2.3.4 esp.716c376b at 9.8.7.6 
>> tun.0 at 1.2.3.4 tun.0 at 9.8.7.6
>> Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
>> 000
> 
> Traffic going out, but no traffic coming in.
> 
> I suspect that on machine PLUTO, there is a NAT rule that ends up NATing
> the traffic before it gets to be IPsec'ed.
> 
> On PLUTO try:
> 
> iptables -I FORWARD -t nat -s 192.168.14.0/24  -d 192.168.1.0/24 -j RETURN
> 
Don't you want the POSTROUTING rule from 
https://libreswan.org/wiki/FAQ#NAT_.2B_IPsec_is_not_working? I don't 
believe there is a FORWARD chain in the nat table.

If you want a FORWARD rule as well, you can use the generic:
iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT

Then you don't have to bother about subnets.

Nick
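Added example, not part of this thread: a small Python parser for the Traffic counters that ipsec status prints for each established SA, classifying each end the way Paul reads the two status lines above (receive-only on PLUTO, send-only on EUROPA). It assumes the status lines are unwrapped and that the archive's " at " has been restored to "@"; the sample lines are constructed from the thread.

```python
import re
from typing import Dict, NamedTuple

# Counters printed by `ipsec status` for an established SA, e.g.
# 000 #45: "PLSUBNET" esp.716c376b@9.8.7.6 ... Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
# (the mail shows these lines wrapped; `ipsec status` prints each on one line)
SA_RE = re.compile(r'"(?P<name>[^"]+)".*Traffic:\s+ESPin=(?P<inb>\S+)\s+ESPout=(?P<out>\S+)')
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

class Counters(NamedTuple):
    esp_in: int   # bytes received and decrypted on this SA
    esp_out: int  # bytes encrypted and sent on this SA

def parse_size(token: str) -> int:
    """'1KB' -> 1024, '0B!' -> 0 (the '!' marks the most recently updated counter)."""
    m = re.fullmatch(r"(\d+)([KMG]?B)!?", token)
    if not m:
        raise ValueError(f"unrecognised counter {token!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_status(output: str) -> Dict[str, Counters]:
    """Map connection name -> Counters for every SA line that carries Traffic counters."""
    sas = {}
    for line in output.splitlines():
        m = SA_RE.search(line)
        if m:
            sas[m.group("name")] = Counters(parse_size(m.group("inb")), parse_size(m.group("out")))
    return sas

def diagnose(c: Counters) -> str:
    """Classify one end's counters; the two one-way cases are the symptom discussed above."""
    if c.esp_in and c.esp_out:
        return "bidirectional"
    if c.esp_in and not c.esp_out:
        # The peer's ESP arrives and decrypts, but nothing local is ever encrypted:
        # plaintext is leaving by another path, typically a NAT rule applied before IPsec.
        return "receive-only: check local NAT/masquerade rules and the IPsec policy match"
    if c.esp_out and not c.esp_in:
        return "send-only: the peer never sends ESP; diagnose the peer end"
    return "idle: no traffic in either direction yet"

# Constructed sample: the two status lines from the thread, unwrapped (addresses as posted).
PLUTO = '000 #45: "PLSUBNET" esp.716c376b@9.8.7.6 esp.fdc71b0a@10.10.128.100 tun.0@9.8.7.6 tun.0@10.10.128.100 Traffic: ESPin=1KB ESPout=0B! ESPmax=0B'
EUROPA = '000 #6276: "PLUTOSUBNET" esp.fdc71b0a@1.2.3.4 esp.716c376b@9.8.7.6 tun.0@1.2.3.4 tun.0@9.8.7.6 Traffic: ESPin=0B ESPout=1KB! ESPmax=0B'

if __name__ == "__main__":
    for host, out in (("PLUTO", PLUTO), ("EUROPA", EUROPA)):
        for name, c in parse_status(out).items():
            print(f"{host} {name}: in={c.esp_in}B out={c.esp_out}B -> {diagnose(c)}")
```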

