[Swan] LibreSwan VPN Established | No Data Passing Through

[Paul Wouters]

Yes 😀

Sent using a virtual keyboard on a phone

> On Nov 18, 2022, at 11:58, Nick Howitt <nick at howitts.co.uk> wrote:
> 
> 
> 
>> On 18/11/2022 16:07, Paul Wouters wrote:
>>> On Fri, 18 Nov 2022, Kumar P S Udai wrote:
>>> One is at the HO establishing connection to three other branch offices, while all three are
>>> getting connected, at one branch office the public IP is not configured on the machine directly,
>>> but on an external vendor's router.  Initially I had trouble establishing connection to this unit,
>>> but after a lot of reading and config change, the connection is getting established now, but I
>>> cannot ping or reach each other.  Attaching the config details FYI please.  Would appreciate any
>>> help from the community.
>>> ON MACHINE PLUTO
>>> 000 #45: "PLSUBNET" esp.716c376b at 9.8.7.6 esp.fdc71b0a at 10.10.128.100 tun.0 at 9.8.7.6
>>> tun.0 at 10.10.128.100 Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
>> Note traffic coming in, but no traffic going out.
>>> ON MACHINE EUROPA
>>> 000 #6276: "PLUTOSUBNET" esp.fdc71b0a at 1.2.3.4 esp.716c376b at 9.8.7.6 tun.0 at 1.2.3.4 tun.0 at 9.8.7.6
>>> Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
>>> 000
>> traffic going out, but no traffic coming in.
>> I suspect that on machine PLUTO, there is a NAT rule that ends up NATing
>> the traffic before it gets to be IPsec'ed
>> On PLUTO try:
>> iptables -I FORWARD -t nat -s 192.168.14.0/24  -d 192.168.1.0/24 -j RETURN
> Don't you want the POSTROUTING rule from https://libreswan.org/wiki/FAQ#NAT_.2B_IPsec_is_not_working? I don't believe there is a FORWARD chain in the nat table.
> 
> If you want a FORWARD rule as well, you can use the generic:
> iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> 
> Then you don't have to bother about subnets.
> 
> Nick
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan