[Swan] LibreSwan VPN Established | No Data Passing Through
Paul Wouters
paul at nohats.ca
Sun Nov 20 01:24:07 EET 2022
Can you ping from that machine using its internal IP and see if ESPout increases?
Sent using a virtual keyboard on a phone
> On Nov 19, 2022, at 13:14, Kumar P S Udai <kumar.udai at zuwissen.com> wrote:
>
>
> Hi Paul
> I tried the above step and a few other possibilities too, but there is no change in the result.
>
> 000 #8: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 26251s; newest ISAKMP; idle;
> 000 #9: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 26637s; newest IPSEC; eroute owner; isakmp#8; idle;
> 000 #9: "PLSUBNET" esp.1ef8c43f@9.8.7.6 esp.1e4d5a5@10.10.128.100 tun.0@9.8.7.6 tun.0@10.10.128.100 Traffic: ESPin=5KB ESPout=0B! ESPmax=0B
>
> I use nftables on the machine and I added the equivalent command, but to no avail. Also for an experiment's sake, I disabled the NAT function on that machine and kept only the filter ruleset, but even that did not change anything.
>
> Thanks, best regards
>
> Udai
>
>> On Fri, 18 Nov 2022 at 21:37, Paul Wouters <paul at nohats.ca> wrote:
>> On Fri, 18 Nov 2022, Kumar P S Udai wrote:
>>
>> > One is at the HO establishing connections to three other branch offices. All three are
>> > getting connected, but at one branch office the public IP is not configured on the machine directly;
>> > it is on an external vendor's router. Initially I had trouble establishing a connection to this unit,
>> > but after a lot of reading and config changes the connection is now getting established. However, we
>> > cannot ping or reach each other. Attaching the config details FYI please. Would appreciate any
>> > help from the community.
>>
>> > ON MACHINE PLUTO
>>
>> > 000 #45: "PLSUBNET" esp.716c376b@9.8.7.6 esp.fdc71b0a@10.10.128.100 tun.0@9.8.7.6
>> > tun.0@10.10.128.100 Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
>>
>> Note traffic coming in, but no traffic going out.
>>
>> > ON MACHINE EUROPA
>>
>> > 000 #6276: "PLUTOSUBNET" esp.fdc71b0a@1.2.3.4 esp.716c376b@9.8.7.6 tun.0@1.2.3.4 tun.0@9.8.7.6
>> > Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
>>
>> Traffic going out, but no traffic coming in.
>>
>> I suspect that on machine PLUTO there is a NAT rule that ends up NATing
>> the traffic before it gets to be IPsec'ed.
>>
>> On PLUTO try:
>>
>> iptables -t nat -I POSTROUTING -s 192.168.14.0/24 -d 192.168.1.0/24 -j RETURN
>>
>> Paul
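As an added example (not code from this thread or from libreswan), the following POSIX shell script parses the "Traffic:" counters from status lines like the ones quoted above to tell "receives but never sends" (no-tx) from "sends but never receives" (no-rx), and prints the NAT-exclusion rule both as the iptables command and as an nftables equivalent. The two status lines are constructed after the PLUTO and EUROPA output quoted above, with the "@" that the archive rendered as " at " restored; the nftables table and chain names ("ip nat postrouting") and the two subnets are assumptions taken from the thread, not from any real ruleset.

```shell
#!/bin/sh
# Added example: diagnose one-way ESP traffic from libreswan status output
# and print the NAT-exclusion rule that keeps tunnel traffic out of the
# SNAT/MASQUERADE rule. Not code from the thread or from libreswan.

# Constructed sample lines (shape of "ipsec status" / "ipsec trafficstatus"
# output as quoted in the thread; "@" restored where the archive wrote " at ").
PLUTO_LINE='000 #9: "PLSUBNET" esp.1ef8c43f@9.8.7.6 esp.1e4d5a5@10.10.128.100 tun.0@9.8.7.6 tun.0@10.10.128.100 Traffic: ESPin=5KB ESPout=0B! ESPmax=0B'
EUROPA_LINE='000 #6276: "PLUTOSUBNET" esp.fdc71b0a@1.2.3.4 esp.716c376b@9.8.7.6 tun.0@1.2.3.4 tun.0@9.8.7.6 Traffic: ESPin=0B ESPout=1KB! ESPmax=0B'

# esp_counter LINE NAME -> the value of the named counter (ESPin or ESPout),
# e.g. "5KB", with the trailing "!" marker that libreswan appends stripped.
esp_counter() {
    printf '%s\n' "$1" | sed -n "s/.*${2}=\([0-9A-Za-z]*\).*/\1/p"
}

# esp_verdict LINE -> one of: idle, ok, no-tx, no-rx
#   no-tx : ESP arrives and decrypts here, but nothing is encrypted on the
#           way out (the PLUTO symptom: a rule, typically NAT, diverts the
#           cleartext before the IPsec policy can claim it)
#   no-rx : we encrypt and send, but nothing comes back (the EUROPA symptom)
esp_verdict() {
    esp_rx=$(esp_counter "$1" ESPin)
    esp_tx=$(esp_counter "$1" ESPout)
    case "${esp_rx}:${esp_tx}" in
        0B:0B) echo idle ;;
        0B:*)  echo no-rx ;;
        *:0B)  echo no-tx ;;
        *)     echo ok ;;
    esac
}

# nat_exclude_iptables LEFTNET RIGHTNET -> the iptables rule. The nat table
# has no FORWARD chain; SNAT/MASQUERADE runs in POSTROUTING, so the RETURN
# is inserted (-I) at the top of that chain to fire before the NAT rule.
nat_exclude_iptables() {
    printf 'iptables -t nat -I POSTROUTING -s %s -d %s -j RETURN\n' "$1" "$2"
}

# nat_exclude_nft LEFTNET RIGHTNET -> the nftables equivalent. Table and
# chain names are assumptions; "return" in a base chain stops rule
# processing there, so the packet leaves postrouting without being NATed.
nat_exclude_nft() {
    printf 'nft insert rule ip nat postrouting ip saddr %s ip daddr %s return\n' "$1" "$2"
}

# Stand-alone run: classify both sides, then print the rules for PLUTO.
echo "PLUTO : $(esp_verdict "$PLUTO_LINE")"
echo "EUROPA: $(esp_verdict "$EUROPA_LINE")"
nat_exclude_iptables 192.168.14.0/24 192.168.1.0/24
nat_exclude_nft      192.168.14.0/24 192.168.1.0/24
```

To repeat the check Paul asks for, ping from PLUTO with the source bound to a LAN address (iputils: `ping -I <address in 192.168.14.0/24> <host in 192.168.1.0/24>`), rerun `ipsec trafficstatus`, and feed the new line to esp_verdict; if it still says no-tx with the RETURN rule ahead of the masquerade rule, the NAT table is not what is eating the traffic.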