[Swan] LibreSwan VPN Established | No Data Passing Through

Kumar P S Udai kumar.udai at zuwissen.com
Wed Nov 23 07:03:16 EET 2022


Hi Paul
This was slightly confusing, because when I try to ping the HO (Europa)
machine's private IP (192.168.1.1), I get a destination host unreachable
message, all the while there was no change in the ESPout which remained at
0. However, when I tried to ping a particular machine within the HO LAN such
as 19.168.1.10, there is no reply, but the ESPout is going up 1K, 3K, 5K
and so on...

Thanks, Best Regards

Udai

On Sun, 20 Nov 2022 at 04:54, Paul Wouters <paul at nohats.ca> wrote:

> Can you ping from that machine using its internal IP and see if ESPout
> increases ?
>
> Sent using a virtual keyboard on a phone
>
> On Nov 19, 2022, at 13:14, Kumar P S Udai <kumar.udai at zuwissen.com> wrote:
>
> 
> Hi Paul
> I tried the above step and a few other possibilities too, but there is no
> change in result
>
> 000 #8: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 26251s; newest ISAKMP; idle;
> 000 #9: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 26637s; newest IPSEC; eroute owner; isakmp#8; idle;
> 000 #9: "PLSUBNET" esp.1ef8c43f at 9.8.7.6 esp.1e4d5a5 at 10.10.128.100 tun.0 at 9.8.7.6 tun.0 at 10.10.128.100 Traffic: ESPin=5KB ESPout=0B! ESPmax=0B
>
> I use nftables on the machine and I added the equivalent command, but to
> no avail.  Also for an experiment's sake, I disabled the NAT function on
> that machine and kept only the filter ruleset, but even that did not change
> anything.
>
> Thanks, best regards
>
> Udai
>
> On Fri, 18 Nov 2022 at 21:37, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Fri, 18 Nov 2022, Kumar P S Udai wrote:
>>
>> > One is at the HO establishing connection to three other branch offices,
>> > while all three are getting connected, at one branch office the public IP
>> > is not configured on the machine directly, but on an external vendor's
>> > router.  Initially I had trouble establishing connection to this unit,
>> > but after a lot of reading and config change, the connection is getting
>> > established now, but I cannot ping or reach each other.  Attaching the
>> > config details FYI please.  Would appreciate any help from the community.
>>
>> > ON MACHINE PLUTO
>>
>> > 000 #45: "PLSUBNET" esp.716c376b at 9.8.7.6 esp.fdc71b0a at 10.10.128.100
>> > tun.0 at 9.8.7.6 tun.0 at 10.10.128.100 Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
>>
>> Note traffic coming in, but no traffic going out.
>>
>> > ON MACHINE EUROPA
>>
>> > 000 #6276: "PLUTOSUBNET" esp.fdc71b0a at 1.2.3.4 esp.716c376b at 9.8.7.6
>> > tun.0 at 1.2.3.4 tun.0 at 9.8.7.6 Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
>> > 000
>>
>> Traffic going out, but no traffic coming in.
>>
>> I suspect that on machine PLUTO, there is a NAT rule that ends up NATing
>> the traffic before it gets to be IPsec'ed.
>>
>> On PLUTO try:
>>
>> iptables -t nat -I POSTROUTING -s 192.168.14.0/24 -d 192.168.1.0/24 -j RETURN
>>
>> Paul
>>
>
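The diagnosis Paul applies above (ESPin climbing while ESPout stays at 0 on one side, the mirror image on the other) can be automated over `ipsec status` output. The following parser is an added example, not code from the thread or from libreswan; it assumes the Traffic line format shown in the quoted status output and a B/KB/MB/GB suffix set, and it uses constructed copies of the two status lines from the thread (with `@` restored where the list archive printed ` at `).

```python
import re
from typing import Dict, List, Optional

# Matches the Traffic: fragment of a libreswan status line, e.g.
#   ... "PLSUBNET" ... Traffic: ESPin=5KB ESPout=0B! ESPmax=0B
# The B/KB/MB/GB suffix set is an assumption based on the lines in this thread.
TRAFFIC_RE = re.compile(
    r'"(?P<conn>[^"]+)".*?Traffic:\s+ESPin=(?P<in>\d+)(?P<inu>[KMG]?B)!?'
    r'\s+ESPout=(?P<out>\d+)(?P<outu>[KMG]?B)!?'
)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

def parse_traffic(line: str) -> Optional[Dict[str, object]]:
    """Return conn name and ESPin/ESPout in bytes, or None for non-Traffic lines."""
    m = TRAFFIC_RE.search(line)
    if not m:
        return None
    return {"conn": m.group("conn"),
            "espin": int(m.group("in")) * UNITS[m.group("inu")],
            "espout": int(m.group("out")) * UNITS[m.group("outu")]}

def diagnose(line: str) -> Optional[str]:
    """'ok' = both directions; 'no-egress' = peer data arrives but nothing is
    sent (local NAT/routing before IPsec is the usual cause); 'no-ingress' =
    the mirror image; 'idle' = no traffic yet; None = not a Traffic line."""
    t = parse_traffic(line)
    if t is None:
        return None
    if t["espin"] and t["espout"]:
        return "ok"
    if t["espin"]:
        return "no-egress"
    if t["espout"]:
        return "no-ingress"
    return "idle"

def report(lines: List[str]) -> Dict[str, str]:
    """Map connection name -> diagnosis for every Traffic line in `lines`."""
    return {parse_traffic(ln)["conn"]: diagnose(ln) for ln in lines if diagnose(ln)}

# Constructed copies of the two status lines quoted in the thread.
SAMPLE_STATUS = [
    '000 #9: "PLSUBNET" esp.1ef8c43f@9.8.7.6 esp.1e4d5a5@10.10.128.100 '
    'tun.0@9.8.7.6 tun.0@10.10.128.100 Traffic: ESPin=5KB ESPout=0B! ESPmax=0B',
    '000 #6276: "PLUTOSUBNET" esp.fdc71b0a@1.2.3.4 esp.716c376b@9.8.7.6 '
    'tun.0@1.2.3.4 tun.0@9.8.7.6 Traffic: ESPin=0B ESPout=1KB! ESPmax=0B',
]
```

Feed it the output of `ipsec status` (or `ipsec trafficstatus`) line by line; a `no-egress` verdict on one end paired with `no-ingress` on the peer points at the local NAT or routing path rather than at the IKE negotiation.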