[Swan] LibreSwan VPN Established | No Data Passing Through

Nick Howitt nick at howitts.co.uk
Wed Nov 23 12:48:44 EET 2022 


On 23/11/2022 05:03, Kumar P S Udai wrote:
> Hi Paul
> This was slightly confusing, because when I try to ping the HO(Europa) 
> machin's private IP (192.168.1.1), I get a destination host unreachable 
> message, all the while there was no change in the ESPout which remained 
> at 0. However when I tried to ping a particular machine within the HO 
> Lan such as 19.168.1.10, there is no reply, but the ESPout is going up 
> 1K, 3K, 5K and so on...
> 
> Thanks, Best Regards
> 
> Udaiai
Check your firewalling in your libreswan machines. I use the following:
     # Generic IPsec rules - normally you don't need the last two
     iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
     iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
     iptables -I POSTROUTING -t nat -m policy --dir out --pol ipsec  -j 
ACCEPT

Return traffic is allowed by default.

Also, when pinging 192.168.1.10, be careful if it is a Windoze box. The 
Windoze firewall will often be set up to block pings from outside its 
own LAN and your pings will have a source IP from the other LAN. In that 
case, you either temporarily stop the firewall or set up a rule to allow 
the remote LAN.

Nick
> 
> On Sun, 20 Nov 2022 at 04:54, Paul Wouters <paul at nohats.ca 
> <mailto:paul at nohats.ca>> wrote:
> 
>     Can you ping from that machine using its internal IP and see if
>     ESPout increases ?
> 
>     Sent using a virtual keyboard on a phone
> 
>>     On Nov 19, 2022, at 13:14, Kumar P S Udai <kumar.udai at zuwissen.com
>>     <mailto:kumar.udai at zuwissen.com>> wrote:
>>
>>     
>>     Hi Paul
>>     I tried the above step and a few other possibilities too, but
>>     there is no change in result
>>
>>     000 #8: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established
>>     IKE SA); EVENT_SA_REKEY in 26251s; newest ISAKMP; idle;
>>     000 #9: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA
>>     established); EVENT_SA_REKEY in 26637s; newest IPSEC; eroute
>>     owner; isakmp#8; idle;
>>     000 #9: "PLSUBNET" esp.1ef8c43f at 9.8.7.6
>>     <mailto:esp.1ef8c43f at 9.8.7.6> esp.1e4d5a5 at 10.10.128.100
>>     <mailto:esp.1e4d5a5 at 10.10.128.100> tun.0 at 9.8.7.6
>>     <mailto:tun.0 at 9.8.7.6> tun.0 at 10.10.128.100
>>     <mailto:tun.0 at 10.10.128.100> Traffic: ESPin=5KB ESPout=0B! ESPmax=0B
>>
>>     I use nftables on the machine and I added the equivalent command,
>>     but to no avail.  Also for an experiment's sake, I disabled the
>>     NAT function on that machine and kept only the filter ruleset, but
>>     even that did not change anything.
>>
>>     Thanks, best regards
>>
>>     Udai
>>
>>     On Fri, 18 Nov 2022 at 21:37, Paul Wouters <paul at nohats.ca
>>     <mailto:paul at nohats.ca>> wrote:
>>
>>         On Fri, 18 Nov 2022, Kumar P S Udai wrote:
>>
>>         > One is at the HO establishing connection to three other
>>         branch offices, while all three are
>>         > getting connected, at one branch office the public IP is not
>>         configured on the machine directly,
>>         > but on an external vendor's router.  Initially I had trouble
>>         establishing connection to this unit,
>>         > but after a lot of reading and config change, the connection
>>         is getting established now, but I
>>         > cannot ping or reach each other.  Attaching the config
>>         details FYI please.  Would appreciate any
>>         > help from the community.
>>
>>         > ON MACHINE PLUTO
>>
>>         > 000 #45: "PLSUBNET" esp.716c376b at 9.8.7.6
>>         <mailto:esp.716c376b at 9.8.7.6> esp.fdc71b0a at 10.10.128.100
>>         <mailto:esp.fdc71b0a at 10.10.128.100> tun.0 at 9.8.7.6
>>         <mailto:tun.0 at 9.8.7.6>
>>         > tun.0 at 10.10.128.100 <mailto:tun.0 at 10.10.128.100> Traffic:
>>         ESPin=1KB ESPout=0B! ESPmax=0B
>>
>>         Note traffic coming in, but no traffic going out.
>>
>>         > ON MACHINE EUROPA
>>
>>         > 000 #6276: "PLUTOSUBNET" esp.fdc71b0a at 1.2.3.4
>>         <mailto:esp.fdc71b0a at 1.2.3.4> esp.716c376b at 9.8.7.6
>>         <mailto:esp.716c376b at 9.8.7.6> tun.0 at 1.2.3.4
>>         <mailto:tun.0 at 1.2.3.4> tun.0 at 9.8.7.6 <mailto:tun.0 at 9.8.7.6>
>>         > Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
>>         > 000
>>
>>         traffic going out, but no traffic coming in.
>>
>>         I suspect that on machine PLUTO, there is a NAT rule that ends
>>         up NATing
>>         the traffic before it gets to be IPsec'ed
>>
>>         On PLUTO try:
>>
>>         iptables -I FORWARD -t nat -s 192.168.14.0/24
>>         <http://192.168.14.0/24>  -d 192.168.1.0/24
>>         <http://192.168.1.0/24> -j RETURN
>>
>>         Paul
>>
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan

More information about the Swan mailing list