[Swan] Tunnel is up, but getting udp port xxxx unreachable
Brendan Kearney
bpk678 at gmail.com
Wed Dec 21 20:19:38 EET 2022
List members,
I am working on some tunnels, and in all cases I can get the tunnel to
come up, but replies seem to be rejected. In my road warrior config, the
connecting client is seen replying with ICMP udp port unreachable messages:
[root at vpn ipsec.d]# tcpdump -n -s0 -i bond0 host 192.168.152.50
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:07:31.560280 IP 192.168.152.50.54837 > 192.168.120.254.domain: 20531+ A? relp.bpk2.com. (31)
13:07:31.561120 IP 192.168.120.254.domain > 192.168.152.50.54837: 20531* 1/0/0 A 192.168.120.4 (47)
13:07:31.561201 IP 192.168.152.50 > 192.168.120.254: ICMP 192.168.152.50 udp port 54837 unreachable, length 83
The client, 192.168.152.50, is trying to look up a logging destination
against the DNS server. The DNS server replies with the address, and then
comes the ICMP port unreachable message. I have a sneaking suspicion that the
ICMP message is coming from the VPN server, and not the VPN client,
because there is some config option I am missing.
I have forwarding turned on in sysctl, and ICMP redirects turned off.
Additionally, source route verification is set to "loose"
(net.ipv4.conf.*.rp_filter = 2).
What am I missing that is causing these port unreachable messages?
VPN Server config:
# Remote Access Connection
conn rac
    # Local Definitions
    left=ipsec.bpk2.com
    leftsubnet=0.0.0.0/0
    # Remote Definitions
    right=%any
    rightid=%any
    rightaddresspool=192.168.152.50-192.168.152.99
    # Configuration Parameters
    auto=add
    authby=secret
    ikelifetime=24h
    salifetime=1h
    ikev2=insist
    rekey=yes
    fragmentation=yes
    # Dead Peer Detection
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
VPN Client config:
# Remote Access Connection
conn rac
    # Local Definitions
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftmodecfgclient=yes
    # Remote Definitions
    right=host.domain.tld
    rightid=192.168.152.254
    rightsubnet=0.0.0.0/0
    # Configuration Parameters
    auto=add
    authby=secret
    ikev2=insist
    ikelifetime=24h
    salifetime=1h
    rekey=yes
    fragmentation=yes
    # Dead Peer Detection
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
Thanks in advance,
Brendan Kearney
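When a capture like the one in the post above shows UDP traffic followed by ICMP port unreachable, the first thing to pin down is which datagram each ICMP message rejects, who sent that datagram, and how quickly the rejection arrived after it. The following script is an added example (not from the post or from Libreswan) that parses tcpdump text output and correlates each "udp port N unreachable" with the most recent UDP packet sent to that host and port. The sample capture is constructed: the three lines from the post plus one extra DNS query (assumed, to show an unanswered flow that draws no ICMP). The SERVICE_PORTS table is an assumption to cope with tcpdump printing service names for ports when only -n (not -nn) is given.

```python
import re
from datetime import datetime

# Constructed sample: the three lines from the post, plus one assumed
# extra query that gets no reply and no ICMP.
SAMPLE_CAPTURE = """\
13:07:31.560280 IP 192.168.152.50.54837 > 192.168.120.254.domain: 20531+ A? relp.bpk2.com. (31)
13:07:31.561120 IP 192.168.120.254.domain > 192.168.152.50.54837: 20531* 1/0/0 A 192.168.120.4 (47)
13:07:31.561201 IP 192.168.152.50 > 192.168.120.254: ICMP 192.168.152.50 udp port 54837 unreachable, length 83
13:07:32.100000 IP 192.168.152.50.54838 > 192.168.120.254.domain: 20532+ A? example.com. (29)
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# "HH:MM:SS.usec IP src.sport > dst.dport: ..." (UDP datagram)
UDP_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d{{6}}) IP "
    rf"(?P<src>{IPV4})\.(?P<sport>\w+) > (?P<dst>{IPV4})\.(?P<dport>\w+): "
)
# "HH:MM:SS.usec IP src > dst: ICMP host udp port N unreachable, ..."
ICMP_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d{{6}}) IP "
    rf"(?P<src>{IPV4}) > (?P<dst>{IPV4}): "
    rf"ICMP (?P<host>{IPV4}) udp port (?P<port>\w+) unreachable"
)

# Assumption: tcpdump -n prints service names for well-known ports; map the
# one seen in the post. Run tcpdump with -nn to avoid needing this at all.
SERVICE_PORTS = {"domain": "53"}


def _port(p):
    return SERVICE_PORTS.get(p, p)


def _ts(s):
    return datetime.strptime(s, "%H:%M:%S.%f")


def find_rejected_udp(capture_text):
    """Return one dict per ICMP 'udp port unreachable' line in the capture.

    Each dict names the UDP datagram that was rejected (the packet most recently
    sent to the host:port quoted in the ICMP), who sent it, the delay between
    that datagram and the ICMP in microseconds, and whether the ICMP source
    differs from the host it claims is unreachable (a hint of NAT, asymmetric
    routing, or a gateway answering on the peer's behalf)."""
    pending = {}   # (dst_host, dst_port) -> (sent_at, src_host, src_port)
    results = []
    for line in capture_text.splitlines():
        m = UDP_RE.match(line)
        if m:
            pending[(m["dst"], _port(m["dport"]))] = (
                _ts(m["ts"]), m["src"], _port(m["sport"]))
            continue
        m = ICMP_RE.match(line)
        if not m:
            continue
        key = (m["host"], _port(m["port"]))
        entry = {
            "icmp_from": m["src"],
            "icmp_to": m["dst"],
            "rejected_dst": f"{key[0]}:{key[1]}",
            "rejected_src": None,
            "delta_us": None,
            "source_mismatch": m["src"] != key[0],
        }
        hit = pending.get(key)
        if hit:
            sent_at, src, sport = hit
            delta = _ts(m["ts"]) - sent_at
            entry["rejected_src"] = f"{src}:{sport}"
            # exact integer microseconds; avoids float rounding of total_seconds()
            entry["delta_us"] = delta.seconds * 1_000_000 + delta.microseconds
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in find_rejected_udp(SAMPLE_CAPTURE):
        print(r)
```

For the capture in the post this reports that the ICMP from 192.168.152.50 rejects the DNS reply sent by 192.168.120.254:53, 81 microseconds after that reply was seen on bond0. Comparing that delay with the round-trip time to the client (for example, from ping through the tunnel) is one concrete way to test the suspicion that the ICMP is generated locally rather than by the remote peer: a remote host cannot answer faster than the path RTT.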