[Swan] Tunnel is up, but getting udp port xxxx unreachable

Brendan Kearney bpk678 at gmail.com
Wed Dec 21 20:19:38 EET 2022


list members,

I am working on some tunnels, and in all cases I can get the tunnel to 
come up but replies seem to be rejected.  In my road warrior config, the 
connecting client is seen replying with ICMP udp port unreachable messages:

[root at vpn ipsec.d]# tcpdump -n -s0 -i bond0 host 192.168.152.50
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:07:31.560280 IP 192.168.152.50.54837 > 192.168.120.254.domain: 20531+ A? relp.bpk2.com. (31)
13:07:31.561120 IP 192.168.120.254.domain > 192.168.152.50.54837: 20531* 1/0/0 A 192.168.120.4 (47)
13:07:31.561201 IP 192.168.152.50 > 192.168.120.254: ICMP 192.168.152.50 udp port 54837 unreachable, length 83

The client, 192.168.152.50, is trying to look up a logging destination 
against the DNS server.  The DNS server replies with the address.  Then 
the ICMP port unreachable message.  I have a sneaking suspicion that the 
ICMP message is coming from the vpn server, and not the vpn client, 
because there is some config option I am missing.

I have forwarding turned on in sysctl, and ICMP redirects turned off.  
Additionally, source route verification is set to "loose" 
(net.ipv4.conf.*.rp_filter = 2).

What am I missing that is causing these port unreachable messages?

VPN Server config:

# Remote Access Connection
conn rac
     # Local Definitions
     left=ipsec.bpk2.com
     leftsubnet=0.0.0.0/0
     # Remote Definitions
     right=%any
     rightid=%any
     rightaddresspool=192.168.152.50-192.168.152.99
     # Configuration Parameters
     auto=add
     authby=secret
     ikelifetime=24h
     salifetime=1h
     ikev2=insist
     rekey=yes
     fragmentation=yes
     # Dead Peer Detection
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear

VPN Client config:

# Remote Access Connection
conn rac
     # Local Definitions
     left=%defaultroute
     leftsubnet=0.0.0.0/0
     leftmodecfgclient=yes
     # Remote Definitions
     right=host.domain.tld
     rightid=192.168.152.254
     rightsubnet=0.0.0.0/0
     # Configuration Parameters
     auto=add
     authby=secret
     ikev2=insist
     ikelifetime=24h
     salifetime=1h
     rekey=yes
     fragmentation=yes
     # Dead Peer Detection
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear

thanks in advance,

brendan kearney
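Added example, not part of the original post or of Libreswan: a small correlator for the kind of tcpdump trace quoted above. It pairs each "ICMP ... udp port N unreachable" line with the UDP datagram that provoked it, reports which address the ICMP header names as the emitter, and measures how long after the triggering datagram the ICMP was captured. The sample trace is constructed from the three lines in the post; the line format assumed is tcpdump's default `-n` text output, and the "too fast for a round trip through the tunnel" threshold is a diagnostic heuristic I am assuming, not a rule from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample capture, modelled on the three lines quoted in the post.
SAMPLE_TRACE = """\
13:07:31.560280 IP 192.168.152.50.54837 > 192.168.120.254.domain: 20531+ A? relp.bpk2.com. (31)
13:07:31.561120 IP 192.168.120.254.domain > 192.168.152.50.54837: 20531* 1/0/0 A 192.168.120.4 (47)
13:07:31.561201 IP 192.168.152.50 > 192.168.120.254: ICMP 192.168.152.50 udp port 54837 unreachable, length 83
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "ts IP a.b.c.d.port > e.f.g.h.port: ..."  (UDP datagram)
UDP_RE = re.compile(rf"^(\S+) IP {IPV4}\.(\w+) > {IPV4}\.(\w+): ")
# "ts IP src > dst: ICMP host udp port N unreachable, ..."  (ICMP type 3 code 3)
ICMP_RE = re.compile(rf"^(\S+) IP {IPV4} > {IPV4}: ICMP {IPV4} udp port (\w+) unreachable")

# tcpdump -n still prints well-known service names unless -nn is used.
PORT_NAMES = {"domain": 53}


def port_number(tok: str) -> int:
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown service name {tok!r}; capture with -nn to get numeric ports")


def ts_seconds(ts: str) -> float:
    """Convert tcpdump's HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Datagram:
    t: float
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Finding:
    icmp_time: float
    emitter: str            # source address in the ICMP packet's own IP header
    icmp_dst: str           # who the ICMP is addressed to (the original sender)
    unreachable_host: str   # host named inside the ICMP payload
    unreachable_port: int
    trigger: Optional[Datagram]
    delta_us: Optional[float]
    notes: List[str]


def correlate(trace: str, fast_threshold_us: float = 1000.0) -> List[Finding]:
    """Pair each port-unreachable ICMP with the UDP datagram that caused it."""
    datagrams: List[Datagram] = []
    findings: List[Finding] = []
    for line in trace.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, sport, dst, dport = m.groups()
            datagrams.append(Datagram(ts_seconds(ts), src, port_number(sport), dst, port_number(dport)))
            continue
        m = ICMP_RE.match(line)
        if not m:
            continue
        ts, emitter, icmp_dst, host, port_tok = m.groups()
        t, port = ts_seconds(ts), port_number(port_tok)
        # The offending datagram was sent by icmp_dst and addressed to host:port.
        trigger = next((d for d in reversed(datagrams)
                        if d.src == icmp_dst and d.dst == host and d.dport == port and d.t <= t), None)
        notes = []
        if emitter == host:
            notes.append("header says the destination host itself rejected the datagram")
        else:
            notes.append("ICMP emitter differs from the unreachable host: some other node generated it")
        delta = None
        if trigger is None:
            notes.append("no matching datagram seen before the ICMP")
        else:
            delta = (t - trigger.t) * 1e6
            if delta < fast_threshold_us:
                # Heuristic (my assumption): a reply that really went out through the tunnel and
                # was rejected by the remote peer should take longer than this to come back.
                notes.append(f"captured only {delta:.0f} us after the trigger; suspiciously fast "
                             "for a round trip through the tunnel, worth checking for local generation")
        findings.append(Finding(t, emitter, icmp_dst, host, port, trigger, delta, notes))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_TRACE):
        trig = f"{f.trigger.src}:{f.trigger.sport} -> {f.trigger.dst}:{f.trigger.dport}" if f.trigger else "n/a"
        print(f"ICMP from {f.emitter} to {f.icmp_dst}: {f.unreachable_host}:{f.unreachable_port} unreachable")
        print(f"  trigger: {trig}")
        for n in f.notes:
            print(f"  - {n}")
```

Run it against a larger `tcpdump -nn` capture (paste the text in place of `SAMPLE_TRACE`) to see, for every rejected reply, which datagram it matched and whether the timing is consistent with the ICMP having travelled through the tunnel; a run of sub-millisecond findings all naming the same emitter is the pattern to compare against what `ip xfrm policy` and the client's own capture show.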


