[Swan] Tunnel is up, but getting udp port xxxx unreachable
brendan kearney
bpk678 at gmail.com
Fri Dec 30 20:18:01 EET 2022
Thanks for the reply.
For testing, the client would be natively on the 192.168.1.0/24 network if
wired, or the 192.168.24.0/24 network if wireless, so the IP ranges and
subnet for the IPSec connection are on a separate network.
I do have proxy arp configured on the VPN box, already. Not sure if that
clobbers things.
I am running BGP on the box too, and injecting the route to the
192.168.152.0/24 network via the on-wire interface. Would dynamic routing
cause any interference?
Thanks and happy new year,
Brendan
On Thu, Dec 29, 2022, 6:44 PM Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 21 Dec 2022, Brendan Kearney wrote:
>
> > Subject: [Swan] Tunnel is up, but getting udp port xxxx unreachable
>
> > connecting client is seen replying with ICMP udp port unreachable
> messages:
>
> > VPN Server config:
> > conn rac
> > leftsubnet=0.0.0.0/0
> > right=%any
> > rightaddresspool=192.168.152.50-192.168.152.99
>
> [...]
>
> > VPN Client config:
> > conn rac
> > left=%defaultroute
> > leftsubnet=0.0.0.0/0
> > leftmodecfgclient=yes
> > # Remote Definitions
> > right=host.domain.tld
> > rightid=192.168.152.254
> > rightsubnet=0.0.0.0/0
>
> You are handing out IPs in the same /24 as the LAN itself? That might
> cause problems if machines in the LAN are a true /24. You would need
> proxyarp and what not and it complicates things.
>
> I'd recommend splitting off the addresspool into a real separate network.
>
> Paul
>
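The check behind the advice in the quoted reply, as an added example that is not part of the thread and is not libreswan code: given the server's rightaddresspool range and the LAN subnets the VPN box sits on, it reports whether the pool overlaps a LAN (so LAN hosts would ARP for pool addresses and the VPN box needs proxy ARP) or lives on its own network (so the LAN side only needs a route for the pool prefix). The pool range and the two LAN subnets are the values quoted in this thread; the in-LAN pool at the end is a constructed counter-example, and the helper names are my own.

```python
"""Check a libreswan rightaddresspool against the LAN subnets it must coexist with.

Added example, not from the thread or from libreswan. A pool carved out of the
LAN /24 needs proxy ARP on the VPN box; a pool on its own network needs a route
for that prefix on the LAN side instead.
"""
import ipaddress

# Values quoted from the thread: the server hands out 192.168.152.50-99 and the
# client sits on 192.168.1.0/24 (wired) or 192.168.24.0/24 (wireless).
THREAD_POOL = ("192.168.152.50", "192.168.152.99")
THREAD_LANS = ["192.168.1.0/24", "192.168.24.0/24"]


def pool_blocks(start, end):
    """CIDR blocks that exactly cover the pool range (what a route table would carry)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def covering_prefix(start, end):
    """Smallest single prefix containing the whole pool, for one static or BGP route."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    net = ipaddress.ip_network(str(first))        # start as a /32 and widen
    while last not in net:
        net = net.supernet()
    return net


def overlapping_lans(start, end, lans):
    """LAN subnets that contain at least one address of the pool."""
    blocks = pool_blocks(start, end)
    return [lan for lan in map(ipaddress.ip_network, lans)
            if any(b.overlaps(lan) for b in blocks)]


def plan(start, end, lans):
    """('proxyarp', overlapping LANs) if the pool sits inside a LAN subnet,
    ('route', covering prefix) if it is on a separate network."""
    hits = overlapping_lans(start, end, lans)
    if hits:
        return ("proxyarp", hits)
    return ("route", covering_prefix(start, end))


if __name__ == "__main__":
    print("thread pool:", plan(*THREAD_POOL, THREAD_LANS))
    # Constructed counter-example (not from the thread): a pool inside the wired LAN /24.
    print("in-LAN pool:", plan("192.168.1.200", "192.168.1.220", THREAD_LANS))
```

For the thread's values the pool does not overlap either LAN, so the verdict is a route for 192.168.152.0/25 (the /24 advertised via BGP in the message above covers it as well); only the constructed 192.168.1.200-220 pool trips the proxy ARP case.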