On Sat, 17 Jan 2015, Phil Daws wrote:

No joy :( It's probably compounded by the setup in my lab as well. Let me break 
it down:

Left Side:

eth0: 37.XXX.XXX.XXX
eth1: 10.1.8.1/24
eth2: 10.1.10.1/24
eth3: 10.1.14.1/24

Right Side:

eth0: 88.XXX.XXX.XXX
eth1: 10.2.8.1/24
eth2: 10.2.10.1/24
eth3: 10.2.14.1/24

I have just been able to connect from an address on 10.2.10.10 to 10.1.8.200, so 
the tunnel is alive but routing must be mangled, viz. if I try to connect to 
10.1.8.1 it just sits there ?!?! and that should work, as my VPN does connect to 
that IP.  This is without the left/right source ip.

Getting closer to understanding this, and hopefully to it working :)

If you want the left server (itself) to be able to reach the right subnets, and
the right server (itself) to be able to reach the left subnets, you have
to ensure that the server's inner IP is used for communicating to those
remote subnets.

so if using

        leftsubnets=10.1.8.0/24,10.1.10.0/24,10.1.14.0/24
        rightsubnets=10.2.8.0/24,10.2.10.0/24,10.2.14.0/24

then adding

        leftsourceip=10.1.8.1
        rightsourceip=10.2.8.1

should do the trick.

However, you could also use your public IP as an additional subnet:

        leftsubnets=10.1.8.0/24,10.1.10.0/24,10.1.14.0/24,37.XXX.XXX.XXX/32
        rightsubnets=10.2.8.0/24,10.2.10.0/24,10.2.14.0/24,88.XXX.XXX.XXX/32

Then you will have explicit IPsec tunnels from your public IP to your
LANs. Less useful if you are on a dynamic IP. It also means your firewall
rules on the hosts might need to allow those public IPs to private LANs,
whereas with the first trick, your gateway will use a LAN IP so you don't
have to have any firewall rules related to its public IP.


You probably also want a rule along the lines of:

iptables -I POSTROUTING -t nat -d 10/8 -j RETURN

to exclude all subnet tunnel traffic from getting NAT'ed.
(you can add -s 10/8 if not building tunnels with the public IP)

Various ways to shoot yourself in the foot are warned against in "ipsec
verify".

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
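The two pieces of Paul's answer, the conn with leftsourceip/rightsourceip and the
NAT exclusion rule, written out as a small script so they can be checked before
being applied. This is an added example, not code from the thread or from
libreswan. The conn name "lab" and the placeholder public IPs 37.0.0.1 and 88.0.0.1
are assumptions standing in for the XXX'd addresses; the leftsubnets= list uses the
braced form shown in ipsec.conf(5). The iptables commands are printed rather than
run, and the in_cidr helper is a plain POSIX sh prefix match used to show which
destinations the "-d 10/8 -j RETURN" rule would keep out of NAT.

```shell
#!/bin/sh
# Added example (not from the thread, not libreswan code).
# Assumed names: conn "lab"; 37.0.0.1 and 88.0.0.1 stand in for the XXX'd IPs.

LEFT_PUB="37.0.0.1"      # placeholder for 37.XXX.XXX.XXX
RIGHT_PUB="88.0.0.1"     # placeholder for 88.XXX.XXX.XXX
LEFT_SUBNETS="10.1.8.0/24 10.1.10.0/24 10.1.14.0/24"
RIGHT_SUBNETS="10.2.8.0/24 10.2.10.0/24 10.2.14.0/24"
LEFT_SRC="10.1.8.1"      # inner IP the left gateway uses toward right subnets
RIGHT_SRC="10.2.8.1"     # inner IP the right gateway uses toward left subnets

# Render the conn block.  leftsourceip/rightsourceip make the gateway's own
# traffic to the remote subnets leave from its LAN address, so it matches the
# subnet-to-subnet SAs instead of going out of the public IP unencrypted.
gen_conn() {
  cat <<EOF
conn lab
    left=$LEFT_PUB
    leftsubnets={$LEFT_SUBNETS}
    leftsourceip=$LEFT_SRC
    right=$RIGHT_PUB
    rightsubnets={$RIGHT_SUBNETS}
    rightsourceip=$RIGHT_SRC
    auto=start
EOF
}

# NAT exclusion from the thread, inserted at the top of nat/POSTROUTING so
# tunnelled 10/8 traffic is never masqueraded.  The -s rule is the optional
# one Paul mentions for setups that do not tunnel from the public IP.
# Printed only; run them as root once the conn is in place.
gen_nat_rules() {
  echo "iptables -I POSTROUTING -t nat -d 10.0.0.0/8 -j RETURN"
  echo "iptables -I POSTROUTING -t nat -s 10.0.0.0/8 -j RETURN"
}

# ip4_to_int: dotted quad -> integer, POSIX arithmetic only.
ip4_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: exit 0 if ADDR lies inside NET/PREFIX.
in_cidr() {
  addr=$(ip4_to_int "$1")
  net=$(ip4_to_int "${2%/*}")
  plen=${2#*/}
  mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# nat_excluded DST: would the -d 10/8 RETURN rule keep DST out of NAT?
nat_excluded() { in_cidr "$1" 10.0.0.0/8; }

# sourceip_for DST: the address the left gateway should source from for DST
# under the conn above: its LAN sourceip for a remote subnet, otherwise its
# public address via the default route.
sourceip_for() {
  for n in $RIGHT_SUBNETS; do
    if in_cidr "$1" "$n"; then echo "$LEFT_SRC"; return 0; fi
  done
  echo "$LEFT_PUB"
}

# Stand-alone run: show the conn, the rules, and a couple of checks.
gen_conn
gen_nat_rules
echo "10.2.10.10 sourced from $(sourceip_for 10.2.10.10)"
echo "8.8.8.8 sourced from $(sourceip_for 8.8.8.8)"
```

After the tunnel is up, "ip route get 10.2.10.10" on the left gateway should
report "src 10.1.8.1"; if it still shows the public address, the sourceip was not
applied and the gateway's own packets will miss the subnet SAs exactly as
described in the thread. "ipsec verify" catches the usual NAT and rp_filter
problems on top of that.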
