Hi,
Thanks for the reply.
: ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.20 (netkey) on 4.9.20
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
I tried to set a passthrough connection, but I must have set it wrong, because
I lost connection to the server on 192.168.0.254...
I tried a simpler configuration without VLANs:
1) WAN --- router --- eth0 LAN 192.168.0.0/24, server with IP
192.168.10.1, xauth pool 192.168.10.20-25: connection OK but cannot
connect to LAN devices; connection OK to 192.168.10.1; from the
server I can ping the IP assigned by IPsec; from the LAN, the same behaviour:
the ARP request arrives at the server, but no reply.
2) WAN --- router --- eth0 LAN 192.168.0.0/24, server with IP
192.168.10.1 and 192.168.20.1/24, xauth pool 192.168.20.20-25:
connection OK to LAN devices and to the server on both 192.168.10.1 and
192.168.20.1.
I checked sysctl and don't see anything wrong; as for firewall rules,
nothing is set: INPUT, OUTPUT and FORWARD accept everything.
Also, I don't see any difference (apart from the IP address range) in
the xfrm policies installed.
Correct me if I'm wrong, but digging a little more, there won't be any
MAC associated with the IP/VPN client, so there is no ARP entry in the
server; even with proxy-arp enabled the LAN devices will never be able
to reach the VPN client, because no ARP entry will be found in the server.
So I always have to set a different network, like in the 2) setup, no?
Regards,
António
Saludos / Regards / Cumprimentos,
António Silva
On 04/12/2017 09:49 PM, Paul Wouters wrote:
On Wed, 12 Apr 2017, Antonio Silva wrote:
My current setup:
--- eth0 (192.168.0.254/24)
WAN --- router --- vlan 1 on eth0 (192.168.168.254/24)
I set the ipsec conn with
rightaddresspool=192.168.168.87-192.168.168.90; the connection is
established and I get the IP 192.168.168.87 on my device.
I can then connect to the server at the IP 192.168.168.254, so
far so good.
But when I try to connect to a LAN device, like 192.168.168.249, I
can't. In tcpdump on the router I see the LAN device sending the ARP
request "who has 192.168.168.87", but no reply from the router. I've
set proxy ARP on the interface as suggested on the wiki
(https://libreswan.org/wiki/FAQ#Can_I_hand_out_LAN_IP_addresses_in_the_addresspool.3F),
but no luck...
net.ipv4.conf.eth0.proxy_arp=1
From the router I can ping 192.168.168.87.
Any suggestion on how to solve this? Or is this configuration not
ideal, and must I define a different pool for the VPN side?
That should work. Try running "ipsec verify" and check your systemctl
settings and firewall rules?
You might also need a passthrough conn:
conn passthrough
    left=192.168.0.254
    right=%any
    leftsubnet=192.168.0.0/24
    rightsubnet=192.168.0.0/24
    auto=route
    authby=never
Paul
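As an added example (my code, not from the thread or from Libreswan), the following check models the choice the thread turns on: whether the addresspool is carved out of the LAN (so the gateway must proxy-ARP for the clients and carry the passthrough conn Paul shows) or is a separate range (so only routing is involved), and it flags a pool that straddles the LAN or includes the gateway address. The function names, the mode labels and the result structure are my own.

```python
import ipaddress

# The passthrough conn from the thread, with gateway and LAN filled in.
PASSTHROUGH_TEMPLATE = """conn passthrough
    left={left}
    right=%any
    leftsubnet={lan}
    rightsubnet={lan}
    auto=route
    authby=never"""


def render_passthrough(left_ip: str, lan_cidr: str) -> str:
    """Render the passthrough conn for this gateway address and LAN."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return PASSTHROUGH_TEMPLATE.format(left=left_ip, lan=lan)


def check_addresspool(lan_cidr: str, gateway_ip: str, iface: str,
                      pool_start: str, pool_end: str) -> dict:
    """Classify a pool against the LAN: 'lan-pool', 'separate-pool' or 'invalid'."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    gw = ipaddress.ip_address(gateway_ip)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems, required = [], ["net.ipv4.ip_forward=1"]
    if lo > hi:
        problems.append("addresspool range is reversed")
        lo, hi = hi, lo
    if lo in lan and hi in lan:
        # LAN hosts will ARP for client addresses, so the gateway has to
        # answer for them (proxy_arp) and must not try to tunnel ordinary
        # LAN-to-LAN traffic that now matches the pool (passthrough conn).
        mode = "lan-pool"
        if lo <= gw <= hi:
            problems.append(f"pool includes the gateway address {gw}")
        if lo == lan.network_address or hi == lan.broadcast_address:
            problems.append("pool includes the network or broadcast address")
        required.append(f"net.ipv4.conf.{iface}.proxy_arp=1")
        required.append(render_passthrough(str(gw), str(lan)))
    elif lo <= lan.broadcast_address and hi >= lan.network_address:
        mode = "invalid"
        problems.append("pool straddles the LAN boundary")
    else:
        # Own subnet: no ARP involved, LAN hosts just need a route for the
        # pool that points at this gateway (true if it is their default).
        mode = "separate-pool"
        required.append(f"LAN hosts route {lo}-{hi} via {gw}")
    return {"mode": mode, "problems": problems, "required": required}
```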
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan