Re: [Swan] roadwarrior connects but no data

2018-10-05 Thread Paul Wouters

On Fri, 5 Oct 2018, Johannes C. Schulz wrote:


$ ip route
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
xx.yyy.zzz.vv dev vti0 scope link


I don't see a src entry here. If the source IP is not the default IP,
then you're in trouble because it would use the wrong source IP to
route into the VTI device, and then not match the IPsec policy.

You can see problems like this by checking the error counters in
/proc/net/xfrm_stat

Paul
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
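A small shell helper, added here as an example and not part of the thread or of libreswan, for the two checks Paul suggests: whether the route into the VTI pins a source address (a `src` entry), and which /proc/net/xfrm_stat counters grew while a test ping was sent. The function names, the sample route lines and the counter snapshots are constructed for illustration.

```bash
#!/bin/sh
# Added example, not code from the thread: two checks for the failure mode
# Paul describes. (1) does the route into the VTI carry an explicit "src"?
# (2) which /proc/net/xfrm_stat error counters grew while traffic was sent?

# Read "ip route" output on stdin; print 1 if the route via device $1 has a
# "src" entry, 0 otherwise (no route via $1, or a route without src, where
# the kernel then picks the address of the physical uplink instead).
vti_route_has_src() {
    awk -v dev="$1" '
        $0 ~ ("dev " dev "( |$)") {
            for (i = 1; i <= NF; i++)
                if ($i == "src") { print 1; hit = 1; exit }
        }
        END { if (!hit) print 0 }'
}

# Print each xfrm counter whose value in snapshot file $2 exceeds the value
# in snapshot file $1, as "NAME DELTA" lines (nothing printed = no new errors).
xfrm_stat_delta() {
    awk 'NR == FNR { before[$1] = $2; next }
         { d = $2 - before[$1]; if (d > 0) print $1, d }' "$1" "$2"
}

# Constructed samples: a route table without src on the vti0 route, and the
# same table with src pinned to the leftvti address from the thread's config.
ROUTE_NO_SRC='default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
192.168.92.0/24 dev vti0 scope link'
ROUTE_WITH_SRC='default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
192.168.92.0/24 dev vti0 scope link src 192.168.92.234'

# Constructed /proc/net/xfrm_stat snapshots "before" and "after" a test ping.
STAT_BEFORE=$(mktemp); STAT_AFTER=$(mktemp)
trap 'rm -f "$STAT_BEFORE" "$STAT_AFTER"' EXIT
printf 'XfrmOutNoStates 0\nXfrmOutPolBlock 0\nXfrmOutStateModeError 0\n' > "$STAT_BEFORE"
printf 'XfrmOutNoStates 4\nXfrmOutPolBlock 0\nXfrmOutStateModeError 0\n' > "$STAT_AFTER"

# Demo on the samples. On a live host use instead:
#   ip route | vti_route_has_src vti0
#   cp /proc/net/xfrm_stat /tmp/before; ping -c 3 192.168.92.10
#   xfrm_stat_delta /tmp/before /proc/net/xfrm_stat
printf '%s\n' "$ROUTE_NO_SRC"   | vti_route_has_src vti0   # 0
printf '%s\n' "$ROUTE_WITH_SRC" | vti_route_has_src vti0   # 1
xfrm_stat_delta "$STAT_BEFORE" "$STAT_AFTER"               # XfrmOutNoStates 4
```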


Re: [Swan] roadwarrior connects but no data

2018-10-05 Thread Johannes C. Schulz
Hi Paul

Thanks for your answer. But sadly, this did not help.

$ ip route
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
xx.yyy.zzz.vv dev vti0 scope link
169.254.0.0/16 dev enp0s12u2 scope link metric 1000
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100

$ route
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s12u2
.dip0.          0.0.0.0         255.255.255.255 UH    0      0        0 vti0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s12u2
192.168.42.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s12u2


192.168.42.x is the client's network
xx.yyy.zzz.vv is the internet IP of the remote network behind some domain
192.168.92.x is the remote network I want to access

What's wrong with my config?

Best regards
Johannes


On Thu, 4 Oct 2018 at 16:50, Paul Wouters wrote:

> On Thu, 4 Oct 2018, Johannes C. Schulz wrote:
>
> > Hello LibreSwan community! It was a long way to get my libreswan
> > connecting to a vpn-server (which is actually a dsl-router from bintec).
> > The server accepts IPsec IKEv1 connection with PSK. I can connect, but
> > there is no traffic through the tunnel.
> > The problem must be on the roadwarrior's side, because I can connect and
> > transfer data through the tunnel if I connect with a windows machine to
> > the vpn-server (using ShrewSoft).
> >
> > I wrote this config:
> >
> > config setup
> > protostack  =   netkey
> >
> > conn Office1
> > authby  =   secret
> > right   =   some.domain.tld
> > rightid =   @Office_admin
> > rightnexthop=   %defaultroute
> > left=   192.168.42.91
> > leftsubnet  =   192.168.92.0/24
> > leftvti =   192.168.92.234/24
> > leftid  =   @Office
> > keyexchange =   ike
> > ike =   aes256-sha2;modp2048
> > esp =   aes256-sha2;modp2048
> > ikelifetime =   4h
> > keylife =   8h
> > auto=   add
> > aggrmode=   yes
> > vti-interface = vti0
> > vti-routing =   yes
> > mark=   5/0x
>
> Try adding sha2_truncbug=yes and see if that fixes your issue. The
> router might be doing "broken linux compatibility" mode by default.
>
> > netstat -r -n
> > Kernel-IP-Routentabelle
> > Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
> > 0.0.0.0         192.168.42.129  0.0.0.0         UG        0 0          0 enp0s12u2
> > xx.yyy.zzz.vv   0.0.0.0         255.255.255.255 UH        0 0          0 vti0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp0s12u2
> > 192.168.42.0    0.0.0.0         255.255.255.0   U         0 0          0 enp0s12u2
> > 192.168.92.0    0.0.0.0         255.255.255.0   U         0 0          0 vti0
>
> What does "ip route" say? It is important to see if you got the proper
> route into the VTI interface. I assume xx.yyy.zzz.vv is some.domain.tld's
> IP?
>
> > ping 192.168.92.10
> > PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.
> > From 192.168.92.234 icmp_seq=1 Destination Host Unreachable
>
> Is this on the remote end? Because you defined that to be on your end?
>
> Paul
>


-- 
Best regards
Johannes C. Schulz

„Programmer - n. [proh-gram-er] an organism that turns caffeine and pizza
into software“