An update:
On 5/6/2014 12:24 PM, Nels Lindquist wrote:
> I'd like to migrate my current OpenSWAN VPN endpoints to
> LibreSWAN, and to that end I've set up some testing boxes. I've
> run into some difficulties as soon as NAT traversal is involved,
> and I'm not quite sure why.
>
> LibreSWAN 3.8 is installed on CentOS 6.x from the EPEL yum
> repository. We're using NSS x509 certificates for authentication.
>
> Host B resides on our DMZ. Traffic between the DMZ network and
> the Corporate network passes through (and is restricted by) the
> firewall, but no NAT is involved. Connections from Client A
> (Windows 7) to Host B work perfectly. Connections from Client B to
> Host B from the Internet do not connect. Host A, which is a mirror
> of Host B, was moved from the DMZ to a colocation facility and has
> a public IP address (no NAT). When Host A was in the local DMZ,
> connections from Client A worked fine. Once Host A was moved out,
> Client A (now NATted for connections to Host A) can no longer
> connect to Host A. Client B can't connect to either Host A or Host
> B, but can connect to our legacy OpenSWAN endpoint (also behind
> NAT).
>
>   |========|                          |========|
>   | Host B |                          | Host A |
>   |========|                          |========|
>       |                                   |
>  ---- DMZ Net ----                 --- Internet ---
>       |                                   |
>    N|===========|                         |
>    A| Firewall  |-------------------------+
>    T|===========|                         |
>       |                              |==========|
>  |----------- Corp Net ------|       | Client B |
>       |                              |==========|
>  |==========|
>  | Client A |
>  |==========|

After our work the other day to resolve the left=%defaultroute picking the incorrect IP address, I tried connecting to Host A from Client B, and this time everything worked properly. I still can't connect from Client B to Host B, or from Client A to Host A when going through the firewall. If I disconnect Client A from our network and connect it to a mobile broadband device, Client A can connect to Host A with no other configuration changes whatsoever; certificate authentication works; NAT traversal works, etc.
So that leaves us with our firewall or our ISP configuration potentially causing the issues. Our ISP provides us MPLS connectivity between different locations, and they have a gateway which connects the entire network to the Internet. We've therefore got two layers of NAT between us and the Internet; not sure if that's a problem. I'm going to have a look more closely at our firewall and see if I can find any issues there that might be causing this. Still confused as to why incoming connections to our existing OpenSWAN endpoint are working fine, though.

-- 
Nels Lindquist <[email protected]>
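When a Libreswan peer is reachable from a mobile connection but not through a NATing firewall, as in the message above, the first thing to establish from the responder's side is how far each IKE exchange got: whether pluto's NAT-Traversal detection ran at all, what it concluded, and whether the exchange then floated to UDP/4500 (the port that ESP-in-UDP and the rest of the exchange use once NAT is detected). The following script is an added example written for this page, not code from the original post or from the Libreswan project. It parses a small set of constructed pluto-style log lines (wording approximates what pluto logs for IKEv1 NAT detection; the connection names, addresses and SPIs are made up) and reports, per connection, whether NAT-T detection happened, whether the float to 4500 occurred, and whether an IPsec SA was established. A connection that reports NAT but never shows traffic on port 4500 points at UDP/4500 being dropped somewhere between the client and the endpoint, which is a useful thing to know before digging through firewall rules.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample log, written for this example. The message texts imitate
# pluto's IKEv1 logging but are not copied from a real Libreswan log.
SAMPLE_LOG = """\
"clientA"[1] 203.0.113.10 #1: responding to Main Mode from unknown peer 203.0.113.10
"clientA"[1] 203.0.113.10 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: peer behind NAT
"clientA"[1] 203.0.113.10:4500 #1: NAT-T: floating to port 4500
"clientA"[1] 203.0.113.10:4500 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x1a2b3c4d <0x5e6f7a8b}
"clientB"[1] 198.51.100.7 #3: responding to Main Mode from unknown peer 198.51.100.7
"clientB"[1] 198.51.100.7 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: peer behind NAT
"clientB"[1] 198.51.100.7 #3: STATE_MAIN_R2: sent MR2, expecting MI3
"hostA"[1] 192.0.2.5 #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
"hostA"[1] 192.0.2.5 #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0badcafe <0xdeadbeef}
"""

# "<conn>"[instance] <peer>[:port] #<state>: <message>
LOG_RE = re.compile(
    r'^"(?P<conn>[^"]+)"(?:\[\d+\])?\s+(?P<peer>\S+)\s+#(?P<st>\d+):\s+(?P<msg>.*)$'
)
# NAT-Traversal: Result using <method> sender port <n>: <result>
NAT_RESULT_RE = re.compile(r"NAT-Traversal: Result using [^:]+ sender port (\d+): (.+)$")

# Results that mean at least one side is NATed and a float to 4500 is expected.
BEHIND_NAT = {"peer behind NAT", "I am behind NAT", "both are NATed"}


@dataclass
class ConnState:
    nat_result: Optional[str] = None   # text after the last "sender port N:" seen
    floated: bool = False              # any evidence of UDP/4500 in use
    established: bool = False          # an IPsec SA was set up
    peers: Set[str] = field(default_factory=set)


def parse_pluto_log(text: str) -> Dict[str, ConnState]:
    """Fold pluto-style log lines into per-connection NAT-T state."""
    conns: Dict[str, ConnState] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a per-connection state line; ignore
        c = conns.setdefault(m["conn"], ConnState())
        c.peers.add(m["peer"])
        msg = m["msg"]
        n = NAT_RESULT_RE.search(msg)
        if n:
            c.nat_result = n.group(2).strip()
        # Either the peer address is now logged with :4500 or pluto said so explicitly.
        if m["peer"].endswith(":4500") or "port 4500" in msg:
            c.floated = True
        if "IPsec SA established" in msg:
            c.established = True
    return conns


def diagnose(conns: Dict[str, ConnState]) -> Dict[str, str]:
    """Turn parsed state into a one-line verdict per connection."""
    verdicts: Dict[str, str] = {}
    for name, c in conns.items():
        if c.nat_result is None:
            verdicts[name] = "no NAT-T detection result seen (phase 1 did not get far enough)"
        elif c.nat_result in BEHIND_NAT and not c.floated:
            verdicts[name] = "NAT detected but no float to UDP/4500: check UDP/4500 is passed in both directions"
        elif not c.established:
            verdicts[name] = "NAT-T negotiated but no IPsec SA established"
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    for conn, verdict in diagnose(parse_pluto_log(SAMPLE_LOG)).items():
        print(f"{conn}: {verdict}")
```

On a real endpoint the input would be the pluto log (with `plutodebug`/`plutostderrlog` pointing wherever the box logs), and the verdict for a connection that stalls after NAT detection is the cue to capture UDP/500 and UDP/4500 on both the firewall's inside and outside interfaces and see where the 4500 packets stop. Adjust the regular expressions to the exact wording of the Libreswan version in use; the ones here are tolerant but were written against constructed lines.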
