On Wed, 27 Aug 2014, Nels Lindquist wrote:
1. Routing - With L2TP, the ppp[n] interface becomes active and
routing is set up automatically, possibly by pppd or xl2tpd? When I
bring up an IPSEC+XAUTH connection, the (Shrewsoft) client is
correctly getting one of the IP addresses specified in
rightaddresspool, the "leftsubnet" network is added to the local
client routing table and the client is able to ping the internal
private IP of the LibreSWAN endpoint. However, if I attempt to
connect to anything beyond the endpoint, I don't get any response
traffic from the other side.
Check /etc/sysctl.conf ?
Possibly, your VPN needs to do SNAT/MASQ if you're planning to go out on
the internet with this. But exclude whatever local RFC1918 you use
I verified my firewall rules and the client packets are being passed
to the internal interface, but a tcpdump shows only repeated arp
requests from the target IP asking for the location of the client,
with no answers provided. As the target can't find the client's
location, no response traffic is forthcoming. I feel that I've missed
a simple option somewhere...
Your network should be routing the addresspool IP's to your VPN server.
I've also noticed that when the tunnel is first brought up, no traffic
to the client IP goes through until packets are first received from
the client. eg, Bring up tunnel, try to ping client from server;
nothing. Ping server from client; success. Ping client from server
again, success.
That might be a client feature? Do you see encrypted packets leaving
the network when this happens?
2. Multinet - I'd prefer not to use leftsubnet=0.0.0.0/0 as I'd like
the local default routes, etc. to remain on the clients. However it
would be nice to provide access in some instances to multiple private
networks behind the endpoint. I tried replacing leftsubnet= with
leftsubnets= and variants of { 192.168.0.0/24 172.16.0.0/24 } or
"192.168.0.0/24, 172.16.0.0/24" as per the manpages/multinet samples I
could find, but in either instance when I attempt to replace the
connection I receive:
Support for multiple networks on the server side without using 0.0.0.0/0
is close to being supported but needs a little work still.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
