On Tue, Dec 8, 2015 at 8:54 PM, Paul Wouters <[email protected]> wrote:
> On Mon, 7 Dec 2015, Fabian van der Werf wrote:
>
>> Ok, I am trying to set up a tunnel between my home network and a virtual
>> network of docker instances on a VPS. I am running into some problems. The
>> problem is that I cannot connect from docker instances on the VPS to my
>> home network (the other way around works though).
>
>> conn home
>>     left=37.97.133.227
>>     leftid=37.97.133.227
>>     leftsubnet=172.17.0.0/16
>>     leftsourceip=172.17.0.1
>>
>>     right=84.104.37.209
>>     rightid=84.104.37.209
>>     rightsubnet=192.168.178.0/24
>>     rightsourceip=192.168.178.1
>>
>>     authby=secret
>>     auto=start
>>     forceencaps=yes
>>
>> Both the router and the VPS/libreswan say that the tunnel is set up
>> successfully.
>>
>> So the current situation is that I am able to connect from my home network
>> to the docker instances fine (e.g., a webservice). The problem is
>> connections going in the other direction: from the docker instances to the
>> home network. Below is my firewall configuration. But even with a disabled
>> firewall I am unable to create connections from a docker instance to my
>> home network.
>
> [debug info]
>
> That all looks fine.
>
>> 000 Total IPsec connections: loaded 3, active 1
>> 000
>> 000 State Information: DDoS cookies not required, Accepting new IKE connections
>> 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
>> 000 IPsec SAs: total(3), authenticated(3), anonymous(0)
>> 000
>> 000 #10: "home":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 153s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
>> 000 #10: "home" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=17KB! ESPmax=4194303B
>> 000 #11: "home":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1841s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
>> 000 #2: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 11008s; isakmp#1; idle; import:admin initiate
>> 000 #2: "home" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
>> 000 #7: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 20902s; isakmp#6; idle; import:admin initiate
>> 000 #7: "home" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
>
> Why are there so many duplicate tunnels? You should have only one? Is
> the tunnel continuously being re-setup?

I have only one tunnel configured. Maybe this is caused by me playing with
settings and reinitializing stuff over and over. I checked my router's log;
I don't see the tunnel being reinitialized continuously. This is the list
after a night idling:

000 #18: "home":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1654s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #13: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 14357s; newest IPSEC; eroute owner; isakmp#12; idle; import:admin initiate
000 #13: "home" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B

> Can you run tcpdump on the docker host to get an idea of what's
> happening to the packets? Are they leaking plaintext? Are they
> encrypted but ignored?

With tcpdump I see packets going into the tunnel:

[root@37-97-133-227 ~]# tcpdump ip proto 50 &
[1] 28937
[root@37-97-133-227 ~]# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
ping 192.168.178.1
PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
09:51:13.945703 IP 37-97-133-227.colo.transip.net > 546825D1.cm-12-1a.dynamic.ziggo.nl: ESP(spi=0xc7274d41,seq=0x8), length 132
09:51:14.945339 IP 37-97-133-227.colo.transip.net > 546825D1.cm-12-1a.dynamic.ziggo.nl: ESP(spi=0xc7274d41,seq=0x9), length 132
...

Trying to connect to the router's web interface with netcat fails with a
timeout. I don't see any unencrypted packets if I filter on "tcpdump host
192.168.178.1". Not sure if I should see them. It looks as if my router is
not handling these incoming packets? I don't see any dropped packets in my
router log for the internal or external IP of the docker server.

Thanks for your help,
Fabian
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
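Added example, not part of the thread and not libreswan's own code: a small Python parser for the `ipsec status` state lines quoted above. It answers the two questions Paul raises from that output mechanically, counting IPsec SAs per connection and naming the one that is the "eroute owner", and reading the ESPout/ESPin counters so a one-directional tunnel (bytes decrypted but none sent, or bytes sent but none received) stands out. The sample status text is constructed from the lines quoted in the thread; the esp.SPI@peer tokens between the connection name and "Traffic:" are omitted because the parser does not need them, and the hint strings in `findings()` are generic troubleshooting pointers, not a diagnosis of this particular setup.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the 'ipsec status' output quoted in the thread.
# The esp.<spi>@<peer> tokens after the conn name are left out; only the
# "Traffic:" counters and the state line flags are parsed.
SAMPLE_STATUS = """\
000 Total IPsec connections: loaded 3, active 1
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(3), authenticated(3), anonymous(0)
000 #10: "home":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 153s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #10: "home" ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=17KB! ESPmax=4194303B
000 #11: "home":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1841s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 11008s; isakmp#1; idle; import:admin initiate
000 #2: "home" ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #7: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 20902s; isakmp#6; idle; import:admin initiate
000 #7: "home" ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
"""

# State line: 000 #<num>: "<conn>"[:<port>] STATE_xxx (<description>); flag; flag; ...
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)"(?::\d+)? (STATE_\w+) \(([^)]*)\);(.*)$')
# Traffic line: 000 #<num>: "<conn>" ... Traffic: ESPout=<n> ESPin=<n> ESPmax=<n>
TRAFFIC_RE = re.compile(r'^000 #(\d+): "([^"]+)" .*Traffic: ESPout=(\S+) ESPin=(\S+) ESPmax=')
SIZE_RE = re.compile(r'^(\d+)([KMG]?B)$')
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(token):
    """'17KB!' -> 17408 bytes. The trailing '!' libreswan prints is stripped."""
    m = SIZE_RE.match(token.rstrip("!"))
    if not m:
        raise ValueError("unrecognised byte count: %r" % token)
    return int(m.group(1)) * UNITS[m.group(2)]


@dataclass
class SA:
    num: int
    conn: str
    state: str
    kind: str               # "ike" (ISAKMP/IKE SA) or "ipsec" (child SA)
    newest: bool = False    # carries a "newest IPSEC" / "newest ISAKMP" flag
    eroute_owner: bool = False  # the IPsec SA actually installed for the policy
    esp_out: int = 0
    esp_in: int = 0


def parse_status(text):
    """Return {sa_number: SA} for every state line in 'ipsec status' output."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            num, conn, state, desc, rest = m.groups()
            kind = "ipsec" if "IPsec SA" in desc else "ike"
            flags = [f.strip() for f in rest.split(";")]
            sas[int(num)] = SA(int(num), conn, state, kind,
                               newest=any(f.startswith("newest") for f in flags),
                               eroute_owner="eroute owner" in flags)
            continue
        m = TRAFFIC_RE.match(line)
        if m and int(m.group(1)) in sas:
            sa = sas[int(m.group(1))]
            sa.esp_out = parse_size(m.group(3))
            sa.esp_in = parse_size(m.group(4))
    return sas


def findings(sas):
    """List (conn, hint) pairs: duplicate child SAs and one-directional traffic."""
    out = []
    by_conn = {}
    for sa in sas.values():
        by_conn.setdefault(sa.conn, []).append(sa)
    for conn, group in by_conn.items():
        ipsec = [s for s in group if s.kind == "ipsec"]
        owners = [s for s in ipsec if s.eroute_owner]
        if len(ipsec) > 1:
            others = sorted(s.num for s in ipsec if not s.eroute_owner)
            out.append((conn, "%d IPsec SAs, only #%s owns the eroute; not carrying traffic: %s"
                        % (len(ipsec), ",".join(str(s.num) for s in owners) or "?", others)))
        for s in owners:
            if s.esp_in and not s.esp_out:
                out.append((conn, "#%d receives ESP but has sent none: if hosts behind this side "
                                  "are sending, their packets are not entering the tunnel (check "
                                  "'ip xfrm policy' and any source NAT applied before IPsec)" % s.num))
            elif s.esp_out and not s.esp_in:
                out.append((conn, "#%d sends ESP but receives none: check the peer's decrypt and "
                                  "forwarding path and its return route" % s.num))
            elif not s.esp_in and not s.esp_out:
                out.append((conn, "#%d has counted no ESP traffic in either direction" % s.num))
    return out


if __name__ == "__main__":
    for conn, hint in findings(parse_status(SAMPLE_STATUS)):
        print("%s: %s" % (conn, hint))
```

Run it against a saved `ipsec status` capture (`ipsec status > status.txt` on the libreswan host, then feed the file contents to `parse_status`). The counters are per SA, so compare them before and after generating test traffic from one side: a rising ESPin with a flat ESPout on the eroute owner means the kernel is decrypting the peer's packets but nothing local is being matched by the outbound policy.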
