Paul,

Thanks for responding. I copied this form from an explanation website. I realized after I posted it that because I was tunneling on top, I didn't need any of the subnet stuff.

The problem turned out to be some subtle complexity of my situation and how iptables was being applied on the gre traffic. Once I got the right setting there, things worked fine.

Sorry for the bother,
jerry

On 08/27/2017 07:46 PM, Paul Wouters wrote:
On Tue, 22 Aug 2017, Jerry Scharf wrote:

I hope this isn't in the archives, they are not up right now.

It should be up? When were they down?

I am running on centos 7 and the repo version of libreswan. The system is running a 4.9 kernel, other than that it's stock.

The symptoms are as follows: I can ping back and forth from the left and right machines to the 172.19.10.x/32 subnets. With tcpdump I see the esp packets go back and forth. When I try to ping the far gre tunnel endpoint, I can see the esp packets with tcpdump, but in a tcpdump of the gre tunnel on the far end, nothing comes out. (I tried to do this at first with systemd-networkd setting up the gre tunnel. When that didn't work, I went back to basics.) I have iptables running, but it passes all traffic to/from 172.16.0.0/12.

Run "ipsec verify" ?

Ensure IP forwarding is enabled for the appropriate devices and/or
iptables rules?

Check rp_filter settings?

Ensure traffic from/to 172.19.10.1 and 172.19.10.2 is not accidentally
NATed.

here is my current config that gets included:

# generated by ansible libreswan.j2
conn cst_sgs_int
   leftid=@cstborder1
   left=e.f.g.h
   leftsourceip=172.19.10.1
#    leftprotoport=gre
   rightid=@sgsborder2
   right=a.b.c.d
   rightsourceip=172.19.10.2
   leftrsasigkey=...
   rightrsasigkey=...
#    rightprotoport=gre
   authby=rsasig

conn cst_sgs_intsubnet
   also=cst_sgs_int
   leftsubnet=172.19.10.1/32
   rightsubnet=172.19.10.2/32
   auto=start

A little strange to put subnet= and sourceip= in different conns,
but since the first one has no auto= line it is fine and ignored
and only the cst_sgs_intsubnet is started.

Paul

--
Jerry Scharf, Soundhound DevOps
"What could possibly go wrong?"
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
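Paul's checklist (forwarding, rp_filter, and the sourceip addresses not being NATed) is the kind of thing worth scripting before the next tunnel. The script below is an added example for this thread, not code from the list, from Paul, or from libreswan; it turns the three checks into functions over text so it runs offline against constructed sample output. The interface names (eth0, gre1), the sysctl values and the MASQUERADE rule are assumptions; on a real host you would feed it `sysctl -a` and `iptables-save -t nat` instead. The NAT check models only `-s`/`-d` CIDRs and the `-j` target, and treats the packet as one that IPsec will protect, so a `-m policy --dir out --pol ipsec -j ACCEPT` rule is taken as matching it.

```shell
#!/bin/sh
# Added example (not from the thread or from libreswan): Paul's checklist as
# functions over text, run here against constructed sample output.
# Real inputs:  sysctl -a 2>/dev/null      and      iptables-save -t nat
# Interface names, sysctl values and the MASQUERADE rule are assumptions.

# Constructed sysctl output: forwarding off, strict rp_filter everywhere.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.gre1.rp_filter = 1'

# Constructed nat table: a catch-all MASQUERADE for 172.16.0.0/12, which also
# covers 172.19.10.1, so the sourceip address is rewritten before ESP sees it.
SAMPLE_NAT_BAD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/12 -o eth0 -j MASQUERADE
COMMIT'

# Same table with the usual fix: exempt traffic that will be IPsec-protected
# (xt_policy match) before the MASQUERADE rule is reached.
SAMPLE_NAT_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.16.0.0/12 -o eth0 -j MASQUERADE
COMMIT'

# ip_forward_state SYSCTL_TEXT -> prints "on" or "off"
ip_forward_state() {
  printf '%s\n' "$1" | awk -F' = ' '
    $1 == "net.ipv4.ip_forward" { print ($2 == "1") ? "on" : "off"; exit }'
}

# strict_rp_filter_ifaces SYSCTL_TEXT -> space-separated interfaces whose
# rp_filter is strict (1).  Strict mode drops decapsulated packets whose source
# would not be routed back out the same interface; 0 (off) and 2 (loose) pass.
strict_rp_filter_ifaces() {
  printf '%s\n' "$1" | awk -F' = ' '
    $1 ~ /^net\.ipv4\.conf\.[^.]+\.rp_filter$/ && $2 == "1" {
      split($1, a, "."); out = out (out == "" ? "" : " ") a[4]
    }
    END { print out }'
}

# nat_rules_hitting SRC DST NAT_TEXT -> prints the POSTROUTING MASQUERADE/SNAT
# rules that would rewrite a SRC->DST packet.  Rules are walked in order and an
# ACCEPT that matches the packet ends the walk, as the kernel would.
# Only -s/-d CIDRs (with "!" negation) and the -j target are modelled.
nat_rules_hitting() {
  printf '%s\n' "$3" | awk -v src="$1" -v dst="$2" '
    function toint(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    function covers(cidr, ip,  c, bits, q) {
      if (cidr == "") return 1                    # no -s/-d given: matches anything
      split(cidr, c, "/"); bits = (c[2] == "") ? 32 : c[2] + 0
      q = 2 ^ (32 - bits)                         # size of the host part
      return int(toint(c[1]) / q) == int(toint(ip) / q)
    }
    /^-A POSTROUTING / {
      s = ""; d = ""; sn = 0; dn = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") { s = $(i+1); sn = ($(i-1) == "!") }
        if ($i == "-d") { d = $(i+1); dn = ($(i-1) == "!") }
      }
      ms = covers(s, src); if (sn) ms = !ms
      md = covers(d, dst); if (dn) md = !md
      if (!ms || !md) next
      if ($0 ~ /-j ACCEPT( |$)/) exit             # packet leaves the chain untouched
      if ($0 ~ /-j (MASQUERADE|SNAT)( |$)/) print
    }'
}

# Stand-alone run: report on the constructed samples.
echo "ip_forward: $(ip_forward_state "$SAMPLE_SYSCTL")"
echo "strict rp_filter on: $(strict_rp_filter_ifaces "$SAMPLE_SYSCTL")"
echo "NAT rules hitting 172.19.10.1 -> 172.19.10.2 (bad table):"
nat_rules_hitting 172.19.10.1 172.19.10.2 "$SAMPLE_NAT_BAD"
echo "NAT rules hitting 172.19.10.1 -> 172.19.10.2 (fixed table):"
nat_rules_hitting 172.19.10.1 172.19.10.2 "$SAMPLE_NAT_GOOD"
```

With the sample data the first table flags the MASQUERADE rule (172.19.10.1 is inside 172.16.0.0/12, which is easy to overlook when the tunnel addresses were picked from the same RFC 1918 block as the LAN), while the second table prints nothing because the policy-match ACCEPT takes the IPsec-bound packet out of the chain first. The rp_filter check lists every interface still in strict mode, which on the GRE device is another way for decapsulated packets to vanish without any tcpdump on the far end showing them.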