Re: [Swan] having trouble getting libreswan and gre to work together

Mon, 28 Aug 2017 14:38:00 -0700 

Paul,
Thanks for responding. I copied this form from an explanation website. I realized after I posted it that because I was tunneling on top, I didn't need any of the subnet stuff. 


The problem turned out to be some subtle complexity of my situation and 
how iptables was being applied on the gre traffic. Once I got the right 
setting there, things worked fine.


Sorry for the bother,
jerry

On 08/27/2017 07:46 PM, Paul Wouters wrote:

On Tue, 22 Aug 2017, Jerry Scharf wrote:


I hope this isn't in the archives, they are not up right now.


It should be up? When were they down?


I am running on centos 7 and the repo version on libreswan. The system 
is running a 4.9 kernel, other than that it's stock.



The symptoms are as follow: I can ping back and forth from the left 
and right machines to the 172.19.10.x/32 subnets. With tcpdump I see 
the esp packets go back and forth. When I try to ping the far gre 
tunnel endpoint, I can see the edp packets with tcpdump but a tcpdump 
of the gre tunnel on the far end, nothing comes out. (I tried to do 
this at first with systemd-networkd setting up the gre tunnel. When 
that didn't work, I went back to basics.) I have iptables running, but 
it passes all traffic to/from 172.16.0.0/12.


Run "ipsec verify" ?

Ensure IP forwarding is enabled for the appropriate devices and/or
iptables rules?

Check rp_filter settings?

Ensure traffic from/to 172.19.10.1 and 172.19.10.2 is not accidentally
NATed.


here is my current config that gets included:

# generated by ansible libreswan.j2
conn cst_sgs_int
   leftid=@cstborder1
   left=e.f.g.h
   leftsourceip=172.19.10.1
#    leftprotoport=gre
   rightid=@sgsborder2
   right=a.b.c.d
   rightsourceip=172.19.10.2
   leftrsasigkey=...
   rightrsasigkey=...
#    rightprotoport=gre
   authby=rsasig

conn cst_sgs_intsubnet
   also=cst_sgs_int
   leftsubnet=172.19.10.1/32
   rightsubnet=172.19.10.2/32
   auto=start


A little strange to put subnet= and sourceip= in different conns,
but since the first one has no auto= line it is fine and ignored
and only the cst_sgs_intsubnet is started.

Paul


--
Jerry Scharf, Soundhound DevOps
"What could possibly go wrong?"
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan






















					Reply via email to