Using the wiki's host-to-host and subnet-to-subnet VPN pages.
My two gateway hosts are running
Left:    Fedora 27 (libreswan 3.23-1)
Right:   Centos 7.4 (libreswan 3.20-5)

My two config files (identical on left and right) are:
config setup
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn mysubnet
        also=mytunnel
        leftsubnet=10.20.0.0/24
        leftsourceip=10.20.0.1
        rightsubnet=10.20.1.0/24
        rightsourceip=10.20.1.1

conn mytunnel
        leftid=@north
        left=209.180.19.125
        leftrsasigkey=0sAwEAAd...beWau7c=

        rightid=@south
        right=208.126.137.239
        rightrsasigkey=0sAw...rFkWJUsz3vT

        authby=rsasig
        auto=add



Tunnels come up, and ipsec status on the left shows:
000 Total IPsec connections: loaded 2, active 2
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(3), authenticated(3), anonymous(0)
000
000 #6: "mysubnet":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27694s; isakmp#5; idle; import:not set
000 #6: "mysubnet" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #7: "mysubnet":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27003s; newest IPSEC; eroute owner; isakmp#5; idle; import:admin initiate
000 #7: "mysubnet" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=52KB ESPout=6KB! ESPmax=4194303B
000 #5: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2494s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #8: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26947s; newest IPSEC; eroute owner; isakmp#5; idle; import:admin initiate
000 #8: "mytunnel" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000
000 Bare Shunt list:
000


And the right is similar:
000 Total IPsec connections: loaded 4, active 2
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(3), authenticated(3), anonymous(0)
000
000 #11: "mysubnet":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27618s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #11: "mysubnet" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=6KB ESPout=59KB! ESPmax=4194303B
000 #10: "mysubnet":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26916s; isakmp#9; idle; import:admin initiate
000 #10: "mysubnet" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #9: "mysubnet":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1925s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #12: "mytunnel":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27623s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #12: "mytunnel" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000


But nothing is actually working: no pings, no ssh, nothing between the two sites.
I've done some tcpdumps (tcpdump -nni enp1s0f1 icmp).

pinging from 10.20.0.66 (behind left) to 10.20.1.10 (behind right) yields something very strange:
The right tcpdump shows:
22:08:22.898118 IP 10.20.0.66 > 10.20.1.10: ICMP echo request, id 7793, seq 6, length 64
22:08:22.898285 IP 10.20.1.10 > 10.20.0.66: ICMP echo reply, id 7793, seq 6, length 64

as you would expect. So packets are getting from the left to the right correctly, and are being sent back to the left.

But at the same time the left tcpdump is showing:
tcpdump -nni ppp0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
22:10:05.698183 IP 8.0.1.10 > 10.20.0.66: ICMP echo request, id 11456, seq 902, length 64
22:10:06.348152 IP 8.0.1.10 > 10.20.0.66: ICMP echo reply, id 7793, seq 107, length 64

Notice the IP address has changed from 10.20.1.10 to 8.0.1.10 when the packets arrive back.

Similar results occur with every combination of host and gateway pings.

What could be changing the IP addresses?



More details of the two connections:
Left is a dsl connection that uses pppoe running on the left host.
Right is a direct fiber connection with no pppoe or anything.

My ifconfig output is:
Left
ifconfig
enp2s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.0.2  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::a236:9fff:fe83:5e60  prefixlen 64 scopeid 0x20<link>
        ether a0:36:9f:83:5e:60  txqueuelen 1000 (Ethernet)
        RX packets 81767715  bytes 38091700150 (35.4 GiB)
        RX errors 0  dropped 240655  overruns 0  frame 0
        TX packets 64270846  bytes 7531472566 (7.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0
        device memory 0xfea80000-feafffff

enp2s0f1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether a0:36:9f:83:5e:61  txqueuelen 1000 (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0
        device memory 0xfe900000-fe97ffff

enp2s0f2: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether a0:36:9f:83:5e:62  txqueuelen 1000 (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0
        device memory 0xfe880000-fe8fffff

enp2s0f3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.20.0.1  netmask 255.255.255.0  broadcast 10.20.0.255
        inet6 fe80::a236:9fff:fe83:5e63  prefixlen 64 scopeid 0x20<link>
        ether a0:36:9f:83:5e:63  txqueuelen 1000 (Ethernet)
        RX packets 49789371  bytes 5314457511 (4.9 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 115234136  bytes 118993419302 (110.8 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0
        device memory 0xfe800000-fe87ffff

enp2s0f3:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.20.64.1  netmask 255.255.255.0  broadcast 10.20.64.255
        ether a0:36:9f:83:5e:63  txqueuelen 1000 (Ethernet)
        device memory 0xfe800000-fe87ffff

enp3s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 6c:62:6d:52:f6:1e  txqueuelen 1000 (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2769253  bytes 82672447634 (76.9 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2769253  bytes 82672447634 (76.9 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
        inet 209.180.19.125  netmask 255.255.255.255 destination 207.109.2.20
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 69690051  bytes 26269295527 (24.4 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 56286680  bytes 5288269919 (4.9 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0


route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         0.0.0.0         0.0.0.0         U 0      0        0 ppp0
10.20.0.0       0.0.0.0         255.255.255.0   U 100    0        0 enp2s0f3
10.20.1.0       0.0.0.0         255.255.255.0   U 0      0        0 ppp0
10.20.64.0      0.0.0.0         255.255.255.0   U 100    0        0 enp2s0f3
192.168.0.0     0.0.0.0         255.255.255.0   U 100    0        0 enp2s0f0
stpl-dsl-gw20.s 0.0.0.0         255.255.255.255 UH 0      0        0 ppp0




Right:
enp1s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 208.126.137.239  netmask 255.255.255.0 broadcast 208.126.137.255
        inet6 fe80::215:17ff:fe6d:35fe  prefixlen 64 scopeid 0x20<link>
        ether 00:15:17:6d:35:fe  txqueuelen 1000 (Ethernet)
        RX packets 18577652  bytes 2551903161 (2.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31662614  bytes 47358291682 (44.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0
        device interrupt 29  memory 0xfea80000-feaa0000

enp1s0f1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.20.1.1  netmask 255.255.255.255  broadcast 10.20.1.1
        inet6 fe80::215:17ff:fe6d:35ff  prefixlen 64 scopeid 0x20<link>
        ether 00:15:17:6d:35:ff  txqueuelen 1000 (Ethernet)
        RX packets 31923827  bytes 47457739354 (44.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18693201  bytes 2137620503 (1.9 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0
        device interrupt 33  memory 0xfea20000-fea40000

enp1s0f1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.20.128.1  netmask 255.255.255.255 broadcast 10.20.128.1
        ether 00:15:17:6d:35:ff  txqueuelen 1000 (Ethernet)
        device interrupt 33  memory 0xfea20000-fea40000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 987  bytes 151163 (147.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 987  bytes 151163 (147.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0 broadcast 192.168.122.255
        ether 52:54:00:a7:ad:4b  txqueuelen 1000 (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0


route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    0      0        0 enp1s0f0
10.20.0.0       gateway         255.255.255.0   UG    0      0        0 enp1s0f0
10.20.1.0       0.0.0.0         255.255.255.0   U 0      0        0 enp1s0f1
10.20.128.0     0.0.0.0         255.255.255.0   U 0      0        0 enp1s0f1
link-local      0.0.0.0         255.255.0.0     U 0      0        0 enp1s0f1
link-local      0.0.0.0         255.255.0.0     U 1003   0        0 enp1s0f0
link-local      0.0.0.0         255.255.0.0     U 1004   0        0 enp1s0f1
192.168.122.0   0.0.0.0         255.255.255.0   U 0      0        0 virbr0
208.126.137.0   0.0.0.0         255.255.255.0   U 0      0        0 enp1s0f0

The firewalls are both running shorewall and I believe the configurations are correct, but I can include those files if needed.

I've been working on this for a couple days, and nothing seems to make sense.
Thanks,
Brian
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

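An added example, not part of Brian's post or of libreswan: a small script that does mechanically what the post does by eye, pairing ICMP echo requests with their replies in tcpdump -nn output by (id, seq) and flagging any reply whose source address is not the address that was pinged. It also checks each address against the leftsubnet/rightsubnet selectors from the posted config (10.20.0.0/24 and 10.20.1.0/24), because an address such as 8.0.1.10 falls outside both, so a packet carrying it cannot have matched the tunnel's traffic selectors and must have been rewritten or sourced outside the IPsec policy. The sample capture lines are constructed, modelled on the two captures in the post, with sequence numbers aligned so that a request and its reply appear in the same trace.

```python
import ipaddress
import re

# Constructed sample traces modelled on the captures in the post.
# The right-hand trace is healthy: the reply comes back from the pinged host.
RIGHT_CAPTURE = """\
22:08:22.898118 IP 10.20.0.66 > 10.20.1.10: ICMP echo request, id 7793, seq 6, length 64
22:08:22.898285 IP 10.20.1.10 > 10.20.0.66: ICMP echo reply, id 7793, seq 6, length 64
"""

# The left-hand trace reproduces the anomaly: the request went to 10.20.1.10 but the
# reply (same id/seq) arrives from 8.0.1.10, and a stray request also arrives from 8.0.1.10.
LEFT_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
22:10:05.100000 IP 10.20.0.66 > 10.20.1.10: ICMP echo request, id 7793, seq 107, length 64
22:10:05.698183 IP 8.0.1.10 > 10.20.0.66: ICMP echo request, id 11456, seq 902, length 64
22:10:06.348152 IP 8.0.1.10 > 10.20.0.66: ICMP echo reply, id 7793, seq 107, length 64
"""

# Traffic selectors taken from the posted conn (leftsubnet / rightsubnet).
TUNNEL_SUBNETS = [ipaddress.ip_network("10.20.0.0/24"),
                  ipaddress.ip_network("10.20.1.0/24")]

# Matches the ICMP echo lines tcpdump -nn prints; other lines (banners, ESP) are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Return one dict per ICMP echo request/reply line in a tcpdump -nn capture."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts


def in_tunnel(addr):
    """True if addr is covered by one of the configured tunnel subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TUNNEL_SUBNETS)


def audit(text):
    """Pair requests with replies by (id, seq) and return human-readable findings."""
    requests = {}
    findings = []
    for p in parse_icmp(text):
        key = (p["id"], p["seq"])
        if p["kind"] == "request":
            requests[key] = p
            if not (in_tunnel(p["src"]) and in_tunnel(p["dst"])):
                findings.append(f"request {p['src']} > {p['dst']} (id {p['id']} seq {p['seq']}) "
                                f"has an endpoint outside the tunnel subnets")
            continue
        req = requests.get(key)
        if req is None:
            findings.append(f"unmatched reply {p['src']} > {p['dst']} (id {p['id']} seq {p['seq']})")
            continue
        if p["src"] != req["dst"]:
            note = (f"reply to {req['dst']} arrived from {p['src']} "
                    f"(id {p['id']} seq {p['seq']})")
            if not in_tunnel(p["src"]):
                note += "; source is outside both tunnel subnets"
            findings.append(note)
    return findings


if __name__ == "__main__":
    for name, cap in (("right", RIGHT_CAPTURE), ("left", LEFT_CAPTURE)):
        print(f"{name}: {audit(cap) or ['no anomalies']}")
```

To use it on the real problem, replace the constructed strings with the output of tcpdump -nni <iface> icmp from each gateway; a finding on one side but not the other narrows the rewrite to the path between that capture point and the peer.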