On Mon, 16 Aug 2021, brendan kearney wrote:
I have a road warrior config set up, and the tunnel establishes without issue. The problem I cannot track down is why the client never receives a reply (properly?). If I ping anything, or send any other traffic down the tunnel, I can see it on the "server" side. In the case of pings, I can see the response, but the client does not register the reply.
Check what "ipsec trafficstatus" says on the client. If you see inBytes=0 then perhaps a client-side firewall is in the way. You can check /proc/net/xfrm_stat for non-zero listings indicating a problem with the IPsec policies or states.
There are no firewalls in the path or running locally on either the client or the server. Where can I look for why traffic is not registering with the client (I believe it's actually getting to the client)?
Check and/or disable rp_filter?
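The three checks suggested in the replies above (inBytes=0 in "ipsec trafficstatus", non-zero counters in /proc/net/xfrm_stat, and strict rp_filter) can be scripted on the client. The script below is an added example written for this page; it is not libreswan code and not something posted in the thread. The function names are my own, and the sample trafficstatus, xfrm_stat and sysctl lines it runs against by default are constructed, so it can be exercised offline; run it with --live on the actual client (as root) to check the real system.

```shell
#!/bin/sh
# Added example: client-side checklist for a libreswan road-warrior tunnel
# that sends but never receives. Not libreswan code; helper names and the
# sample data in write_samples() are constructed for illustration.

# Print SAs from saved "ipsec trafficstatus" output that have sent traffic
# but received none (inBytes=0 while outBytes != 0). Exit status 1 if any.
sa_without_return_traffic() {
    awk '/inBytes=0,/ && !/outBytes=0,/ { print; found = 1 }
         END { exit found ? 1 : 0 }' "$1"
}

# Print every non-zero counter from a file in /proc/net/xfrm_stat format
# ("XfrmInNoPols 7"). Exit status 1 if any counter is non-zero, which is the
# "policy or state problem" hint mentioned above.
xfrm_nonzero_counters() {
    awk 'NF >= 2 && $2 != 0 { print; found = 1 }
         END { exit found ? 1 : 0 }' "$1"
}

# Print the sysctl keys of interfaces whose rp_filter is 1 (strict), reading
# "sysctl -a" style lines. Loose mode (2) and off (0) are not reported.
# Strict mode drops tunnel replies whose source does not route back out the
# same interface. Exit status 1 if any interface is strict.
rp_filter_strict_keys() {
    awk -F'[ =]+' '/^net\.ipv4\.conf\.[^.]+\.rp_filter/ && $2 == 1 { print $1; found = 1 }
                   END { exit found ? 1 : 0 }' "$1"
}

# Constructed sample inputs (not captured from a real host) so the checks
# can be run without a tunnel present.
write_samples() {
    cat > "$1/trafficstatus" <<'EOF'
006 #2: "rac", type=ESP, add_time=1629139200, inBytes=0, outBytes=1680, id='@router-ext.bpk2.com'
EOF
    cat > "$1/xfrm_stat" <<'EOF'
XfrmInError                     0
XfrmInNoStates                  0
XfrmInNoPols                    7
XfrmOutError                    0
EOF
    cat > "$1/sysctl" <<'EOF'
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
EOF
}

if [ "${1-}" = "--live" ]; then
    # Real checks on this host; "ipsec trafficstatus" needs root.
    ipsec trafficstatus | sa_without_return_traffic - \
        || echo "-> SA(s) with no inbound traffic: look for client-side filtering"
    xfrm_nonzero_counters /proc/net/xfrm_stat \
        || echo "-> non-zero XFRM counters: policy/state mismatch"
    sysctl -a 2>/dev/null | rp_filter_strict_keys - \
        || echo "-> strict rp_filter on the interfaces above: disable or set to 2 (loose)"
else
    dir=$(mktemp -d)
    write_samples "$dir"
    sa_without_return_traffic "$dir/trafficstatus" \
        || echo "-> no return traffic on that SA"
    xfrm_nonzero_counters "$dir/xfrm_stat" \
        || echo "-> XfrmInNoPols set: inbound packets matched no policy"
    rp_filter_strict_keys "$dir/sysctl" \
        || echo "-> strict rp_filter on those interfaces"
    rm -r "$dir"
fi
```

Each check prints the offending lines and returns 1 so it can be chained into a larger health check; a clean system prints nothing and returns 0 for all three.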
conn rac
    # Connection Parameters
    auto=add
    authby=secret
    #type=transport
    ikev2=insist
    ikelifetime=24h
    salifetime=1h
    rekey=yes
    fragmentation=yes
    compress=yes
    # Dead Peer Detection
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Local Definitions
    left=%defaultroute
    #leftsubnet=0.0.0.0/0
    leftid=munin.bpk2.com
    leftmodecfgclient=yes
    # Remote Definitions
    right=router-ext.bpk2.com
    rightsubnet=0.0.0.0/0
    # Pull Configs from Remote
    modecfgpull=yes
I don't see narrowing=yes in the client config, which would cause the client to narrow to the IP address it gets from the server address pool. So re-enable leftsubnet=0.0.0.0/0 and add narrowing=yes.
server config:

# Remote Access Connection
conn rac
    # Configuration Parameters
    auto=add
    authby=secret
    #type=transport
    ikelifetime=24h
    salifetime=1h
    ikev2=insist
    rekey=yes
    fragmentation=yes
    compress=yes
    # Dead Peer Detection
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Local Definitions
    left=192.168.152.254
    leftsubnet=0.0.0.0/0
    #leftid=ipsec.bpk2.com
    leftid=router-ext.bpk2.com
    # Remote Definitions
    right=%any
    rightid=%any
    #rightsubnet=vhost:%priv,%no
    #rightsubnet=0.0.0.0/0
    rightaddresspool=192.168.152.50-192.168.152.99
If you are handing out IPs from the local LAN network, that does complicate routing a bit if you are trying to reach other resources in the LAN. If you only care about getting an IP and internet access, that is okay. Otherwise I would recommend picking another range for the addresspool, like 100.64.0.0/16. That also clearly separates NAT for the addresspool and your LAN.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
