On Mon, 30 Aug 2021, brendan kearney wrote:

On Mon, Aug 16, 2021, 2:05 PM brendan kearney <[email protected]> wrote:
      I have a road warrior config set up, and the tunnel establishes without
      issue.  The problem I cannot track down is why the client never
      receives a reply (properly?).  If I ping anything, or send any other
      traffic down the tunnel, I can see it on the "server" side.  In the
      case of pings, I can see the response, but the client does not
      register the reply.  There are no firewalls in the path or running
      locally on either the client or the server.  Where can I look for why
      traffic is not registering with the client (I believe it's actually
      getting to the client)?

Are you also sure there is no NAT happening for the traffic? My guess is
that because the below config is going to use the client public IP, you
are accidentally NATing things.

      client config:
      # Remote Access Connection
      conn rac
          # Connection Parameters
          auto=add
          authby=secret
          #type=transport
          ikev2=insist
          ikelifetime=24h
          salifetime=1h
          rekey=yes
          fragmentation=yes
          compress=yes
          # Dead Peer Detection
          dpddelay=30
          dpdtimeout=120
          dpdaction=clear
          # Local Definitions
          left=%defaultroute
          #leftsubnet=0.0.0.0/0
          leftid=munin.bpk2.com
          leftmodecfgclient=yes
          # Remote Definitions
          right=router-ext.bpk2.com
          rightsubnet=0.0.0.0/0
          # Pull Configs from Remote
          modecfgpull=yes

I am missing leftsubnet=0.0.0.0/0 and narrowing=yes to ensure the client
gets a dynamic IP from the server's addresspool.

      server config:
      # Remote Access Connection
      conn rac
          # Configuration Parameters
          auto=add
          authby=secret
          #type=transport
          ikelifetime=24h
          salifetime=1h
          ikev2=insist
          rekey=yes
          fragmentation=yes
          compress=yes

Don't use compress=yes

          # Dead Peer Detection
          dpddelay=30
          dpdtimeout=120
          dpdaction=clear
          # Local Definitions
          left=192.168.152.254
          leftsubnet=0.0.0.0/0
          #leftid=ipsec.bpk2.com
          leftid=router-ext.bpk2.com
          # Remote Definitions
          right=%any
          rightid=%any
          #rightsubnet=vhost:%priv,%no
          #rightsubnet=0.0.0.0/0
          rightaddresspool=192.168.152.50-192.168.152.99
          # Push Configs to Remote
          modecfgdns=192.168.120.254
          modecfgdomains=bpk2.com

Ensure that 192.168.152.50-192.168.152.99 would be properly routed and/or
NATed, depending on what you want to accomplish. If you just want the
VPN client to get "internet access", you need to SNAT or MASQUERADE the
traffic with these source IPs.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
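Putting the three points from the reply above together (client needs leftsubnet=0.0.0.0/0 plus narrowing=yes, drop compress=yes, and source-NAT the address pool on the server), here is an added worked example. It is not from the thread and not libreswan project code. The WAN interface name eth0, the nftables table and chain names, and the /etc/ipsec.d/rac.conf path are assumptions; the pool range and peer names are the ones posted above.

```shell
#!/bin/sh
# Added example: corrected road-warrior client conn, server-side source NAT
# for the address pool, and the checks to run on each side. Assumed values:
# WAN_IF (eth0), nft table "ip nat" / chain "postrouting", conf path.

POOL_START=192.168.152.50
POOL_END=192.168.152.99
WAN_IF="${WAN_IF:-eth0}"

# Client side. Compared with the posted client conn: leftsubnet=0.0.0.0/0
# and narrowing=yes let the server narrow the client's traffic selector to
# the single address it hands out from rightaddresspool, so the client
# installs an IPsec policy for that pool address and replies to it match.
# Without that, the client's selector is its public address and decrypted
# replies addressed to the pool IP are dropped. compress=yes is removed.
write_client_conn() {   # $1 = output file (e.g. /etc/ipsec.d/rac.conf)
    cat >"$1" <<'EOF'
conn rac
    auto=add
    authby=secret
    ikev2=insist
    ikelifetime=24h
    salifetime=1h
    rekey=yes
    fragmentation=yes
    # no compress= line: leave IPComp off
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid=munin.bpk2.com
    leftmodecfgclient=yes
    narrowing=yes
    right=router-ext.bpk2.com
    rightsubnet=0.0.0.0/0
    modecfgpull=yes
EOF
}

# Server side: the nft rule text that masquerades pool addresses as they
# leave on the WAN interface. Replies come back to the server's WAN address,
# are de-NATed to the pool IP and routed into the tunnel. Traffic *to* the
# pool is not matched (saddr is not in the range), so nothing is rewritten
# before encryption.
pool_masquerade_rule() {
    printf 'add rule ip nat postrouting ip saddr %s-%s oifname %s masquerade\n' \
        "$POOL_START" "$POOL_END" "$WAN_IF"
}

apply_server_nat() {   # run as root on the server
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nft list table ip nat >/dev/null 2>&1 || nft add table ip nat
    nft list chain ip nat postrouting >/dev/null 2>&1 || \
        nft add chain ip nat postrouting \
            '{ type nat hook postrouting priority 100; policy accept; }'
    # shellcheck disable=SC2046
    nft $(pool_masquerade_rule)
}

# Checks for the "outbound works, replies vanish" symptom from the thread.
verify_tunnel() {
    ipsec trafficstatus   # outBytes rising while inBytes stays 0 = replies never hit the SA
    ip xfrm policy        # client: 'out' policy src must be the pool address, not the public IP
    ip -s xfrm state      # error counters on the inbound SA (replay, decap failures)
    ip addr show          # client: the assigned pool address should be present
}

case "${1:-}" in
    client) write_client_conn /etc/ipsec.d/rac.conf ;;
    server) apply_server_nat ;;
    verify) verify_tunnel ;;
esac
```

Run it as `sh rac-example.sh client` on the road warrior, `sh rac-example.sh server` on router-ext, then `sh rac-example.sh verify` on whichever side is not seeing traffic. If the server's own LAN (192.168.152.0/24) is the destination rather than the internet, no NAT is needed for that traffic; it only has to be routable, which it is here because the pool is carved out of the LAN subnet.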