On 23/11/2022 05:03, Kumar P S Udai wrote:
Hi Paul
This was slightly confusing, because when I try to ping the HO (Europa)
machine's private IP (192.168.1.1), I get a destination host unreachable
message, all the while there was no change in the ESPout which remained
at 0. However when I tried to ping a particular machine within the HO
LAN such as 19.168.1.10, there is no reply, but the ESPout is going up
1K, 3K, 5K and so on...
Thanks, Best Regards
Udai
Check your firewalling in your libreswan machines. I use the following:
# Generic IPsec rules - normally you don't need the last two
iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
iptables -I POSTROUTING -t nat -m policy --dir out --pol ipsec -j ACCEPT
Return traffic is allowed by default.
Also, when pinging 192.168.1.10, be careful if it is a Windoze box. The
Windoze firewall will often be set up to block pings from outside its
own LAN and your pings will have a source IP from the other LAN. In that
case, you either temporarily stop the firewall or set up a rule to allow
the remote LAN.
Nick
On Sun, 20 Nov 2022 at 04:54, Paul Wouters <[email protected]> wrote:
Can you ping from that machine using its internal IP and see if
ESPout increases ?
Sent using a virtual keyboard on a phone
On Nov 19, 2022, at 13:14, Kumar P S Udai <[email protected]> wrote:
Hi Paul
I tried the above step and a few other possibilities too, but
there is no change in result
000 #8: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 26251s; newest ISAKMP; idle;
000 #9: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 26637s; newest IPSEC; eroute owner; isakmp#8; idle;
000 #9: "PLSUBNET" [email protected] [email protected] [email protected] [email protected] Traffic: ESPin=5KB ESPout=0B! ESPmax=0B
I use nftables on the machine and I added the equivalent command,
but to no avail. Also for an experiment's sake, I disabled the
NAT function on that machine and kept only the filter ruleset, but
even that did not change anything.
Thanks, best regards
Udai
On Fri, 18 Nov 2022 at 21:37, Paul Wouters <[email protected]> wrote:
On Fri, 18 Nov 2022, Kumar P S Udai wrote:
> One is at the HO establishing connection to three other branch offices,
> while all three are getting connected, at one branch office the public
> IP is not configured on the machine directly, but on an external
> vendor's router. Initially I had trouble establishing connection to
> this unit, but after a lot of reading and config change, the connection
> is getting established now, but I cannot ping or reach each other.
> Attaching the config details FYI please. Would appreciate any help from
> the community.
> ON MACHINE PLUTO
> 000 #45: "PLSUBNET" [email protected] [email protected] [email protected] [email protected] Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
Note traffic coming in, but no traffic going out.
> ON MACHINE EUROPA
> 000 #6276: "PLUTOSUBNET" [email protected] [email protected] [email protected] [email protected] Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
> 000
Traffic going out, but no traffic coming in.
I suspect that on machine PLUTO, there is a NAT rule that ends up NATing
the traffic before it gets to be IPsec'ed
On PLUTO try:
iptables -I POSTROUTING -t nat -s 192.168.14.0/24 -d 192.168.1.0/24 -j RETURN
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
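The one-way ESPin/ESPout pattern the thread reasons about, as an added example that is not from the thread or from libreswan itself: a small Python parser for the Traffic: counters in "ipsec status" output, plus a diagnose() function that maps the pattern to the side worth inspecting. The sample lines are constructed from the quoted ones, with the redacted address fields kept exactly as they appear in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the status lines quoted in the thread
# (SPI/address fields are redacted there, so they are left as-is here).
SAMPLE_STATUS = """\
000 #8: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); newest ISAKMP; idle;
000 #45: "PLSUBNET" [email protected] [email protected] Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
000 #6276: "PLUTOSUBNET" [email protected] [email protected] Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
"""

# Traffic: field of a libreswan child-SA status line; the trailing "!" seen
# after some counters in the thread is tolerated but not interpreted.
TRAFFIC_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)".*?Traffic: '
    r'ESPin=(?P<inb>\d+)(?P<inu>[KMG]?B)!? ESPout=(?P<outb>\d+)(?P<outu>[KMG]?B)!?'
)
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

@dataclass
class SaTraffic:
    conn: str
    sa: int
    esp_in: int   # bytes received through this child SA
    esp_out: int  # bytes sent through this child SA

def parse_status(text: str) -> list:
    """Extract per-SA ESP byte counters; IKE SA/state lines are skipped."""
    result = []
    for line in text.splitlines():
        m = TRAFFIC_RE.match(line)
        if m:
            result.append(SaTraffic(
                conn=m["conn"], sa=int(m["sa"]),
                esp_in=int(m["inb"]) * UNIT[m["inu"]],
                esp_out=int(m["outb"]) * UNIT[m["outu"]],
            ))
    return result

def diagnose(t: SaTraffic) -> str:
    """Classify the counter pattern the way the thread reasons about it."""
    if t.esp_in == 0 and t.esp_out == 0:
        return "idle: nothing has been sent through the tunnel yet"
    if t.esp_out == 0:
        return ("in-only: this host never sends ESP; check for a NAT rule "
                "rewriting the traffic before IPsec and for the policy-match "
                "FORWARD/POSTROUTING rules on this host")
    if t.esp_in == 0:
        return "out-only: the far end is not replying through the tunnel"
    return "two-way"
```

Run parse_status() over the output of "ipsec status" on each peer and compare the two sides: the thread's case shows in-only on PLUTO and out-only on EUROPA, which points at PLUTO's NAT rules rather than at the tunnel itself.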