list members,

i am working on some tunnels, and in all cases i can get the tunnel to come up but replies seem to be rejected. in my road warrior config, the connecting client is seen replying with ICMP udp port unreachable messages:

[root@vpn ipsec.d]# tcpdump -n -s0 -i bond0 host 192.168.152.50
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:07:31.560280 IP 192.168.152.50.54837 > 192.168.120.254.domain: 20531+ A? relp.bpk2.com. (31)
13:07:31.561120 IP 192.168.120.254.domain > 192.168.152.50.54837: 20531* 1/0/0 A 192.168.120.4 (47)
13:07:31.561201 IP 192.168.152.50 > 192.168.120.254: ICMP 192.168.152.50 udp port 54837 unreachable, length 83

the client, 192.168.152.50, is trying to look up a logging destination against the DNS server. The DNS server replies with the address. then the ICMP port unreachable message. i have a sneaking suspicion that the ICMP message is coming from the vpn server, and not the vpn client, because there is some config option i am missing.

i have forwarding turned on in sysctl, and ICMP redirects turned off.  additionally, source route verification is set to "loose" (net.ipv4.conf.*.rp_filter = 2).

what am i missing that is causing these port unreachable messages?

VPN Server config:

# Remote Access Connection
conn rac
    # Local Definitions
    left=ipsec.bpk2.com
    leftsubnet=0.0.0.0/0
    # Remote Definitions
    right=%any
    rightid=%any
    rightaddresspool=192.168.152.50-192.168.152.99
    # Configuration Parameters
    auto=add
    authby=secret
    ikelifetime=24h
    salifetime=1h
    ikev2=insist
    rekey=yes
    fragmentation=yes
    # Dead Peer Detection
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

VPN Client config:

# Remote Access Connection
conn rac
    # Local Definitions
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftmodecfgclient=yes
    # Remote Definitions
    right=host.domain.tld
    rightid=192.168.152.254
    rightsubnet=0.0.0.0/0
    # Configuration Parameters
    auto=add
    authby=secret
    ikev2=insist
    ikelifetime=24h
    salifetime=1h
    rekey=yes
    fragmentation=yes
    # Dead Peer Detection
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

thanks in advance,

brendan kearney

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan