Thanks for the reply. For testing, the client would be natively on the 192.168.1.0/24 network if wired, or the 192.168.24.0/24 network if wireless, so the IP ranges and subnet for the IPSec connection are on a separate network.
I do have proxy arp configured on the VPN box, already. Not sure if that clobbers things. I am running BGP on the box too, and injecting the route to the 192.168.152.0/24 network via the on-wire interface. Would dynamic routing cause any interference?

Thanks and happy new year,

Brendan

On Thu, Dec 29, 2022, 6:44 PM Paul Wouters <[email protected]> wrote:

> On Wed, 21 Dec 2022, Brendan Kearney wrote:
>
> > Subject: [Swan] Tunnel is up, but getting udp port xxxx unreachable
> >
> > connecting client is seen replying with ICMP udp port unreachable messages:
>
> > VPN Server config:
> > conn rac
> >     leftsubnet=0.0.0.0/0
> >     right=%any
> >     rightaddresspool=192.168.152.50-192.168.152.99
> > [...]
>
> > VPN Client config:
> > conn rac
> >     left=%defaultroute
> >     leftsubnet=0.0.0.0/0
> >     leftmodecfgclient=yes
> >     # Remote Definitions
> >     right=host.domain.tld
> >     rightid=192.168.152.254
> >     rightsubnet=0.0.0.0/0
>
> You are handing out IPs in the same /24 as the LAN itself? That might
> cause problems if machines in the LAN are a true /24. You would need
> proxyarp and what not and it complicates things.
>
> I'd recommend splitting off the addresspool into a real separate network.
>
> Paul
>
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
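The point Paul raises in the quoted reply is whether the `rightaddresspool` range lands inside a /24 that is also a real LAN segment, because that is what forces proxy ARP onto the VPN box and complicates routing. The script below is an added example, not code from the thread or from libreswan: it parses a libreswan-style `first-last` pool and reports which LAN prefixes it overlaps. The function names (`parse_pool`, `pool_conflicts`) are my own; the pool and the 192.168.1.0/24 and 192.168.24.0/24 prefixes are the ones named in the thread, and the 192.168.152.0/24 LAN entry is a constructed case showing what an overlapping layout would look like.

```python
"""Check whether an IPsec address pool overlaps the LAN subnets.

Added example, not from the swan thread or from libreswan. It performs the
sanity check discussed in the thread: pool addresses handed out from the
same prefix as a live LAN segment need proxy ARP and complicate routing,
so a separate pool network is the safer layout.
"""
import ipaddress


def parse_pool(pool: str):
    """Parse a libreswan-style 'first-last' pool into CIDR blocks.

    The pool string is split on '-' and summarised into the minimal list
    of networks covering the range, so overlap checks can use
    ip_network.overlaps() instead of iterating every address.
    """
    first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
    if last < first:
        raise ValueError(f"pool end {last} precedes pool start {first}")
    return list(ipaddress.summarize_address_range(first, last))


def pool_conflicts(pool: str, lan_subnets):
    """Return the LAN prefixes (as strings) that overlap any pool block."""
    blocks = parse_pool(pool)
    conflicts = []
    for lan in lan_subnets:
        net = ipaddress.ip_network(lan, strict=False)
        if any(net.overlaps(block) for block in blocks):
            conflicts.append(str(net))
    return conflicts


if __name__ == "__main__":
    # Values from the thread: the pool and the two client-side LAN prefixes.
    POOL = "192.168.152.50-192.168.152.99"
    THREAD_LANS = ["192.168.1.0/24", "192.168.24.0/24"]
    # Constructed case: a LAN segment that shares the pool's /24.
    OVERLAPPING_LANS = ["192.168.1.0/24", "192.168.152.0/24"]

    print("pool blocks:", [str(b) for b in parse_pool(POOL)])
    print("conflicts (thread layout):", pool_conflicts(POOL, THREAD_LANS))
    print("conflicts (overlapping layout):", pool_conflicts(POOL, OVERLAPPING_LANS))
```

Run as a script it prints the pool split into CIDR blocks and an empty conflict list for the layout Brendan describes, while the constructed 192.168.152.0/24 LAN is flagged; `strict=False` lets you paste interface addresses such as `192.168.152.254/24` straight from the server without first normalising them to a network address.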
