Discussion:
[strongSwan] farp and ndp proxy not working
Robert Dyck
2018-11-19 23:48:17 UTC
Since upgrading the strongswan server using the Fedora upgrade method (28 to
29, strongswan now 5.7.1) I have no success sending traffic through the VPN.
Before sending huge amounts of data to the list I am looking for suggestions
to help me debug this myself.

The configuration hasn't changed. My rather simple road warrior setup which
had been working now doesn't. The tunnel comes up without errors. I see the
ESP keep alive traffic. To me everything looks good such as statusall, routing
table, iptables and there are no error logs. When I send pings from the RW I
see the spike in ESP traffic which does not seem to get routed.

The heart of the issue seems to be farp and ndp proxy. When contacting an IP
address the system first tries to associate it with an interface using arp or
address solicitation in the case of ipv6. With Wireshark I see only requests
but no responses. Farp does appear on the list of plugins and for ipv6 I
have a modified _updown that configures ndp proxy. Ndp proxy is enabled in
sysctl for all and for the specific interface. There is only one interface. I
checked forwarding in sysctl as well.

Suggestions? Which debug configuration to use?
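The symptom described above (ARP requests and neighbour solicitations seen in Wireshark, but never a reply) is what you get when the gateway is not answering on behalf of the client's virtual IP. The following POSIX sh script is an added diagnostic example, not code from this thread or from strongSwan: it audits the sysctl knobs that IP forwarding and NDP proxying depend on, and checks whether a given virtual IPv6 address actually appears in the kernel's proxy neighbour table (what a modified _updown hook is supposed to add with `ip -6 neigh add proxy <addr> dev <iface>`). The interface name `eth0`, the addresses and the sample `ip -6 neigh show proxy` output are constructed for the example; the line format `<addr> dev <iface> proxy` is what iproute2 prints.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread or from strongSwan).
# Checks the host-side prerequisites for a farp (IPv4) / NDP-proxy (IPv6)
# road-warrior gateway. Interface, addresses and sample output are constructed.

# check_sysctls name=value [name=value ...]
# Returns 0 when every value is "1"; prints each knob that is not and returns 1.
check_sysctls() {
    missing=0
    for kv in "$@"; do
        name=${kv%%=*}
        value=${kv#*=}
        if [ "$value" != "1" ]; then
            echo "NOT SET: $name (got '$value')"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# has_ndp_proxy_entry <ipv6-addr> <iface>
# Reads `ip -6 neigh show proxy` output on stdin; returns 0 if the address is
# proxied on that interface. Without such an entry the kernel never answers a
# neighbour solicitation for the client's virtual IP, so no traffic reaches it.
has_ndp_proxy_entry() {
    awk -v a="$1" -v d="$2" \
        '$1 == a && $2 == "dev" && $3 == d && $4 == "proxy" { found = 1 }
         END { exit !found }'
}

# Constructed sample of what `ip -6 neigh show proxy` prints when an _updown
# hook has added proxy entries for two connected clients.
SAMPLE_PROXY_TABLE='2001:db8:1::10 dev eth0 proxy
2001:db8:1::11 dev eth0 proxy'

# audit_live <iface> <client-ipv6-addr>
# Runs the checks against the live system (needs sysctl and ip; run as root).
# For IPv4 the equivalent is confirming the farp plugin is listed by
# `ipsec statusall` and that the virtual IP lies inside the LAN subnet.
audit_live() {
    iface=$1
    addr=$2
    check_sysctls \
        "net.ipv4.ip_forward=$(sysctl -n net.ipv4.ip_forward)" \
        "net.ipv6.conf.all.forwarding=$(sysctl -n net.ipv6.conf.all.forwarding)" \
        "net.ipv6.conf.all.proxy_ndp=$(sysctl -n net.ipv6.conf.all.proxy_ndp)" \
        "net.ipv6.conf.$iface.proxy_ndp=$(sysctl -n "net.ipv6.conf.$iface.proxy_ndp")"
    if ip -6 neigh show proxy | has_ndp_proxy_entry "$addr" "$iface"; then
        echo "proxy entry present for $addr on $iface"
    else
        echo "NO proxy entry for $addr on $iface (expected: ip -6 neigh add proxy $addr dev $iface)"
        return 1
    fi
}

# Only touch the live system when an interface and address are given,
# e.g.:  sh audit.sh eth0 2001:db8:1::10
if [ "$#" -eq 2 ]; then
    audit_live "$1" "$2"
fi
```

Run it with the gateway's LAN interface and the virtual IP the client was assigned; a "NO proxy entry" line means the _updown hook did not run or did not add the entry for that client, which would match seeing solicitations without answers on the wire.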
Robert Dyck
2018-11-21 20:00:31 UTC
Update
I added a rightsubnet entry at the server and brought up the tunnel. On the RW
I added an IP on the subnet. I was able to ping the IP address from the
server.