[strongSwan] no traffic without promisc mode

Noel Kuntze noel at familie-kuntze.de
Tue Dec 16 19:51:22 CET 2014



Hello Denis,

It is not necessary to set the interface to promiscuous mode for IPsec to work. I think this is a fault in your network configuration on the host
or a side effect of the bridge. I think you should look at your bridge configuration and how your guests are assigned to it. Do you use the charon.interfaces_use or
charon.interfaces_ignore lines in strongswan.conf? Maybe they play into it. You should maybe also look at any firewall rules you have, especially NAT or similar techniques.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 14.12.2014 at 22:02, Denis Zinevich wrote:
> Made a few more tests:
> If I disable bridging mode (use just eth0), everything works fine; eth0 is not in promisc mode.
> By default, when enabling bridging, eth0 is in promisc mode and br0 is not. When I enable promisc mode on br0, traffic goes fine.
> Captured packets with tcpdump -p (to avoid promisc mode being set by tcpdump), so I captured a few pcap files (promisc on/off) and checked them with wireshark; in both cases the packets are totally identical (mac addresses, etc.).
> However, the interesting thing is: when br0 is not in promisc mode, I captured packets on two ifaces, br0 and eth0. In this case I can see responses on eth0 but not on br0. So now I'm not even sure the problem is with the tunnel and not with the bridge.
>
> 13.12.2014, 19:33, "Denis Zinevich" <link at ngc.net.ua>:
>> Hello,
>>
>> I've made a test setup and was happy with it; it was on a VMware virtual machine. When I did the same on metal servers, I found that the client connects successfully but traffic does not pass the VPN gateway.
>> While trying to debug the issue I used tcpdump and noticed that when I do "tcpdump -ni br0", traffic can pass through the gateway.
>> Finally, via "netstat -i", I found that on the virtual machine the br0 bridge iface is in promisc mode by default, while on the hardware machines it is not. Enabling/disabling promisc mode on the metal server confirmed this. So the question is: is promisc mode mandatory for IPsec to work, or am I missing something? If it's mandatory, why does strongswan not put the iface in promisc mode when started? Or is this a bridging nuance?
>> Spent some time checking the documentation but didn't find any answers yet.
>> Thanks in advance.
>>
>> --
>> Denis
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
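A small diagnostic for the points raised above (whether br0 and its bridge members carry the PROMISC flag, and whether charon is restricted to particular interfaces via interfaces_use / interfaces_ignore), added here as an example and not part of the thread. The `ip -o link show` output and the strongswan.conf fragment are constructed samples; on a real host feed the live command output and /etc/strongswan.conf instead.

```shell
#!/bin/sh
# Constructed sample of `ip -o link show` output: eth0 is a bridge member in
# promiscuous mode, br0 is the bridge and is NOT promiscuous (the situation
# described in the thread).
SAMPLE_IP_LINK='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# Constructed strongswan.conf fragment restricting charon to br0.
SAMPLE_CONF='charon {
    load_modular = yes
    interfaces_use = br0
}'

# promisc_state IFACE: reads `ip -o link show` text on stdin and prints
# "on" / "off" for that interface's PROMISC flag, or "unknown" if absent.
promisc_state() {
    awk -v ifc="$1" '
        $2 == (ifc ":") {
            if ($3 ~ /[<,]PROMISC[,>]/) print "on"; else print "off"
            found = 1
        }
        END { if (!found) print "unknown" }'
}

# bridge_members BRIDGE: prints the interfaces whose "master" is BRIDGE.
bridge_members() {
    awk -v br="$1" '{
        for (i = 1; i <= NF; i++)
            if ($i == "master" && $(i + 1) == br) { sub(/:$/, "", $2); print $2 }
    }'
}

# charon_iface_restriction: reads strongswan.conf text on stdin and prints any
# interfaces_use / interfaces_ignore setting, or "none" if charon is unrestricted.
charon_iface_restriction() {
    awk '/^[[:space:]]*interfaces_(use|ignore)[[:space:]]*=/ {
            sub(/^[[:space:]]*/, ""); print; found = 1
        }
        END { if (!found) print "none" }'
}

# Demonstration on the constructed samples.
echo "br0 promisc:  $(printf '%s\n' "$SAMPLE_IP_LINK" | promisc_state br0)"
for m in $(printf '%s\n' "$SAMPLE_IP_LINK" | bridge_members br0); do
    echo "$m promisc: $(printf '%s\n' "$SAMPLE_IP_LINK" | promisc_state "$m")"
done
echo "charon restriction: $(printf '%s\n' "$SAMPLE_CONF" | charon_iface_restriction)"
```

A bridge whose members are promiscuous while the bridge itself is not is the normal kernel default, so a result like the sample's points at bridge/firewall configuration rather than at strongSwan.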