[strongSwan] no traffic without promisc mode
Denis Zinevich
link at ngc.net.ua
Tue Dec 16 20:42:40 CET 2014
Hi,
Actually, figured it out:
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/573461
However, it looks like a bridge code bug, not ufw.
16.12.2014, 20:54, "Noel Kuntze" <noel at familie-kuntze.de>:
> Hello Denis,
>
> It is not necessary to set the interface to promiscuous mode for IPsec to work. I think this is a fault in your network configuration on the host
> or a side effect of the bridge. I think you should look at your bridge configuration and how your guests are assigned to it. Do you use the charon.interfaces_use or
> charon.interfaces_ignore lines in strongswan.conf? Maybe they play into it. You should maybe also look at any firewall rules you have, especially NAT or similar techniques.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 14.12.2014 at 22:02, Denis Zinevich wrote:
>> Made a few more tests:
>> If I disable bridging mode (use just eth0), everything works fine; eth0 is not in promisc mode.
>> By default, when enabling bridging, eth0 is in promisc mode and br0 is not. When I enable promisc mode on br0, traffic goes fine.
>> Captured packets with tcpdump -p (to avoid promisc mode being set by tcpdump), so captured a few pcap files (promisc on/off) and checked them with Wireshark: in both cases the packets are totally identical (MAC addresses, etc.).
>> However, the interesting thing is: when br0 is not in promisc mode, I captured packets on two ifaces, br0 and eth0. In this case I can see responses on eth0 but not on br0. So now I'm not even sure the problem is with the tunnel and not with the bridge.
>>
>> 13.12.2014, 19:33, "Denis Zinevich" <link at ngc.net.ua>:
>>> Hello,
>>>
>>> I've made a test setup and was happy with it; it was on a VMware virtual machine. When I did the same on metal servers, I found that the client connects successfully but traffic does not pass the VPN gateway.
>>> While trying to debug the issue I used tcpdump and noticed that when I do "tcpdump -ni br0", traffic can pass through the gateway.
>>> Finally, via "netstat -i", I found that on the virtual machine the br0 bridge iface is in promisc mode by default, while on the hardware machines it is not. Enabling/disabling promisc mode on the metal server confirmed this. So the question is: is promisc mode mandatory for IPsec to work, or am I missing something? If it's mandatory, why doesn't strongSwan, once started, put the iface in promisc mode? Or is this a bridging nuance?
>>> Spent some time checking the documentation but didn't find any answers yet.
>>> Thanks in advance.
>>>
>>> --
>>> Denis
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
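The sysctls Denis landed on are the bridge-netfilter knobs: when they are 1, frames that merely cross the Linux bridge are also pushed through the iptables FORWARD chain (and ARP through arptables), so a FORWARD policy of DROP, as ufw installs, silently eats the bridged guest traffic. On kernels from 3.18 on the bridge netfilter code lives in the br_netfilter module and these sysctls only appear once that module is loaded. The script below is an added example, not code from the thread or from the strongSwan project: it checks the knobs against a constructed snapshot of `sysctl net.bridge` output (and, optionally, the live host), prints the persistent form of Denis's workaround, and shows the narrower alternative of letting bridged frames through the FORWARD chain with the physdev match instead of disabling bridge-netfilter altogether. The sysctl.d file name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): detect whether the bridge
# is handing frames to iptables/arptables, and show the two ways to stop
# a FORWARD DROP policy from eating bridged traffic.

# Constructed sample of `sysctl net.bridge` on a host with bridge netfilter
# active: the default that breaks bridged guest traffic under a DROP policy.
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-filter-pppoe-tagged = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0'

# bridge_nf_calls_iptables: read "key = value" lines on stdin and return 0
# if any bridge-nf-call-* knob is enabled (bridged frames hit netfilter),
# 1 if they are all off or absent.
bridge_nf_calls_iptables() {
    awk -F' *= *' '/^net\.bridge\.bridge-nf-call-/ && $2 == "1" { found = 1 }
                   END { exit found ? 0 : 1 }'
}

# live_check: same test against the running kernel. The knobs exist only
# when bridge netfilter is built in or the br_netfilter module is loaded;
# if the directory is missing, bridged frames are not passed to iptables.
live_check() {
    if [ -d /proc/sys/net/bridge ]; then
        sysctl net.bridge 2>/dev/null | bridge_nf_calls_iptables
    else
        return 1
    fi
}

# sysctl_fix: persistent form of the workaround from the thread. Caveat:
# this turns off iptables/arptables filtering of ALL bridged traffic on the
# host, not just the IPsec path, so the bridge becomes an unfiltered switch.
sysctl_fix() {
    cat <<'EOF'
# /etc/sysctl.d/99-bridge-nf.conf  (assumed file name)
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
}

# physdev_rule: narrower alternative that keeps bridge netfilter on but
# accepts frames whose in and out ports are both on the bridge, leaving
# routed traffic subject to the rest of the FORWARD chain.
physdev_rule() {
    echo 'iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT'
}

if [ "${1:-}" = "--demo" ]; then
    if printf '%s\n' "$SAMPLE_SYSCTL" | bridge_nf_calls_iptables; then
        echo "sample: bridged frames are passed to iptables/arptables"
    else
        echo "sample: bridge netfilter is off"
    fi
    echo "--- persistent workaround ---"; sysctl_fix
    echo "--- narrower alternative ---"; physdev_rule
fi
```

Run it with `--demo` to see the verdict on the constructed sample; call `live_check` on a real bridge host to test the running kernel. Prefer the physdev rule (or an explicit rule set for the bridge ports) over zeroing the sysctls whenever the host is also a firewall for its guests.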