[strongSwan] Problems with multiple ARP responses using strongswan tunnel

Roelof Spijker RSpijker at inter8.co
Mon Oct 23 12:44:44 CEST 2017 

Hello,

I’m using a number of Strongswan tunnels to connect multiple networks. Overall this works fairly well, but I’m having an issue with multiple ARP responses that I’m not expecting. The network looks like this:

Net A (10.233.0.0/20) | (10.233.3.14) GWA (123.45.67.89) <===> (98.76.54.32) GWB (10.233.16.1) | Net B (10.233.16.0/20)

Additionally, the GWA machine acts as a VPN machine for external clients. VPN clients are given an IP in the 10.233.4.0\24 range. Connectivity works in general, but I’ve seen some strange intermittent issues. After some investigation, I believe that incorrect ARP responses are the culprit. Consider the following example:

Machine 1 on 10.233.3.17 (in Net A) pings 10.233.16.2 (in Net B) after having cleared its ARP cache
On the gateway machine (GWA) I then see the following in tcpdump arp –i any -nn:
12:14:05.166468 ARP, Request who-has 10.233.16.2 tell 10.233.3.17, length 42
12:14:05.166492 ARP, Request who-has 10.233.16.2 tell 10.233.3.17, length 42
12:14:05.166585 ARP, Reply 10.233.16.2 is-at 56:16:xx:xx:xx:a4, length 28
12:14:05.166645 ARP, Reply 10.233.16.2 is-at 56:16:xx:xx:xx:5e, length 28

So the request comes in twice, once on each interface, and there are 2 responses, with the MAC address corresponding to each interface. This is problematic, because the requesting machine can’t necessarily reach the second MAC address. At this point I should mention that the environment is virtualized and my understanding is becoming incomplete. In the sense that I believe that both adapters on the GWA machine are connected to the same virtual network and only their subnets separate them. However, depending on which ARP response comes in last and thus determines the entry that goes in the ARP table on the source host, the ping does or does not work.

I’ve tried to set up arp_filter on the GWA host, to no avail. I’m not sure why it would reply with the MAC address of the interface that has the external IP assigned, other than there existing routes that use the external device. Because that’s how the traffic is tunneled of course. In my opinion farp should reply with the actual mac address of the interface that is used on the left side of the tunnel.

I can’t imagine that others have not ran into the same issue, any help would be appreciated.

Kind regards,
Roelof Spijker

More information about the Users mailing list