Help with new strongSwan test


Bas van Dijk

Aug 29, 2017, 7:38:51 PM
to nix-devel
I've created a PR that adds a more modern alternative to the existing
NixOS strongswan module:

https://github.com/NixOS/nixpkgs/pull/27958

Although the new module works on our company VPN I would also like to
add a NixOS test to ensure it keeps working. I've mimicked one of the
tests from the strongswan project:

https://github.com/LumiGuide/nixpkgs/blob/strongswan-swanctl-test/nixos/tests/strongswan-swanctl.nix

The problem is that I can't seem to ping alice from carol. Any
networking experts out here that can help me debug this?

Cheers,

Bas

aszlig

Aug 29, 2017, 8:33:45 PM
to Bas van Dijk, nix-devel
On Wed, Aug 30, 2017 at 01:38:30AM +0200, Bas van Dijk wrote:
> The problem is that I can't seem to ping alice from carol. Any
> networking experts out here that can help me debug this?

This is a packet filtering issue and while you allow access for IKE, you
also need to allow ESP packets (iptables -p 50) so that IPsec packets
get through.

a!
--
aszlig
Universal dilettante

Bas van Dijk

Aug 29, 2017, 8:53:45 PM
to aszlig, nix-devel
Thanks aszlig, something similar was suggested[1] on the strongSwan mailing list.

I'll try to figure out where to set the "iptables -p 50" command tomorrow
and report back whether that did the trick.

Bas

[1] https://lists.strongswan.org/pipermail/users/2017-August/011437.html

aszlig

Aug 29, 2017, 9:00:12 PM
to Bas van Dijk, nix-devel
On Wed, Aug 30, 2017 at 02:53:24AM +0200, Bas van Dijk wrote:
> I'll try to figure out where to set the "iptables -p 50" command tomorrow
> and report back whether that did the trick.

Try the following for moon and carol:

networking.firewall.extraCommands = "iptables -I INPUT -p 50 -j ACCEPT";
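For reference, the firewall configuration that the advice above implies, written out as an added example that is not taken from the PR or from the strongSwan test suite. It assumes the IKE daemon listens on the standard UDP ports 500 and 4500 and that the tunnels use ESP only (AH, IP protocol 51, would need the same treatment if it were used):

```nix
# Added example: NixOS firewall settings for a strongSwan host (gateway or
# roadwarrior). Assumes standard IKE ports and ESP-only IPsec.
{
  networking.firewall = {
    # IKE (UDP 500) and IKE/ESP-in-UDP for NAT traversal (UDP 4500).
    # Opening only these is the incomplete setup from the thread: the SA
    # comes up, but the pings fail, because native ESP is its own IP
    # protocol (50) and never matches a UDP port rule.
    allowedUDPPorts = [ 500 4500 ];

    # Accept ESP on INPUT ("-p esp" is equivalent to "-p 50"). The -C check
    # keeps the rule from being inserted twice if the script runs again.
    extraCommands = ''
      iptables -C INPUT -p 50 -j ACCEPT 2>/dev/null \
        || iptables -I INPUT -p 50 -j ACCEPT
    '';

    # Remove the rule when the firewall is stopped so that no stale ESP
    # accept rule survives in INPUT once the firewall is down.
    extraStopCommands = ''
      iptables -D INPUT -p 50 -j ACCEPT 2>/dev/null || true
    '';
  };
}
```

With the ESP rule missing, `iptables -nvL INPUT` shows the drop counters increasing while a ping is running, which is the quickest way to confirm this is the cause rather than an IPsec policy problem.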

Bas van Dijk

Aug 30, 2017, 5:51:14 AM
to aszlig, nix-devel
Thanks aszlig, that did the trick!

I've now merged the test in my PR: https://github.com/NixOS/nixpkgs/pull/27958

It's now ready to be reviewed.

Bas

Bas van Dijk

Sep 6, 2017, 4:57:19 AM
to aszlig, nix-devel
I'm now working on another NixOS strongswan test where two roadwarriors alice and carol connect to a gateway moon and try to ping each other. As described[1] on the strongswan mailing list, the pings fail.

Any ideas what I'm doing wrong?

Bas

[1] https://groups.google.com/forum/#!topic/strongswan-users/2ytikPcg7jA