On Fri, 10 May 2024, Phil Nightowl wrote:

> This was the case up until the last change (see above) - which I can
> roll back right away - but that did not work for me. I ended up with the
> public IP as source address in the xfrm policy installed by libreswan
> anyway. What I can further try is to use rightsubnet instead of
> rightaddresspool.

I do not understand how that could happen.

eg you should see something like:

src 100.64.13.3/32 dst 0.0.0.0/0
        dir out priority 1753344 ptype main
        tmpl src 192.168.6.23 dst 193.110.157.148
                proto esp reqid 16397 mode tunnel

Where 100.64.13.3/32 is the IP I was assigned from their
rightaddresspool, 192.168.6.23 is my LAN IP and 193.110.157.148
is the public IP of the vpn server.

> I assume that rightsubnet differs from rightaddresspool basically in the
> fact that the IP is not assigned by the server/responder in the former case,
> but set in the ipsec.conf. How do I set it on the initiator?

Yes. On the initiator you set it as leftsubnet= (assuming you use left
as local there)

> Do I need to explicitly set up a virtual interface on the
> roadwarrior/initiator with some RFC1918 address, or does libreswan take
> care of this itself?

You might have to configure the IP/32 on loopback yourself. It assumes
the subnet is either local or reachable via routing.

> And do I need to put a static leftsubnet= on the roadwarrior, identical to
> the rightsubnet= on the server?

Yes, but isn't this the same question as above? Because roadwarrior == initiator?

Note if you want to ask further help, you will need to send logs and
config and not censor any IP addresses to make it possible for us to
really see what is happening.

Paul
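As an added example (not part of the original thread or of libreswan itself), a small POSIX shell check that parses `ip xfrm policy` output of the shape quoted above and verifies that the outbound policy's src selector is the address assigned from rightaddresspool (or the static leftsubnet), not the LAN or public IP. The sample policy text is constructed from the addresses in the message; the function names are my own.

```shell
#!/bin/sh
# Added example: verify that the "dir out" xfrm policy for a libreswan
# road-warrior tunnel selects on the pool-assigned /32, not the LAN or
# public IP. POLICY_SAMPLE is constructed stand-in output for `ip xfrm policy`,
# built from the addresses quoted in the thread.

POLICY_SAMPLE='src 100.64.13.3/32 dst 0.0.0.0/0
        dir out priority 1753344 ptype main
        tmpl src 192.168.6.23 dst 193.110.157.148
                proto esp reqid 16397 mode tunnel
src 0.0.0.0/0 dst 100.64.13.3/32
        dir in priority 1753344 ptype main
        tmpl src 193.110.157.148 dst 192.168.6.23
                proto esp reqid 16397 mode tunnel'

# xfrm_out_src POLICY SERVER_IP
# Prints the src selector of the "dir out" policy whose template has
# SERVER_IP as outer destination. Prints nothing if no such policy exists.
xfrm_out_src() {
    printf '%s\n' "$1" | awk -v server="$2" '
        /^src / { src = $2; dir = "" }                 # new policy entry
        /^[[:space:]]*dir / { dir = $2 }               # in / out / fwd
        /^[[:space:]]*tmpl / && dir == "out" && $5 == server { print src; exit }
    '
}

# check_policy_src POLICY SERVER_IP EXPECTED_ADDR
# Returns 0 when the outbound selector is EXPECTED_ADDR/32 (the address from
# rightaddresspool or leftsubnet), 1 when another address leaked into it.
check_policy_src() {
    got=$(xfrm_out_src "$1" "$2")
    [ "$got" = "$3/32" ]
}

# On a live initiator: check_policy_src "$(ip xfrm policy)" <server-ip> <pool-ip>
if check_policy_src "$POLICY_SAMPLE" 193.110.157.148 100.64.13.3; then
    echo "ok: outbound policy src is the assigned address"
else
    echo "mismatch: outbound src is '$(xfrm_out_src "$POLICY_SAMPLE" 193.110.157.148)'"
fi
```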
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan