On Fri, 10 May 2024, Phil Nightowl wrote:
> This was the case up until the last change (see above) - which I can roll back right away - but that did not work for me. I ended up with the public IP as source address in the xfrm policy installed by libreswan anyway. What I can further try is to use rightsubnet instead of rightaddresspool.
I do not understand how that could happen. E.g. you should see something like:

    src 100.64.13.3/32 dst 0.0.0.0/0
        dir out priority 1753344 ptype main
        tmpl src 192.168.6.23 dst 193.110.157.148
            proto esp reqid 16397 mode tunnel

Where 100.64.13.3/32 is the IP I was assigned from their rightaddresspool, 192.168.6.23 is my LAN IP and 193.110.157.148 is the public IP of the VPN server.
> I assume that rightsubnet differs from rightaddresspool basically in the fact that the IP is not assigned by the server/responder in the former case, but set in the ipsec.conf. How do I set it on the initiator?
Yes. On the initiator you set it as leftsubnet= (assuming you use left as local there).
> Do I need to explicitly set up a virtual interface on the roadwarrior/initiator with some RFC1918 address, or does libreswan take care of this itself?
You might have to configure the IP/32 on loopback yourself. It assumes the subnet is either local or reachable via routing.
> And do I need to put a static leftsubnet= on the roadwarrior, identical to the rightsubnet= on the server?
Yes, but isn't this the same question as above, because roadwarrior == initiator? Note: if you want to ask for further help, you will need to send logs and config and not censor any IP addresses, to make it possible for us to really see what is happening.

Paul
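An added check, not from this thread or from libreswan itself, that parses `ip xfrm policy` output and flags outbound policies whose inner source selector does not cover the address handed out from rightaddresspool, which is the symptom Phil describes (LAN/public IP as source in the installed policy). SAMPLE is constructed: the first entry is the healthy policy Paul shows, the second is a made-up bad case.

```python
import ipaddress
import re

# Constructed sample in the shape of `ip xfrm policy` output. The first policy is
# the healthy one Paul describes (inner src = address from rightaddresspool); the
# second is a constructed bad case with the LAN IP as inner src, Phil's symptom.
SAMPLE = """\
src 100.64.13.3/32 dst 0.0.0.0/0
\tdir out priority 1753344 ptype main
\ttmpl src 192.168.6.23 dst 193.110.157.148
\t\tproto esp reqid 16397 mode tunnel
src 192.168.6.23/32 dst 0.0.0.0/0
\tdir out priority 1753344 ptype main
\ttmpl src 192.168.6.23 dst 193.110.157.148
\t\tproto esp reqid 16398 mode tunnel
"""

_HEAD = re.compile(r"^src (\S+) dst (\S+)$")
_DIR = re.compile(r"^dir (\w+)")
_TMPL = re.compile(r"^tmpl src (\S+) dst (\S+)")


def parse_policies(text):
    """Group `ip xfrm policy` output into one dict per policy entry."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HEAD.match(line):
            cur = {"src": m.group(1), "dst": m.group(2)}
            policies.append(cur)
        elif cur is not None and (m := _DIR.match(line)):
            cur["dir"] = m.group(1)
        elif cur is not None and (m := _TMPL.match(line)):
            cur["tmpl_src"], cur["tmpl_dst"] = m.group(1), m.group(2)
    return policies


def find_leaked_sources(text, pool_ip):
    """Return the inner src of every outbound policy whose selector does not
    cover the pool address: traffic would leave with the LAN/public IP instead."""
    pool = ipaddress.ip_address(pool_ip)
    return [
        p["src"]
        for p in parse_policies(text)
        if p.get("dir") == "out"
        and pool not in ipaddress.ip_network(p["src"], strict=False)
    ]


if __name__ == "__main__":
    print(find_leaked_sources(SAMPLE, "100.64.13.3"))  # ['192.168.6.23/32']
```

Run it against real output (`ip xfrm policy` piped into a file) with the address from `ipsec status` to confirm the pool address, and not the LAN IP, is the inner source of the outbound tunnel policy.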