Hi. I'm trying to set up swan. Networking has always been my weak
skillset. I'm posting the config at the bottom, but know this is for
AWS EC2 VPCs, I've disabled source/dest check, the sysctl items are
correct. The idea is for the VPN to be used to connect to 172.xx IP
addresses, and the VPN to not interfere otherwise.
For testing, I'm using (very weak) PSK. It works to get the VPN up so
I can get the routing sorted.
I'd like the networking configuration to be on the swan side only. I
know I need to use rightaddresspool to hand out a VPN IP to my road
warriors, but that means I can't use rightsubnet, which is what seems
correct to limit to the 172.xx range. (Yes, it's slightly more
specific than 172; I'm using shorthand.)
Here's the config.
$ cat /etc/ipsec.conf
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
    protostack=netkey

conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    forceencaps=yes
    left=172.31.xx.yy # this is my server's internal IP and is correct
    rightaddresspool=172.31.47.1-172.31.47.254
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    modecfgdns1=172.31.0.2
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=alwaysok
    ike-frag=yes
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
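One way to scope the tunnel on the server side while still handing out pool addresses, as an added example that is not the poster's config or libreswan's own documentation: in a road-warrior conn the pool replaces rightsubnet, and the range the server offers to clients is set with leftsubnet instead. The 172.16.0.0/12 prefix, the elided server address and the pool are taken from the post; the two certificate-related lines (rightid, rightrsasigkey) are left out because this example authenticates with PSK only, and the virtual_private line is kept exactly as posted.

```ini
# Added example config (not the poster's file): XAUTH/PSK road-warrior
# conn that hands out pool addresses but offers only 172.16.0.0/12.
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes
    # kept as in the original post
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24

conn xauth-psk
    authby=secret
    auto=add
    rekey=no
    pfs=no
    forceencaps=yes
    ike-frag=yes
    left=172.31.xx.yy          # server's VPC-internal address, as in the post
    # leftsubnet, not rightsubnet, is what limits the tunnel for a
    # road-warrior conn: it is the network the server offers the client.
    # 0.0.0.0/0 would be a full tunnel; a narrower prefix asks the client
    # to send only this range through the VPN.
    leftsubnet=172.16.0.0/12
    right=%any
    # the pool stands in for rightsubnet: each client gets one /32 from it
    rightaddresspool=172.31.47.1-172.31.47.254
    modecfgdns1=172.31.0.2
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=alwaysok           # test-only; accepts any XAUTH credentials
```

Whether the client actually installs only the 172.16.0.0/12 route depends on the client honouring the split-tunnel information the server sends during mode config (assumed here); a client that ignores it will still route everything through the tunnel, which is worth checking from the road-warrior side with a traceroute to a non-172 address once the SA is up.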