On Wed, 25 Oct 2017, Nirvana wrote:
> This is the first time I have used Libreswan so if I misunderstand anything,
> please let me know. I am attempting to set up something similar to a
> roadwarriors configuration. It looks like this:
> mobile client <-----> NAT (dynamic IP) <-------- Internet --------> (static IP) NAT <---------> server <--------> internal gateway <--------> internal networks
> My goal is to have the mobile client be able to communicate with the multiple
> internal networks by utilizing static routes. So far I have only been
> successful getting the client to be able to talk to one internal network at a
> time. I haven't had any authentication issues.
> Here is the configuration I have:
>
> Server:
>
> conn roadwarriors2
>     ikev2=insist
>     fragmentation=yes
>     left=192.168.9.11
>     leftsubnets={192.168.2.0/24 192.168.3.0/24 192.168.9.0/24}
>     leftcert=server
>     leftid=external_static_ip #real IP removed
>     leftxauthserver=yes
>     leftmodecfgserver=yes
>     right=%any
>     rightca=%same
>     rightaddresspool=192.168.9.12-192.168.9.14
I am not sure if we support multiple subnets with addresspool. That
requires that three connections are instantiated to the CP assigned
IP on the client.
> I have been adding static routes on the client after the VPN is made (e.g.
> ip route add 192.168.3.0/24 dev vti9).
> It appears to be the case that whatever network is listed first under the
> leftsubnets directive on the server is the only network the client can
> communicate with.
Yes, my guess is that you will only get one IPsec SA.
> Regarding the "vti9 already exists" entry: it appears that Libreswan doesn't
> remove the interface when exiting, which is why I think it is "in use". I have
> been able to remove it manually using "ip link delete vti9".
It's a side-effect of us not fully supporting this scenario. You would
have to put in vti-sharing=yes and it should stop showing errors.
> Does anyone have any suggestions? Am I utilizing Libreswan wrong and instead
> should be running L2TP over Libreswan? If you need more information, I will
> gladly provide it.
No, don't do L2TP.
You could either try splitting your conn into 3, and setting up 3
independent tunnels.
Or you can set up one for 0.0.0.0/0 on the server, install firewall rules
there to limit traffic to the three networks, and give the client a custom
leftupdown= script that only routes those 3 subnets into the single VTI
device.
Paul
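An added example of the client-side leftupdown= hook Paul's second approach calls for (not Libreswan's stock _updown and not code from this thread). It assumes pluto exports PLUTO_VERB and PLUTO_VIRT_INTERFACE (the VTI name, vti9 here) to the hook, and hard-codes the three subnets from the server's leftsubnets= line; the server side (leftsubnet=0.0.0.0/0 plus firewall rules limiting traffic to those subnets) is not shown.

```shell
#!/bin/sh
# Client-side leftupdown= hook: routes only the three internal subnets into
# the VTI device, even though the tunnel itself negotiates 0.0.0.0/0.
# Added example, not Libreswan's stock _updown. Assumes pluto exports
# PLUTO_VERB (up-client, down-client, ...) and PLUTO_VIRT_INTERFACE (the VTI
# name); DRY_RUN=1 prints the commands instead of executing them.

# Subnets taken from the server's leftsubnets= line in the thread.
INTERNAL_SUBNETS="192.168.2.0/24 192.168.3.0/24 192.168.9.0/24"

# Emit one "ip route ..." line per internal subnet for a given verb and device.
# Returns 1 for verbs that need no routing change (prepare-, route-, host verbs),
# so the caller can treat them as a no-op.
route_commands() {
    verb="$1"
    dev="$2"
    case "$verb" in
        up-client)   action=add ;;
        down-client) action=del ;;
        *)           return 1 ;;
    esac
    for net in $INTERNAL_SUBNETS; do
        printf 'ip route %s %s dev %s\n' "$action" "$net" "$dev"
    done
}

# Entry point when pluto invokes the hook (PLUTO_VERB is set). When the file
# is sourced for testing, nothing below runs.
if [ -n "${PLUTO_VERB:-}" ]; then
    dev="${PLUTO_VIRT_INTERFACE:-vti9}"
    cmds="$(route_commands "$PLUTO_VERB" "$dev")" || exit 0
    printf '%s\n' "$cmds" | while read -r line; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$line"
        else
            $line   # e.g. ip route add 192.168.2.0/24 dev vti9
        fi
    done
fi
```

Because the hook replaces the default script, anything else the stock _updown did for this conn (such as vti-routing= handling) must be reproduced here or called explicitly.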
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan