On Tue, 22 Jan 2019, Alex wrote:

Subject: [Swan] net-to-net for road warriors

Hi, I have a Fedora 29 system with libreswan-3.27-1.fc29.x86_64 and
shorewall and am having some difficulty with building a net-to-net VPN to
a similar system with a dynamic IP.

If I configure leftsubnet=192.168.6.0/24 I can't reach any of the
other networks on the server side.

You need to add a passthrough for the local traffic as explained at:
https://libreswan.org/wiki/Subnet_extrusion

eg:

conn passthrough
        left=%defaultroute
        right=0.0.0.0
        leftsubnet=192.168.6.0/24       # the local LAN (was /2, a typo for /24)
        rightsubnet=192.168.6.0/24      # local-LAN to local-LAN traffic is exempted
        authby=never
        type=passthrough
        auto=route

If I configure leftsubnet=0.0.0.0/0
I can't reach the other side at all. Should libreswan also configure
the routes necessary on the server side, or do I need to somehow add
them manually?

If you add leftsourceip= and rightsourceip= then all routes should be
added automatically.

I'd also like to be able to reach the VPN server itself as well. When
I try, shorewall rejects it, because I don't think it's being tunneled
through the VPN:

Using leftsourceip/rightsourceip also addresses that problem, as the
added route will ensure you are using the private and not the public
IP as source address for the remote subnet.

Server side:
conn wyckoff
   left=68.195.193.42
   leftcert=orion
   leftid=@orion

   leftsendcert=always
   leftsubnet=192.168.6.0/24
   leftrsasigkey=%cert
   right=%any
   rightaddresspool=192.168.6.70-192.168.6.80

You want an addresspool?? That is not the same as net-to-net you
described above. So if you want a roadwarrior to a remote access VPN
server, then forget all of this and make a config based on
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

Client Side:
conn orionrw
       left=%defaultroute
       leftcert=wyckoff.crabdance.com
       leftid=%fromcert
       leftrsasigkey=%cert
       leftsubnet=0.0.0.0/0
       leftmodecfgclient=yes
       right=orion.example.com
       rightsubnet=0.0.0.0/0

Note you don't want 0/0 on both sides of the link.

       rightid=@orion.example.com

This rightid does not match the above leftid. So that needs fixing.


If you want a remote access vpn to access a remote subnet, use the
remote access config with the addresspool. If you want a subnet to
subnet, where one of the endpoints is on a dynamic IP, you want
to use leftsubnet/rightsubnet and not addresspool= and just change
the regular site-to-site config to be right=%any on the server for
the clients, and left=%defaultroute for the client side on the client.

Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan

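The two-file layout Paul describes in his last paragraph (right=%any on the server, left=%defaultroute on the client, leftsubnet/rightsubnet instead of an addresspool, sourceip on both sides, matching IDs, 0/0 on only one side of the link, plus the passthrough for the client's own LAN), written out as a complete added example. This is not configuration from the thread or from the libreswan project: the server public IP 68.195.193.42, the server LAN 192.168.6.0/24 and the certificate nicknames come from the thread, while the client LAN 192.168.7.0/24, the .1 gateway addresses, the conn names and the ID @orion.example.com on both sides are assumptions.

```ini
# --- /etc/ipsec.d/wyckoff-net.conf on the server (static public IP) ---
# Assumed: the server's LAN address is 192.168.6.1 and the client's LAN is
# 192.168.7.0/24 behind a gateway at 192.168.7.1.
conn wyckoff-net
    left=68.195.193.42
    leftid=@orion.example.com        # the client's rightid must be exactly this
    leftcert=orion
    leftrsasigkey=%cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0             # client may reach every network behind, and including, the server
    leftsourceip=192.168.6.1         # server's own packets to the client LAN leave with its LAN address
    right=%any                       # client has a dynamic IP, so the server only responds
    rightid=%fromcert                # client ID is taken from the certificate it presents
    rightrsasigkey=%cert
    rightsubnet=192.168.7.0/24       # the client's LAN, not an addresspool
    auto=add

# --- /etc/ipsec.d/orion-net.conf on the client (dynamic IP) ---
conn orion-net
    left=%defaultroute
    leftid=%fromcert
    leftcert=wyckoff.crabdance.com
    leftrsasigkey=%cert
    leftsendcert=always
    leftsubnet=192.168.7.0/24
    leftsourceip=192.168.7.1         # route to rightsubnet is installed with this source address,
                                     # so the server sees the private IP, not the public one
    right=orion.example.com
    rightid=@orion.example.com       # equals the server's leftid
    rightrsasigkey=%cert
    rightsubnet=0.0.0.0/0            # only this side of the link is 0/0
    auto=start                       # the dynamic side initiates

# rightsubnet=0.0.0.0/0 above also covers the client's own LAN, so traffic
# between local hosts would otherwise be pushed into the tunnel. This
# passthrough exempts it (the "subnet extrusion" case from the wiki).
conn passthrough-local
    left=%defaultroute
    leftsubnet=192.168.7.0/24
    right=0.0.0.0
    rightsubnet=192.168.7.0/24
    authby=never
    type=passthrough
    auto=route
```

After `ipsec auto --up orion-net` on the client, `ip route show` should list a route for 0.0.0.0/0 with `src 192.168.7.1` installed by the updown script, and `ip xfrm policy` should show the tunnel policies alongside an `allow`/passthrough policy for 192.168.7.0/24 to itself. IPsec policies are not routes, so if the sourceip lines are left out the kernel still has a policy but no route that selects the private address, which is exactly the symptom (public IP as source, rejected by shorewall) described above.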