On 24/01/2019 04:01, Paul Wouters wrote:

On Wed, 23 Jan 2019, Alex wrote:

I'm still not fully clear what you are doing. Are the laptops and
desktops and phones on a LAN with NAT and there is a remote VPN gateway
somewhere else on the internet? If so, then your right= should for sure
point to that remote VPN server DNS name or IP address on your clients'
config.

It looks like this:

   [Remote Office]                                  [Main office]
192.168.11.0/24 ----- dynamicIP libreswan ------ VPN gateway libreswan --- 192.168.1.0/24

There are laptops and desktops in a building with a dynamic IP from
Optonline. In the main office there is a static IP and other desktops
and laptops and phones. I'd like to connect the two branch offices
together, and figured since one side had a dynamic IP connecting to
the Internet, it would be considered a road warrior setup. I now know
that's not correct.

Ohh, yeah, that we call site-to-site. While it is also technically a
roadwarrior because you are on a dynamic IP with one end, we tend to
not call it that.

The important thing is, for a site-to-site you have a leftsubnet and
rightsubnet, and never have an addresspool because you already have the
IP addresses of both ends of the tunnels.

Okay. I read that net-to-net connections were using RSA keys:
https://libreswan.org/wiki/Subnet_to_subnet_VPN
https://libreswan.org/wiki/Host_to_host_VPN

That's when I switched.

At some point I thought it was working. Is there a known problem with
using RSA keys? Any idea why it can't find its own private key?

I will try now with certs.

You can use whatever authentication you like. If these are two libreswan
endpoints, you can just use raw RSA since it is easier to setup than
certificates. But if one endpoint is not libreswan, it might be easier
to setup using certificates.

I know it is blasphemy, but just to get the concept going, is it worth trying with a PSK? Then, once you're happy, switch to RSA or X.509.

Regardless, the side on dynamic IP should have auto=start and rekey=yes
and the side on static IP should have auto=add and rekey=no. The
one with static IP will have (assuming you used left for local, and right
for remote) left=staticip and right=%any. On the end with dynamic IP
you will have (again assuming you used left for local, and right for
remote) left=%defaultroute and right=staticip.

Also, should you increase the keylives of the static end so it does not expire the conn before the dynamic end rekeys?

That way, the dynamic endpoint will always initiate since the endpoint
with static ip will not know where to initiate to since the other end
is on dynamic ip.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

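To put Paul's rules side by side, here is what the two conn sections look like for this site-to-site setup with raw RSA keys. This is an added illustration, not Alex's actual config and not taken from the libreswan wiki. The main-office address 203.0.113.10, the IDs @main.example and @remote.example, and the 0sAQ... key values are placeholders: the real leftrsasigkey/rightrsasigkey values are the output of "ipsec showhostkey --left" (or --right) on each host after "ipsec newhostkey" has created that host's key (use "ipsec showhostkey --list" if it asks for a --ckaid). The dpd* lines go beyond what Paul describes; they are a common addition so the dynamic end tears the tunnel down and re-initiates when the peer stops answering, for example after the dynamic address changes.

```ini
# /etc/ipsec.d/remote-office.conf on the MAIN OFFICE gateway (static IP)
# left = this (local) end, right = the remote office, as in Paul's description.
conn remote-office
    left=203.0.113.10              # placeholder for the main office static IP
    leftid=@main.example           # placeholder ID; must match rightid on the other end
    leftsubnet=192.168.1.0/24
    leftrsasigkey=0sAQ...          # placeholder: "ipsec showhostkey --left" on this host
    right=%any                     # remote office has a dynamic IP, so accept from anywhere
    rightid=@remote.example        # placeholder ID; must match leftid on the other end
    rightsubnet=192.168.11.0/24
    rightrsasigkey=0sAQ...         # placeholder: "ipsec showhostkey --right" on the remote host
    authby=rsasig                  # raw RSA, no certificates, no addresspool
    auto=add                       # load but do not initiate: we cannot know where the peer is
    rekey=no                       # let the dynamic end drive rekeying

# /etc/ipsec.d/main-office.conf on the REMOTE OFFICE gateway (dynamic IP)
# Same conn seen from the other side: left is again the local end.
conn main-office
    left=%defaultroute             # pick up whatever dynamic address the default route uses
    leftid=@remote.example         # placeholder ID
    leftsubnet=192.168.11.0/24
    leftrsasigkey=0sAQ...          # placeholder: "ipsec showhostkey --left" on this host
    right=203.0.113.10             # placeholder for the main office static IP
    rightid=@main.example          # placeholder ID
    rightsubnet=192.168.1.0/24
    rightrsasigkey=0sAQ...         # placeholder: "ipsec showhostkey --right" on the main office host
    authby=rsasig
    auto=start                     # this end always initiates
    rekey=yes                      # and is the one that rekeys
    # Added beyond the thread: dead peer detection so a dropped or re-addressed
    # tunnel gets re-initiated from this end instead of hanging.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
```

With both files in place, run "ipsec auto --add" (or restart the service) on the main office first, then "ipsec auto --up main-office" on the remote office and watch "ipsec status" on both ends; the remote office should show the tunnel established and the main office should show the same SA with the remote end's current dynamic address filled in for right=.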
