On 08/02/2019 21:20, Alex wrote:
Hi, I'm trying to build a subnet-to-subnet VPN with libreswan-3.27 on
fedora28 and having some trouble. Should the subnets already exist on
the remote networks, or does libreswan create them? When I use the
config below, the networks disappear from the routing table and the
servers become unreachable.

I've followed the directions on the subnet-to-subnet page:
https://libreswan.org/wiki/Subnet_to_subnet_VPN

conn orion-wyckoff-subnets
        also=orion-wyckoff
        rightsubnet=192.168.11.0/24
        leftsubnet=192.168.1.0/24
        auto=start

conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        auto=start
        # dead peer detection to detect vanishing clients (?)
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        rightid=@wyckoff-orion
        right=wyckoff.crabdance.com
        # rsakey AwEAAd4Ee
        rightrsasigkey=0sAwEAAd4EeKjbFI7m...
        leftid=@orion-wyckoff
        left=orion.example.com
        # rsakey AwEAAeSMF
        leftrsasigkey=0sAwEAAeSMFxvoJaP...

The rightsubnet (192.168.11.0/24) exists on the right network
(wyckoff.crabdance.com). The leftsubnet (192.168.1.0/24) already
exists on the left network (orion.example.com).

wyckoff.crabdance.com:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ool-44c0f801.dy 0.0.0.0         UG    100    0        0 enp4s0
68.192.248.0    0.0.0.0         255.255.252.0   U     100    0        0 enp4s0
192.168.10.0    0.0.0.0         255.255.255.0   U     101    0        0 enp2s0
192.168.11.0    0.0.0.0         255.255.255.0   U     101    0        0 enp2s0

orion.example.com:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ool-44c3c129.st 0.0.0.0         UG    0      0        0 br0
68.195.193.40   0.0.0.0         255.255.255.248 U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

Will this config also make the endpoints accessible to each other?

Add left/rightsourceip. Note you only need it for the local end but there is no harm adding it for both ends. For subnet/subnet connections the routing table is not used (check out "ip xfrm policy" and "ip xfrm state"). You only get the routing entry if you use left/rightsourceip, and it is only relevant for traffic to or from the endpoint rather than through it.

Nick
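Nick's pointer to "ip xfrm policy" is the check that matters here, because the kernel routing table says nothing about whether a subnet-to-subnet tunnel is installed. The script below is an added example, not code from this thread or from libreswan: it parses the output of `ip xfrm policy` and confirms that the three policies a working tunnel needs (out for local to remote, in and fwd for remote to local) exist for the 192.168.1.0/24 <-> 192.168.11.0/24 pair. The embedded policy dump is constructed for the example: 68.195.193.40 is taken from orion's routing table above, 198.51.100.10 is a placeholder for wyckoff's public address (the thread does not give it), and the reqid and priority values are made up.

```shell
#!/bin/sh
# Added example: verify that IPsec (xfrm) policies exist for a subnet pair.
# Not part of the thread or of libreswan. POSIX sh + awk only.

# Constructed sample of `ip xfrm policy` output for the orion-wyckoff-subnets
# conn as seen on orion (left). Outer address 198.51.100.10 is a placeholder
# for wyckoff's public IP; reqid/priority are invented.
SAMPLE_XFRM_POLICY='src 192.168.1.0/24 dst 192.168.11.0/24
	dir out priority 1042407 ptype main
	tmpl src 68.195.193.40 dst 198.51.100.10
		proto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
	dir fwd priority 1042407 ptype main
	tmpl src 198.51.100.10 dst 68.195.193.40
		proto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
	dir in priority 1042407 ptype main
	tmpl src 198.51.100.10 dst 68.195.193.40
		proto esp reqid 16389 mode tunnel'

# xfrm_has_policy DUMP SRC DST DIR
# Returns 0 if DUMP contains a policy "src SRC dst DST" whose next
# "dir" line has direction DIR (out, in or fwd), 1 otherwise.
xfrm_has_policy() {
    printf '%s\n' "$1" | awk -v want_src="$2" -v want_dst="$3" -v want_dir="$4" '
        # A policy block starts with: src <net> dst <net>
        $1 == "src" && $3 == "dst" { cur_src = $2; cur_dst = $4; next }
        # Its direction follows on the next line: dir <out|in|fwd> ...
        $1 == "dir" {
            if (cur_src == want_src && cur_dst == want_dst && $2 == want_dir)
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_subnet_tunnel DUMP LOCAL_SUBNET REMOTE_SUBNET
# A subnet-to-subnet tunnel is complete when all three policies are present:
#   out: LOCAL -> REMOTE   (traffic leaving through the tunnel)
#   in:  REMOTE -> LOCAL   (decrypted traffic destined for this host)
#   fwd: REMOTE -> LOCAL   (decrypted traffic forwarded into LOCAL_SUBNET)
# Returns 0 if complete; otherwise prints the missing directions and returns 1.
check_subnet_tunnel() {
    missing=""
    xfrm_has_policy "$1" "$2" "$3" out || missing="$missing out"
    xfrm_has_policy "$1" "$3" "$2" in  || missing="$missing in"
    xfrm_has_policy "$1" "$3" "$2" fwd || missing="$missing fwd"
    if [ -n "$missing" ]; then
        echo "missing xfrm policies for $2 <-> $3:$missing" >&2
        return 1
    fi
    echo "xfrm policies present for $2 <-> $3 (out, in, fwd)"
    return 0
}

# Run against the constructed dump. On a live gateway replace the first
# argument with "$(ip xfrm policy)".
check_subnet_tunnel "$SAMPLE_XFRM_POLICY" 192.168.1.0/24 192.168.11.0/24
```

On the live gateway, `check_subnet_tunnel "$(ip xfrm policy)" 192.168.1.0/24 192.168.11.0/24` answers the routing-table question directly: if the three policies are there, 192.168.1.0/24 hosts reach 192.168.11.0/24 through the tunnel with no entry in `route`, and `ip xfrm state` shows the matching ESP SAs. If you also want orion itself to be reachable from the remote subnet, follow Nick's advice and set leftsourceip to orion's address on the 192.168.1.0/24 interface (for instance leftsourceip=192.168.1.1, assuming that is its eth1 address; the thread does not state it), which is what adds the routing entry for endpoint traffic.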
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
