Hi,

> Hi, I'm trying to build a subnet-to-subnet VPN with libreswan-3.27 on
> fedora28 and having some trouble. Should the subnets already exist on
> the remote networks, or does libreswan create them? When I use the
> config below, the networks disappear from the routing table and the
> servers become unreachable.
>
> I've followed the directions on the subnet-to-subnet page:
> https://libreswan.org/wiki/Subnet_to_subnet_VPN
>
> conn orion-wyckoff-subnets
>     also=orion-wyckoff
>     rightsubnet=192.168.11.0/24
>     leftsubnet=192.168.1.0/24
>     auto=start
>
> conn orion-wyckoff
>     ikev2=insist
>     authby=rsasig
>     auto=start
>     # dead peer detection to detect vanishing clients (?)
>     dpddelay=10
>     dpdtimeout=90
>     dpdaction=clear
>     rightid=@wyckoff-orion
>     right=wyckoff.crabdance.com
>     # rsakey AwEAAd4Ee
>     rightrsasigkey=0sAwEAAd4EeKjbFI7m...
>     leftid=@orion-wyckoff
>     left=orion.example.com
>     # rsakey AwEAAeSMF
>     leftrsasigkey=0sAwEAAeSMFxvoJaP...
>
> The rightsubnet (192.168.11.0/24) exists on the right network
> (wyckoff.crabdance.com). The leftsubnet (192.168.1.0/24) already
> exists on the left network (orion.example.com).
>
> wyckoff.crabdance.com
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         ool-44c0f801.dy 0.0.0.0         UG    100    0        0 enp4s0
> 68.192.248.0    0.0.0.0         255.255.252.0   U     100    0        0 enp4s0
> 192.168.10.0    0.0.0.0         255.255.255.0   U     101    0        0 enp2s0
> 192.168.11.0    0.0.0.0         255.255.255.0   U     101    0        0 enp2s0
>
> orion.example.com:
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         ool-44c3c129.st 0.0.0.0         UG    0      0        0 br0
> 68.195.193.40   0.0.0.0         255.255.255.248 U     0      0        0 br0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
>
> Will this config also make the endpoints accessible to each other?
>
> Add left/rightsourceip. Note you only need it for the local end but there is
> no harm adding it for both ends. For subnet/subnet connections the routing
> table is not used (check out "ip xfrm policy" and "ip xfrm state"). You only
> get the routing entry if you use left/rightsourceip and it is only relevant for
> traffic to or from the endpoint rather than through it.
So if I do add the left/rightsourceip parameters, the routes should not
already exist on the endpoints, correct? I see that it adds the routes, but it
also creates a bunch of martian source messages because the network already
exists on the host. It also consequently makes the whole system unusable
because it screws up the routes.

One thing I didn't mention previously is that the right side (remote) is a
dynamic IP on a cable modem with a hostname through afraid.org. I had
originally thought this was a type of roadwarrior setup, but apparently not.
I'm now not sure of the role that plays, if any.

I also tried to reach the remote side by specifying the interface when running
ping from the local side:

    # ping 192.168.11.1 -I 68.195.193.42

This thread seems to indicate the left/rightsourceip are switched, so it refers
to the network on the opposite side? So if 192.168.11.0/24 is on the right
(remote) side and 192.168.1.0/24 is on the local (left) side, rightsourceip
should be 192.168.1.0/24 and leftsourceip should be 192.168.11.0/24?
https://www.centos.org/forums/viewtopic.php?f=16&t=60809&start=20

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
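Added example, not code from the thread or from libreswan: a small Python diagnostic for the point the reply makes, namely that a subnet-to-subnet conn is installed as XFRM policies rather than routes, so a working tunnel shows up in `ip xfrm policy` even when the routing table shows nothing for the far subnet. It parses `ip xfrm policy` output (a constructed sample is embedded; pass a file containing real output as the first argument), confirms the out/fwd/in policies for the leftsubnet/rightsubnet pair, and checks that a candidate leftsourceip is a single host address inside leftsubnet, which is what ipsec.conf(5) describes (the sourceip is the gateway's own address on its local subnet, not the opposite side's network). The public endpoint addresses in the sample are constructed documentation addresses, and the function names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Diagnostic for a libreswan subnet-to-subnet tunnel.

Added example, not libreswan code. Parses `ip xfrm policy` output and checks
that the out/fwd/in policies for a leftsubnet/rightsubnet pair are present,
plus a sanity check on a left/rightsourceip value.
"""
import ipaddress
import re
import sys

# Constructed sample of `ip xfrm policy` output for the tunnel in the thread.
# 203.0.113.42 / 198.51.100.7 are made-up public endpoint addresses.
SAMPLE_XFRM_POLICY = """\
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket in priority 0 ptype main
src 192.168.1.0/24 dst 192.168.11.0/24
\tdir out priority 1042407 ptype main
\ttmpl src 203.0.113.42 dst 198.51.100.7
\t\tproto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
\tdir fwd priority 1042407 ptype main
\ttmpl src 198.51.100.7 dst 203.0.113.42
\t\tproto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
\tdir in priority 1042407 ptype main
\ttmpl src 198.51.100.7 dst 203.0.113.42
\t\tproto esp reqid 16389 mode tunnel
"""

_SEL_RE = re.compile(r"src (\S+) dst (\S+)")
_DIR_RE = re.compile(r"(dir|socket) (\w+)")
_TMPL_RE = re.compile(r"tmpl src (\S+) dst (\S+)")


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` text into a list of dicts.

    Each dict has src/dst selectors (ip_network), dir ('out', 'fwd', 'in',
    or None for the kernel's per-socket default policies) and a list of
    (outer src, outer dst) template tuples.
    """
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _TMPL_RE.match(line)
        if m and current is not None:
            current["tmpl"].append((m.group(1), m.group(2)))
            continue
        m = _SEL_RE.match(line)
        if m:
            current = {
                "src": ipaddress.ip_network(m.group(1)),
                "dst": ipaddress.ip_network(m.group(2)),
                "dir": None,
                "tmpl": [],
            }
            policies.append(current)
            continue
        m = _DIR_RE.match(line)
        if m and current is not None and m.group(1) == "dir":
            current["dir"] = m.group(2)
    return policies


def check_tunnel(policies, leftsubnet, rightsubnet):
    """Report whether the three policies a subnet-to-subnet conn needs exist:
    out (left->right) plus fwd and in (right->left). A policy only counts
    if it carries a tunnel template, i.e. traffic is actually wrapped in ESP."""
    left = ipaddress.ip_network(leftsubnet)
    right = ipaddress.ip_network(rightsubnet)
    wanted = {"out": (left, right), "fwd": (right, left), "in": (right, left)}
    return {
        d: any(p["dir"] == d and p["src"] == s and p["dst"] == t and p["tmpl"]
               for p in policies)
        for d, (s, t) in wanted.items()
    }


def sourceip_ok(sourceip, subnet):
    """leftsourceip/rightsourceip is one host address inside the same side's
    subnet (ipsec.conf(5)); a prefix, or an address on the other side's
    network, is not valid here."""
    try:
        addr = ipaddress.ip_address(sourceip)
    except ValueError:
        return False
    return addr in ipaddress.ip_network(subnet)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XFRM_POLICY
    status = check_tunnel(parse_xfrm_policies(text), "192.168.1.0/24", "192.168.11.0/24")
    for direction, present in status.items():
        print(f"{direction:>3}: {'present' if present else 'MISSING'}")
    for candidate in ("192.168.1.1", "192.168.1.0/24", "192.168.11.1"):
        ok = sourceip_ok(candidate, "192.168.1.0/24")
        print(f"leftsourceip={candidate}: {'ok' if ok else 'bad'}")
```

Run it as root with `ip xfrm policy > policy.txt; python3 xfrmcheck.py policy.txt` on the gateway; if all three directions are present the tunnel is up regardless of what `route` shows, and reachability problems for the gateway's own traffic are then a sourceip question rather than a routing one.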
