Hi All,

Took another stab at this last night and found the solution was actually quite simple, almost embarrassingly so. Posting here in case other people have a hard time seeing the obvious like I did...

First, the firewall needs to be able to talk directly to a host on the remote LAN. Accomplished with leftsourceip=firewall.lan.ip and an OUTPUT rule in the filter table of iptables.

Next, route traffic from the Roadwarrior subnet to the Remote Subnet in the nat table of iptables:

-A POSTROUTING -s 10.25.0.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.25.1

After that, pound on the keyboard furiously for a while so everybody thinks it was so much harder than it actually was...
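As an added illustration (not part of Bob's post or of Libreswan itself), the toy model below reproduces why the roadwarrior packets "head out to the internet" before the fix and pick up the net2net tunnel after it: IPsec selectors match on both source and destination, and only the SNAT puts the source inside lan2sonic's leftsubnet. The conns are the ones posted further down the thread; 192.168.0.5, 10.25.0.2 and 203.0.113.5 are constructed sample addresses.

```python
# Added illustration, not from the thread or from Libreswan: a toy model of
# IPsec policy-selector matching for the three networks in this thread.
from ipaddress import ip_address, ip_network

# The two conns as posted further down the thread (local selector, remote selector),
# seen from the firewall's side. rw-ikev2 is shown with the whole address pool as its
# remote selector; the real per-client SA narrows that to one pool address.
CONNS = {
    "lan2sonic": (ip_network("192.168.25.0/24"), ip_network("192.168.0.0/24")),
    "rw-ikev2": (ip_network("0.0.0.0/0"), ip_network("10.25.0.0/24")),
}

# The POSTROUTING rule from the top of this message.
SNAT = {"src": ip_network("10.25.0.0/24"),
        "dst": ip_network("192.168.0.0/24"),
        "to_source": "192.168.25.1"}


def select_conn(src, dst):
    """Return the conn whose selectors cover src -> dst, or None (packet goes out in the clear)."""
    s, d = ip_address(src), ip_address(dst)
    best = None
    for name, (local, remote) in CONNS.items():
        if s in local and d in remote:
            if best is None or local.prefixlen > CONNS[best][0].prefixlen:
                best = name
    return best


def apply_snat(src, dst):
    """Rewrite the source the way the nat POSTROUTING rule would."""
    if ip_address(src) in SNAT["src"] and ip_address(dst) in SNAT["dst"]:
        return SNAT["to_source"]
    return src


def trace(src, dst, snat=True):
    """Return (source as seen by the policy lookup, selected conn) for a forwarded packet."""
    eff = apply_snat(src, dst) if snat else src
    return eff, select_conn(eff, dst)


def snat_source_is_covered():
    """Sanity check: --to-source must fall inside lan2sonic's leftsubnet or the rewrite changes nothing."""
    return ip_address(SNAT["to_source"]) in CONNS["lan2sonic"][0]


if __name__ == "__main__":
    # Constructed sample addresses: a roadwarrior client and a host on the Sonicwall LAN.
    print(trace("10.25.0.2", "192.168.0.5", snat=False))  # ('10.25.0.2', None): the symptom
    print(trace("10.25.0.2", "192.168.0.5"))              # ('192.168.25.1', 'lan2sonic')
    print(select_conn("192.168.0.5", "10.25.0.2"))        # 'rw-ikev2': reply after conntrack un-NATs
```

On the Sonicwall side every roadwarrior now appears as 192.168.25.1, so any per-user accounting or access control for that traffic has to live on the Libreswan box.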


On 2015-06-11 1:04 p.m., Nick Howitt wrote:
Hi Bob,

As soon as you mention transport mode I am lost, as I've never used it or got my mind round it, so I don't understand it. Ditto passthrough conns, so you could be way ahead of me. If I were doing it, I'd use tunnel mode.

I've done something slightly similar from an OpenVPN roadwarrior connecting to my server then onto a remote IPsec LAN on a Draytek router. The Draytek additional LAN solution, I think, is proprietary and I could not get it to interoperate with Libreswan. I got round the issue by configuring OpenVPN to use the 172.12.3.0/24 subnet on the server with a server LAN subnet of 172.17.2.0/24. I then set up a tunnel in Libreswan to the Draytek for the 172.17.2.0/23 subnet (which, to save you doing the subnet calculation, encompasses the 172.17.2.0/14 and 172.17.3.0/24 subnets). This got round the need to set up two tunnels, but it should also work with two tunnels (or two subnets tunnelled) if you can get them to work between the Sonicwall and Libreswan. OpenVPN was configured to push routes for both the server LAN subnet and the remote LAN subnet.

Regards,

Nick

On 11/06/2015 04:18, Bob Miller wrote:

Hi Nick,

thanks for your reply, and I apologize for my tardy response.

Do you have a tunnel from your roadwarrior to Libreswan for the subnet
192.168.0.0/24? I don't know the Windows client (or any ikev2 details
therefore my knowledge is entirely theoretical) so I don't know if you
can use left/rightsubnets in Libreswan or if you have to define two
different tunnels.

Similarly you will need a tunnel with subnets from 10.25.0.0/24 and
192.168.25.0/24. When negotiating these tunnels with the Sonicwall, do
you see both coming up? Again, if the Sonicwall can't cope you may also
need to define two separate tunnels from Libreswan.

Hm. I think I see where you are going with this... the answer is that I have attempted to make such a tunnel with a passthrough conn, but I do not have a 3rd dedicated tunnel from roadwarrior to sonicwall. If I did have a dedicated tunnel like that, would libreswan not then connect to that tunnel and make the LAN and internet inaccessible? What I have (non-network details trimmed):

conn lan2sonic
   left=199.247.233.69
   leftsubnet=192.168.25.0/24
   leftnexthop=%defaultroute
   right=184.69.103.190
   rightsubnet=192.168.0.0/24
   rightnexthop=%defaultroute

conn rw-ikev2
   left=199.247.233.69
   leftsubnet=0.0.0.0/0
   right=%any
   rightaddresspool=10.25.0.2-10.25.0.20

A note regarding leftsubnet=0.0.0.0/0: this being my first attempt at ikev2, I found that the way I did it with l2tp (setting left subnet to be that of LAN and setting up iptables for forwarding) was insufficient.  I forget what details I tripped on that clued me into trying 0.0.0.0/0, but when I did, internet works for roadwarriors without split tunnelling.  If I just set leftsubnet=192.168.25.0/24, I get connection to the LAN, but no internet.

That said, I had no better success on a l2tp setup, but I was admittedly less aggressive in my attempts to get that one working.

I tried a lot of variations, but one example of my attempt with a passthrough conn:

conn rw-pass-vic
   left=%any
   leftsubnet=10.25.0.0/24
   right=184.69.103.190
   rightsubnet=192.168.0.0/24

I tried in conn lan2sonic using

leftsubnets=192.168.25.0/24, 10.25.0.0/24

I also tried in conn rw-ikev2 using

leftsubnets=0.0.0.0/0, 192.168.0.0/24

Given that the leftsubnet on the ikev2 connection is 0.0.0.0/0, and the packets find their way to the 192.168.25.0/24 network, I kind of think that packets for 192.168.0.0/24 should similarly find their way on to the tunnel destined for the sonicwall, but tcpdump shows they head out to the internet. Since my expectations were not met, I have just been trying stuff, hoping to make the light bulb go on. Maybe I have had my conns right, but some other variable wrong. This is why I am hoping to gain a better understanding of what is supposed to happen; maybe then I can figure out how to get there...

From a different angle, what is your roadwarrior's local LAN subnet
when performing these tests? If it is 192.168.0.0/24 then you have a big
issue as both the local and (very) remote subnets are the same.

My roadwarrior is across the internet in a subnet 192.168.26.0/24, so should be no conflict there...

Thanks again for your response, Nick, really appreciate it...


Regards,

Nick

On 2015-06-07 01:23, Bob Miller wrote:
Hi,

I am not sure if I am being dense and not seeing what is there, or if
what I am looking for really isn't there.

I have a firewall running libreswan that has an ipsec/psk net2net
tunnel configured between it and a sonicwall device.  This firewall
also has multiple road warriors connecting to the local network behind
it. Remote windows machines are configured with ikev2.

The gist:
192.168.0.0/24(sonicwall)<=>ETH0:libreswan:ETH1<=>192.168.25.0(LAN)
10.25.0.0/24(roadwarriors)<=^ ^=>Internet

Each segment works fine:
remotelan<=>LAN, RW<=>LAN, Internet<=>LAN works great
RW<=>LAN, RW<=>Internet works great.
remotelan<=>internet doesn't work, which is great.

Now I want the roadwarriors to access the remote lan, but I can't seem
to figure it out.

It happens I have another identical situation, with the singular
difference that the road warriors are connecting via l2tp.  I have
tried to get the same thing working on that one in the hopes that
something about l2tp would magically work and grant me understanding.

I have been at it for a while now, it would be tough to list all I
have done, but generally I started at iptables, thinking it would be a
simple forwarding thing.  I made sure I wasn't nat'ing my traffic,
forward rules are in place, etc.  Maybe there is a problem there, but
I don't see it if there is.

Next I played with left/rightsubnets (as opposed to singular subnet)
as per what I found in the ipsec.conf man page.  I think I tried every
combination at least twice, but nothing changed there.

I looked through more of the docs.  I found passthrough conns, which
seem like what I might want, but the only examples I can find are for
extruded subnets, where one side is a smaller subset of a larger
subnet on the other side.  Regardless, I tried a bunch of ways to make
that work but no success.  I also looked through the multi-net
examples, but those seem related to klips, and I think I need to find
and study the context of those examples to get value from them...

On google, I found a limited number of posts that discuss the topic.
In the posts that seemed relevant, I could follow the discussion, but
in no cases could I translate the examples to a working config on this
firewall.

I am not afraid to read and try and figure it out on my own, but I
don't think I am reading the right stuff.  Or if I am, I haven't
recognized it yet.  Could someone kindly point me at the definitive
thing I need to read and understand to achieve my goal?
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
