On Sun, 3 Jan 2021, Alex Regan wrote:
>> Correct. libreswan does not consult a DHCP server. It assumes it has
>> full authority to assign anything from its given addresspool.
> How does it then determine the default gateway and other stuff that would
> normally be obtained by DHCP, such as an NTP server?
Client and server agree on the src/dst parameters, e.g. the leftsubnet and
rightsubnet options. If the VPN client receives a remote subnet of
0.0.0.0/0 it sends all traffic over the tunnel. If it receives a smaller
subnet, only traffic with that destination will go over the tunnel. For
all traffic over the tunnel, the IP the libreswan server assigned to it
is used (e.g. it appears to the client as leftsubnet=192.168.6.x/32).
> I'm also using shorewall on this network, but it operates based on "ipsec",
> not a specific network.
Maybe Tuomo can shed light on that.
> Listening on 192.168.6.0/24 on the VPN server shows no traffic, even when
> trying to ping the gateway.
Do you have IP forwarding enabled (in general via sysctl or via specific
FORWARD rules)?
> Here is the routing table from the Windows PC after the VPN is connected,
> using a tether connection on my cell. I've stripped off the Metric field to
> make it more legible.
>
> Active Routes:
> Network Destination    Netmask            Gateway         Interface
> 0.0.0.0                0.0.0.0            192.168.43.1    192.168.43.203
> 68.195.193.42          255.255.255.255    192.168.43.1    192.168.43.203
> 127.0.0.0              255.0.0.0          On-link         127.0.0.1
> 127.0.0.1              255.255.255.255    On-link         127.0.0.1
> 127.255.255.255        255.255.255.255    On-link         127.0.0.1
> 192.168.6.0            255.255.255.0      On-link         192.168.6.2
> 192.168.6.2            255.255.255.255    On-link         192.168.6.2
> 192.168.6.255          255.255.255.255    On-link         192.168.6.2
>
> I'm assuming these would go over the tunnel.
>
> When I built a subnet-to-subnet VPN some time ago, it was necessary to create
> another connection to allow remote hosts to access individual hosts on the
> local network. Is that not necessary here?
No, that is a different thing.
> My eventual goal is to allow it to reach the 192.168.1.0/24 corporate LAN
> from the 192.168.6.0/24 IP it's assigned so it can communicate with our
> asterisk server.
Do you have the VPN server handing out a leftsubnet=192.168.1.0/24 or
leftsubnet=0.0.0.0/0 (with rightaddresspool=192.168.6.XXXXXXX)?
Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
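The two checks the thread turns on, worked through as an added example that is not part of the mail above or of libreswan itself: first, the longest-prefix lookup a host performs against the Windows routing table quoted in the thread, and second, whether a destination falls inside the remote subnet the client negotiated (the server's leftsubnet, which the reply says decides what goes over the tunnel). The routing rows are the ones from the mail, re-typed here as constructed sample input; the Asterisk server address 192.168.1.50 is an assumption, since the mail only says it lives in 192.168.1.0/24. With the assigned /24 as the only remote selector, traffic to 192.168.1.50 falls through to the default route via the tether gateway, which is what the final question about leftsubnet=192.168.1.0/24 versus 0.0.0.0/0 is probing.

```python
import ipaddress

# Constructed sample input: the IPv4 "Active Routes" rows from the Windows
# "route print" output quoted in the thread (Metric column stripped there).
WINDOWS_ROUTES = """\
0.0.0.0          0.0.0.0          192.168.43.1   192.168.43.203
68.195.193.42    255.255.255.255  192.168.43.1   192.168.43.203
127.0.0.0        255.0.0.0        On-link        127.0.0.1
127.0.0.1        255.255.255.255  On-link        127.0.0.1
127.255.255.255  255.255.255.255  On-link        127.0.0.1
192.168.6.0      255.255.255.0    On-link        192.168.6.2
192.168.6.2      255.255.255.255  On-link        192.168.6.2
192.168.6.255    255.255.255.255  On-link        192.168.6.2
"""

# Assumed address of the Asterisk server on the corporate LAN; the mail only
# says it is somewhere in 192.168.1.0/24.
ASTERISK = "192.168.1.50"


def parse_routes(text):
    """Parse 'destination netmask gateway interface' rows into a list of
    (network, gateway, interface). Gateway is None for 'On-link' rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header, blank or otherwise non-route line
        dest, mask, gw, iface = parts
        # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "On-link" else gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the parsed table, as the host's own
    forwarding lookup does. Returns the winning (network, gateway,
    interface) tuple, or None when nothing matches (no default route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for entry in routes:
        net = entry[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return best


def in_remote_selector(remote_subnet, dst):
    """True if dst is inside the remote subnet the client received from the
    server (its leftsubnet). Per the thread, only that traffic is sent
    over the tunnel; anything else follows the ordinary routing table."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network(remote_subnet)


def verdict(routes, remote_subnet, dst):
    """Where does a packet from the client to dst end up?
    'tunnel' if the negotiated remote selector covers it, otherwise a
    description of the plain route that wins the table lookup."""
    if in_remote_selector(remote_subnet, dst):
        return "tunnel"
    hit = lookup(routes, dst)
    if hit is None:
        return "unreachable"
    net, gw, iface = hit
    if gw is None:
        return f"on-link via {iface} ({net})"
    return f"via gateway {gw} on {iface} ({net})"


if __name__ == "__main__":
    table = parse_routes(WINDOWS_ROUTES)
    # Candidate values for what the server hands out as the remote subnet.
    for remote in ("192.168.6.0/24", "192.168.1.0/24", "0.0.0.0/0"):
        print(f"remote selector {remote:<15} -> {ASTERISK}: "
              f"{verdict(table, remote, ASTERISK)}")
    print(f"VPN gateway 192.168.6.1: {verdict(table, '192.168.6.0/24', '192.168.6.1')}")
```

Running it shows the asymmetry the reply points at: with only the assigned 192.168.6.0/24 as the remote selector, 192.168.1.50 goes out in the clear via 192.168.43.1 on the tether interface; with leftsubnet=192.168.1.0/24 or 0.0.0.0/0 it is sent over the tunnel. Note that this models the client side only; the server still needs IP forwarding and a FORWARD policy to pass that traffic on to 192.168.1.0/24, which is the separate question raised earlier in the thread.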