Hi Paul,

> > How does it then determine the default gateway and other stuff that would
> > normally be obtained by DHCP, such as an NTP server?
>
> Client and server agree on the src/dst parameters, e.g. the leftsubnet and
> rightsubnet options. If the VPN client receives a remote subnet of
> 0.0.0.0/0 it sends all traffic over the tunnel. If it receives a smaller
> subnet, only traffic with that destination will go over the tunnel. For
> all traffic over the tunnel, the IP the libreswan server assigned to it
> is used (e.g. it appears to the client as leftsubnet=192.168.6.x/32).
Okay, adding leftsubnet=0.0.0.0/0 does enable me to ping the 192.168.6.1
gateway, but I can't reach the 192.168.1.0/24 internal network. I don't
recall seeing that in the documentation. Where can I find how this works?
Of course your help here is also appreciated :-)

> > Listening on 192.168.6.0/24 on the VPN server shows no traffic, even when
> > trying to ping the gateway.
>
> Do you have IP forwarding enabled (in general via sysctl or via specific
> FORWARD rules)?

Yes, shorewall appears to be taking care of that:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out  source      destination
 630M 1126G br0_fwd   all  --  br0   *    0.0.0.0/0   0.0.0.0/0
 455M  900G int_frwd  all  --  eth1  *    0.0.0.0/0   0.0.0.0/0    policy match dir in pol none

There also aren't any reject/deny messages in the logs when trying to
reach the 192.168.1.0/24 network.

> > My eventual goal is to allow it to reach the 192.168.1.0/24 corporate LAN
> > from the 192.168.6.0/24 IP it's assigned so it can communicate with our
> > Asterisk server.
>
> Do you have the VPN server handing out a leftsubnet=192.168.1.0/24 or
> leftsubnet=0.0.0.0/0 (with rightaddresspool=192.168.6.XXXXXXX)?

It doesn't work when trying leftsubnet=192.168.1.0/24 or
leftsubnet=0.0.0.0/0. It just returns "request timed out." So when I set
leftsubnet=192.168.6.0/24 I can ping the gateway, but when I set
leftsubnet=192.168.1.0/24 or leftsubnet=0.0.0.0/0 I can't reach the
gateway or the 192.168.1.0/24 network.
conn ikev2-cp
    left=68.195.111.42
    leftcert=orion.example.com
    leftid=@68.195.111.42
    leftsendcert=always
    leftsubnet=192.168.1.0/24
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.6.2-192.168.6.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,193.100.157.123
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
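To make the traffic-selector behaviour described earlier in the thread concrete, here is an added Python example. It is not libreswan code and was not part of the original exchange. It parses a conn stanza in ipsec.conf syntax and, for each candidate leftsubnet, reports which destinations a road-warrior client holding a rightaddresspool address would send through the tunnel. It models only the rule stated above: the client tunnels a packet if and only if its destination lies inside the remote subnet it received (the server's leftsubnet), sourced from its /32 pool address. It does not model narrowing=yes, client-side routing, or the server's FORWARD and NAT path. The config text, the client address 192.168.6.10 and the destination 192.168.1.20 are constructed for the example from the conn posted above.

```python
"""Which destinations does a libreswan IKEv2 road-warrior client tunnel?

Added example, not libreswan code. Models the traffic-selector logic
described in the thread: the client sends a packet over the tunnel iff
its destination lies inside the remote subnet it received (the server's
leftsubnet), from its assigned pool address (/32). Narrowing, routing
and server-side forwarding/NAT are deliberately out of scope.
"""
import ipaddress
import re

# Constructed sample: the posted conn with certificate and DPD options removed.
SAMPLE_CONF = """
conn ikev2-cp
    left=68.195.111.42
    leftsubnet=192.168.1.0/24
    right=%any
    rightaddresspool=192.168.6.2-192.168.6.254
    narrowing=yes
    ikev2=insist
    auto=add
"""


def parse_conn(text):
    """Return {conn_name: {option: value}} for every 'conn' stanza in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def pool_range(spec):
    """Parse 'a.b.c.d-e.f.g.h' (rightaddresspool syntax) into two addresses."""
    low, high = spec.split("-")
    return ipaddress.ip_address(low), ipaddress.ip_address(high)


def server_selector(conn):
    """The remote traffic selector the client receives for this conn.

    Without leftsubnet the tunnel covers only the server's own address."""
    subnet = conn.get("leftsubnet") or conn["left"] + "/32"
    return ipaddress.ip_network(subnet, strict=False)


def goes_via_tunnel(conn, client_ip, dst):
    """True iff a packet from the client's pool address to dst matches the
    tunnel selectors. Raises if client_ip is not inside rightaddresspool."""
    low, high = pool_range(conn["rightaddresspool"])
    src = ipaddress.ip_address(client_ip)
    if not (low <= src <= high):
        raise ValueError(f"{client_ip} is not inside rightaddresspool")
    return ipaddress.ip_address(dst) in server_selector(conn)


def compare_leftsubnets(conf_text, name, client_ip, dsts, candidates):
    """For each candidate leftsubnet value, map destination -> tunnelled?"""
    base = parse_conn(conf_text)[name]
    results = {}
    for candidate in candidates:
        conn = dict(base, leftsubnet=candidate)
        results[candidate] = {d: goes_via_tunnel(conn, client_ip, d) for d in dsts}
    return results


if __name__ == "__main__":
    table = compare_leftsubnets(
        SAMPLE_CONF, "ikev2-cp", "192.168.6.10",
        ["192.168.6.1", "192.168.1.20", "8.8.8.8"],
        ["192.168.6.0/24", "192.168.1.0/24", "0.0.0.0/0"],
    )
    for candidate, per_dst in table.items():
        cells = "  ".join(f"{d}: {'tunnel' if v else 'local'}" for d, v in per_dst.items())
        print(f"leftsubnet={candidate:<15} {cells}")
```

Running it shows the split the thread is circling around: with leftsubnet=192.168.6.0/24 only the 192.168.6.1 gateway is inside the selector and the client never puts 192.168.1.0/24 traffic into the tunnel at all, while 192.168.1.0/24 or 0.0.0.0/0 does cover the LAN. Whatever the client does tunnel still has to be forwarded on the server, which this example does not check. One thing worth noting in the FORWARD chain shown above: the eth1 rule carries "policy match dir in pol none", so it matches only packets that were not delivered through an IPsec policy; decrypted ESP traffic entering on eth1 would fall through to the chain's DROP policy, and with no LOG rule in the chain that drop leaves nothing in the logs. Counting packets on that rule and on the chain policy while pinging, or running tcpdump on the internal interface, would show whether the decrypted packets get that far.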