On Wed, 7 Feb 2024, Phil Nightowl via Swan wrote:
I am failing to configure multiple simultaneous connections with
part of the clients behind NAT and part not (though I am not sure to what extent
*that* is the main issue). Before elaborating thoroughly, can anyone please
tell me whether the following setup is possible with libreswan at all?
* single server, multiple clients
* all connections host-to-host
* some clients behind NAT, some not
* ipsec must allow ssh connections to pass without touching them for some
connections
Yes this should be possible.
Currently, server.privlan has libreswan 4.10, other hosts mostly 4.3.
I would try 4.12.
Things do break as soon as I try to add more conns. I am not sure that I
understand the log correctly, but pluto seems to switch between connections
when I don't expect it to, or refuses a proposal due to wrong TS, and so on.
Is it using one conn with addresspool=? Or are there additional complexities?
Is it switching between connection instances or different connections?
Is the desired setup possible with libreswan at all? If so, does anyone see
what I am doing wrong? Feel free to ask for additional config files,
debugging output, etc., as needed.
For the current working part config, please see below.
Many thanks in advance. Best regards,
Phil
===================================
Config on server.privlan:
conn privlan-ssh
    type=passthrough
    left=%defaultroute
    right=%group
    auto=ondemand
    authby=never
This would need a leftprotoport=tcp/22 and rightprotoport=tcp/0
And probably use right=%any
conn privlan
    left=%defaultroute
    right=%group
Use right=%any - group has a special meaning for opportunistic clients.
    auto=ondemand
You cannot do ondemand if you don't know where the clients are going to
show up at?
    authby=rsasig
    ikev2=insist
    leftid=%fromcert
    rightid=%fromcert
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=server
    leftsendcert=always
    rightsendcert=always
    rightca=%same
    pfs=yes
    aggressive=no
    salifetime=1h
    negotiationshunt=hold
    failureshunt=drop
You should instead look at this:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
with policies/privlan having:
192.168.1.0/25
and policies/privlan-ssh:
192.168.1.0/24 tcp 0 22
192.168.1.0/24 tcp 22 0
I would not use opportunistic encryption rules here at all.
See above.
I'm assuming you have roadwarriors (e.g. clients on dynamic IP that get an
internal IP assigned?)
If you do want to do opportunistic encryption, that really does assume
that there is no NAT to traverse and all nodes see each others real IP
address.
Paul
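The following ipsec.conf is an added illustration assembling Paul's individual suggestions (right=%any instead of %group, leftprotoport=tcp/22 with rightprotoport=tcp/0 on the passthrough conn, and the IKEv2 roadwarrior pattern from the linked wiki page) into one server-side configuration. It is not the configuration from either message and has not been tested against the versions mentioned in the thread. The LAN subnet 192.168.1.0/24, the client address pool 192.168.99.10-192.168.99.250 and the certificate nickname "server" are assumed values; the DPD settings are ordinary defaults, not something the thread asks for.

```ini
# /etc/ipsec.conf on server.privlan
# Assumed example built from the advice in this thread, not the poster's file.
# Assumed values: LAN 192.168.1.0/24, client pool 192.168.99.10-250,
# server certificate nickname "server".

# IKEv2 roadwarrior server. Clients arrive from unknown, possibly NATed,
# addresses and are identified by their certificate, so the peer is %any
# rather than %group (which is reserved for opportunistic policy groups).
conn privlan
    left=%defaultroute
    leftid=%fromcert
    leftcert=server
    leftsendcert=always
    leftsubnet=192.168.1.0/24
    right=%any
    rightid=%fromcert
    rightca=%same
    # each connecting client gets an inner address from this (assumed) pool
    rightaddresspool=192.168.99.10-192.168.99.250
    authby=rsasig
    ikev2=insist
    # let the responder narrow the traffic selectors the client proposes
    narrowing=yes
    # template conn: load it and wait for clients to initiate; not ondemand,
    # since the server does not know where the clients will show up from
    auto=add
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

# SSH to the server's port 22, from any peer and any source port, stays in
# the clear. The passthrough policy is installed at start-up (auto=route)
# and is matched ahead of the IPsec policy for the same hosts.
conn privlan-ssh
    type=passthrough
    authby=never
    left=%defaultroute
    leftprotoport=tcp/22
    right=%any
    rightprotoport=tcp/0
    auto=route
```

After loading, check that the passthrough conn was accepted with right=%any on the installed version (Paul says "probably" for this part): run `ipsec auto --add privlan-ssh` and look for it in `ipsec status`, then confirm that a client's ssh session to port 22 does not trigger an acquire while its other traffic does. Paul's alternative of keeping the %group conns and putting the subnet and port lines into policies/privlan and policies/privlan-ssh is not shown here.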
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan