On May 10, 2024, at 03:08, Phil Nightowl <[email protected]> wrote:
>
>>> There already is a
>>>
>>> leftsubnet=0.0.0.0/0
>>> rightsubnet=srv.ii.nn.tt/32
>>>
>>> in the roadwarrior's config. The config file of the server contains
>>>
>>> leftsubnet=srv.ii.nn.tt/32
>>> rightaddresspool=192.0.2.0/24
>>> narrowing=yes
>>
>> Oh ok, if assigning an IP to a roadwarrior, that is fine. But you will
>> need to ensure you are NATing traffic on the server from 192.0.2.0/24
>> to !192.0.2.0/24
>
> That is actually no strict requirement from myself. I removed the
> rightaddresspool= for now, and the tunnel is still being established fine as
> it was before. But that is not the main issue now.
>
>>> So as not to get lost: we're still basically trying to get libreswan to
>>> install an xfrm policy with the right source IP (i.e. rw.ii.nn.tt) for the
>>> out direction, so that the policy triggers on the outgoing packets and
>>> sends them through the established tunnel, right?
>>
>> You should have a tunnel policy from 192.0.2.x/32 to srv.ii.nn.tt/32
>
> This is exactly where I am stuck now. With my current config,
> libreswan installs a tunnel policy from rw.pp.uu.bb/32 to srv.ii.nn.tt/32,
> which obviously cannot trigger. And I have no idea why this happens, nor
> what I can do about that.
You need either rightaddresspool or a rightsubnet so both ends agree on a
configuration for use as the road warrior's internal IP address. As it is
dynamic, you cannot use any pre-NAT IP address of the random local network it
is on (which would also be a security risk: imagine a wifi network giving you
8.8.8.8 and your server then sends all DNS to your road warrior).

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
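Added example (not part of the thread, and not libreswan's own code): a small model of why the road warrior ends up with a `rw.pp.uu.bb/32` selector when the server has neither `rightaddresspool` nor `rightsubnet`, and why a pool lease gives the stable `192.0.2.x/32` policy Paul describes. The conn fragments and the addresses 198.51.100.1 (for `srv.ii.nn.tt`) and 203.0.113.7 (the road warrior's dynamic pre-NAT address) are constructed, and the narrowing logic is a simplified assumption about IKEv2 traffic-selector narrowing, not a reading of libreswan's source.

```python
import ipaddress

# Constructed conn fragments modelled on the thread: 198.51.100.1 stands in for
# srv.ii.nn.tt and 203.0.113.7 for the road warrior's dynamic pre-NAT address.
SERVER_WITH_POOL = "leftsubnet=198.51.100.1/32\nrightaddresspool=192.0.2.0/24\nnarrowing=yes"
SERVER_WITHOUT_POOL = "leftsubnet=198.51.100.1/32\nnarrowing=yes"
ROADWARRIOR = "leftsubnet=0.0.0.0/0\nrightsubnet=198.51.100.1/32"

def parse_conn(text):
    """Turn the key=value lines of a conn block into a dict."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conn[key.strip()] = value.strip()
    return conn

def narrowed_client_selector(rw_conn, srv_conn, rw_dynamic_ip, lease_index=1):
    """Simplified model (an assumption, not libreswan code) of how the server
    narrows the road warrior's proposed selector: a pool lease wins, then an
    explicit rightsubnet, else the peer's own pre-NAT address as a /32."""
    proposed = ipaddress.ip_network(rw_conn.get("leftsubnet", f"{rw_dynamic_ip}/32"))
    if "rightaddresspool" in srv_conn:
        pool = ipaddress.ip_network(srv_conn["rightaddresspool"])
        return ipaddress.ip_network(f"{pool[lease_index]}/32")
    want = ipaddress.ip_network(srv_conn.get("rightsubnet", f"{rw_dynamic_ip}/32"))
    if want != proposed and srv_conn.get("narrowing") != "yes":
        raise ValueError("selectors differ and narrowing=yes is not set on the server")
    if not want.subnet_of(proposed):
        raise ValueError("server selector lies outside what the client proposed")
    return want

def expected_out_policy(rw_conn, srv_conn, rw_dynamic_ip):
    """(src, dst) of the 'dir out' xfrm policy the road warrior should end up with."""
    src = narrowed_client_selector(rw_conn, srv_conn, rw_dynamic_ip)
    return str(src), str(ipaddress.ip_network(rw_conn["rightsubnet"]))

def selector_is_stable(selector, srv_conn):
    """True when the server pins the client selector (pool lease or rightsubnet)
    instead of trusting whatever pre-NAT address the road warrior holds today."""
    sel = ipaddress.ip_network(selector)
    if "rightaddresspool" in srv_conn:
        return sel.subnet_of(ipaddress.ip_network(srv_conn["rightaddresspool"]))
    return "rightsubnet" in srv_conn
```

Comparing `expected_out_policy(...)` against the `src`/`dst` of the `dir out` entries in `ip xfrm policy show` on the road warrior tells you whether the policy that got installed is the pinned one or the dynamic-address one.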
