> >>> There already is a
> >>>
> >>> leftsubnet=0.0.0.0/0
> >>> rightsubnet=srv.ii.nn.tt/32
> >>>
> >>> in the roadwarrior's config. The config file of the server contains
> >>>
> >>> leftsubnet=srv.ii.nn.tt/32
> >>> rightaddresspool==192.0.2.0/24
> >>> narrowing=yes
> >>
> >> Oh ok, if assigning an IP to a roadwarrior, that is fine. But you will
> >> need to ensure you are NATing traffic on the server from 192.0.2.0/24
> >> to !192.0.2.0/24
> >
> > That is actually no strict requirement from myself. I removed the
> > rightaddresspool= for now, and the tunnel is still being established fine as
> > it was before. But that is not the main issue now.
> >
> >>> As not to get lost: we're still basically trying to get libreswan to
> >>> install a xfrm policy with the right source IP (i. e. rw.ii.nn.tt) for the
> >>> out direction, so that the policy triggers on the outgoing packets and
> >>> sends them through the established tunnel, right?
> >>
> >> You should have a tunnel policy from 192.0.2.x/32 to srv.ii.nn.tt/32
> >
> > This is exactly where I am stuck now. With my current config,
> > libreswan installs a tunnel policy from rw.pp.uu.bb/32 to srv.ii.nn.tt/32,
> > which obviously cannot trigger. And I have no idea why this happens, nor
> > what I can do about that.
>
> You need either rightaddresspool or a rightsubnet so both ends agree on a
> configuration for use as the road warrior's internal IP address. As it is
> dynamic, you cannot use any pre-NAT ip address of the random local network
> it is on (which would also be a security risk, imagine a wifi network giving
> you 8.8.8.8 and your server then sends all DNS to your road warrior).
This was the case up until the last change (see above) - which I can
roll back right away - but that did not work for me. I ended up with the
public IP as source address in the xfrm policy installed by libreswan
anyway. What I can further try is to use rightsubnet instead of
rightaddresspool.
I assume that rightsubnet differs from rightaddresspool basically in the
fact that the IP is not assigned by the server/responder in the former case,
but set in the ipsec.conf. How do I set it on the initiator? Do I need to
explicitly set up a virtual interface on the roadwarrior/initiator with some
RFC1918 address, or does libreswan take care of this itself?
And do I need to put a static leftsubnet= on the roadwarrior, identical to
the rightsubnet= on the server?
Best regards,
Phil
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
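An added check, not part of the thread, for the situation discussed above: it parses `ip xfrm policy show` output on the roadwarrior and reports whether the tunnel-mode out policy towards the server uses an inner source from the address pool (the 192.0.2.x/32 -> srv/32 policy Paul describes) or the roadwarrior's public IP (the rw.pp.uu.bb/32 -> srv/32 policy Phil reports). The sample dumps and the RFC 5737 addresses are constructed stand-ins for the thread's placeholders.

```python
import ipaddress
import re

# Constructed samples of `ip xfrm policy show` output on the roadwarrior (not
# taken from the thread). RFC 5737 addresses stand in for the thread's
# placeholders: 198.51.100.7 = rw.pp.uu.bb (public IP), 203.0.113.10 =
# srv.ii.nn.tt (server), 192.0.2.0/24 = rightaddresspool.
BROKEN_POLICY = """\
src 198.51.100.7/32 dst 203.0.113.10/32
\tdir out priority 1042407 ptype main
\ttmpl src 198.51.100.7 dst 203.0.113.10
\t\tproto esp reqid 16389 mode tunnel
"""
EXPECTED_POLICY = """\
src 192.0.2.5/32 dst 203.0.113.10/32
\tdir out priority 1042407 ptype main
\ttmpl src 198.51.100.7 dst 203.0.113.10
\t\tproto esp reqid 16389 mode tunnel
"""

def parse_xfrm_policies(text):
    """Parse the selector (src/dst), direction and mode of each policy."""
    policies, current = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:  # a new policy starts with an unindented selector line
            current = {"src": ipaddress.ip_network(m.group(1)),
                       "dst": ipaddress.ip_network(m.group(2)),
                       "dir": None, "mode": None}
            policies.append(current)
            continue
        if current is not None:  # indented detail lines of the same policy
            for key in ("dir", "mode"):
                m = re.search(r"\b%s (\w+)" % key, line)
                if m:
                    current[key] = m.group(1)
    return policies

def check_out_policy(text, server_ip, address_pool):
    """Return (ok, offenders): ok is True when a tunnel-mode 'out' policy to the
    server has its inner source inside the address pool; offenders lists the
    sources of out policies to the server that fall outside it, such as the
    roadwarrior's public IP, which its outgoing packets never carry as source."""
    server = ipaddress.ip_network("%s/32" % server_ip)
    pool = ipaddress.ip_network(address_pool)
    ok, offenders = False, []
    for p in parse_xfrm_policies(text):
        if p["dir"] != "out" or p["mode"] != "tunnel" or p["dst"] != server:
            continue
        if p["src"].subnet_of(pool):
            ok = True
        else:
            offenders.append(str(p["src"]))
    return ok, offenders
```

On a live host, feed it the output of `ip xfrm policy show` together with the server address and the configured pool.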