[Swan-dev] Understanding left/rightsubnet for "VPN server for remote clients using IKEv2"

Brady Johnson bradyjoh at redhat.com
Mon Mar 21 21:31:21 EET 2022


Hello,

I am trying to configure a VPN IPSec server and client using Libreswan
according to [0].

For the VPN server, I am using RHEL 8.5 with the following Libreswan
version:

$ ipsec --version
Linux Libreswan 4.4 (netkey) on 4.18.0-348.12.2.el8_5.x86_64


For the VPN client, I am using the following:

Red Hat Enterprise Linux CoreOS release 4.8
$ uname -r
4.18.0-305.10.2.el8_4.x86_64
$ ipsec --version
Linux Libreswan 4.4 (netkey) on 4.18.0-305.10.2.el8_4.x86_64


Since CoreOS is immutable, I am using Libreswan via a
privileged network=host container.

My specific question is related to how the left/rightsubnet works. I
understand the left/rightsubnet (and subnets) options are policies to
determine which layer 3 traffic will be sent through the IPSec tunnel. In
the [0] document, I see that it sets the subnet to 0, like this:

leftsubnet=0.0.0.0/0


What exactly does this mean? I may be mistaken, but I thought I read in one
of the documents that it means "all traffic". But, based on my testing, it
seems to mean "no traffic". So, if it does indeed mean all traffic, this is
not working for me. Could this be a bug, or is there something else that
needs to be configured to include all traffic in the tunnel?

On a side-note, I tried a "Route-based VPN using VTI" configuration [1]
which isn't working either, but I can send a separate email about that.

Here are the client/server configurations I'm using:

conn vpn_server_tunnel
    left=10.10.3.8
    leftid=@vpn_server_fqdn
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    leftcert=vpn_server_fqdn
    leftsendcert=always

    # Clients
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    # Not using DHCP
    rightca=%same

    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s

conn vpn_client_tunnel
    left=10.10.3.8
    leftid=@vpn_server_fqdn
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    leftmodecfgclient=yes

    right=10.10.3.5
    rightrsasigkey=%cert
    rightid=%fromcert
    rightsubnet=0.0.0.0/0
    rightcert=vpn_client_fqdn

    narrowing=yes
    ikev2=insist
    rekey=yes
    fragmentation=yes
    mobike=yes
    auto=start
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s


[0] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
[1] https://libreswan.org/wiki/Route-based_VPN_using_VTI#Creating_a_virtual_ethernet_connection

Regards,

Brady
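As an added illustration (not code from the post, the wiki page or Libreswan itself) of how the left/rightsubnet policy decides which flows are tunnelled: a small Python model that parses the two conn excerpts quoted above and applies the ipsec.conf rule that an omitted leftsubnet/rightsubnet means the end's own address as a /32. The `peer_addr` parameter and the `selector`/`flow_is_protected` names are assumptions; IKEv2 narrowing of the selectors is not modelled.

```python
import ipaddress

# Constructed excerpts of the two conn sections quoted in the post above
# (only the address-related keys; a comment line is kept to exercise the parser).
SERVER_CONN = """
    left=10.10.3.8
    leftsubnet=0.0.0.0/0
    # Clients
    right=%any
"""
CLIENT_CONN = """
    left=10.10.3.8
    leftsubnet=0.0.0.0/0
    right=10.10.3.5
    rightsubnet=0.0.0.0/0
"""

def parse_conn(text):
    """Parse the key=value lines of one ipsec.conf conn section, dropping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def selector(conf, side, peer_addr=None):
    """Effective traffic selector of one side: the explicit leftsubnet/rightsubnet,
    or, when omitted, that end's own address as a /32 (ipsec.conf(5): "essentially
    assumed to be left/32"). For right=%any the address is only known once a client
    has connected; peer_addr stands in for it (assumption of this model)."""
    if side + "subnet" in conf:
        return ipaddress.ip_network(conf[side + "subnet"], strict=False)
    addr = conf[side]
    if addr == "%any":
        if peer_addr is None:
            raise ValueError("right=%any: peer address unknown until a client connects")
        addr = peer_addr
    return ipaddress.ip_network(addr + "/32")

def flow_is_protected(conf, left_side_ip, right_side_ip, peer_addr=None):
    """True if a flow between an address on the left side and one on the right
    side lies inside both selectors, i.e. would be sent through the tunnel."""
    return (ipaddress.ip_address(left_side_ip) in selector(conf, "left", peer_addr)
            and ipaddress.ip_address(right_side_ip) in selector(conf, "right", peer_addr))
```

Run against the server excerpt, leftsubnet=0.0.0.0/0 admits any left-side source, while the omitted rightsubnet narrows the right side to the connecting client's /32; the client excerpt, with 0.0.0.0/0 on both sides, matches every flow.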