[Swan-dev] Understanding left/rightsubnet for "VPN server for remote clients using IKEv2"
Brady Johnson
bradyjoh at redhat.com
Mon Mar 21 21:31:21 EET 2022
Hello,
I am trying to configure a VPN IPSec server and client using Libreswan
according to [0].
For the VPN server, I am using RHEL 8.5 with the following Libreswan
version:
$ ipsec --version
Linux Libreswan 4.4 (netkey) on 4.18.0-348.12.2.el8_5.x86_64
For the VPN client, I am using the following:
Red Hat Enterprise Linux CoreOS release 4.8
$ uname -r
4.18.0-305.10.2.el8_4.x86_64
$ ipsec --version
Linux Libreswan 4.4 (netkey) on 4.18.0-305.10.2.el8_4.x86_64
Since CoreOS is immutable, I am using Libreswan via a
privileged network=host container.
My specific question is related to how the left/rightsubnet works. I
understand the left/rightsubnet (and subnets) options are policies to
determine which layer 3 traffic will be sent through the IPSec tunnel. In
the [0] document, I see that it sets the subnet to 0, like this:
leftsubnet=0.0.0.0/0
What exactly does this mean? I may be mistaken, but I thought I read in one
of the documents that it means "all traffic". But, based on my testing, it
seems to mean "no traffic". So, if it does indeed mean all traffic, this is
not working for me. Could this be a bug, or is there something else that
needs to be configured to include all traffic in the tunnel?
On a side-note, I tried a "Route-based VPN using VTI" configuration [1]
which isn't working either, but I can send a separate email about that.
Here are the client/server configurations I'm using:
conn vpn_server_tunnel
    left=10.10.3.8
    leftid=@vpn_server_fqdn
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    leftcert=vpn_server_fqdn
    leftsendcert=always
    # Clients
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    # Not using DHCP
    rightca=%same
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s
conn vpn_client_tunnel
    left=10.10.3.8
    leftid=@vpn_server_fqdn
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    leftmodecfgclient=yes
    right=10.10.3.5
    rightrsasigkey=%cert
    rightid=%fromcert
    rightsubnet=0.0.0.0/0
    rightcert=vpn_client_fqdn
    narrowing=yes
    ikev2=insist
    rekey=yes
    fragmentation=yes
    mobike=yes
    auto=start
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s
[0] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
[1] https://libreswan.org/wiki/Route-based_VPN_using_VTI#Creating_a_virtual_ethernet_connection
Regards,
Brady
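The question above is really about what leftsubnet=0.0.0.0/0 puts on the wire. In IKEv2 (RFC 7296 section 2.9) each side's subnet= value becomes a traffic selector, a TS_IPV4_ADDR_RANGE; 0.0.0.0/0 is encoded as the range 0.0.0.0-255.255.255.255, i.e. "any IPv4 destination", and the responder may narrow the initiator's proposal to the intersection with its own policy (which is what narrowing=yes permits). The following model of that selection is an added example, not code from the original post or from Libreswan: the function names (ts_from_subnet, negotiate_ts, flow_selected) and the sample addresses 10.10.3.5, 192.168.10.0/24 and 93.184.216.34 are this example's own, and the model deliberately ignores protocol and port ranges and multiple selectors per side.

```python
"""Model of IKEv2 traffic-selector negotiation (RFC 7296 section 2.9).

Added example, not code from the original post or from Libreswan.  It shows
that subnet=0.0.0.0/0 is the widest possible selector ("all IPv4 traffic"),
how a responder narrows a proposal to its own policy, and which packets the
resulting Child SA policy would catch.  Protocol/port selectors and multiple
ranges per side are left out of this model.
"""
import ipaddress
from typing import Optional, Tuple

Range = Tuple[int, int]  # inclusive (first, last) IPv4 address as integers


def ts_from_subnet(cidr: str) -> Range:
    """Encode a subnet= value as a TS_IPV4_ADDR_RANGE (start, end).

    0.0.0.0/0 becomes 0.0.0.0 - 255.255.255.255: every IPv4 address.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net[0]), int(net[-1])


def ts_to_str(ts: Range) -> str:
    return f"{ipaddress.ip_address(ts[0])}-{ipaddress.ip_address(ts[1])}"


def intersect(a: Range, b: Range) -> Optional[Range]:
    """Overlap of two address ranges, or None if they are disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


class TSUnacceptable(Exception):
    """The responder would answer with a TS_UNACCEPTABLE notify."""


def negotiate_ts(proposed_tsi: Range, proposed_tsr: Range,
                 resp_remote: Range, resp_local: Range,
                 narrowing: bool) -> Tuple[Range, Range]:
    """Responder-side choice of the Child SA traffic selectors.

    proposed_tsi / proposed_tsr: what the initiator sent (its own side and
    the responder's side).  resp_remote / resp_local: the responder's
    configured rightsubnet / leftsubnet from the server's point of view.
    With narrowing the responder replies with the intersection; without it
    the proposal must already fit inside the responder's policy.
    """
    chosen_i = intersect(proposed_tsi, resp_remote)
    chosen_r = intersect(proposed_tsr, resp_local)
    if chosen_i is None or chosen_r is None:
        raise TSUnacceptable("no overlap between proposal and responder policy")
    if not narrowing and (chosen_i, chosen_r) != (proposed_tsi, proposed_tsr):
        raise TSUnacceptable("proposal wider than policy and narrowing disabled")
    return chosen_i, chosen_r


def flow_selected(tsi: Range, tsr: Range, src: str, dst: str) -> bool:
    """Would a packet src->dst sent by the initiator match the SA policy?"""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    return tsi[0] <= s <= tsi[1] and tsr[0] <= d <= tsr[1]


def all_traffic_example() -> Tuple[str, bool]:
    """Server leftsubnet=0.0.0.0/0, client rightsubnet=0.0.0.0/0: the
    negotiated selector covers every IPv4 destination (constructed addresses)."""
    client_ip = ts_from_subnet("10.10.3.5/32")
    anywhere = ts_from_subnet("0.0.0.0/0")
    tsi, tsr = negotiate_ts(client_ip, anywhere, anywhere, anywhere, narrowing=True)
    return ts_to_str(tsr), flow_selected(tsi, tsr, "10.10.3.5", "93.184.216.34")


def narrowed_example() -> Tuple[str, bool, bool, bool]:
    """Server leftsubnet=192.168.10.0/24 while the client asks for 0.0.0.0/0:
    with narrowing the tunnel shrinks to the LAN, so Internet-bound traffic
    is not protected; without narrowing the Child SA is refused outright."""
    client_ip = ts_from_subnet("10.10.3.5/32")
    anywhere = ts_from_subnet("0.0.0.0/0")
    lan = ts_from_subnet("192.168.10.0/24")
    tsi, tsr = negotiate_ts(client_ip, anywhere, anywhere, lan, narrowing=True)
    lan_ok = flow_selected(tsi, tsr, "10.10.3.5", "192.168.10.7")
    internet_ok = flow_selected(tsi, tsr, "10.10.3.5", "93.184.216.34")
    try:
        negotiate_ts(client_ip, anywhere, anywhere, lan, narrowing=False)
        refused = False
    except TSUnacceptable:
        refused = True
    return ts_to_str(tsr), lan_ok, internet_ok, refused


if __name__ == "__main__":
    print("0.0.0.0/0 on the wire:", ts_to_str(ts_from_subnet("0.0.0.0/0")))
    print("all-traffic case:", all_traffic_example())
    print("narrowed case:", narrowed_example())
```

The practical check on a real host is whether a matching policy was actually installed once the Child SA came up: on Linux `ip xfrm policy` should list a policy whose src/dst selectors reflect the negotiated ranges, and if the IKE SA is up but no such policy covers the traffic, the problem is the selector negotiation (or a conflicting route/policy) rather than the meaning of 0.0.0.0/0 itself.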