[Swan-dev] Understanding left/rightsubnet for "VPN server for remote clients using IKEv2"

Brady Johnson bradyjoh at redhat.com
Sun Mar 27 14:49:28 EEST 2022


Hello,

I sent this message a week ago, but have had no response. If this is not
the correct list to use, can someone at least advise where I should send
it, please?

Regards,

*Brady Johnson*
brady.johnson at redhat.com



On Mon, Mar 21, 2022 at 4:25 PM Brady Johnson <bradyjoh at redhat.com> wrote:

>
> Hello,
>
> I am trying to configure a VPN IPSec server and client using Libreswan
> according to [0].
>
> For the VPN server, I am using RHEL 8.5 with the following Libreswan
> version:
>
> $ ipsec --version
> Linux Libreswan 4.4 (netkey) on 4.18.0-348.12.2.el8_5.x86_64
>
>
> For the VPN client, I am using the following:
>
> Red Hat Enterprise Linux CoreOS release 4.8
> $ uname -r
> 4.18.0-305.10.2.el8_4.x86_64
> $ ipsec --version
> Linux Libreswan 4.4 (netkey) on 4.18.0-305.10.2.el8_4.x86_64
>
>
> Since CoreOS is immutable, I am using Libreswan via a
> privileged network=host container.
>
> My specific question is related to how the left/rightsubnet works. I
> understand the left/rightsubnet (and subnets) options are policies to
> determine which layer 3 traffic will be sent through the IPSec tunnel. In
> the [0] document, I see that it sets the subnet to 0, like this:
>
> leftsubnet=0.0.0.0/0
>
>
> What exactly does this mean? I may be mistaken, but I thought I read in
> one of the documents that it means "all traffic". But, based on my testing,
> it seems to mean "no traffic". So, if it does indeed mean all traffic, this
> is not working for me. Could this be a bug, or is there something else that
> needs to be configured to include all traffic in the tunnel?
>
> On a side-note, I tried a "Route-based VPN using VTI" configuration [1]
> which isn't working either, but I can send a separate email about that.
>
> Here are the client/server configurations I'm using:
>
> conn vpn_server_tunnel
>     left=10.10.3.8
>     leftid=@vpn_server_fqdn
>     leftsubnet=0.0.0.0/0
>     leftrsasigkey=%cert
>     leftcert=vpn_server_fqdn
>     leftsendcert=always
>
>     # Clients
>     right=%any
>     rightrsasigkey=%cert
>     rightid=%fromcert
>     # Not using DHCP
>     rightca=%same
>
>     # recommended dpd/liveness to cleanup vanished clients
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>
>     auto=add
>     ikev2=insist
>     rekey=no
>     fragmentation=yes
>     ike=aes256-sha2
>     esp=aes256-sha2_512-dh14
>     authby=rsa-sha2_512
>     ikelifetime=86400s
>     salifetime=3600s
>
> conn vpn_client_tunnel
>     left=10.10.3.8
>     leftid=@vpn_server_fqdn
>     leftsubnet=0.0.0.0/0
>     leftrsasigkey=%cert
>     leftmodecfgclient=yes
>
>     right=10.10.3.5
>     rightrsasigkey=%cert
>     rightid=%fromcert
>     rightsubnet=0.0.0.0/0
>     rightcert=vpn_client_fqdn
>
>     narrowing=yes
>     ikev2=insist
>     rekey=yes
>     fragmentation=yes
>     mobike=yes
>     auto=start
>     ike=aes256-sha2
>     esp=aes256-sha2_512-dh14
>     authby=rsa-sha2_512
>     ikelifetime=86400s
>     salifetime=3600s
>
>
> [0] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
> [1]
> https://libreswan.org/wiki/Route-based_VPN_using_VTI#Creating_a_virtual_ethernet_connection
>
> Regards,
>
> *Brady Johnson*
> Principal Software Engineer
> brady.johnson at redhat.com
>
>
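The question above is really about how leftsubnet/rightsubnet turn into IKEv2 traffic selectors. The following is an added example written for this page, not code from the mailing list or from the Libreswan project: it parses a constructed, trimmed copy of the two conn blocks, derives each side's selector (assuming, per ipsec.conf(5), that an omitted leftsubnet/rightsubnet means the host address as a /32, and that right=%any is only resolved once a peer connects), applies RFC 7296 section 2.9 narrowing to the two sides' proposals, and then checks which packets fall inside the agreed policy. It shows that 0.0.0.0/0 is "every IPv4 address", and that after narrowing against the server's defaults the client-side selector collapses to the client's own /32.

```python
import ipaddress

# Constructed sample (not the full configs from the mail): only the options
# this example needs are kept. Both conn blocks name the server as "left".
SAMPLE_CONF = """
conn vpn_server_tunnel
    left=10.10.3.8
    leftsubnet=0.0.0.0/0
    right=%any            # clients; no rightsubnet given

conn vpn_client_tunnel
    left=10.10.3.8
    leftsubnet=0.0.0.0/0
    right=10.10.3.5
    rightsubnet=0.0.0.0/0
"""


def parse_conns(text):
    """Minimal ipsec.conf reader: returns {conn_name: {option: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # strip comments
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def selector(conn, side, peer=None):
    """Traffic selector network for one side ("left" or "right").
    Assumption from ipsec.conf(5): an omitted <side>subnet means the host
    address itself as a /32. A wildcard host (%any) is only known once a
    peer connects, so the caller supplies it as `peer`."""
    subnet = conn.get(side + "subnet")
    if subnet:
        return ipaddress.ip_network(subnet, strict=False)
    host = conn.get(side, "")
    if host.startswith("%"):
        host = peer
    if host is None:
        return None
    return ipaddress.ip_network(host + "/32")


def narrow(a, b):
    """IKEv2 narrowing (RFC 7296 s2.9) for two CIDR prefixes: the agreed
    selector is their overlap. Two prefixes either nest or are disjoint,
    so the result is the more specific one, or None if they do not meet."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiate(server, client, client_addr):
    """Selectors of the CHILD_SA after narrowing: (server_side, client_side).
    The server's left pairs with the client's left because both conn blocks
    put the server on the left."""
    server_side = narrow(selector(server, "left"), selector(client, "left"))
    client_side = narrow(selector(server, "right", peer=client_addr),
                         selector(client, "right"))
    return server_side, client_side


def tunneled(server_side, client_side, src, dst):
    """True when a packet between src and dst, in either direction, falls
    inside the negotiated selectors and would therefore use the tunnel."""
    if server_side is None or client_side is None:
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in client_side and d in server_side) or \
           (s in server_side and d in client_side)


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    ss, cs = negotiate(conns["vpn_server_tunnel"],
                       conns["vpn_client_tunnel"], "10.10.3.5")
    print("server-side selector:", ss)      # 0.0.0.0/0: all IPv4
    print("client-side selector:", cs)      # 10.10.3.5/32 after narrowing
    for src, dst in [("10.10.3.5", "8.8.8.8"), ("10.10.3.99", "8.8.8.8")]:
        print(src, "->", dst, "tunneled:", tunneled(ss, cs, src, dst))
```

Running it shows the agreed policy as 0.0.0.0/0 on the server side and 10.10.3.5/32 on the client side, so traffic from the client's own address to anywhere matches while traffic from another host behind the client does not; comparing the selectors printed here against what `ipsec status` reports for the live connection is a quick way to see whether the negotiated policy is what the configuration intended.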