[Swan-dev] Understanding left/rightsubnet for "VPN server for remote clients using IKEv2"
Brady Johnson
bradyjoh at redhat.com
Sun Mar 27 14:49:28 EEST 2022
Hello,
I sent this message a week ago, but have had no response. If this is not
the correct list to use, can someone at least advise where I should send
it, please?
Regards,
*Brady Johnson*
brady.johnson at redhat.com
On Mon, Mar 21, 2022 at 4:25 PM Brady Johnson <bradyjoh at redhat.com> wrote:
>
> Hello,
>
> I am trying to configure a VPN IPSec server and client using Libreswan
> according to [0].
>
> For the VPN server, I am using RHEL 8.5 with the following Libreswan
> version:
>
> $ ipsec --version
> Linux Libreswan 4.4 (netkey) on 4.18.0-348.12.2.el8_5.x86_64
>
>
> For the VPN client, I am using the following:
>
> Red Hat Enterprise Linux CoreOS release 4.8
> $ uname -r
> 4.18.0-305.10.2.el8_4.x86_64
> $ ipsec --version
> Linux Libreswan 4.4 (netkey) on 4.18.0-305.10.2.el8_4.x86_64
>
>
> Since CoreOS is immutable, I am using Libreswan via a
> privileged network=host container.
>
> My specific question is related to how the left/rightsubnet works. I
> understand the left/rightsubnet (and subnets) options are policies to
> determine which layer 3 traffic will be sent through the IPSec tunnel. In
> the [0] document, I see that it sets the subnet to 0, like this:
>
> leftsubnet=0.0.0.0/0
>
>
> What exactly does this mean? I may be mistaken, but I thought I read in
> one of the documents that it means "all traffic". But, based on my testing,
> it seems to mean "no traffic". So, if it does indeed mean all traffic, this
> is not working for me. Could this be a bug, or is there something else that
> needs to be configured to include all traffic in the tunnel?
>
> On a side-note, I tried a "Route-based VPN using VTI" configuration [1]
> which isn't working either, but I can send a separate email about that.
>
> Here are the client/server configurations I'm using:
>
> conn vpn_server_tunnel
>     left=10.10.3.8
>     leftid=@vpn_server_fqdn
>     leftsubnet=0.0.0.0/0
>     leftrsasigkey=%cert
>     leftcert=vpn_server_fqdn
>     leftsendcert=always
>
>     # Clients
>     right=%any
>     rightrsasigkey=%cert
>     rightid=%fromcert
>     # Not using DHCP
>     rightca=%same
>
>     # recommended dpd/liveness to cleanup vanished clients
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>
>     auto=add
>     ikev2=insist
>     rekey=no
>     fragmentation=yes
>     ike=aes256-sha2
>     esp=aes256-sha2_512-dh14
>     authby=rsa-sha2_512
>     ikelifetime=86400s
>     salifetime=3600s
>
> conn vpn_client_tunnel
>     left=10.10.3.8
>     leftid=@vpn_server_fqdn
>     leftsubnet=0.0.0.0/0
>     leftrsasigkey=%cert
>     leftmodecfgclient=yes
>
>     right=10.10.3.5
>     rightrsasigkey=%cert
>     rightid=%fromcert
>     rightsubnet=0.0.0.0/0
>     rightcert=vpn_client_fqdn
>
>     narrowing=yes
>     ikev2=insist
>     rekey=yes
>     fragmentation=yes
>     mobike=yes
>     auto=start
>     ike=aes256-sha2
>     esp=aes256-sha2_512-dh14
>     authby=rsa-sha2_512
>     ikelifetime=86400s
>     salifetime=3600s
>
>
> [0] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
> [1] https://libreswan.org/wiki/Route-based_VPN_using_VTI#Creating_a_virtual_ethernet_connection
>
> Regards,
>
> *Brady Johnson*
> Principal Software Engineer
> brady.johnson at redhat.com
>
>
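To make concrete what a left/rightsubnet of 0.0.0.0/0 selects, the following is an added example in Python; it is neither Libreswan code nor part of the original thread. It parses trimmed-down copies of the two conn sections quoted above, derives each side's IKEv2 traffic selector (an omitted left/rightsubnet falls back to that side's host address as a /32, and a %any host is filled in with the peer's address once it connects), narrows the two sides' selectors to their intersection the way an IKEv2 responder may, and then reports whether a given packet leaving the client would be sent through the tunnel. The function names (parse_conn, selector, narrow, negotiate, client_tunnels) are my own, the packet addresses are constructed TEST-NET values, and the model is deliberately simplified: address selectors only, no protoport, no multiple subnets, no address pools.

```python
"""Simplified model of IKEv2 traffic selectors derived from ipsec.conf.

Added illustration, not Libreswan code. It parses 'conn' sections, turns
left/rightsubnet into traffic selectors, narrows both sides' selectors as an
IKEv2 responder may, and reports whether a packet would be sent through the
tunnel. Only address-based selectors are modelled (assumption): no
protoport, no multiple subnets, no address pools.
"""
import ipaddress
import re

# Trimmed copies of the two conns from the thread (constructed sample input).
SERVER_CONF = """\
conn vpn_server_tunnel
    left=10.10.3.8
    leftsubnet=0.0.0.0/0
    # any client; no rightsubnet, so the client host itself is the selector
    right=%any
"""

CLIENT_CONF = """\
conn vpn_client_tunnel
    left=10.10.3.8
    leftsubnet=0.0.0.0/0
    right=10.10.3.5
    rightsubnet=0.0.0.0/0
    narrowing=yes
"""


def parse_conn(text):
    """Return {conn_name: {key: value}}; '#' comments and blank lines ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a conn section: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return conns


def selector(conn, side, peer=None):
    """Traffic selector for 'left' or 'right': <side>subnet if set, else the
    host address as a /32. A '%' host (e.g. %any) is unknown until the peer
    connects, so it is filled from `peer` or yields None."""
    subnet = conn.get(f"{side}subnet")
    if subnet is not None:
        return ipaddress.ip_network(subnet, strict=False)
    host = conn.get(side)
    if host is None:
        return None
    if host.startswith("%"):
        if peer is None:
            return None
        host = peer
    return ipaddress.ip_network(f"{host}/32")


def narrow(a, b, allow_narrowing):
    """Intersect two CIDR selectors. Equal selectors always agree; otherwise,
    if narrowing is permitted, the more specific of two nested selectors is
    the result; anything else is TS_UNACCEPTABLE (None), i.e. no Child SA."""
    if a is None or b is None:
        return None
    if a == b:
        return a
    if not allow_narrowing:
        return None
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiate(responder, initiator, initiator_addr, allow_narrowing):
    """Agreed (left_ts, right_ts) for the Child SA, or None. Both conns in the
    thread name the server as 'left', so sides are matched by name."""
    agreed = []
    for side in ("left", "right"):
        agreed.append(narrow(selector(responder, side, initiator_addr),
                             selector(initiator, side, initiator_addr),
                             allow_narrowing))
    left_ts, right_ts = agreed
    if left_ts is None or right_ts is None:
        return None
    return left_ts, right_ts


def client_tunnels(ts, src, dst):
    """Does a packet leaving the client (the 'right' side) enter the tunnel?
    Its source must lie in right_ts and its destination in left_ts."""
    left_ts, right_ts = ts
    return (ipaddress.ip_address(src) in right_ts
            and ipaddress.ip_address(dst) in left_ts)


if __name__ == "__main__":
    conns = {**parse_conn(SERVER_CONF), **parse_conn(CLIENT_CONF)}
    server, client = conns["vpn_server_tunnel"], conns["vpn_client_tunnel"]
    ts = negotiate(server, client, "10.10.3.5", allow_narrowing=True)
    print("agreed selectors:", ts)  # (0.0.0.0/0, 10.10.3.5/32)
    for src, dst in [("10.10.3.5", "192.0.2.10"), ("10.10.3.6", "192.0.2.10")]:
        print(f"{src} -> {dst}: tunnelled={client_tunnels(ts, src, dst)}")
    print("without narrowing:", negotiate(server, client, "10.10.3.5", False))
```

With the two quoted conns, the left selectors already agree at 0.0.0.0/0; on the right, the server's %any becomes 10.10.3.5/32 once that client connects, and the client's 0.0.0.0/0 is narrowed down to it. The agreed policy therefore tunnels every packet the client sends from 10.10.3.5 to any destination, and nothing from any other source: 0.0.0.0/0 means "all destinations", and it is the traffic selector, not the routing table, that decides. If narrowing is not permitted, the mismatched right selectors produce no Child SA at all, which on the wire shows up as a rejected traffic selector rather than as a tunnel that carries no traffic; checking `ipsec status` / `ipsec trafficstatus` for whether a Child SA with the expected selectors exists is the first thing to verify when "all traffic" appears to mean "no traffic".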