<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div><br></div><div>Hello,</div><div><br></div><div>I am trying to configure a VPN IPSec server and client using Libreswan according to [0].</div><div><br></div><div>For the VPN server, I am using RHEL 8.5 with the following Libreswan version:</div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><font face="monospace">$ ipsec --version</font></div><div><font face="monospace">Linux Libreswan 4.4 (netkey) on 4.18.0-348.12.2.el8_5.x86_64</font></div></blockquote><div><br></div><div>For the VPN client, I am using the following:</div><div><br></div><div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><font face="monospace">Red Hat Enterprise Linux CoreOS release 4.8<br>$ uname -r<br>4.18.0-305.10.2.el8_4.x86_64<br></font></div><div><font face="monospace">$ ipsec --version<br>Linux Libreswan 4.4 (netkey) on 4.18.0-305.10.2.el8_4.x86_64<br></font></div></blockquote></div><div><br></div><div>Since CoreOS is immutable, I am using Libreswan via a privileged network=host container.</div><div><br></div><div>My specific question is related to how the left/rightsubnet works. I understand the left/rightsubnet (and subnets) options are policies to determine which layer 3 traffic will be sent through the IPSec tunnel. In the [0] document, I see that it sets the subnet to 0, like this:</div><div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><font face="monospace">leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br></font></div></blockquote></div><div><br></div><div>What exactly does this mean? I may be mistaken, but I thought I read in one of the documents that it means "all traffic". But, based on my testing, it seems to mean "no traffic". So, if it does indeed mean all traffic, this is not working for me. Could this be a bug, or is there something else that needs to be configured to include all traffic in the tunnel?</div><div><br></div><div>On a side-note, I tried a "Route-based VPN using VTI" configuration [1] which isnt working either, but I can send a separate email about that.</div><div><br></div><div>Here are the client/server configurations Im using:<br><br><font face="monospace">conn vpn_server_tunnel<br> left=10.10.3.8<br> leftid=@vpn_server_fqdn<br> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br> leftrsasigkey=%cert<br> leftcert=</font><span style="font-family:monospace">vpn_server_fqdn</span><font face="monospace"><br> leftsendcert=always<br><br> # Clients<br> right=%any<br> rightrsasigkey=%cert<br> rightid=%fromcert<br> # Not using DHCP<br> rightca=%same<br><br> # recommended dpd/liveness to cleanup vanished clients<br> dpddelay=30<br> dpdtimeout=120<br> dpdaction=clear<br><br> auto=add<br> ikev2=insist<br> rekey=no<br> fragmentation=yes<br> ike=aes256-sha2<br> esp=aes256-sha2_512-dh14<br> authby=rsa-sha2_512<br> ikelifetime=86400s<br> salifetime=3600s<br></font></div><div><br></div><div><font face="monospace">conn vpn_client_tunnel<br> left=</font><span style="font-family:monospace">10.10.3.8</span><font face="monospace"><br> leftid=@</font><span style="font-family:monospace">vpn_server_fqdn</span><font face="monospace"><br> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br> leftrsasigkey=%cert<br> leftmodecfgclient=yes<br><br> right=</font><span style="font-family:monospace">10.10.3.5</span><font face="monospace"><br> rightrsasigkey=%cert<br> rightid=%fromcert<br> rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br> rightcert=vpn_client_fqdn<br><br> narrowing=yes<br> ikev2=insist<br> rekey=yes<br> fragmentation=yes<br> mobike=yes<br> auto=start<br> ike=aes256-sha2<br> esp=aes256-sha2_512-dh14<br> authby=rsa-sha2_512<br> ikelifetime=86400s<br> salifetime=3600s<br></font></div><div><br></div><div><br></div><div>[0] <a href="https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2" target="_blank">https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2</a></div><div>[1] <a href="https://libreswan.org/wiki/Route-based_VPN_using_VTI#Creating_a_virtual_ethernet_connection" target="_blank">https://libreswan.org/wiki/Route-based_VPN_using_VTI#Creating_a_virtual_ethernet_connection</a></div><div><br></div><div>Regards,</div><br clear="all"><div><div dir="ltr" data-smartmail="gmail_signature"><div dir="ltr">Brady<div><div><br></div><div></div></div></div></div></div></div>
</div></div>