[Swan] modecfg with multiple subnets

Wolfgang Nothdurft wolfgang at linogate.de
Tue Jun 17 14:49:45 EEST 2014


On 16.06.2014 18:35, Paul Wouters wrote:
> On Mon, 16 Jun 2014, Wolfgang Nothdurft wrote:
>
>> I was trying to configure mode config with multiple subnets.
>>
>> The problem is that the connection with the second subnet can't
>> connect (see log and example config):
>>
>> Jun 16 15:45:05 d1 pluto[27759]: "client/2x0"[1] 10.0.12.2 #1: cannot
>> respond to IPsec SA request because no connection is known for
>> 192.168.11.0/24===10.0.11.2[MS+S=C]...10.0.12.2[+MC+S=C]===192.168.12.1/32
>>
>>
>> Should it be possible to use mode config with multiple subnets?
>
> Yes, it should be, but the server side code is still incomplete. You
> need to send a CISCO_SPLIT_INC XAUTH attribute and then send multiple
> "route objects". This code should be triggered when the client end is
> not rightsubnet=0.0.0.0/0 but rightsubnets={ list of subnets }
>
> On the client side, this already works (interops with Cisco). I can
> provide you a log if it helps to see what you need to send.
>

OK, looking at the code, there seem to be two things missing in the server
side code:

* proper handling for the long attributes in modecfg_resp (maybe
modecfg_resp needs to be called twice: first for the normal attributes
and second for the long attributes)

* assembling the response with the configured subnets

Am I right?

At the moment we can live with only having one subnet, because most
setups will use 0.0.0.0/0 as the local subnet.

Maybe I'll find some time after finishing the libreswan migration, so yes,
you can send me the log.


>> And there seems to be an old bug also that rightsubnet needs to be set
>> with leftsubnets and vice versa.
>> This would be problematic if you'd use rightaddresspool instead of
>> rightsubnet on the server side.
>
> Yes, that's a problem in the parser code in lib/libipsecconf/ being too
> strict.
>
> If you don't get to this, we can hopefully finish this for libreswan 3.10.

We generate multiple conn sections for multiple subnets at the moment,
and I don't know if we would benefit from switching to one conn with subnets.
So maybe I'll leave it as it is. ;)

Wolfgang
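
As an added example that is not part of this thread: a small Python generator for the workaround Wolfgang describes, emitting one conn section per local subnet that shares a base section via also=, instead of a single conn with leftsubnets= that the server side cannot yet answer with multiple split-include routes. The option names are libreswan ipsec.conf keywords; the addresses, pool and conn names are assumptions.

```python
import ipaddress

# Constructed example (not from the thread): options shared by every generated
# section. Keywords are libreswan ipsec.conf options; the values are assumed.
BASE_OPTIONS = {
    "left": "10.0.11.2",
    "leftxauthserver": "yes",
    "leftmodecfgserver": "yes",
    "right": "%any",
    "rightxauthclient": "yes",
    "rightmodecfgclient": "yes",
    "rightaddresspool": "192.168.12.1-192.168.12.254",
    "authby": "secret",
}


def expand_subnets(conn_name, base_options, subnets):
    """Return ipsec.conf text with one conn per local subnet.

    Instead of a single conn with leftsubnets={...}, each subnet gets its
    own conn section that pulls the shared options in with also=, so no
    section needs the server to send more than one split-include route.
    """
    # strict=True rejects a prefix with host bits set, e.g. 192.168.11.1/24
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    # Overlapping subnets would produce two conns claiming the same traffic.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets: {a} and {b}")
    base_name = f"{conn_name}-base"
    lines = [f"conn {base_name}"]
    lines += [f"\t{k}={v}" for k, v in base_options.items()]
    lines.append("\tauto=ignore")  # template only; never loaded by itself
    for i, net in enumerate(nets):
        lines += ["", f"conn {conn_name}-{i}", f"\talso={base_name}",
                  f"\tleftsubnet={net}", "\tauto=add"]
    return "\n".join(lines) + "\n"


def conn_names(conf_text):
    """Names of the conn sections in generated text, in file order."""
    return [l.split(None, 1)[1] for l in conf_text.splitlines()
            if l.startswith("conn ")]


if __name__ == "__main__":
    print(expand_subnets("client", BASE_OPTIONS,
                         ["192.168.11.0/24", "10.10.0.0/16"]))
```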
