[Swan] road warrior to subnet-only configuration
Paul
paul at nohats.ca
Fri Nov 21 08:12:27 EET 2014
Did you try setting leftid=@your.dns.name
Sent from my iPhone
> On Nov 20, 2014, at 15:44, Ted Timmons <ted at perljam.net> wrote:
>
> Hi. I'm trying to set up swan. Networking has always been my weak
> skillset. I'm posting the config at the bottom, but know this is for
> AWS EC2 VPCs, I've disabled source/dest check, the sysctl items are
> correct. The idea is for the VPN to be used to connect to 172.xx IP
> addresses, and the VPN to not interfere otherwise.
>
> For testing, I'm using (very weak) PSK. It works to get the VPN up so
> I can get the routing sorted.
>
> I'd like the networking configuration to be on the swan side only. I
> know I need to use rightaddresspool to hand out a VPN IP to my road
> warriors, but that means I can't use rightsubnet, which is what seems
> correct to limit to the 172.xx range. (yes, it's slightly more
> specific than 172, using shorthand).
>
> Here's the config.
>
> $ cat /etc/ipsec.conf
> version 2.0
>
> config setup
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
> protostack=netkey
>
> conn xauth-psk
> authby=secret
> pfs=no
> auto=add
> rekey=no
> forceencaps=yes
> left=172.31.xx.yy # this is my server's internal IP and is correct
> rightaddresspool=172.31.47.1-172.31.47.254
> right=%any
> rightid=%fromcert
> rightrsasigkey=%cert
> modecfgdns1=172.31.0.2
> leftxauthserver=yes
> rightxauthclient=yes
> leftmodecfgserver=yes
> rightmodecfgclient=yes
> modecfgpull=yes
> xauthby=alwaysok
> ike-frag=yes
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
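As an added example that is not part of the thread (not Paul's or Ted's config), here is one way the posted conn could be reshaped to keep the road-warrior address pool while limiting the tunnel to the 172.x range from the swan side: the restriction goes on leftsubnet (the server's side) rather than rightsubnet, and Paul's leftid suggestion is included. 172.31.0.0/16 and vpn.example.com are placeholders for the poster's real VPC range and DNS name.

```ini
# Added example, not the poster's config. Placeholders: 172.31.0.0/16 for the
# VPC range, vpn.example.com for the server's DNS name, 172.31.xx.yy as posted.
conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    forceencaps=yes
    ike-frag=yes
    left=172.31.xx.yy
    # Paul's suggestion: a stable identity for the server instead of its
    # (NATed) address, so clients can match it regardless of the public IP
    leftid=@vpn.example.com
    # Server-side traffic selector: clients only send this range through the
    # tunnel; everything else keeps its normal path (split tunnel).
    # rightsubnet stays unset because rightaddresspool owns the client side.
    leftsubnet=172.31.0.0/16
    # Addresses handed to road warriors; keep this range free of real VPC hosts
    rightaddresspool=172.31.47.1-172.31.47.254
    right=%any
    # rightid=%fromcert and rightrsasigkey=%cert from the post are omitted:
    # they only apply to certificate authentication, not authby=secret
    modecfgdns1=172.31.0.2
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=alwaysok
```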