[Swan] road warrior to subnet-only configuration

Paul paul at nohats.ca
Fri Nov 21 08:12:27 EET 2014


Did you try setting leftid=@your.dns.name

> On Nov 20, 2014, at 15:44, Ted Timmons <ted at perljam.net> wrote:
> 
> Hi. I'm trying to set up swan. Networking has always been my weak
> skillset. I'm posting the config at the bottom, but know this is for
> AWS EC2 VPCs, I've disabled source/dest check, the sysctl items are
> correct. The idea is for the VPN to be used to connect to 172.xx IP
> addresses, and the VPN to not interfere otherwise.
> 
> For testing, I'm using (very weak) PSK. It works to get the VPN up so
> I can get the routing sorted.
> 
> I'd like the networking configuration to be on the swan side only. I
> know I need to use rightaddresspool to hand out a VPN IP to my road
> warriors, but that means I can't use rightsubnet, which is what seems
> correct to limit to the 172.xx range. (Yes, it's slightly more
> specific than 172; I'm using shorthand.)
> 
> Here's the config.
> 
> $ cat /etc/ipsec.conf
> version 2.0
> 
> config setup
>  nat_traversal=yes
>  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
>  protostack=netkey
> 
> conn xauth-psk
>    authby=secret
>    pfs=no
>    auto=add
>    rekey=no
>    forceencaps=yes
>    left=172.31.xx.yy # this is my server's internal IP and is correct
>    rightaddresspool=172.31.47.1-172.31.47.254
>    right=%any
>    rightid=%fromcert
>    rightrsasigkey=%cert
>    modecfgdns1=172.31.0.2
>    leftxauthserver=yes
>    rightxauthclient=yes
>    leftmodecfgserver=yes
>    rightmodecfgclient=yes
>    modecfgpull=yes
>    xauthby=alwaysok
>    ike-frag=yes
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
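One way to express the restriction Ted is after, added here as an illustration and not Paul's or Ted's own configuration: with an address pool in use, the client side of the tunnel is the pool address, so the reachable range is set on the server side with `leftsubnet` (the one key not in the original conn). It assumes the VPC range is 172.31.0.0/16 (the message only says "172.xx") and PSK authentication, so the certificate-only `rightid`/`rightrsasigkey` lines are omitted.

```ini
# Added illustration; assumes a 172.31.0.0/16 VPC and PSK (authby=secret).
conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    forceencaps=yes
    ike-frag=yes
    # The server's own address is elided in the original; %defaultroute
    # makes libreswan use the address of the default-route interface.
    left=%defaultroute
    # Server side of the tunnel: only this range is carried over the VPN,
    # so the client's other traffic is unaffected (split tunnel). This is
    # the counterpart of rightsubnet, which the pool replaces below.
    leftsubnet=172.31.0.0/16
    # Client side: each road warrior gets a /32 from the pool; the original
    # already draws it from the 172.31 space.
    right=%any
    rightaddresspool=172.31.47.1-172.31.47.254
    modecfgdns1=172.31.0.2
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    # Accepts any XAUTH username/password; fine while testing the routing,
    # but it must be replaced before the server carries real traffic.
    xauthby=alwaysok
```

Once a client connects, `ipsec status` shows the negotiated selectors, which should list 172.31.0.0/16 on the left and the client's pool /32 on the right.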