[Swan] routing across two tunnels

Bob Miller bob at computerisms.ca
Sun Jun 7 03:23:26 EEST 2015


Hi,

I am not sure if I am being dense and not seeing what is there, or if 
what I am looking for really isn't there.

I have a firewall running libreswan that has an ipsec/psk net2net tunnel 
configured between it and a sonicwall device.  This firewall also has 
multiple road warriors connecting to the local network behind it. 
Remote windows machines are configured with ikev2.

the gist:
192.168.0.0/24(sonicwall)<=>ETH0:libreswan:ETH1<=>192.168.25.0(LAN)
10.25.0.0/24(roadwarriors)<=^ ^=>Internet

each segment works fine;
remotelan<=>LAN, RW<=>LAN, Internet<=>LAN works great
RW<=>LAN, RW<=>Internet works great.
remotelan<=>internet doesn't work, which is great.

Now I want the roadwarriors to access the remote lan, but I can't seem 
to figure it out.

It happens I have another identical situation, with the singular 
difference that the road warriors are connecting via l2tp.  I have tried 
to get the same thing working on that one in the hopes that something 
about l2tp would magically work and grant me understanding.

I have been at it for a while now, it would be tough to list all I have 
done, but generally I started at iptables, thinking it would be a simple 
forwarding thing.  I made sure I wasn't nat'ing my traffic, forward 
rules are in place, etc.  maybe there is a problem there, but I don't 
see it if there is.

Next I played with left/rightsubnets (as opposed to singular subnet) as 
per what I found in the ipsec.conf man page.  I think I tried every 
combination at least twice, but nothing changed there.

I looked through more of the docs.  I found passthrough conns, which 
seem like what I might want, but the only examples I can find are for 
extruded subnets, where one side is a smaller subset of a larger subnet 
on the other side.  regardless, tried a bunch of ways to make that work 
but no success.  I also looked through the multi-net examples, but those 
seem related to klips, and I think I need to find and study the context 
of those examples to get value from them...

On google, I found a limited number of posts that discuss the topic.  In 
the posts that seemed relevant, I could follow the discussion, but in no 
cases could I translate the examples to a working config on this firewall.

I am not afraid to read and try and figure it out on my own, but I don't 
think I am reading the right stuff.  or if I am I haven't recognized it 
yet.  could someone kindly point me at the definitive thing I need to 
read and understand to achieve my goal?

-- 
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca


More information about the Swan mailing list