[Swan] routing across two tunnels

Bob Miller bob at computerisms.ca
Thu Jun 11 06:18:25 EEST 2015

Hi Nick,

thanks for your reply, and I apologize for my tardy response.

> Do you have a tunnel from your roadwarrior to Libreswan for the subnet
> I don't know the Windows client (or any ikev2 details
> therefore my knowledge is entirely theoretical) so I don't know if you
> can use left/rightsubnets in Libreswan or if you have to define two
> different tunnels.
> Similarly you will need a tunnel with subnets from and
> When negotiating these tunnels with the Sonicwall, do
> you see both coming up? Again, if the Sonicwall can't cope you may also
> need to define two separate tunnels from Libreswan.

Hm.  I think I see where you are going with this... the answer is that I 
have attempted to make such a tunnel with a passthrough conn, but I do 
not have a 3rd dedicated tunnel from roadwarrior to sonicwall.  If I did 
have a dedicated tunnel like that, would libreswan not then connect to 
that tunnel and make the LAN and internet inaccessible?  What I have 
(non-network details trimmed):

conn lan2sonic

conn rw-ikev2

A note regarding leftsubnet= this being my first attempt at 
ikev2, I found that the way I did it with l2tp (setting left subnet to 
be that of LAN and setting up iptables for forwarding) was insufficient. 
I forget what details I tripped on that clued me into trying, but when I did, internet works for roadwarriors without split 
tunnelling.  If I just set leftsubnet=, I get connection 
to the LAN, but no internet.

That said, I had no better success on a l2tp setup, but I was admittedly 
less aggressive in my attempts to get that one working.

I tried a lot of variations, but one example of my attempt with a 
passthrough conn:

conn rw-pass-vic

I tried in conn lan2sonic using


I also tried in conn rw-ikev2 using


Given that the leftsubnet on the ikev2 connection is, and the 
packets find their way to the network, I kind of think 
that packets for should similarly find their way on to 
the tunnel destined for the sonicwall, but tcpdump shows they head out 
to the internet.  Since my expectations were not met, I have just been 
trying stuff, hoping to make the light bulb go on.  Maybe I have had my 
conns right, but some other variable wrong.  This is why I am hoping to 
gain a better understanding of what is supposed to happen, maybe then I 
can figure out how to get there...

> From a different angle, what is your roadwarrior's local LAN subnet
> when performing these tests? If is then you have a big
> issue as both the local and (very) remote subnets are the same.

My roadwarrior is across the internet in a subnet, so 
should be no conflict there...

Thanks again for your response, Nick, really appreciate it...

>> Hi,
>> I am not sure if I am being dense and not seeing what is there, or if
>> what I am looking for really isn't there.
>> I have a firewall running libreswan that has an ipsec/psk net2net
>> tunnel configured between it and a sonicwall device.  This firewall
>> also has multiple road warriors connecting to the local network behind
>> it. Remote windows machines are configured with ikev2.
>> the gist:
>><=^ ^=>Internet
>> each segment works fine;
>> remotelan<=>LAN, RW<=>LAN, Internet<=>LAN works great
>> RW<=>LAN, RW<=>Internet works great.
>> remotelan<=>internet doesn't work, which is great.
>> Now I want the roadwarriors to access the remote lan, but I can't seem
>> to figure it out.
>> It happens I have another identical situation, with the singular
>> difference that the road warriors are connecting via l2tp.  I have
>> tried to get the same thing working on that one in the hopes that
>> something about l2tp would magically work and grant me understanding.
>> I have been at it for a while now, it would be tough to list all I
>> have done, but generally I started at iptables, thinking it would be a
>> simple forwarding thing.  I made sure I wasn't nat'ing my traffic,
>> forward rules are in place, etc.  maybe there is a problem there, but
>> I don't see it if there is.
>> Next I played with left/rightsubnets (as opposed to singular subnet)
>> as per what I found in the ipsec.conf man page.  I think I tried every
>> combination at least twice, but nothing changed there.
>> I looked through more of the docs.  I found passthrough conns, which
>> seem like what I might want, but the only examples I can find are for
>> extruded subnets, where one side is a smaller subset of a larger
>> subnet on the other side.  regardless, tried a bunch of ways to make
>> that work but no success.  I also looked through the multi-net
>> examples, but those seem related to klips, and I think I need to find
>> and study the context of those examples to get value from them...
>> On google, I found a limited number of posts that discuss the topic.
>> In the posts that seemed relevant, I could follow the discussion, but
>> in no cases could I translate the examples to a working config on this
>> firewall.
>> I am not afraid to read and try and figure it out on my own, but I
>> don't think I am reading the right stuff.  or if I am I haven't
>> recognized it yet.  could someone kindly point me at the definitive
>> thing I need to read and understand to achieve my goal?

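As an added example (not from this thread, and not Libreswan's own code) of why tcpdump shows the roadwarrior packets heading out to the internet: a small Python model of how a policy-based (XFRM) kernel picks an IPsec policy purely by src/dst selector, with the conn set before and after a pool-to-remote-LAN conn is added. All subnets are constructed placeholders, since the real ones are not preserved above.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder subnets; the real ones are not preserved in the thread.
LAN = "192.168.10.0/24"      # LAN behind the Libreswan firewall
REMOTE_LAN = "10.20.0.0/24"  # LAN behind the SonicWall
RW_POOL = "10.99.0.0/24"     # addresspool handed out to the IKEv2 roadwarriors
ANY = "0.0.0.0/0"

def policy(conn, src, dst):
    """One outbound IPsec policy as the kernel (XFRM) sees it: a src/dst selector pair."""
    return {"conn": conn, "src": ip_network(src), "dst": ip_network(dst)}

def lookup(policies, src, dst):
    """Name the conn whose policy covers a src->dst packet, or None if it goes in the clear.

    After a roadwarrior packet is decapsulated and forwarded, the kernel matches it
    against the installed outbound policies by selector only; on a policy-based
    (XFRM) setup the routing table and iptables FORWARD rules do not choose a
    tunnel.  Specificity is modelled as total prefix length, so the most specific
    matching selector pair wins.
    """
    s, d = ip_address(src), ip_address(dst)
    hits = [p for p in policies if s in p["src"] and d in p["dst"]]
    if not hits:
        return None
    return max(hits, key=lambda p: p["src"].prefixlen + p["dst"].prefixlen)["conn"]

# The two conns from the thread: net-to-net to the SonicWall, and the IKEv2
# roadwarrior conn offering the whole internet (leftsubnet=0.0.0.0/0).
BEFORE = [
    policy("lan2sonic", LAN, REMOTE_LAN),
    policy("rw-ikev2", ANY, RW_POOL),
]

# Same, plus a conn whose selectors carry pool addresses over the SonicWall tunnel
# (hypothetical name "rw2sonic").  The SonicWall must be configured with the
# mirror-image selectors, or that child SA is never negotiated and replies from
# REMOTE_LAN to the pool are not accepted on that side either.
AFTER = BEFORE + [policy("rw2sonic", RW_POOL, REMOTE_LAN)]

if __name__ == "__main__":
    for label, pols in (("before", BEFORE), ("after", AFTER)):
        print(label, "roadwarrior -> remote LAN:", lookup(pols, "10.99.0.5", "10.20.0.7"))
        print(label, "remote LAN  -> roadwarrior:", lookup(pols, "10.20.0.7", "10.99.0.5"))
```

Before the extra conn, the pool-to-remote-LAN packet matches no selector and is routed by the default route in the clear, which is exactly the tcpdump observation; after it, the packet is bound to the SonicWall tunnel.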
