[Swan] routing across two tunnels
Bob Miller
bob at computerisms.ca
Thu Jun 11 06:18:25 EEST 2015
Hi Nick,
thanks for your reply, and I apologize for my tardy response.
> Do you have a tunnel from your roadwarrior to Libreswan for the subnet
> 192.168.0.0/24? I don't know the Windows client (or any ikev2 details
> therefore my knowledge is entirely theoretical) so I don't know if you
> can use left/rightsubnets in Libreswan or if you have to define two
> different tunnels.
>
> Similarly you will need a tunnel with subnets from 10.25.0.0/24 and
> 192.168.25.0/24. When negotiating these tunnels with the Sonicwall, do
> you see both coming up? Again, if the Sonicwall can't cope you may also
> need to define two separate tunnels from Libreswan.
Hm. I think I see where you are going with this... the answer is that I
have attempted to make such a tunnel with a passthrough conn, but I do
not have a 3rd dedicated tunnel from roadwarrior to sonicwall. If I did
have a dedicated tunnel like that, would libreswan not then connect to
that tunnel and make the LAN and internet inaccessible? What I have
(non-network details trimmed):
conn lan2sonic
    left=199.247.233.69
    leftsubnet=192.168.25.0/24
    leftnexthop=%defaultroute
    right=184.69.103.190
    rightsubnet=192.168.0.0/24
    rightnexthop=%defaultroute

conn rw-ikev2
    left=199.247.233.69
    leftsubnet=0.0.0.0/0
    right=%any
    rightaddresspool=10.25.0.2-10.25.0.20
A note regarding leftsubnet=0.0.0.0/0: this being my first attempt at
ikev2, I found that the way I did it with l2tp (setting left subnet to
be that of LAN and setting up iptables for forwarding) was insufficient.
I forget what details I tripped on that clued me into trying
0.0.0.0/0, but when I did, internet works for roadwarriors without split
tunnelling. If I just set leftsubnet=192.168.25.0/24, I get connection
to the LAN, but no internet.
That said, I had no better success on an l2tp setup, but I was admittedly
less aggressive in my attempts to get that one working.
I tried a lot of variations, but one example of my attempt with a
passthrough conn:
conn rw-pass-vic
    left=%any
    leftsubnet=10.25.0.0/24
    right=184.69.103.190
    rightsubnet=192.168.0.0/24

I tried in conn lan2sonic using
    leftsubnets=192.168.25.0/24, 10.25.0.0/24

I also tried in conn rw-ikev2 using
    leftsubnets=0.0.0.0/0, 192.168.0.0/24
Given that the leftsubnet on the ikev2 connection is 0.0.0.0/0, and the
packets find their way to the 192.168.25.0/24 network, I kind of think
that packets for 192.168.0.0/24 should similarly find their way on to
the tunnel destined for the sonicwall, but tcpdump shows they head out
to the internet. Since my expectations were not met, I have just been
trying stuff, hoping to make the light bulb go on. Maybe I have had my
conns right, but some other variable wrong. This is why I am hoping to
gain a better understanding of what is supposed to happen, maybe then I
can figure out how to get there...
> From a different angle, what is your roadwarrior's local LAN subnet
> when performing these tests? If is 192.168.0.0/24 then you have a big
> issue as both the local and (very) remote subnets are the same.
My roadwarrior is across the internet in a subnet 192.168.26.0/24, so
should be no conflict there...
Thanks again for your response, Nick, really appreciate it...
>
> Regards,
>
> Nick
>
> On 2015-06-07 01:23, Bob Miller wrote:
>> Hi,
>>
>> I am not sure if I am being dense and not seeing what is there, or if
>> what I am looking for really isn't there.
>>
>> I have a firewall running libreswan that has an ipsec/psk net2net
>> tunnel configured between it and a sonicwall device. This firewall
>> also has multiple road warriors connecting to the local network behind
>> it. Remote windows machines are configured with ikev2.
>>
>> the gist:
>> 192.168.0.0/24(sonicwall)<=>ETH0:libreswan:ETH1<=>192.168.25.0(LAN)
>> 10.25.0.0/24(roadwarriors)<=^ ^=>Internet
>>
>> each segment works fine;
>> remotelan<=>LAN, RW<=>LAN, Internet<=>LAN works great
>> RW<=>LAN, RW<=>Internet works great.
>> remotelan<=>internet doesn't work, which is great.
>>
>> Now I want the roadwarriors to access the remote lan, but I can't seem
>> to figure it out.
>>
>> It happens I have another identical situation, with the singular
>> difference that the road warriors are connecting via l2tp. I have
>> tried to get the same thing working on that one in the hopes that
>> something about l2tp would magically work and grant me understanding.
>>
>> I have been at it for a while now, it would be tough to list all I
>> have done, but generally I started at iptables, thinking it would be a
>> simple forwarding thing. I made sure I wasn't NATing my traffic,
>> forward rules are in place, etc. maybe there is a problem there, but
>> I don't see it if there is.
>>
>> Next I played with left/rightsubnets (as opposed to singular subnet)
>> as per what I found in the ipsec.conf man page. I think I tried every
>> combination at least twice, but nothing changed there.
>>
>> I looked through more of the docs. I found passthrough conns, which
>> seem like what I might want, but the only examples I can find are for
>> extruded subnets, where one side is a smaller subset of a larger
>> subnet on the other side. regardless, tried a bunch of ways to make
>> that work but no success. I also looked through the multi-net
>> examples, but those seem related to klips, and I think I need to find
>> and study the context of those examples to get value from them...
>>
>> On google, I found a limited number of posts that discuss the topic.
>> In the posts that seemed relevant, I could follow the discussion, but
>> in no cases could I translate the examples to a working config on this
>> firewall.
>>
>> I am not afraid to read and try and figure it out on my own, but I
>> don't think I am reading the right stuff. or if I am I haven't
>> recognized it yet. could someone kindly point me at the definitive
>> thing I need to read and understand to achieve my goal?
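The question Bob keeps returning to is "what is supposed to happen" to a packet from a roadwarrior that is addressed to the Sonicwall's LAN. The short answer is that a decrypted packet is matched against the kernel's outbound IPsec policies (the SPD) by its source and destination selector, and if no policy covers the pair it is simply routed, which on this box means the default route to the internet. The following script is an added illustration, not code from the thread or from Libreswan; it models the outbound policies that the conns in this thread install (one selector per leftsubnet/rightsubnet pair, with the roadwarrior conn narrowed to the single pool address the client received, 10.25.0.2 here as an assumption) and shows which conn, if any, would carry a given packet. The "with pool" variant adds 10.25.0.0/24 to the net2net conn's left side; that is the change this model says is needed, assuming the Sonicwall will negotiate the second selector.

```python
import ipaddress

# Constructed model of the outbound SPD that Libreswan installs on the hub.
# Each conn contributes one outbound policy per (leftsubnet, rightsubnet) pair.
# Priority: the most specific selector wins, approximating the priorities
# Libreswan derives from prefix length.


def policies_from_conns(conns):
    """Expand (name, left_subnets, right_subnets) triples into outbound policies."""
    spd = []
    for name, left_subnets, right_subnets in conns:
        for ls in left_subnets:
            for rs in right_subnets:
                spd.append((name,
                            ipaddress.ip_network(ls, strict=False),
                            ipaddress.ip_network(rs, strict=False)))
    return spd


def lookup(spd, src, dst):
    """Return the conn whose outbound selector covers (src, dst).

    None means no IPsec policy matched: the kernel forwards the packet in the
    clear via the routing table, which is what tcpdump showed in the thread.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    best = None
    for name, s_net, d_net in spd:
        if src in s_net and dst in d_net:
            specificity = s_net.prefixlen + d_net.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, name)
    return best[1] if best else None


# The conns as posted. 10.25.0.2/32 stands for one connected roadwarrior
# (assumption: the first address handed out from rightaddresspool).
AS_POSTED = [
    ("lan2sonic", ["192.168.25.0/24"], ["192.168.0.0/24"]),
    ("rw-ikev2", ["0.0.0.0/0"], ["10.25.0.2/32"]),
]

# Same, with the roadwarrior pool added as a second left subnet on the
# net2net conn so that roadwarrior -> Sonicwall LAN has a policy to hit.
WITH_POOL = [
    ("lan2sonic", ["192.168.25.0/24", "10.25.0.0/24"], ["192.168.0.0/24"]),
    ("rw-ikev2", ["0.0.0.0/0"], ["10.25.0.2/32"]),
]


def trace(conns, src, dst):
    """Human-readable decision for one packet leaving the hub."""
    conn = lookup(policies_from_conns(conns), src, dst)
    path = f"encrypted via conn {conn}" if conn else "no policy: plain routing (default route)"
    return f"{src} -> {dst}: {path}"


if __name__ == "__main__":
    for label, conns in (("as posted", AS_POSTED), ("with pool on lan2sonic", WITH_POOL)):
        print(f"== {label} ==")
        print(trace(conns, "192.168.25.10", "192.168.0.5"))  # LAN -> Sonicwall LAN
        print(trace(conns, "10.25.0.2", "192.168.25.10"))   # RW -> LAN (return leg)
        print(trace(conns, "10.25.0.2", "192.168.0.5"))     # RW -> Sonicwall LAN
        print(trace(conns, "192.168.0.5", "10.25.0.2"))     # Sonicwall LAN -> RW
        print(trace(conns, "10.25.0.2", "198.51.100.7"))    # RW -> internet
```

Two things follow from the model. First, leftsubnet=0.0.0.0/0 on rw-ikev2 only governs traffic whose selector has the roadwarrior's pool address on the far side; it says nothing about traffic from the pool towards 192.168.0.0/24, so a second selector has to exist on the net2net conn (in the braced form the ipsec.conf man page documents, e.g. leftsubnets={192.168.25.0/24 10.25.0.0/24}, which Libreswan expands into one child SA per pair). Second, the Sonicwall must accept that extra 10.25.0.0/24 <-> 192.168.0.0/24 Phase 2 and route 10.25.0.0/24 back into the tunnel; if it does not, the return leg fails even though the hub's policy looks right. On the Libreswan host, `ip xfrm policy` lists the installed selectors and is the quickest way to confirm which of the two states above the kernel is actually in.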
More information about the Swan mailing list