[Swan] routing across two tunnels

Bob Miller bob at computerisms.ca
Thu Jun 11 06:18:25 EEST 2015


Hi Nick,

thanks for your reply, and I apologize for my tardy response.

> Do you have a tunnel from your roadwarrior to Libreswan for the subnet
> 192.168.0.0/24? I don't know the Windows client (or any ikev2 details
> therefore my knowledge is entirely theoretical)so I don't know if you
> can use left/rightsubnets in Libreswan or if you have to define two
> different tunnels.
>
> Similarly you will need a tunnel with subnets from 10.25.0.0/24 and
> 192.168.25.0/24. When negotiating these tunnels with the Sonicwall, do
> you see both coming up? Again, if the Sonicwall can't cope you may also
> need to define two separate tunnels from Libreswan.

Hm.  I think I see where you are going with this... the answer is that I 
have attempted to make such a tunnel with a passthrough conn, but I do 
not have a 3rd dedicated tunnel from roadwarrior to sonicwall.  If I did 
have a dedicated tunnel like that, would libreswan not then connect to 
that tunnel and make the LAN and internet inaccessible?  What I have 
(non-network details trimmed):

conn lan2sonic
    left=199.247.233.69
    leftsubnet=192.168.25.0/24
    leftnexthop=%defaultroute
    right=184.69.103.190
    rightsubnet=192.168.0.0/24
    rightnexthop=%defaultroute

conn rw-ikev2
    left=199.247.233.69
    leftsubnet=0.0.0.0/0
    right=%any
    rightaddresspool=10.25.0.2-10.25.0.20

A note regarding leftsubnet=0.0.0.0/0: this being my first attempt at 
ikev2, I found that the way I did it with l2tp (setting left subnet to 
be that of LAN and setting up iptables for forwarding) was insufficient. 
I forget what details I tripped on that clued me into trying 
0.0.0.0/0, but when I did, internet works for roadwarriors without split 
tunnelling.  If I just set leftsubnet=192.168.25.0/24, I get connection 
to the LAN, but no internet.

That said, I had no better success on an l2tp setup, but I was admittedly 
less aggressive in my attempts to get that one working.

I tried a lot of variations, but one example of my attempt with a 
passthrough conn:

conn rw-pass-vic
    left=%any
    leftsubnet=10.25.0.0/24
    right=184.69.103.190
    rightsubnet=192.168.0.0/24

I tried in conn lan2sonic using

leftsubnets=192.168.25.0/24, 10.25.0.0/24

I also tried in conn rw-ikev2 using

leftsubnets=0.0.0.0/0, 192.168.0.0/24

Given that the leftsubnet on the ikev2 connection is 0.0.0.0/0, and the 
packets find their way to the 192.168.25.0/24 network, I kind of think 
that packets for 192.168.0.0/24 should similarly find their way on to 
the tunnel destined for the sonicwall, but tcpdump shows they head out 
to the internet.  Since my expectations were not met, I have just been 
trying stuff, hoping to make the light bulb go on. Maybe I have had my 
conns right, but some other variable wrong.  This is why I am hoping to 
gain a better understanding of what is supposed to happen, maybe then I 
can figure out how to get there...

> From a different angle, what is your roadwarrior's local LAN subnet
> when performing these tests? If it is 192.168.0.0/24 then you have a big
> issue as both the local and (very) remote subnets are the same.

My roadwarrior is across the internet in a subnet 192.168.26.0/24, so 
should be no conflict there...

Thanks again for your response, Nick, really appreciate it...

>
> Regards,
>
> Nick
>
> On 2015-06-07 01:23, Bob Miller wrote:
>> Hi,
>>
>> I am not sure if I am being dense and not seeing what is there, or if
>> what I am looking for really isn't there.
>>
>> I have a firewall running libreswan that has an ipsec/psk net2net
>> tunnel configured between it and a sonicwall device.  This firewall
>> also has multiple road warriors connecting to the local network behind
>> it. Remote windows machines are configured with ikev2.
>>
>> the gist:
>> 192.168.0.0/24(sonicwall)<=>ETH0:libreswan:ETH1<=>192.168.25.0(LAN)
>> 10.25.0.0/24(roadwarriors)<=^ ^=>Internet
>>
>> each segment works fine;
>> remotelan<=>LAN, RW<=>LAN, Internet<=>LAN works great
>> RW<=>LAN, RW<=>Internet works great.
>> remotelan<=>internet doesn't work, which is great.
>>
>> Now I want the roadwarriors to access the remote lan, but I can't seem
>> to figure it out.
>>
>> It happens I have another identical situation, with the singular
>> difference that the road warriors are connecting via l2tp.  I have
>> tried to get the same thing working on that one in the hopes that
>> something about l2tp would magically work and grant me understanding.
>>
>> I have been at it for a while now, it would be tough to list all I
>> have done, but generally I started at iptables, thinking it would be a
>> simple forwarding thing.  I made sure I wasn't nat'ing my traffic,
>> forward rules are in place, etc.  maybe there is a problem there, but
>> I don't see it if there is.
>>
>> Next I played with left/rightsubnets (as opposed to singular subnet)
>> as per what I found in the ipsec.conf man page.  I think I tried every
>> combination at least twice, but nothing changed there.
>>
>> I looked through more of the docs.  I found passthrough conns, which
>> seem like what I might want, but the only examples I can find are for
>> extruded subnets, where one side is a smaller subset of a larger
>> subnet on the other side.  regardless, tried a bunch of ways to make
>> that work but no success.  I also looked through the multi-net
>> examples, but those seem related to klips, and I think I need to find
>> and study the context of those examples to get value from them...
>>
>> On google, I found a limited number of posts that discuss the topic.
>> In the posts that seemed relevant, I could follow the discussion, but
>> in no cases could I translate the examples to a working config on this
>> firewall.
>>
>> I am not afraid to read and try and figure it out on my own, but I
>> don't think I am reading the right stuff.  or if I am I haven't
>> recognized it yet.  could someone kindly point me at the definitive
>> thing I need to read and understand to achieve my goal?
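An added model (not from this thread or from Libreswan itself) of the selector check that decides which tunnel, if any, a forwarded packet takes on the Libreswan box; it reproduces what the tcpdump shows for the conns as posted and what changes once lan2sonic also carries the 10.25.0.0/24 pool, as Nick suggests. Addresses are the thread's; the per-client lease 10.25.0.5 and the simplified longest-match rule are assumptions.

```python
import ipaddress
from itertools import product


def expand(conn):
    """Expand a conn into (name, leftsubnet, rightsubnet) policy tuples.
    leftsubnets/rightsubnets yield the cross product, one policy per pair."""
    lefts = conn.get("leftsubnets") or [conn.get("leftsubnet", "0.0.0.0/0")]
    rights = conn.get("rightsubnets") or [conn.get("rightsubnet", "0.0.0.0/0")]
    return [(conn["name"], ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l, r in product(lefts, rights)]


def select_tunnel(conns, src, dst):
    """Return the conn whose left/right selectors cover src->dst (most
    specific pair wins; assumption, a simplification of the kernel SPD).
    None means no IPsec policy matched: the packet is plain-routed, which
    on this firewall is the default route to the Internet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for name, left, right in (p for c in conns for p in expand(c)):
        if s in left and d in right:
            score = left.prefixlen + right.prefixlen
            if best is None or score > best[0]:
                best = (score, name)
    return best[1] if best else None


# Conns as posted in the thread (non-network details omitted).
# rw-ikev2 is instantiated per client; 10.25.0.5 stands in for one pool lease.
POSTED = [
    {"name": "lan2sonic", "leftsubnet": "192.168.25.0/24",
     "rightsubnet": "192.168.0.0/24"},
    {"name": "rw-ikev2", "leftsubnet": "0.0.0.0/0", "rightsubnet": "10.25.0.5/32"},
]
# Same, but lan2sonic also carries the roadwarrior pool toward the Sonicwall.
EXTENDED = [
    {"name": "lan2sonic", "leftsubnets": ["192.168.25.0/24", "10.25.0.0/24"],
     "rightsubnet": "192.168.0.0/24"},
    {"name": "rw-ikev2", "leftsubnet": "0.0.0.0/0", "rightsubnet": "10.25.0.5/32"},
]

if __name__ == "__main__":
    for label, conns in (("posted", POSTED), ("extended", EXTENDED)):
        print(label, "LAN->Sonicwall:", select_tunnel(conns, "192.168.25.10", "192.168.0.10"))
        print(label, "RW->Sonicwall: ", select_tunnel(conns, "10.25.0.5", "192.168.0.10"))
        print(label, "LAN->RW:       ", select_tunnel(conns, "192.168.25.10", "10.25.0.5"))
```

The second policy pair only helps if the Sonicwall accepts a child SA for 10.25.0.0/24 <=> 192.168.0.0/24; if it rejects it, a separate conn for that pair is the alternative Nick mentions.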