[Swan] Problem with subnet-to-subnet setup behind NAT'ed networks
Matt Rogers
mrogers at redhat.com
Thu Feb 11 14:48:07 UTC 2016
----- Original Message -----
> From: "Jacob Vind" <libreswan at harm.dk>
> To: swan at lists.libreswan.org
> Sent: Thursday, February 11, 2016 7:59:01 AM
> Subject: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks
>
> Hi,
>
> I really hope we can get some help. We are trying to set up a
> subnet-to-subnet Libreswan-based IPsec connection between two sites of
> ours, but we are having problems with it: we can get it to start up and
> work for a while (the time varies from a few minutes to hours). I hope
> someone will help review the config and log and come with suggestions.
>
> First a simple network diagram of the setup can be seen here:
> https://www.evernote.com/l/AR8bgtmQgg5B0oT3ZWWdgQ2DL5_I-I7HqKA
>
> I figure that might make it easier to understand the setup. As you can
> see, we operate with two private subnets on each side. Below are the
> Libreswan configs from the left and right sides (just edited so the
> public IP is not visible and the key is not shown in full):
>
>
> LEFT:
>
> --- BEGIN ---
> conn adsubnets
>     also=sj-dtu-tunnel
>     leftsubnet=172.16.1.0/24
>     leftsourceip=172.16.1.253
>     rightsubnet=172.16.0.0/24
>     rightsourceip=172.16.0.253
>     forceencaps=yes
>     nat-keepalive=yes
>
> conn sj-dtu-tunnel
>     leftid=@SJ
>     left=192.168.3.212
>     leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
>     rightid=@DTU
>     right=77.X.X.X
>     rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
>     authby=rsasig
>     # load and initiate automatically
>     auto=start
> --- END ---
>
> The default gw of this machine is 192.168.3.254
>
>
> RIGHT:
>
>
> --- BEGIN ---
> conn adsubnets
>     also=sj-dtu-tunnel
>     leftsubnet=172.16.1.0/24
>     leftsourceip=172.16.1.253
>     rightsubnet=172.16.0.0/24
>     rightsourceip=172.16.0.253
>     forceencaps=yes
>     nat-keepalive=yes
>
> conn sj-dtu-tunnel
>     leftid=@SJ
>     left=70.X.X.X
>     leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
>     rightid=@DTU
>     right=192.168.13.238
>     rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
>     authby=rsasig
>     # load and initiate automatically
>     auto=start
> --- END ---
>
You should try adding DPD settings to your config. Specifically,
dpdaction=restart, which will try to renegotiate if there's an
interruption that goes past the dpdtimeout value.
Regards,
Matt
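A worked version of the DPD change suggested in the reply above, as an added example that is not part of the original thread. It shows the left side's sj-dtu-tunnel conn with Dead Peer Detection options added; the adsubnets conn picks them up through also=sj-dtu-tunnel, and the same three lines would go into the right side's copy of the conn. The dpddelay and dpdtimeout values are assumed here for illustration, not taken from the thread.

```conf
# Left side, sj-dtu-tunnel with Dead Peer Detection added.
# Added example; the DPD interval values are assumptions, not from the thread.
conn sj-dtu-tunnel
    leftid=@SJ
    left=192.168.3.212
    leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
    rightid=@DTU
    right=77.X.X.X
    rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
    authby=rsasig
    # Dead Peer Detection (RFC 3706): after dpddelay seconds without traffic
    # from the peer, send an R_U_THERE probe; if neither traffic nor an
    # R_U_THERE_ACK arrives within dpdtimeout seconds, declare the peer dead
    # and take dpdaction.
    dpddelay=30
    dpdtimeout=120
    # restart: renegotiate the tunnel immediately, instead of the default
    # hold (keep the route, renegotiate only when traffic appears) or
    # clear (drop the route and the SA).
    dpdaction=restart
    # load and initiate automatically
    auto=start
```

Note that the existing forceencaps=yes and nat-keepalive=yes only keep the UDP 4500 mapping open in the two NAT devices; they do not detect that the other end has stopped answering, which is what DPD adds. After reloading with `ipsec auto --replace sj-dtu-tunnel` on each side, `ipsec auto --status` lists the connection's dpd action, delay and timeout, which is a quick way to confirm both sides loaded the same settings.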