[Swan] Problem with subnet-to-subnet setup behind NAT'ed networks

Matt Rogers mrogers at redhat.com
Thu Feb 11 14:48:07 UTC 2016



----- Original Message -----
> From: "Jacob Vind" <libreswan at harm.dk>
> To: swan at lists.libreswan.org
> Sent: Thursday, February 11, 2016 7:59:01 AM
> Subject: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks
> 
> Hi,
> 
> I really hope we can get some help. We are trying to set up a
> subnet-to-subnet Libreswan based IPSEC connection between two sites of
> ours, but we are having problems with it: we can get it to start up and
> work for a while (the time varies from a few minutes to hours). I hope
> someone will help review the config and log and come up with suggestions.
> 
> First a simple network diagram of the setup can be seen here:
> https://www.evernote.com/l/AR8bgtmQgg5B0oT3ZWWdgQ2DL5_I-I7HqKA
> 
> I figure that might make it easier to understand the setup. As you can
> see we operate with two private subnets on each side. Below are the libreswan
> configs from the left and right sides (just edited so the public IP is not
> visible, and not the entire key):
> 
> 
> LEFT:
> 
> --- BEGIN ---
> conn adsubnets
>      also=sj-dtu-tunnel
>      leftsubnet=172.16.1.0/24
>      leftsourceip=172.16.1.253
>      rightsubnet=172.16.0.0/24
>      rightsourceip=172.16.0.253
>      forceencaps=yes
>      nat-keepalive=yes
> 
> conn sj-dtu-tunnel
>      leftid=@SJ
>      left=192.168.3.212
>      leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
>      rightid=@DTU
>      right=77.X.X.X
>      rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
>      authby=rsasig
>      # load and initiate automatically
>      auto=start
> --- END ---
> 
> The default gw of this machine is 192.168.3.254
> 
> 
> RIGHT:
> 
> 
> --- BEGIN ---
> conn adsubnets
>      also=sj-dtu-tunnel
>      leftsubnet=172.16.1.0/24
>      leftsourceip=172.16.1.253
>      rightsubnet=172.16.0.0/24
>      rightsourceip=172.16.0.253
>      forceencaps=yes
>      nat-keepalive=yes
> 
> conn sj-dtu-tunnel
>      leftid=@SJ
>      left=70.X.X.X
>      leftrsasigkey=0sAQOkPvSdH [...] NzpthMaVxQ==
>      rightid=@DTU
>      right=192.168.13.238
>      rightrsasigkey=0sAQOx3MfD [...] oJGYM1tc5cJB
>      authby=rsasig
>      # load and initiate automatically
>      auto=start
> --- END ---
> 

You should try adding DPD settings to your config. Specifically
dpdaction=restart which will try to renegotiate if there's an 
interruption that goes past the dpdtimeout value.

Regards,
Matt
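As an added illustration (not part of Matt's reply or the original configs), this is how the poster's adsubnets conn would look with the DPD settings Matt describes. The dpddelay and dpdtimeout values are assumed example values, not ones the thread specifies.

```conf
# Added example: the poster's adsubnets conn with Dead Peer Detection enabled.
# Original settings are kept; the three dpd* lines are the addition.
conn adsubnets
     also=sj-dtu-tunnel
     leftsubnet=172.16.1.0/24
     leftsourceip=172.16.1.253
     rightsubnet=172.16.0.0/24
     rightsourceip=172.16.0.253
     forceencaps=yes
     nat-keepalive=yes
     # Send an IKE liveness probe every 30 seconds (assumed example value).
     dpddelay=30
     # Declare the peer dead after 120 seconds without a reply (assumed example value).
     dpdtimeout=120
     # When the peer is declared dead, tear down the SA and renegotiate the tunnel.
     dpdaction=restart
```

The same three dpd* lines belong in both the LEFT and RIGHT configs so that either side can detect the interruption and re-initiate.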
