[Swan] Host to subnet setup ?

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Thu Mar 31 15:39:00 UTC 2016

On Thu, Mar 31, 2016 at 04:24:13PM +0100, Glenn Pierce wrote:
> Hi
> I am new to libreswan and I am having a little trouble with the config.
> Bascally I want to accesss a private network from a
> public server. Ie
> Host to subnet but I can find examples for that setup.
> The public server is a standard Linux server (Centos7). The private
> network will have a MiKroTik router as the VPN Gateway.
> Before setting up for real I am testing at my house. So I have the
> added complication of being stuck behind my isp router.
> I have placed the MiKroTik router (first gateway) in a DMZ and
> configured my home isp router to forward all traffic to the
> MiKroTik gateway.

Forwarding is still NAT and IPsec generally HATES NAT.

At least make sure you have configured everything for the fact you are
going through NAT on one end.  This probably means you need to use RSA
keys or certificates and not IP addresses to identify the connection on
each end, since the IP of your MiKroTik is not actually the IP that the
centos server sees traffic coming from.

> The following image shows this setup better
> I have started with a site to site config and have something like this
> conn tunnel
>     left=       # External isp assigned address
>     right=         # Public server IP
>     authby=secret
>     # load and initiate automatically
>     auto=start
> conn private
>     also=tunnel
>     leftsubnet=             # Private network side of
> Mikrotik router
>     rightsubnet=   # "Public" size of Mikrotik router
> conn server
>     also=tunnel
> So is the external ip of the MikroTik router (assigned
> from my ISP router)
> I just get lots of STATE_MAIN_I3: retransmission; will wait 500ms for
> response etc
> when bringing up the connection.
> I sure I should have more in the conn server section as well.
> Any advice would be great thanks.

Len Sorensen

More information about the Swan mailing list