[Swan] no work - Subnet extrusion - in CentOS 6.8

Paul Wouters paul at nohats.ca
Mon Jul 25 07:58:24 UTC 2016


On Mon, 25 Jul 2016, Sergey Mihailov wrote:

> ---
> conn mytunnel
>     leftid=@off1.net.prn.int
>     left=192.168.121.17
>     leftsourceip=192.168.129.254
>     leftsubnets={192.168.129.0/24 192.168.128.0/24} # <--- ? (subnets)

Do not use XXXsourceip= when using XXXsubnetS= because the sourceip can only
refer to one subnet.

Why are you not using 192.168.128/23 instead of 192.168.129.0/24 +
192.168.128.0/24 ?

> conn 129-exclude
>     left=0.0.0.0 # <---- ? (left)
>     leftsubnet=192.168.129.0/24
>     right=192.168.129.254
>     rightsubnet=192.168.129.0/24
>     authby=never
>     type=passthrough
>     auto=route
> 
> conn 128-exclude
>     left=192.168.128.250
>     leftsubnet=192.168.128.0/24
>     right=0.0.0.0  # <----- ? (right)
>     rightsubnet=192.168.128.0/24
>     authby=never
>     type=passthrough
>     auto=route

Seems okay,

> 
> It does not really work in CentOS 6.8 + updates.
> I see: https://libreswan.org/wiki/Subnet_extrusion
> ...
> 
> conn branch1 # <--- ? ( branch1 )
>     left=1.2.3.4
>     leftid=@headoffice
>     leftsubnet=0.0.0.0/0
>     leftrsasigkey=0sA[...]
>     #
>     right=10.11.12.13
>     rightid=@branch2 # <---- ? ( branch2 )
>     rightsubnet=10.0.1.0/24
>     rightrsasigkey=0sAYYYY[...]
>     #
>     auto=start
>     authby=rsasigkey
> 
> conn passthrough
>     left=1.2.3.4  # <--- ? ( from headoffice)

The passthrough goes on your branch office. In this case left= is the
branch and right is the world. So left should be a local ip on your
branch IPsec gateway. You could probably use left=%defaultroute.

>     right=0.0.0.0
>     leftsubnet=10.0.1.0/24 # <--- ? ( from branch2 )
>     rightsubnet=10.0.1.0/24

Yes left and right subnet are the same. It should be the local network.
Once you have the real ipsec connection from your local networks to
"everything" installed, you need to exclude traffic from the local
network to the local network to remain local and not be sent to the
remote location. So this is that override.

>     authby=never
>     type=passthrough
>     auto=route

Paul
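Added example (not Libreswan code, and not from the thread): a small checker that models the three points above. It flags sourceip= combined with several subnets, collapses the two adjacent /24s into the /23 Paul suggests, and picks the most specific selector pair to show why the local-to-local passthrough wins over the 0.0.0.0/0 tunnel. The policy list and conn dict are constructed sample input; the narrowest-selector rule is a simplified model of the kernel policy priority, not Libreswan's exact ordering.

```python
import ipaddress

# Constructed: selector pairs a branch gateway ends up with after loading
# conn branch1 (local /24 -> everything) and conn passthrough (local -> local).
POLICIES = [
    ("10.0.1.0/24", "0.0.0.0/0", "tunnel"),         # conn branch1
    ("10.0.1.0/24", "10.0.1.0/24", "passthrough"),  # conn passthrough override
]


def select_policy(src_ip, dst_ip, policies=POLICIES):
    """Return the action of the narrowest matching selector pair (or 'clear').
    Simplified model: the pair with the longest combined prefix wins, which is
    why local/24 -> local/24 overrides local/24 -> 0.0.0.0/0."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for s, d, action in policies:
        sn, dn = ipaddress.ip_network(s), ipaddress.ip_network(d)
        if src in sn and dst in dn:
            specificity = sn.prefixlen + dn.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, action)
    return best[1] if best else "clear"


def collapse_subnets(subnets):
    """Merge adjacent networks: the two /24s from the thread become one /23."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def lint_conn(conn):
    """Flag the two mistakes from the thread in a dict of ipsec.conf keys.
    (Hypothetical checker; Libreswan has no such function.)"""
    problems = []
    subnets = conn.get("leftsubnets", "").strip("{}").split()
    if "leftsourceip" in conn and len(subnets) > 1:
        problems.append("leftsourceip= cannot refer to more than one subnet; "
                        "do not combine it with leftsubnets=")
    collapsed = collapse_subnets(subnets)
    if subnets and len(collapsed) < len(subnets):
        problems.append("leftsubnets=%s could be leftsubnet=%s"
                        % (" ".join(subnets), " ".join(collapsed)))
    return problems


if __name__ == "__main__":
    print(select_policy("10.0.1.5", "10.0.1.9"), select_policy("10.0.1.5", "198.51.100.7"))
    print(lint_conn({"leftsourceip": "192.168.129.254",
                     "leftsubnets": "{192.168.129.0/24 192.168.128.0/24}"}))
```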

