[Swan] How to handle multiple networks on both ends?

Paul Wouters paul at nohats.ca
Fri Jan 20 04:48:05 UTC 2017


On Thu, 19 Jan 2017, Xinwei Hong wrote:

> Another question. If I have multiple networks on both sides of the ipsec
> tunnel, I assume we would need to use leftsubnets/rightsubnets to specify
> multiple networks. However, in my last email, we found that
> leftsourceip/rightsourceip are required. Since we have multiple networks
> now, what address should be used as the sourceip?

If you need to access more remote subnets on the remote end from the
local server itself, you have two choices:

- Add host-subnet connections, like:

conn subnet1
	left=a.b.c.d
	right=e.f.g.h
	leftsubnets=X.0.0.0/8,Y.0.0.0/8
	rightsubnets=W.0.0.0/8,Z.0.0.0/8
	[...]

conn host-subnet1
	left=a.b.c.d
	right=e.f.g.h
	rightsubnet=W.0.0.0/8
	[...]

conn host-subnet2
	left=a.b.c.d
	right=e.f.g.h
	rightsubnet=Z.0.0.0/8
	[...]

This will result in 4 + 1 + 1 tunnels. All the subnets to all the subnets
and the ipsec server to both subnets.

Since you now have tunnels where your public ip (nearest to the remote
subnet) is part of an IPsec tunnel, your connections will work without
needing sourceip=.

The alternative is to split the subnetS conn into 4 different
subnet to subnet tunnels, and specify the leftsourceip=.
But that only makes sense if you have an IP from those local
subnets specified on the machine itself. Again, if you are just
routing those subnets locally to another machine, sourceip= is
not needed.

> Also, with our current setting using racoon, we can add/remove subnets on
> the fly once the tunnel is established. We just do some spdadd to tell the
> tunnel new subnets. To do the same thing, do we have to make changes to the
> ipsec.conf file and restart the pluto daemon now? We want the existing
> connections uninterrupted.

If you use separate conns, then you can simply run:

ipsec auto --add connXXX
ipsec auto --up connXXX
ipsec auto --down connXXX
ipsec auto --delete connXXX

to manually add/remove them. If you use the subnetS= construct, then
you will see numbered conns appearing. For example:

conn test
	left=a.b.c.d
	right=e.f.g.h
	leftsubnets=X.0.0.0/8,Y.0.0.0/8
	rightsubnets=W.0.0.0/8,Z.0.0.0/8
	[...]

when this connection is added and brought up using --add and --up,
you will see in "ipsec status"

conn test1x1
conn test1x2
conn test2x1
conn test2x2

You can treat those as regular conns, so you can do:

ipsec auto --delete test2x1

Note that if you use DPD, and the base connection gets restarted,
it will re-add this deleted conn again.

Paul
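The split-into-separate-conns alternative described above, as an added example that is not part of the thread or of libreswan itself: it generates one subnet-to-subnet conn per pair plus one host-to-subnet conn per remote subnet, so each tunnel can be added or removed with ipsec auto on its own. The endpoint addresses, subnets and the shared settings (authby=, auto=) are constructed samples.

```python
"""Expand one multi-subnet libreswan conn into separately manageable conns.

Takes the subnet lists that would otherwise go into leftsubnets=/rightsubnets=
and emits one subnet-to-subnet conn per pair plus one host-to-subnet conn per
remote subnet, so each tunnel can be handled on its own with
`ipsec auto --add/--up/--down/--delete NAME` without touching the others.
Endpoint addresses, subnets and the shared settings are constructed samples.
"""
from itertools import product
from typing import Dict, List


def expand_conns(base: str, left: str, right: str, left_subnets: List[str],
                 right_subnets: List[str], common: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {keyword: value}} for every generated conn."""
    conns = {}
    # Subnet-to-subnet conns, one per (local, remote) pair, numbered NxM in
    # the same spirit as libreswan's own expansion of the subnets= form.
    for (li, ls), (ri, rs) in product(enumerate(left_subnets, 1),
                                      enumerate(right_subnets, 1)):
        conns[f"{base}-{li}x{ri}"] = {"left": left, "right": right,
                                      "leftsubnet": ls, "rightsubnet": rs, **common}
    # Host-to-subnet conns: no leftsubnet=, so the gateway's own address is
    # inside the tunnel and traffic from the host itself needs no sourceip=.
    for ri, rs in enumerate(right_subnets, 1):
        conns[f"{base}-host-{ri}"] = {"left": left, "right": right,
                                      "rightsubnet": rs, **common}
    return conns


def render(conns: Dict[str, Dict[str, str]]) -> str:
    """Render the conns as ipsec.conf text, one tab-indented keyword per line."""
    lines = []
    for name, kv in conns.items():
        lines.append(f"conn {name}")
        lines.extend(f"\t{k}={v}" for k, v in kv.items())
        lines.append("")
    return "\n".join(lines)


def manage_commands(conns: Dict[str, Dict[str, str]], action: str) -> List[str]:
    """One `ipsec auto --<action> NAME` line per conn (add, up, down or delete)."""
    return [f"ipsec auto --{action} {name}" for name in conns]


# Constructed sample: two local and two remote subnets, as in the thread.
SAMPLE = expand_conns("site", "192.0.2.1", "198.51.100.1",
                      ["10.1.0.0/16", "10.2.0.0/16"], ["10.3.0.0/16", "10.4.0.0/16"],
                      {"authby": "secret", "auto": "add"})
```

render(SAMPLE) gives the 4 + 1 + 1 conns ready to paste into ipsec.conf, and manage_commands(SAMPLE, "delete") lists the per-conn commands for taking a single tunnel down without restarting pluto.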
