[Swan] How to handle multiple networks on both ends?

Xinwei Hong xhong at skytap.com
Fri Jan 20 07:22:27 UTC 2017


Thank you very much. I understand the sourceip part now. Also, I understand
I can bring up/down connections using the method you mentioned.

Let's say my ipsec.conf has a conn test1 configured between two subnets.
The ipsec.conf is loaded by pluto and everything is working. After
some time, we decide to add another subnet pair between the same endpoints.
I need to add a new snippet for "conn test2" into ipsec.conf. If I do
"ip auto --add test2", will it actually work? Does pluto reload ipsec.conf
file? Does ip auto cause pluto to restart? Do the phase 1 tunnel and conn
test1 get re-established? We don't want to interrupt tunnel for conn test1.

Thanks,
Xinwei

On Thu, Jan 19, 2017 at 8:48 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 19 Jan 2017, Xinwei Hong wrote:
>
>> Another question. If I have multiple networks on both side of the ipsec
>> tunnel, I assume we would need use leftsubnets/rightsubnets to specify
>> multiple networks. However, in my last email, we found that
>> leftsourceip/rightsourceip are required. Since we have multiple networks
>> now, what address should be used as the sourceip?
>>
>
> If you need to access more remote subnets on the remote end from the
> local server itself, you have two choices:
>
> - Add host-subnet connections, like:
>
> conn subnet1
>         left=a.b.c.d
>         right=e.f.g.h
>         leftsubnet=X.0.0.0/8,Y.0.0.0/8
>         rightsubnet=W.0.0.0/8,Z.0.0.0/8
>         [...]
>
> conn host-subnet1
>         left=a.b.c.d
>         right=e.f.g.h
>         rightsubnet=W.0.0.0/8
>         [...]
>
> conn host-subnet2
>         left=a.b.c.d
>         right=e.f.g.h
>         rightsubnet=Z.0.0.0/8
>         [...]
>
> This will result in 4 + 1 +1 tunnels. All the subnets to all the subnets
> and the ipsec server to both subnets.
>
> Since you now have tunnels where your public ip (nearest to the remote
> subnet) is part of an IPsec tunnel, your connections will work without
> needing sourceip=
>
> The alternative is to split the subnetS conn into 4 different
> subnet to subnet tunnels, and specifying the leftsourceip=
> But that only makes sense if you have an IP from those local
> subnets specified on the machine itself. Again, if you are just
> routing those subnets locally to another machine, sourceip= is
> not needed.
>
>> Also, with our current setting using racoon, we can add/remove subnets on
>> the fly once the tunnel is established. We just do some spdadd to tell the
>> tunnel new subnets. To do the same thing, do we have to make change to
>> ipsec.conf file and restart pluto daemon now? We want the existing
>> connections uninterrupted.
>>
>
> If you use separate conns, then you can simply run:
>
> ipsec auto --add connXXX
> ipsec auto --up connXXX
> ipsec auto --down connXXX
> ipsec auto --delete connXXX
>
> to manually add/remove them. If you use the subnetS= construct, then
> you will see numbered conns appearing. For example:
>
> conn test
>         left=a.b.c.d
>         right=e.f.g.h
>         leftsubnet=X.0.0.0/8,Y.0.0.0/8
>         rightsubnet=W.0.0.0/8,Z.0.0.0/8
>         [...]
>
> when this connection is added and brought up using --add and --up,
> you will see in "ipsec status"
>
> conn test1x1
> conn test1x2
> conn test2x1
> conn test2x2
>
> You can treat those as regular conns, so you can do:
>
> ipsec auto --delete test2x1
>
> Note that if you use DPD, and the base connection gets restarted,
> it will re-add this deleted conn again.
>
> Paul
>
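The following is an added ipsec.conf example, not a snippet from either message in this thread, illustrating the "separate conns" layout Paul recommends for adding a subnet pair later. The gateway addresses, subnets and conn names (site-common, test1, test2) are placeholders chosen for the example; the commands in the comments are the standard `ipsec auto` verbs already quoted above.

```conf
# Added example (not from the thread): /etc/ipsec.conf layout for adding a
# second subnet pair between the same two gateways without restarting pluto.
# All addresses and conn names are placeholders.

# Shared endpoint settings, pulled in with also=. This section has no auto=
# line, so it is never loaded or brought up by itself.
conn site-common
        left=198.51.100.1          # local gateway public address (placeholder)
        right=203.0.113.1          # remote gateway public address (placeholder)
        authby=secret

# Original subnet pair; already loaded and up.
conn test1
        leftsubnet=10.1.0.0/16
        rightsubnet=10.2.0.0/16
        auto=start
        also=site-common

# New pair appended later. Because it is its own conn, it can be loaded and
# brought up on its own while test1 keeps its SAs:
#   ipsec auto --add test2    # addconn parses ipsec.conf and hands only test2 to the running pluto
#   ipsec auto --up test2     # negotiates a new IPsec SA, reusing the established IKE SA with this peer
#   ipsec status | grep test  # both conns are now listed
# Removing it later, again without touching test1:
#   ipsec auto --down test2 && ipsec auto --delete test2
conn test2
        leftsubnet=10.3.0.0/16
        rightsubnet=10.4.0.0/16
        auto=add
        also=site-common

# Contrast: the subnets= construct keeps all pairs in one base conn. Every
# pair becomes a separately addressable instance in "ipsec status" (see the
# reply above for how they are named), but editing this list and reloading the
# base conn with "ipsec auto --replace test" tears down and re-adds all of its
# instances, which is exactly the interruption to avoid when test1 must stay up.
#conn test
#        leftsubnets={10.1.0.0/16 10.3.0.0/16}
#        rightsubnets={10.2.0.0/16 10.4.0.0/16}
#        auto=start
#        also=site-common
```

With this layout the only file edit needed for a new pair is appending another conn block; pluto itself is never restarted, and `ipsec auto --add` loads just the conn it is given.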