[Swan] How to handle multiple networks on both ends?

Xinwei Hong xhong at skytap.com
Fri Jan 20 21:21:46 UTC 2017


I tried it. It looks like "ip auto --add test2" will reload the config file and
the pluto process does not restart.

Thanks,
Xinwei

On Thu, Jan 19, 2017 at 11:22 PM, Xinwei Hong <xhong at skytap.com> wrote:

> Thank you very much. I understand the sourceip part now. Also, I
> understand I can bring up/down connections using the method you mentioned.
>
> Let's say my ipsec.conf has a conn test1 configured between two subnets.
> The ipsec.conf is loaded by pluto and everything is working. After
> some time, we decide to add another subnet pair between the same endpoints.
> I need to add a new snippet for "conn test2" into ipsec.conf. If I do
> "ip auto --add test2", will it actually work? Does pluto reload ipsec.conf
> file? Does ip auto cause pluto to restart? Do the phase 1 tunnel and conn
> test1 get re-established? We don't want to interrupt tunnel for conn test1.
>
> Thanks,
> Xinwei
>
> On Thu, Jan 19, 2017 at 8:48 PM, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Thu, 19 Jan 2017, Xinwei Hong wrote:
>>
>>> Another question. If I have multiple networks on both sides of the ipsec
>>> tunnel, I assume we would need to use leftsubnets/rightsubnets to specify
>>> multiple networks. However, in my last email, we found that
>>> leftsourceip/rightsourceip are required. Since we have multiple networks
>>> now, what address should be used as the sourceip?
>>>
>>
>> If you need to access more remote subnets on the remote end from the
>> local server itself, you have two choices:
>>
>> - Add host-subnet connections, like:
>>
>> conn subnet1
>>         left=a.b.c.d
>>         right=e.f.g.h
>>         leftsubnet=X.0.0.0/8,Y.0.0.0/8
>>         rightsubnet=W.0.0.0/8,Z.0.0.0/8
>>         [...]
>>
>> conn host-subnet1
>>         left=a.b.c.d
>>         right=e.f.g.h
>>         rightsubnet=W.0.0.0/8
>>         [...]
>>
>> conn host-subnet2
>>         left=a.b.c.d
>>         right=e.f.g.h
>>         rightsubnet=Z.0.0.0/8
>>         [...]
>>
>> This will result in 4 + 1 + 1 tunnels. All the subnets to all the subnets
>> and the ipsec server to both subnets.
>>
>> Since you now have tunnels where your public ip (nearest to the remote
>> subnet) is part of an IPsec tunnel, your connections will work without
>> needing sourceip=
>>
>> The alternative is to split the subnetS conn into 4 different
>> subnet to subnet tunnels, and specify the leftsourceip=
>> But that only makes sense if you have an IP from those local
>> subnets specified on the machine itself. Again, if you are just
>> routing those subnets locally to another machine, sourceip= is
>> not needed.
>>
>>> Also, with our current setting using racoon, we can add/remove subnets on
>>> the fly once the tunnel is established. We just do some spdadd to tell
>>> the tunnel new subnets. To do the same thing, do we have to make changes to
>>> the ipsec.conf file and restart the pluto daemon now? We want the existing
>>> connections uninterrupted.
>>>
>>
>> If you use separate conns, then you can simply run:
>>
>> ipsec auto --add connXXX
>> ipsec auto --up connXXX
>> ipsec auto --down connXXX
>> ipsec auto --delete connXXX
>>
>> to manually add/remove them. If you use the subnetS= construct, then
>> you will see numbered conns appearing. For example:
>>
>> conn test
>>         left=a.b.c.d
>>         right=e.f.g.h
>>         leftsubnet=X.0.0.0/8,Y.0.0.0/8
>>         rightsubnet=W.0.0.0/8,Z.0.0.0/8
>>         [...]
>>
>> when this connection is added and brought up using --add and --up,
>> you will see in "ipsec status"
>>
>> conn test1x1
>> conn test1x2
>> conn test2x1
>> conn test2x2
>>
>> You can treat those as regular conns, so you can do:
>>
>> ipsec auto --delete test2x1
>>
>> Note that if you use DPD, and the base connection gets restarted,
>> it will re-add this deleted conn again.
>>
>> Paul
>>
>
>
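The fan-out Paul describes, where a conn with subnets on both ends becomes numbered child conns (test1x1 ... test2x2) and the layout above yields 4 + 1 + 1 tunnels, modelled as an added example. This is not code from the thread or from libreswan; it assumes the child naming NAME + left index + "x" + right index seen in the listing, and parses only the plain conn/key=value layout.

```python
# Added example (not from the thread or from libreswan): model how a conn with
# subnets on both ends fans out into one child tunnel per subnet pair (the
# test1x1..test2x2 listing above) to count tunnels and to know which names
# 'ipsec auto --delete' targets. Assumed: child = NAME+left_idx+'x'+right_idx.
import re
from itertools import product
SAMPLE_CONF = """\
conn test
        left=a.b.c.d
        right=e.f.g.h
        leftsubnet=X.0.0.0/8,Y.0.0.0/8
        rightsubnet=W.0.0.0/8,Z.0.0.0/8
conn host-subnet1
        rightsubnet=W.0.0.0/8
conn host-subnet2
        rightsubnet=Z.0.0.0/8
"""  # constructed, mirrors Paul's layout; left=/right= omitted on host conns

def parse_conns(text):
    """Return {name: {key: value}} for each 'conn NAME' block."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.match(r"^conn\s+(\S+)$", line):
            cur = m.group(1)
            conns[cur] = {}
        elif cur and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def subnet_list(conn, side):
    """Subnets on one side; no subnet key means the host itself (one selector)."""
    raw = conn.get(side + "subnets") or conn.get(side + "subnet") or ""
    return [s for s in re.split(r"[\s,{}]+", raw) if s] or [side + "-host"]

def expand_all(text):
    """Map every child tunnel name to its (left, right) selector pair."""
    out = {}
    for name, conn in parse_conns(text).items():
        lefts, rights = subnet_list(conn, "left"), subnet_list(conn, "right")
        if len(lefts) * len(rights) == 1:   # a single pair keeps the conn's own name
            out[name] = (lefts[0], rights[0])
            continue
        for (i, l), (j, r) in product(enumerate(lefts, 1), enumerate(rights, 1)):
            out[f"{name}{i}x{j}"] = (l, r)
    return out
def delete_commands(text, subnet):
    """Per-child 'ipsec auto --delete' lines for tunnels touching one subnet."""
    return [f"ipsec auto --delete {n}" for n, p in expand_all(text).items() if subnet in p]
```

Removing one subnet pair this way deletes only its child conn; as Paul notes, a DPD restart of the base conn re-adds it, so the permanent fix is editing the subnets= list.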