[Swan] How to handle multiple networks on both ends?

Xinwei Hong xhong at skytap.com
Mon Jan 23 07:00:25 UTC 2017


Hi Paul,

One follow-up question. Assume we have conn1 and conn2 (or probably more
conns); they both use the same endpoints for the tunnel but will support
different subnet pairs. We want to bring up/down individual conns freely.
All conns should share the same phase 1 IKE tunnel. How do we guarantee
that?
I tried to put left/right/ike into
conn %default
    left=a.b.c.d
    right=e.f.g.h
    ike=xxxxx
    phase2alg=....

conn conn1
    leftsubnet=x.x.x.x/24
    rightsubnet=y.y.y.y/24

conn conn2
    leftsubnet=v.v.v.v/24
    rightsubnet=w.w.w.w/24

When I do "ip xfrm state", it returns 8 entries, similar to:

src 10.2.128.170 dst 10.2.128.171
proto esp spi 0x90c639bd reqid 16409 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x3438409b19952d08acf41b4c7d8fec1b845a5567 96
enc cbc(aes) 0x860183c7fb90aaa9c52c03eaf853c749
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

with different SPIs.

With only conn1 or conn2, it returns 4 entries.

Why does it have 8 entries? Does it mean multiple IKE tunnels were created?


Thanks,
Xinwei



On Fri, Jan 20, 2017 at 1:21 PM, Xinwei Hong <xhong at skytap.com> wrote:

> I tried it. It looks like "ipsec auto --add test2" will reload the config file
> and the pluto process does not restart.
>
> Thanks,
> Xinwei
>
> On Thu, Jan 19, 2017 at 11:22 PM, Xinwei Hong <xhong at skytap.com> wrote:
>
>> Thank you very much. I understand the sourceip part now. Also, I
>> understand I can bring up/down connections using the method you mentioned.
>>
>> Let's say my ipsec.conf has a conn test1 configured between two subnets.
>> The ipsec.conf is loaded by pluto and everything is working. After
>> some time, we decide to add another subnet pair between the same endpoints.
>> I need to add a new snippet for "conn test2" into ipsec.conf. If I do
>> "ipsec auto --add test2", will it actually work? Does pluto reload the
>> ipsec.conf file? Does ipsec auto cause pluto to restart? Do the phase 1 tunnel
>> and conn test1 get re-established? We don't want to interrupt the tunnel for
>> conn test1.
>>
>> Thanks,
>> Xinwei
>>
>> On Thu, Jan 19, 2017 at 8:48 PM, Paul Wouters <paul at nohats.ca> wrote:
>>
>>> On Thu, 19 Jan 2017, Xinwei Hong wrote:
>>>
>>>> Another question. If I have multiple networks on both sides of the ipsec
>>>> tunnel, I assume we would need to use leftsubnets/rightsubnets to specify
>>>> multiple networks. However, in my last email, we found that
>>>> leftsourceip/rightsourceip are required. Since we have multiple networks
>>>> now, what address should be used as the sourceip?
>>>>
>>>
>>> If you need to access more remote subnets on the remote end from the
>>> local server itself, you have two choices:
>>>
>>> - Add host-subnet connections, like:
>>>
>>> conn subnet1
>>>         left=a.b.c.d
>>>         right=e.f.g.h
>>>         leftsubnet=X.0.0.0/8,Y.0.0.0/8
>>>         rightsubnet=W.0.0.0/8,Z.0.0.0/8
>>>         [...]
>>>
>>> conn host-subnet1
>>>         left=a.b.c.d
>>>         right=e.f.g.h
>>>         rightsubnet=W.0.0.0/8
>>>         [...]
>>>
>>> conn host-subnet2
>>>         left=a.b.c.d
>>>         right=e.f.g.h
>>>         rightsubnet=Z.0.0.0/8
>>>         [...]
>>>
>>> This will result in 4 + 1 + 1 tunnels: all the subnets to all the subnets,
>>> and the ipsec server to both subnets.
>>>
>>> Since you now have tunnels where your public ip (nearest to the remote
>>> subnet) is part of an IPsec tunnel, your connections will work without
>>> needing sourceip=
>>>
>>> The alternative is to split the subnetS conn into 4 different
>>> subnet to subnet tunnels, and specifying the leftsourceip=
>>> But that only makes sense if you have an IP from those local
>>> subnets specified on the machine itself. Again, if you are just
>>> routing those subnets locally to another machine, sourceip= is
>>> not needed.
>>>
>>>> Also, with our current setting using racoon, we can add/remove subnets on
>>>> the fly once the tunnel is established. We just do some spdadd to tell the
>>>> tunnel about new subnets. To do the same thing, do we have to make changes
>>>> to the ipsec.conf file and restart the pluto daemon now? We want the
>>>> existing connections uninterrupted.
>>>>
>>>
>>> If you use separate conns, then you can simply run:
>>>
>>> ipsec auto --add connXXX
>>> ipsec auto --up connXXX
>>> ipsec auto --down connXXX
>>> ipsec auto --delete connXXX
>>>
to manually add/remove them. If you use the subnetS= construct, then
you will see numbered conns appearing. For example:
>>>
>>> conn test
>>>         left=a.b.c.d
>>>         right=e.f.g.h
>>>         leftsubnet=X.0.0.0/8,Y.0.0.0/8
>>>         rightsubnet=W.0.0.0/8,Z.0.0.0/8
>>>         [...]
>>>
>>> when this connection is added and brought up using --add and --up,
>>> you will see in "ipsec status":
>>>
>>> conn test1x1
>>> conn test1x2
>>> conn test2x1
>>> conn test2x2
>>>
>>> You can treat those as regular conns, so you can do:
>>>
>>> ipsec auto --delete test2x1
>>>
>>> Note that if you use DPD, and the base connection gets restarted,
>>> it will re-add this deleted conn again.
>>>
>>> Paul
>>>
>>
>>
>
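The "ip xfrm state" count asked about in the top message lists kernel IPsec SAs (ESP/AH/IPcomp) only; the phase 1 IKE SA is held inside pluto and never appears in that table, so it has to be checked with "ipsec status" instead. The script below is an added example for this thread, not code from the list or from libreswan: it groups a constructed "ip xfrm state" listing by reqid and direction so you can see how many ESP SAs each conn currently holds, flags any reqid with more than one SA per direction, and reads the IKE SA count from a constructed "ipsec status" sample. It assumes that libreswan gives each conn its own reqid, that this host's tunnel address is 10.2.128.170 (the address from the post), and that "ipsec status" prints a line of the form "IKE SAs: total(N), ..."; the SPIs, keys, reqids and status lines are made up.

```python
"""Group kernel IPsec SAs from `ip xfrm state` by reqid and direction.

Added example for the libreswan thread above, not libreswan code. The
kernel xfrm state table holds only the ESP/AH SAs pluto installs; IKE SAs
live in pluto and never appear in `ip xfrm state`. Grouping by reqid
(assumption: libreswan allocates a distinct reqid per conn) shows how many
kernel SAs each conn holds.
"""
import re
from collections import defaultdict

LOCAL_ADDR = "10.2.128.170"  # this host's tunnel endpoint, as in the post

# Constructed sample of `ip xfrm state`: two conns between the same
# endpoints. reqid 16409 holds the expected pair (one SA per direction);
# reqid 16413 holds two pairs, as seen during a rekey overlap or when both
# ends initiated at once. SPIs, keys and reqids are made up.
SAMPLE_XFRM_STATE = """\
src 10.2.128.170 dst 10.2.128.171
        proto esp spi 0x90c639bd reqid 16409 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x3438409b19952d08acf41b4c7d8fec1b845a5567 96
        enc cbc(aes) 0x860183c7fb90aaa9c52c03eaf853c749
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.2.128.171 dst 10.2.128.170
        proto esp spi 0x1a2b3c4d reqid 16409 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000001 96
        enc cbc(aes) 0x00000000000000000000000000000001
src 10.2.128.170 dst 10.2.128.171
        proto esp spi 0xaaaa0001 reqid 16413 mode tunnel
        replay-window 32 flag af-unspec
src 10.2.128.171 dst 10.2.128.170
        proto esp spi 0xbbbb0001 reqid 16413 mode tunnel
        replay-window 32 flag af-unspec
src 10.2.128.170 dst 10.2.128.171
        proto esp spi 0xaaaa0002 reqid 16413 mode tunnel
        replay-window 32 flag af-unspec
src 10.2.128.171 dst 10.2.128.170
        proto esp spi 0xbbbb0002 reqid 16413 mode tunnel
        replay-window 32 flag af-unspec
"""

# Constructed `ipsec status` excerpt; the "IKE SAs: total(N)" line format
# is an assumption about libreswan's status output.
SAMPLE_IPSEC_STATUS = """\
000 Total IPsec connections: loaded 2, active 2
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(3), authenticated(3), anonymous(0)
"""

SRC_DST_RE = re.compile(r"^src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\S+)")
IKE_TOTAL_RE = re.compile(r"IKE SAs: total\((\d+)\)")


def parse_xfrm_state(text):
    """Return one dict per kernel SA: src, dst, proto, spi, reqid, mode."""
    states = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SRC_DST_RE.match(line)
        if m:  # a new SA block starts with its endpoints
            states.append({"src": m.group(1), "dst": m.group(2)})
            continue
        m = PROTO_RE.match(line)
        if m and states:  # attach protocol details to the current block
            states[-1].update(proto=m.group(1), spi=m.group(2),
                              reqid=int(m.group(3)), mode=m.group(4))
    return states


def group_by_reqid(states, local_addr):
    """Map reqid -> {"out": [spi...], "in": [spi...]} relative to local_addr."""
    groups = defaultdict(lambda: {"out": [], "in": []})
    for sa in states:
        direction = "out" if sa["src"] == local_addr else "in"
        groups[sa["reqid"]][direction].append(sa["spi"])
    return dict(groups)


def find_extra_sas(groups):
    """Reqids with anything other than exactly one SA per direction."""
    return sorted(r for r, d in groups.items()
                  if len(d["out"]) != 1 or len(d["in"]) != 1)


def ike_sa_total(status_text):
    """IKE SA count from `ipsec status` output, or None if the line is absent."""
    m = IKE_TOTAL_RE.search(status_text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    groups = group_by_reqid(parse_xfrm_state(SAMPLE_XFRM_STATE), LOCAL_ADDR)
    for reqid, d in sorted(groups.items()):
        print(f"reqid {reqid}: {len(d['out'])} outbound, {len(d['in'])} inbound")
    print("reqids with more than one SA per direction:", find_extra_sas(groups))
    print("IKE SAs reported by pluto:", ike_sa_total(SAMPLE_IPSEC_STATUS))
```

On a real host, feed `subprocess.check_output(["ip", "xfrm", "state"])` and `ipsec status` into the two parsers instead of the samples. Two states per reqid is the steady state for one ESP child SA; a reqid with more than that right after bring-up usually means both ends initiated the same conn, and a brief overlap during rekey is normal. Neither case adds an IKE SA, which is why the count has to come from pluto.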