[Swan] subnet behind libreswan host without ip in it

Paul Wouters paul at nohats.ca
Wed Mar 1 21:10:34 UTC 2017


On Wed, 1 Mar 2017, Christoph wrote:

> I have here a tunnel between libreswan 3.15 and cisco asa (9.1). For the 
> network where the libreswan has an ip inside it does work goos, but I have a 
> network 'behind' libreswan host and if I ping to it, the tunnel doesnt go 
> online.

That most likely relates to firewalling, forwarding, rp_filter, etc.

> config setup
>   protostack=netkey
>   listen=$STATIC_INET_IP

In general, I would not use the listen= argument and let libreswan
listen to ANY. But that's unrelated to your issue.

> conn home
> 	 ike=aes256-sha256;modp1024
> 	          esp=aes256-sha1;modp1024
> 	 initial_contact=yes
> 	 aggrmode=yes
> 	 authby=secret
> 	 left=$STATIC_INET_IP
> 	 leftid=$STATIC_INET_IP
> 	 leftsourceip=192.168.55.1
> 	 remote_peer_type=cisco
> 	 right=$MY_DYNDNS_ON_CISCO_ASA
> 	 rightid=192.168.40.2
> 	 right=%any
> 	 salifetime=24h
> 	 ikelifetime=24h
> 	 dpdaction=restart
> 	 dpdtimeout=60
> 	 dpddelay=30
> 	 ikev2=insist
> 	 disablearrivalcheck=no
> 	 auto=start
>
> conn chao5.int-bio
> 	 also=home
> 	 leftsubnet=10.0.0.0/8
> 	 rightsubnet=192.168.50.0/24
>
> conn chao5.int-behemoth
> 	 also=home
> 	 leftsubnet=192.168.55.0/24
> 	 rightsubnet=192.168.50.0/24

Since you are using also=home, you cannot specify leftsourceip= since
that only makes sense if leftsourceip= is part of leftsubnet. And
for subnets "behind" the libreswan server, I assume you have no
sourceip and you get those packets via routing.

Do not use remote_peer_type=cisco unless using XAUTH.

Use dpdaction=hold (especially on older libreswan versions) to avoid
a packet leak.

disablearrivalcheck= is KLIPS only - you can and should remove it.

Note you say "on demand" but you have auto=start, meaning the tunnels
should immediatelly all come up without needing a packet trigger.

And since auto=start is in the conn home, you will have 3 tunnels
that are trying to get established, while I think the cisco has
not non-subnet configuration for you. So I would move the auto=start
to inside chao5.int-bio and chao5.int-behemoth

> what can be the problem?

I'd have to see the logs, or the output of:

ipsec auto --replace home
ipsec auto --replace chao5.int-bio
ipsec auto --replace chao5.int-behemoth
ipsec auto --up chao5.int-bio
ipsec auto --up chao5.int-behemoth

Paul


More information about the Swan mailing list