[Swan] subnet behind libreswan host without ip in it
Paul Wouters
paul at nohats.ca
Wed Mar 1 21:10:34 UTC 2017
On Wed, 1 Mar 2017, Christoph wrote:
> I have here a tunnel between libreswan 3.15 and cisco asa (9.1). For the
> network where the libreswan has an ip inside it does work goos, but I have a
> network 'behind' libreswan host and if I ping to it, the tunnel doesnt go
> online.
That most likely relates to firewalling, forwarding, rp_filter, etc.
> config setup
> protostack=netkey
> listen=$STATIC_INET_IP
In general, I would not use the listen= argument and let libreswan
listen to ANY. But that's unrelated to your issue.
> conn home
> ike=aes256-sha256;modp1024
> esp=aes256-sha1;modp1024
> initial_contact=yes
> aggrmode=yes
> authby=secret
> left=$STATIC_INET_IP
> leftid=$STATIC_INET_IP
> leftsourceip=192.168.55.1
> remote_peer_type=cisco
> right=$MY_DYNDNS_ON_CISCO_ASA
> rightid=192.168.40.2
> right=%any
> salifetime=24h
> ikelifetime=24h
> dpdaction=restart
> dpdtimeout=60
> dpddelay=30
> ikev2=insist
> disablearrivalcheck=no
> auto=start
>
> conn chao5.int-bio
> also=home
> leftsubnet=10.0.0.0/8
> rightsubnet=192.168.50.0/24
>
> conn chao5.int-behemoth
> also=home
> leftsubnet=192.168.55.0/24
> rightsubnet=192.168.50.0/24
Since you are using also=home, you cannot specify leftsourceip= since
that only makes sense if leftsourceip= is part of leftsubnet. And
for subnets "behind" the libreswan server, I assume you have no
sourceip and you get those packets via routing.
Do not use remote_peer_type=cisco unless using XAUTH.
Use dpdaction=hold (especially on older libreswan versions) to avoid
a packet leak.
disablearrivalcheck= is KLIPS only - you can and should remove it.
Note you say "on demand" but you have auto=start, meaning the tunnels
should immediatelly all come up without needing a packet trigger.
And since auto=start is in the conn home, you will have 3 tunnels
that are trying to get established, while I think the cisco has
not non-subnet configuration for you. So I would move the auto=start
to inside chao5.int-bio and chao5.int-behemoth
> what can be the problem?
I'd have to see the logs, or the output of:
ipsec auto --replace home
ipsec auto --replace chao5.int-bio
ipsec auto --replace chao5.int-behemoth
ipsec auto --up chao5.int-bio
ipsec auto --up chao5.int-behemoth
Paul
More information about the Swan
mailing list