[Swan] Roadwarriors Setup With Routing

Paul Wouters paul at nohats.ca
Sat Oct 28 09:15:28 UTC 2017


On Wed, 25 Oct 2017, Nirvana wrote:

> This is first time I have used Libreswan so if I misunderstand anything, please let me know. I am attempting to
> setup something similar to a roadwarriors configuration. It looks like this:
> 
> 
> mobile client <-----> NAT (dynamic IP) <-------- Internet --------> (static IP) NAT <---------> server <-------->
> internal gateway <--------> internal networks
> 
> My goal is to have the mobile client be able to communicate with the multiple internal networks by utilizing
> static routes. So far I have only been successful getting the client to be able to talk to one internal network at a
> time. I haven't had any authentication issues.

> Here is the configuration I have :
> 
> Server:
> conn roadwarriors2
>         ikev2=insist
>         fragmentation=yes
>         left=192.168.9.11
>         leftsubnets={192.168.2.0/24 192.168.3.0/24 192.168.9.0/24}
>         leftcert=server
>         leftid=external_static_ip #real IP removed
>         leftxauthserver=yes
>         leftmodecfgserver=yes
>         right=%any
>         rightca=%same
>         rightaddresspool=192.168.9.12-192.168.9.14

I am not sure if we support multiple subnets with addresspool. That
requires that three connections are instantiated to the CP assigned
IP on the client.

> I have been adding static routes on the client after the VPN is made (e.g. ip route add 192.168.3.0/24 dev vti9).
> It appears to be the case that whatever network is listed first under leftsubnets directive on the server is the
> only network the client can communicate with.

Yes, my guess is that you will only get one IPsec SA.

> Regarding the vti9 already exists entry: it appears that Libreswan doesn't remove the interface when exiting which
> is why I think it is "in use". I have been able to remove it manually using "ip link delete vti9".

It's a side-effect of us not fully supporting this scenario. You would
have to put in vti-sharing=yes and it should stop showing errors.

> Does anyone have any suggestions? Am I utilizing Libreswan wrong and instead should be running L2TP over
> Libreswan? If you need more information, I will gladly provide it.

No, don't do L2TP.

You could either try splitting your conn into 3, and setting up 3
independent tunnels.

Or you can set up one for 0.0.0.0/0 on the server, install firewall rules
there to limit traffic to the three networks, and give the client a custom
leftupdown= script that only routes those 3 subnets into the single VTI
device.

Paul

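Paul's second option, worked through as an added example (this is not code from the original thread or from libreswan): a client-side leftupdown= script that, once the 0.0.0.0/0 tunnel is up, routes only the three subnets from the original leftsubnets= into the VTI device, plus the matching server-side firewall rules. The environment variable names (PLUTO_VERB, PLUTO_MY_SOURCEIP, VTI_IFACE), the stock updown path and the subnet list are assumptions marked in the code; check them against your libreswan version's _updown script before using it.

```sh
#!/bin/sh
# Added example, not from the original thread or from libreswan itself:
# Paul's second option. The client negotiates 0.0.0.0/0 but its leftupdown=
# script routes only the three internal subnets into the VTI device, and the
# server filters forwarded tunnel traffic down to those same subnets.
#
# Assumptions (site-specific, or to be checked against your libreswan build):
#  - pluto exports PLUTO_VERB, PLUTO_MY_SOURCEIP (the pool address) and
#    VTI_IFACE (from vti-interface=) to the updown script;
#  - the stock updown script is /usr/libexec/ipsec/_updown;
#  - the client conn sets vti-routing=no, so the stock script adds no routes.

VPN_SUBNETS="192.168.2.0/24 192.168.3.0/24 192.168.9.0/24"
STOCK_UPDOWN="${STOCK_UPDOWN:-/usr/libexec/ipsec/_updown}"

# Print, rather than run, one ip(8) command per subnet so the list can be
# reviewed or tested. Refuses 0.0.0.0/0 and "default": the point of this
# script is that the full-tunnel policy never becomes the client's default route.
#   route_cmds add|del <vti-iface> <local-ip> <subnet>...
route_cmds() {
    action="$1" iface="$2" local_ip="$3"
    shift 3
    for net in "$@"; do
        case "$net" in
            0.0.0.0/0|0.0.0.0|default)
                echo "route_cmds: refusing to route $net into $iface" >&2
                continue ;;
        esac
        case "$action" in
            add) echo "ip route replace $net dev $iface src $local_ip" ;;
            del) echo "ip route del $net dev $iface" ;;
            *)   echo "route_cmds: unknown action '$action'" >&2; return 1 ;;
        esac
    done
    return 0
}

# Number of routes route_cmds would install; useful as a sanity check in logs.
route_count() {
    route_cmds "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Run the commands for real; stop at the first ip(8) call that fails.
apply_routes() {
    route_cmds "$@" | sh -e
}

# Server side of the same option (constructed; run once at boot, not by pluto):
# iptables rules that let tunnel traffic from the address pool reach only the
# listed subnets. "-m policy --pol ipsec --dir in" matches packets that arrived
# through an IPsec SA, so plaintext traffic from the same range is untouched.
#   server_filter_cmds <pool-range> <subnet>...
server_filter_cmds() {
    pool="$1"
    shift
    for net in "$@"; do
        echo "iptables -A FORWARD -m policy --pol ipsec --dir in -m iprange --src-range $pool -d $net -j ACCEPT"
    done
    echo "iptables -A FORWARD -m policy --pol ipsec --dir in -m iprange --src-range $pool -j DROP"
}

# Entry point when pluto calls us. The stock script runs first on up-client
# (it creates the vti device); our routes come off before it runs on down-client.
case "${PLUTO_VERB:-}" in
    "")          : ;;     # run by hand: nothing to do
    up-client)   "$STOCK_UPDOWN" "$@"
                 apply_routes add "$VTI_IFACE" "$PLUTO_MY_SOURCEIP" $VPN_SUBNETS ;;
    down-client) apply_routes del "$VTI_IFACE" "$PLUTO_MY_SOURCEIP" $VPN_SUBNETS
                 "$STOCK_UPDOWN" "$@" ;;
    *)           "$STOCK_UPDOWN" "$@" ;;
esac
```

To wire it in, the client conn would carry leftupdown= pointing at this script (the path is your choice), vti-interface=vti9, vti-routing=no and rightsubnet=0.0.0.0/0, with the server conn using leftsubnet=0.0.0.0/0 in place of the leftsubnets= list; `route_cmds add vti9 192.168.9.12 $VPN_SUBNETS` lets you see the exact routes before trusting the script to pluto, and `server_filter_cmds 192.168.9.12-192.168.9.14 $VPN_SUBNETS` prints the rules for the pool from the original configuration.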
