[Swan] Roadwarriors Setup With Routing
Paul Wouters
paul at nohats.ca
Sat Oct 28 09:15:28 UTC 2017
On Wed, 25 Oct 2017, Nirvana wrote:
> This is the first time I have used Libreswan, so if I misunderstand anything, please let me know. I am attempting to
> set up something similar to a roadwarriors configuration. It looks like this:
>
>
> mobile client <-----> NAT (dynamic IP) <-------- Internet --------> (static IP) NAT <---------> server <--------> internal gateway <--------> internal networks
>
> My goal is to have the mobile client be able to communicate with the multiple internal networks by utilizing
> static routes. So far I have only been successful getting the client to be able to talk to one internal network at a
> time. I haven't had any authentication issues.
> Here is the configuration I have :
>
> Server:
> conn roadwarriors2
> ikev2=insist
> fragmentation=yes
> left=192.168.9.11
> leftsubnets={192.168.2.0/24 192.168.3.0/24 192.168.9.0/24}
> leftcert=server
> leftid=external_static_ip #real IP removed
> leftxauthserver=yes
> leftmodecfgserver=yes
> right=%any
> rightca=%same
> rightaddresspool=192.168.9.12-192.168.9.14
I am not sure if we support multiple subnets with addresspool. That
requires that three connections are instantiated to the CP assigned
IP on the client.
> I have been adding static routes on the client after the VPN is made (e.g. ip route add 192.168.3.0/24 dev vti9).
> It appears to be the case that whatever network is listed first under leftsubnets directive on the server is the
> only network the client can communicate with.
Yes, my guess is that you will only get one IPsec SA.
> Regarding the vti9 already exists entry: it appears that Libreswan doesn't remove the interface when exiting which
> is why I think it is "in use". I have been able to remove it manually using "ip link delete vti9".
It's a side-effect of us not fully supporting this scenario. You would
have to put in vti-sharing=yes and it should stop showing errors.
> Does anyone have any suggestions? Am I utilizing Libreswan wrong and instead should be running L2TP over
> Libreswan? If you need more information, I will gladly provide it.
No, don't do L2TP.
You could either try splitting your conn into 3, and setting up 3
independent tunnels.
Or you can set up one for 0.0.0.0/0 on the server, install firewall rules
there to limit traffic to the three networks, and give the client a custom
leftupdown= script that only routes those 3 subnets into the single VTI
device.
Paul
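The second option above (one 0.0.0.0/0 conn, server-side firewall rules, and a custom client updown script that routes only the three subnets into the single VTI device), written out as an added example. This is not code from the thread and not libreswan's own updown script. It assumes the client conn uses vti-interface=vti9 with vti-routing=no and points leftupdown= at this file, that libreswan's stock updown script lives at /usr/libexec/ipsec/_updown and is what creates and removes the VTI device, and that pluto exports PLUTO_VERB and PLUTO_VIRT_INTERFACE to the hook; the file path /etc/ipsec.d/vti-updown.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or from libreswan: a client-side
# leftupdown= wrapper for the "one 0.0.0.0/0 conn" approach. Assumed
# ipsec.conf changes (assumption, not shown in the thread):
#
#   leftsubnet=0.0.0.0/0                    # server: one SA instead of three
#   rightsubnet=0.0.0.0/0                   # client
#   vti-interface=vti9                      # client
#   vti-routing=no                          # client: do NOT route 0.0.0.0/0 into vti9
#   leftupdown=/etc/ipsec.d/vti-updown.sh   # client: this script (placeholder path)
#
# Further assumptions: the stock updown script is /usr/libexec/ipsec/_updown,
# it is what creates/destroys the VTI device, and pluto exports PLUTO_VERB and
# PLUTO_VIRT_INTERFACE to the hook.

# The only networks that may be reached through the tunnel (from the thread).
ROUTED_SUBNETS="192.168.2.0/24 192.168.3.0/24 192.168.9.0/24"
DEFAULT_UPDOWN=${DEFAULT_UPDOWN:-/usr/libexec/ipsec/_updown}

# route_cmds VERB IFACE: print the ip(8) route commands for this updown verb,
# one per line. Kept separate from execution so the logic can be checked
# without root and without a live tunnel.
route_cmds() {
    verb=$1
    iface=$2
    case $verb in
        up-client)   action=add ;;
        down-client) action=del ;;
        *)           return 0 ;;    # prepare-client etc.: nothing to route
    esac
    for net in $ROUTED_SUBNETS; do
        printf 'ip route %s %s dev %s\n' "$action" "$net" "$iface"
    done
}

# server_filter_rules: iptables rules for the server side. With a 0.0.0.0/0
# tunnel the client could send anything, so only forward decapsulated IPsec
# traffic (xt_policy: -m policy --dir in --pol ipsec) to the three networks.
server_filter_rules() {
    for net in $ROUTED_SUBNETS; do
        printf 'iptables -A FORWARD -m policy --dir in --pol ipsec -d %s -j ACCEPT\n' "$net"
    done
    printf 'iptables -A FORWARD -m policy --dir in --pol ipsec -j DROP\n'
}

# run_routes VERB IFACE: execute what route_cmds prints, reporting failures.
run_routes() {
    route_cmds "$1" "$2" | while read -r cmd; do
        $cmd || echo "vti-updown: '$cmd' failed" >&2
    done
}

run_default() {
    if [ -x "$DEFAULT_UPDOWN" ]; then
        "$DEFAULT_UPDOWN"
    fi
}

# main: pluto's updown hook on the client. On the way up the stock script
# creates vti9 first and the routes go in afterwards; on the way down the
# routes are removed while the device still exists, then the stock script runs.
main() {
    iface=${PLUTO_VIRT_INTERFACE:-vti9}
    case $PLUTO_VERB in
        down-client)
            run_routes "$PLUTO_VERB" "$iface"
            run_default ;;
        *)
            run_default
            run_routes "$PLUTO_VERB" "$iface" ;;
    esac
}

# Only act when pluto invokes us (PLUTO_VERB set); sourcing the file for
# inspection or tests runs nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    main
fi
```

Run `sh vti-updown.sh` with no PLUTO_VERB to load the functions and call `route_cmds up-client vti9` or `server_filter_rules` to see what would be executed; the server rules are meant to be installed once on the server, not by the client hook. Because the SA covers 0.0.0.0/0, the server-side DROP rule is the only thing keeping a client off networks that are not in the list, so it has to be in place before the conn is loaded.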