[Swan] Roadwarriors Setup With Routing

Nirvana nirvana21 at gmail.com
Tue Oct 31 12:19:10 UTC 2017


On Sat, Oct 28, 2017 at 5:15 AM, Paul Wouters <paul at nohats.ca> wrote:

> On Wed, 25 Oct 2017, Nirvana wrote:
>
>> This is the first time I have used Libreswan so if I misunderstand anything,
>> please let me know. I am attempting to
>> setup something similar to a roadwarriors configuration. It looks like
>> this:
>>
>>
>> mobile client <-----> NAT (dynamic IP) <-------- Internet -------->
>> (static IP) NAT <---------> server <-------->
>> internal gateway <--------> internal networks
>>
>> My goal is to have the mobile client be able to communicate with the
>> multiple internal networks by utilizing
>> static routes. So far I have only been successful getting the client to
>> be able to talk to one internal network at
>> time. I haven't had any authentication issues.
>>
>
>> Here is the configuration I have:
>>
>> Server:
>> conn roadwarriors2
>>         ikev2=insist
>>         fragmentation=yes
>>         left=192.168.9.11
>>         leftsubnets={192.168.2.0/24 192.168.3.0/24 192.168.9.0/24}
>>         leftcert=server
>>         leftid=external_static_ip #real IP removed
>>         leftxauthserver=yes
>>         leftmodecfgserver=yes
>>         right=%any
>>         rightca=%same
>>         rightaddresspool=192.168.9.12-192.168.9.14
>>
>
> I am not sure if we support multiple subnets with addresspool. That
> requires that three connections are instantiated to the CP assigned
> IP on the client.
>
>> I have been adding static routes on the client after the VPN is made (e.g.
>> ip route add 192.168.3.0/24 dev vti9).
>> It appears to be the case that whatever network is listed first under
>> leftsubnets directive on the server is the
>> only network the client can communicate with.
>>
>
> Yes, my guess is that you will only get one IPsec SA.
>
>> Regarding the vti9 already exists entry: it appears that Libreswan doesn't
>> remove the interface when exiting which
>> is why I think it is "in use". I have been able to remove it manually
>> using "ip link delete vti9".
>>
>
> It's a side-effect of us not fully supporting this scenario. You would
> have to put in vti-sharing=yes and it should stop showing errors.
>
>> Does anyone have any suggestions? Am I utilizing Libreswan wrong and
>> instead should be running L2TP over
>> Libreswan? If you need more information, I will gladly provide it.
>>
>
> No don't do L2TP
>
> You could either try splitting your conn into 3, and setting up 3
> independent tunnels.
>
> Or you can set up one for 0.0.0.0/0 on the server, install firewall rules
> there to limit traffic to the three networks, and give the client a custom
> leftupdown= script that only routes those 3 subnets into the single VTI
> device.
>
> Paul
>

Thanks for the response! I am doing what you suggested (0.0.0.0/0 on server
and adding routes for VTI interface) and it appears to be working. For
instance I am able to add a functioning route using: ip r a 192.168.2.0/24
dev vti9 scope link src 192.168.9.12

However, if I try to add routes using an updown script, I am having an issue
where vti9 isn't up yet, so I can't add the routes yet. Below is how I was
able to test that.

In the client config I added: leftupdown=/etc/ipsec.updown
and created that executable shell script with the following contents:

ip a
exit 0

I then started libreswan and this is what I see in the logs:

Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: 1: lo:
<LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:     inet
127.0.0.1/8 scope host lo
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
inet6 ::1/128 scope host
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: 2:
enp1s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP qlen 1000
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
link/ether 80:fa:5b:25:13:95 brd ff:ff:ff:ff:ff:ff
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:     inet
10.0.0.226/16 brd 10.0.255.255 scope global dynamic enp1s0f1
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
valid_lft 560sec preferred_lft 560sec
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
inet6 fe80::82fa:5bff:fe25:1395/64 scope link
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: 3:
virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state
DOWN qlen 1000
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:     inet
192.168.122.1/24 brd 192.168.122.255 scope global virbr0
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: 4:
virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0
state DOWN qlen 1000
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: 5:
ip_vti0 at NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output:
link/ipip 0.0.0.0 brd 0.0.0.0
Oct 31 08:02:17 client pluto[3525]: "client": route-host output: 1: lo:
<LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:     inet
127.0.0.1/8 scope host lo
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:
valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:     inet6
::1/128 scope host
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:
valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client": route-host output: 2:
enp1s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP qlen 1000
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:
link/ether 80:fa:5b:25:13:95 brd ff:ff:ff:ff:ff:ff
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:     inet
10.0.0.226/16 brd 10.0.255.255 scope global dynamic enp1s0f1
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:
valid_lft 560sec preferred_lft 560sec
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:     inet6
fe80::82fa:5bff:fe25:1395/64 scope link
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:
valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client": route-host output: 3: virbr0:
<NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen
1000
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:
link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:     inet
192.168.122.1/24 brd 192.168.122.255 scope global virbr0
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:
valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client": route-host output: 4:
virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0
state DOWN qlen 1000
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:
link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff
Oct 31 08:02:17 client pluto[3525]: "client": route-host output: 5:
ip_vti0 at NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
Oct 31 08:02:17 client pluto[3525]: "client": route-host output:
link/ipip 0.0.0.0 brd 0.0.0.0
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #1:
initiating v2 parent SA
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #1:
client IKE proposals for initial initiator (selecting KE):
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536
(default)
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #1:
STATE_PARENT_I1: sent v2I1, expected v2R1
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #1:
client ESP/AH proposals for initiator:
1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED
2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_gcm_16_256
integ=n/a prf=sha2_512 group=MODP2048}
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
certificate O=${org},CN=${cn} OK
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
IKEv2 mode peer ID is ID_IPV4_ADDR: '${external_static_ip}'
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
received INTERNAL_IP4_ADDRESS 192.168.9.12
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
received INTERNAL_IP4_DNS 192.168.2.10
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
state UNKNOWN qlen 1
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:     inet 127.0.0.1/8 scope host lo
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:        valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:     inet6 ::1/128 scope host
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:        valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output: 2: enp1s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
qdisc pfifo_fast state UP qlen 1000
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:     link/ether 80:fa:5b:25:13:95 brd ff:ff:ff:ff:ff:ff
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:     inet 10.0.0.226/16 brd 10.0.255.255 scope global
dynamic enp1s0f1
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:        valid_lft 559sec preferred_lft 559sec
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:     inet6 fe80::82fa:5bff:fe25:1395/64 scope link
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:        valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output: 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500
qdisc noqueue state DOWN qlen 1000
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:     link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:     inet 192.168.122.1/24 brd 192.168.122.255 scope
global virbr0
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:        valid_lft forever preferred_lft forever
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output: 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc
pfifo_fast master virbr0 state DOWN qlen 1000
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:     link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output: 5: ip_vti0 at NONE: <NOARP> mtu 1480 qdisc noop state DOWN
qlen 1
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
up-client output:     link/ipip 0.0.0.0 brd 0.0.0.0
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
negotiated connection [192.168.9.12,192.168.9.12:0-65535 0] ->
[0.0.0.0,255.255.255.255:0-65535 0]
Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2:
STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x86c04240
<0x493a7b96 xfrm=AES_GCM_C_256-NONE NATOA=none
NATD=${external_static_ip}:4500 DPD=passive}

It looks to me like during all three of these phases where the script
could be called, the vti interface doesn't exist yet and the IP hasn't been
negotiated yet. The only solution that pops into mind is to have an at job
add the routes later, but that feels messy. Am I missing something? Thanks
for the assistance.
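An added example, not code from this thread or from the libreswan project: a client-side leftupdown= script for the setup Paul describes (0.0.0.0/0 on the server, only the three internal subnets routed into the single VTI device). Because the up-client phase in the log above runs before the VTI device exists, the script polls for the device in the background for a bounded time and only then installs the routes, and removes them on down-client. It assumes pluto exports PLUTO_VERB, PLUTO_MY_SOURCEIP and PLUTO_VTI_IFACE to the script; the device name vti9, the source address and the three subnets are taken from the thread as fallbacks.

```shell
#!/bin/sh
# Constructed leftupdown= script for the client in this thread; not from
# libreswan or the poster. Assumed (not confirmed by the thread): pluto
# exports PLUTO_VERB, PLUTO_MY_SOURCEIP and PLUTO_VTI_IFACE to the script.
VTI_DEV="${PLUTO_VTI_IFACE:-vti9}"
VTI_SRC="${PLUTO_MY_SOURCEIP:-}"
SUBNETS="192.168.2.0/24 192.168.3.0/24 192.168.9.0/24"
WAIT_SECS=15
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"   # overridable for testing

# True once the kernel has created the device (readable without root).
vti_exists() { [ -d "$NET_SYSFS/$1" ]; }

# Print one "ip route" command per subnet. "src" is set only when pluto
# handed us a CP-assigned address, mirroring the manual command in the thread.
route_cmds() {  # $1=add|del  $2=device  $3=src-ip (may be empty)
    for net in $SUBNETS; do
        if [ -n "$3" ]; then
            printf 'ip route %s %s dev %s scope link src %s\n' "$1" "$net" "$2" "$3"
        else
            printf 'ip route %s %s dev %s scope link\n' "$1" "$net" "$2"
        fi
    done
}

# Poll for the VTI device for up to $3 seconds, then install the routes.
# Returns 1 and installs nothing if the device never appears, so the
# failure is visible in the log instead of silently leaving no routes.
install_routes_when_ready() {  # $1=device  $2=src-ip  $3=max-seconds
    n=0
    while ! vti_exists "$1"; do
        n=$((n + 1))
        [ "$n" -ge "$3" ] && return 1
        sleep 1
    done
    route_cmds add "$1" "$2" | sh
}

case "${PLUTO_VERB:-}" in
    up-client)
        # pluto waits for this script to return, so poll in the background
        # and let the up-client phase finish immediately.
        ( install_routes_when_ready "$VTI_DEV" "$VTI_SRC" "$WAIT_SECS" \
            || logger -t ipsec.updown "$VTI_DEV never appeared; no routes added" ) &
        ;;
    down-client)
        if vti_exists "$VTI_DEV"; then
            route_cmds del "$VTI_DEV" "$VTI_SRC" | sh
        fi
        ;;
esac
```

The server side still needs the firewall rules Paul mentions, since this script only restricts what the client routes into the tunnel, not what the server will forward.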