[Swan] A Super-LAN

Nick Howitt nick at howitts.co.uk
Thu Jan 11 22:23:08 UTC 2018


I don't know how to set up what you want but here are a few clarifications:
1 - left and right can be either end! Perhaps a better terminology for 
you to understand is "end1" and "end2". libreswan will work out which is 
the local and which is the remote end from things like the leftip. 
Typically people use left as local and right as remote but there is no 
need to and each end of the tunnel does not have to agree so each end 
could have left as its own machine. In some cases you can have a conn 
defined exactly the same at both ends, in which case end1 will be 
either left in both conns or right in both conns. It really does not matter.
2 - when you see an example of leftsourceip, it is only valid if left is 
the local end. If right is the local end, use rightsourceip. 
left/rightsourceip can be specified for the remote end but it has no 
meaning.
3 - 192.168.1.0/24 and 192.168.0.0/24 are rubbish subnets for your LAN 
if you have roadwarriors connecting in. Too many domestic routers use 
those subnets as default and it is quite important to have different LAN 
subnets at either end of the tunnel or you'll have real difficulty 
getting traffic to pass through the tunnel.

Nick
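To illustrate points 1 and 2 in libreswan syntax, here is an added example (not from this thread or the libreswan project) of one roadwarrior tunnel written twice: on the gateway with the gateway as left, and on the laptop with the laptop as right, so the laptop's fixed VPN address is set with rightsourceip rather than leftsourceip. All addresses, certificate names and IDs (203.0.113.10, gw.example.org, laptop1, 10.1.1.11) are assumed placeholders, and one conn per peer with a distinct rightid is assumed as the way to pin a known address to each peer.

```ini
# --- /etc/ipsec.d/laptop1.conf on the gateway VM (gateway is "left") ---
conn laptop1
    # end1: this gateway (assumed public IP that the router DNATs 500/4500 to)
    left=203.0.113.10
    leftid="CN=gw.example.org"       # assumed certificate subject
    leftcert=gw.example.org
    leftsubnet=192.168.1.0/24        # LAN behind the gateway
    # end2: the roadwarrior, whose address is unknown in advance
    right=%any
    rightid="CN=laptop1"             # assumed subject; selects this conn for this peer only
    rightsubnet=10.1.1.11/32         # the fixed VPN-internal address this peer must use
    rightca=%same                    # peer cert must chain to the same CA as ours
    ikev2=insist                     # IKEv2 only (libreswan 3.x keyword)
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftsendcert=always
    auto=add                         # wait for the peer to initiate

# --- /etc/ipsec.d/gateway.conf on the laptop (laptop is "right") ---
conn gateway
    # end1: the gateway, described exactly as above
    left=203.0.113.10
    leftid="CN=gw.example.org"
    leftsubnet=192.168.1.0/24
    # end2: this laptop; right* settings are the local ones here
    right=%defaultroute              # whatever the current uplink address is
    rightid="CN=laptop1"
    rightcert=laptop1
    rightsubnet=10.1.1.11/32
    rightsourceip=10.1.1.11          # local source address for traffic into the tunnel
    leftca=%same
    ikev2=insist
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    rightsendcert=always
    auto=start                       # the roadwarrior initiates
```

Note that leftsourceip on the laptop would be meaningless here because left is the remote end (point 2), and 192.168.1.0/24 as the LAN is kept only because the thread uses it (see point 3).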

On 11/01/2018 22:00, Colony.three wrote:
>
>> First, I am trying to figure out how to set up the right peer.  I 
>> have the left working now, and the right is a phone running the 
>> Strongswan app.  This works fine, but I find conflicting info on how 
>> to set up the right when on a laptop or other machine.
>>
>> The system is a LAN with a number of KVM virtual machines. One of 
>> these VMs is the router, with WAN access.  Another VM is the IPSec 
>> gateway running Libreswan -- ports 500 and 4500 are DNATted through 
>> the router, to the IPsec gateway VM.  This works fine with a remote 
>> Android phone and the Ss app.
>>
>> But there will also be remote laptops.  And a remote mail server.  
>> And all their IPs are changeable.
>>
>> My goal is to have all machines commoned together on the VPN. (they 
>> are all trusted)  The LAN class C is 192.168.1.0/24 and it would be 
>> ideal to assign remote machines a -known- IP in this range.  This way 
>> I'll know where everyone is.  If this is not possible then I'd like 
>> to have a VPN-internal range such as 10.1.1.0/24, but again to have 
>> each peer be assigned a -known- IP, so I know where each is.
>>
>> All connexions must be mutual, IOW peer A can scp files from peer B, 
>> and peer B can scp files from peer A.
>>
>> To set up a commoned system like this I suspect I'd need to set up 
>> individual segments between each peer and the gateway, in a 
>> hub-and-spoke.  Maybe I'd need a connexion one way, and a second one 
>> the other way?
>>
>> All will be IKEv2, and cert auth.
>>
>> I haven't been able to make myself understood on IRC as that's just 
>> snippets, so maybe someone here can advise.
>>
>>
>>
>> - How does the ipsec.conf differ between left and right?  I read some 
>> examples where they are identical, and some where their roles are 
>> reversed.  When system A is the LAN gateway and system B is a remote 
>> laptop, in systemA's ipsec.conf it is the left and B is the right.  
>> But on system B's ipsec.conf is it the left and system A the right?  
>> If so, what other ipsec.conf differences are there?  I can't find 
>> anything in the docs even showing a right ipsec.conf.
>>
>> - Is it possible to assign a -known- IP to peers?  I find in the man 
>> there is a  leftsourceip= but this seems to apply in only one 
>> direction, from left to right.  Is this the case? Or is there another 
>> way to assign known IPs to peers?  And is there a way to record them 
>> in a hosts file in some way.
>>
>> Hopefully I've explained this well enough to show that the goal is a 
>> super-LAN, extended beyond the core LAN with IPSec.
>
> Well my best idea doesn't work: https://paste.ee/p/SVNFf
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
