[Swan] net-to-net for road warriors
Alex
mysqlstudent at gmail.com
Tue Jan 22 23:38:42 UTC 2019
Hi, I have a Fedora 29 system with libreswan-3.27-1.fc29.x86_64 and
shorewall and am having some difficulty building a net-to-net VPN to
a similar system with a dynamic IP.
If I configure leftsubnet=192.168.6.0/24 I can't reach any of the
other networks on the server side. If I configure leftsubnet=0.0.0.0/0
I can't reach the other side at all. Should libreswan also configure
the routes necessary on the server side, or do I need to somehow add
them manually?
I'd also like to be able to reach the VPN server itself. When
I try, shorewall rejects it, because I don't think it's being tunneled
through the VPN:
[278917.437988] ext-fw REJECT IN=br0 OUT= PHYSIN=eth0
MAC=0c:c4:7a:a9:18:de:a4:15:88:a9:30:b7:08:00 SRC=68.192.251.223
DST=68.195.193.42 LEN=84 TOS=0x1C PREC=0x00 TTL=58 ID=25866 DF
PROTO=ICMP TYPE=8 CODE=0
Server side:
conn wyckoff
        left=68.195.193.42
        leftcert=orion
        leftid=@orion
        leftsendcert=always
        leftsubnet=192.168.6.0/24
        leftrsasigkey=%cert
        right=%any
        rightaddresspool=192.168.6.70-192.168.6.80
        rightca=%same
        rightrsasigkey=%cert
        modecfgdns=192.168.1.1,68.195.193.44
        narrowing=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        fragmentation=yes
Client side:
conn orionrw
        left=%defaultroute
        leftcert=wyckoff.crabdance.com
        leftid=%fromcert
        leftrsasigkey=%cert
        leftsubnet=0.0.0.0/0
        leftmodecfgclient=yes
        right=orion.example.com
        rightsubnet=0.0.0.0/0
        rightid=@orion.example.com
        rightrsasigkey=%cert
        narrowing=yes
        ikev2=insist
        rekey=yes
        fragmentation=yes
        mobike=yes
        auto=add
Server:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
0.0.0.0         68.195.193.41   0.0.0.0          UG    0      0   0   br0
68.195.193.40   0.0.0.0         255.255.255.248  U     0      0   0   br0
192.168.1.0     0.0.0.0         255.255.255.0    U     0      0   0   eth1
192.168.6.0     0.0.0.0         255.255.255.0    U     0      0   0   eth1
192.168.6.70    0.0.0.0         255.255.255.255  UH    0      0   0   br0
192.168.122.0   0.0.0.0         255.255.255.0    U     0      0   0   virbr0
I've uploaded "ipsec status" from the server side here. This includes
info on the other tunnels on this system as well.
https://pastebin.com/hE9iD99S
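The following is an added worked example, not code from the poster or from libreswan, illustrating what the two conn definitions above negotiate. With narrowing=yes an IKEv2 responder narrows the initiator's proposed traffic selector to what its own conn permits, so the child SA carries only the intersection of the two sides' subnets; any destination outside that intersection is never handed to IPsec and leaves the host in cleartext, which is the kind of packet the shorewall line above is rejecting. The example assumes the simple case where one selector is a subnet of the other (real selector negotiation also handles ranges and ports), and it reuses the subnets and the firewall log line quoted in the post; the function names (narrow, covered, parse_netfilter_log, destination_is_tunneled) are this example's own.

```python
"""Traffic-selector narrowing and a check of which destinations a tunnel
actually carries. Added example; not part of the post or of libreswan."""
import ipaddress
import re

# Values copied from the post's conn definitions.
SERVER_LEFTSUBNET = "192.168.6.0/24"   # what the server (responder) offers
CLIENT_RIGHTSUBNET = "0.0.0.0/0"       # what the client (initiator) asks for
SERVER_PUBLIC_IP = "68.195.193.42"

# Constructed from the netfilter/shorewall line quoted in the post.
LOG_LINE = ("[278917.437988] ext-fw REJECT IN=br0 OUT= PHYSIN=eth0 "
            "MAC=0c:c4:7a:a9:18:de:a4:15:88:a9:30:b7:08:00 SRC=68.192.251.223 "
            "DST=68.195.193.42 LEN=84 TOS=0x1C PREC=0x00 TTL=58 ID=25866 DF "
            "PROTO=ICMP TYPE=8 CODE=0")


def narrow(initiator_ts, responder_ts):
    """Intersect two CIDR traffic selectors the way IKEv2 narrowing does.

    Returns the narrower network when one contains the other, or None when
    the two selectors are disjoint (in which case no child SA can be set up).
    """
    a = ipaddress.ip_network(initiator_ts, strict=False)
    b = ipaddress.ip_network(responder_ts, strict=False)
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def covered(ts, address):
    """True if `address` lies inside the negotiated selector `ts`."""
    if ts is None:
        return False
    return ipaddress.ip_address(address) in ts


def parse_netfilter_log(line):
    """Pull the key=value fields (IN, OUT, SRC, DST, PROTO, ...) out of a
    netfilter log line; keys with an empty value (e.g. OUT=) are kept."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def destination_is_tunneled(line, initiator_ts=CLIENT_RIGHTSUBNET,
                            responder_ts=SERVER_LEFTSUBNET):
    """Given a logged packet, report whether its DST falls inside the
    selector the two conns would negotiate."""
    fields = parse_netfilter_log(line)
    return covered(narrow(initiator_ts, responder_ts), fields["DST"])


if __name__ == "__main__":
    ts = narrow(CLIENT_RIGHTSUBNET, SERVER_LEFTSUBNET)
    print(f"negotiated selector: {ts}")
    for dst in ("192.168.6.1", "192.168.1.1", SERVER_PUBLIC_IP):
        state = "inside tunnel" if covered(ts, dst) else "cleartext"
        print(f"{dst:>16}: {state}")
    print("logged packet tunneled:", destination_is_tunneled(LOG_LINE))
```

Run as written, the negotiated selector comes out as 192.168.6.0/24: only that network is inside the tunnel, while 192.168.1.1 and the server's own address 68.195.193.42 are cleartext destinations, and the logged ICMP packet to the server is reported as not tunneled. Changing SERVER_LEFTSUBNET to 0.0.0.0/0 widens the selector to everything, which is the reverse of what the poster observed on the client side and shows that the selector alone does not explain the second symptom.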