[Swan] net-to-net for road warriors

Alex mysqlstudent at gmail.com
Tue Jan 22 23:38:42 UTC 2019


Hi, I have a Fedora 29 system with libreswan-3.27-1.fc29.x86_64 and
shorewall, and I am having some difficulty building a net-to-net VPN to
a similar system with a dynamic IP.

If I configure leftsubnet=192.168.6.0/24 I can't reach any of the
other networks on the server side. If I configure leftsubnet=0.0.0.0/0
I can't reach the other side at all. Should libreswan also configure
the routes necessary on the server side, or do I need to somehow add
them manually?

I'd also like to be able to reach the VPN server itself. When I try,
shorewall rejects it, because I don't think it's being tunneled
through the VPN:

[278917.437988] ext-fw REJECT IN=br0 OUT= PHYSIN=eth0
MAC=0c:c4:7a:a9:18:de:a4:15:88:a9:30:b7:08:00 SRC=68.192.251.223
DST=68.195.193.42 LEN=84 TOS=0x1C PREC=0x00 TTL=58 ID=25866 DF
PROTO=ICMP TYPE=8 CODE=0

Server side:
conn wyckoff
    left=68.195.193.42
    leftcert=orion
    leftid=@orion
    leftsendcert=always
    leftsubnet=192.168.6.0/24
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.6.70-192.168.6.80
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=192.168.1.1,68.195.193.44
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes

Client side:
conn orionrw
    left=%defaultroute
    leftcert=wyckoff.crabdance.com
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsubnet=0.0.0.0/0
    leftmodecfgclient=yes
    right=orion.example.com
    rightsubnet=0.0.0.0/0
    rightid=@orion.example.com
    rightrsasigkey=%cert
    narrowing=yes
    ikev2=insist
    rekey=yes
    fragmentation=yes
    mobike=yes
    auto=add

Server:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.195.193.41   0.0.0.0         UG    0      0        0 br0
68.195.193.40   0.0.0.0         255.255.255.248 U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.6.70    0.0.0.0         255.255.255.255 UH    0      0        0 br0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

I've uploaded "ipsec status" from the server side here. This includes
info on the other tunnels on this system as well.
https://pastebin.com/hE9iD99S
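The two symptoms in this post (other server-side networks unreachable with leftsubnet=192.168.6.0/24, and the shorewall REJECT for a ping to the server's public address) both come down to which source/destination pairs fall inside the conn's IPsec traffic selectors: only packets whose addresses match leftsubnet on one end and rightaddresspool on the other are sent through the tunnel, and anything else is routed in the clear. The following is an added example (not code from the post or from libreswan) that parses the server-side conn and the netfilter log line above and reports whether a given packet would be covered by the conn. The sample config and log line are taken from the post; the helper names and the simplified key=value parsing are my own assumptions, not libreswan's parser.

```python
import ipaddress
import re

# Constructed sample: the server-side conn from the post, trimmed to the
# keys that define the IPsec traffic selectors.
SERVER_CONN = """
conn wyckoff
    left=68.195.193.42
    leftsubnet=192.168.6.0/24
    right=%any
    rightaddresspool=192.168.6.70-192.168.6.80
"""

# Constructed sample: the shorewall/netfilter REJECT line from the post.
LOG_LINE = ("[278917.437988] ext-fw REJECT IN=br0 OUT= PHYSIN=eth0 "
            "MAC=0c:c4:7a:a9:18:de:a4:15:88:a9:30:b7:08:00 SRC=68.192.251.223 "
            "DST=68.195.193.42 LEN=84 TOS=0x1C PREC=0x00 TTL=58 ID=25866 DF "
            "PROTO=ICMP TYPE=8 CODE=0")


def parse_conn(text):
    """Parse the key=value lines of a single ipsec.conf conn section (assumed
    simplified format: one key per line, no includes or %default merging)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conn ") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def expand(spec):
    """Turn a CIDR ('192.168.6.0/24') or an address range
    ('192.168.6.70-192.168.6.80', as used by rightaddresspool) into a list
    of ip_network objects that cover exactly those addresses."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


def parse_netfilter_line(line):
    """Extract the KEY=VALUE fields of a netfilter LOG line into a dict."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def would_be_tunneled(conf, src, dst):
    """True if a packet src->dst lies inside the conn's traffic selectors in
    either direction (pool -> leftsubnet inbound, leftsubnet -> pool outbound)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    local = expand(conf["leftsubnet"])
    remote = expand(conf["rightaddresspool"])
    inbound = any(src in n for n in remote) and any(dst in n for n in local)
    outbound = any(src in n for n in local) and any(dst in n for n in remote)
    return inbound or outbound


def check_log_line(conf, line):
    """Classify a logged packet: tunneled by this conn, or sent in the clear."""
    fields = parse_netfilter_line(line)
    tunneled = would_be_tunneled(conf, fields["SRC"], fields["DST"])
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO"),
        "tunneled": tunneled,
    }


if __name__ == "__main__":
    conf = parse_conn(SERVER_CONN)
    # A pool client talking to the 192.168.6.0/24 LAN is covered...
    print(would_be_tunneled(conf, "192.168.6.70", "192.168.6.1"))
    # ...but 192.168.1.0/24 is outside leftsubnet, so it is not.
    print(would_be_tunneled(conf, "192.168.6.70", "192.168.1.1"))
    # The rejected ping is public IP -> public IP: outside every selector.
    print(check_log_line(conf, LOG_LINE))
```

Running it shows the rejected ICMP echo has SRC/DST of 68.192.251.223 and 68.195.193.42, neither of which is in leftsubnet or the address pool, so it never enters the tunnel and hits the external firewall zone; likewise a pool client sending to 192.168.1.x is outside leftsubnet=192.168.6.0/24. Widening leftsubnet to 0.0.0.0/0 in the same check makes the 192.168.1.x case match, which is consistent with the first question in the post.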


More information about the Swan mailing list