[Swan] net-to-net for road warriors

Paul Wouters paul at nohats.ca
Wed Jan 23 00:33:02 UTC 2019

On Tue, 22 Jan 2019, Alex wrote:

> Subject: [Swan] net-to-net for road warriors
> Hi, I have a fedora29 system with libreswan-3.27-1.fc29.x86_64 and
> shorewall and having some difficulty with building a net-to-net VPN to
> a similar system with a dynamic IP.
> If I configure leftsubnet= I can't reach any of the
> other networks on the server side.

You need to add a passthrough for the local traffic as explained at:


conn passthrough

> If I configure leftsubnet=
> I can't reach the other side at all. Should libreswan also configure
> the routes necessary on the server side, or do I need to somehow add
> them manually?

If you add leftsourceip= and rightsourceip= then all routes should be
added automatically.

> I'd also like to be able to reach the VPN server itself as well. When
> I try, shorewall rejects it, because I don't think it's being tunneled
> through the VPN:

Using leftsourceip/rightsourceip also addresses that problem, as the
added route will ensure you are using the private and not the public
IP as source address for the remote subnet.

> Server side:
> conn wyckoff
>    left=
>    leftcert=orion
>    leftid=@orion

>    leftsendcert=always
>    leftsubnet=
>    leftrsasigkey=%cert
>    right=%any
>    rightaddresspool=

You want an addresspool?? That is not the same as the net-to-net you
described above. So if you want a roadwarrior to a remote access VPN
server, then forget all of this and make a config based on

> Client Side:
> conn orionrw
>        left=%defaultroute
>        leftcert=wyckoff.crabdance.com
>        leftid=%fromcert
>        leftrsasigkey=%cert
>        leftsubnet=
>        leftmodecfgclient=yes
>        right=orion.example.com
>        rightsubnet=

Note you don't want 0/0 on both sides of the link.

>        rightid=@orion.example.com

This rightid does not match the above leftid. So that needs fixing.

If you want a remote access VPN to access a remote subnet, use the
remote access config with the addresspool. If you want a subnet to
subnet, where one of the endpoints is on a dynamic IP, you want
to use leftsubnet/rightsubnet and not addresspool= and just change
the regular site-to-site config to be right=%any on the server for
the clients, and left=%defaultroute for the client side on the client.
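The subnet-to-subnet layout Paul describes, written out as an added ipsec.conf example (not taken from the thread or from the libreswan project): a static server answering right=%any, a dynamic-IP client using left=%defaultroute, real subnets on both sides instead of 0/0, IDs that match in both directions, leftsourceip/rightsourceip so the routes are added automatically, and no addresspool= or leftmodecfgclient=. The addresses 203.0.113.10, 10.1.0.0/24 and 10.2.0.0/24 are constructed placeholders; the certificate nicknames are reused from the thread; the passthrough conn uses type=passthrough, authby=never and auto=route, which are libreswan keywords assumed from its documentation rather than quoted in the message.

```ini
# --- Server side (static public IP): added example, constructed values ---
conn wyckoff
    left=203.0.113.10              # constructed: the server's public address
    leftcert=orion
    leftid=@orion                  # the client's rightid must be exactly this
    leftsendcert=always
    leftrsasigkey=%cert
    leftsubnet=10.1.0.0/24         # constructed: LAN behind the server, not 0/0
    leftsourceip=10.1.0.1          # constructed: server's LAN address, used as
                                   # source for traffic to the remote subnet
    right=%any                     # client comes from a dynamic IP
    rightid=@wyckoff.crabdance.com # the client's leftid must be exactly this
    rightrsasigkey=%cert
    rightsubnet=10.2.0.0/24        # constructed: LAN behind the client
    rightsourceip=10.2.0.1         # constructed: client's LAN address
    auto=add                       # server only responds; the dynamic side initiates

# Only needed when a tunnel selector is wider than the server's own LANs
# (e.g. leftsubnet=0.0.0.0/0): exempt local traffic so it never enters the
# tunnel. Assumed libreswan passthrough syntax; subnet is constructed.
conn passthrough
    leftsubnet=10.1.0.0/24
    rightsubnet=10.1.0.0/24
    type=passthrough
    authby=never
    auto=route

# --- Client side (dynamic IP): added example, constructed values ---
conn orionrw
    left=%defaultroute             # whatever address the client currently has
    leftcert=wyckoff.crabdance.com
    leftid=@wyckoff.crabdance.com  # matches rightid on the server
    leftrsasigkey=%cert
    leftsubnet=10.2.0.0/24         # constructed: the client's LAN
    leftsourceip=10.2.0.1          # constructed
    right=orion.example.com
    rightid=@orion                 # equals the server's leftid (the thread had
                                   # @orion.example.com here, which does not match)
    rightrsasigkey=%cert
    rightsubnet=10.1.0.0/24        # constructed: the server's LAN, not 0/0
    rightsourceip=10.1.0.1         # constructed
    auto=start                     # the dynamic side brings the tunnel up
```

With leftsourceip/rightsourceip set, libreswan installs the route to the remote subnet with the private LAN address as source, which is what lets the client reach the VPN server itself rather than being rejected by the firewall as untunneled public-IP traffic. The ID fields are compared literally, so `@orion` and `@orion.example.com` are different identities; whichever form is used, it has to be the same string on both ends.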
