[Swan] net-to-net for road warriors

Alex mysqlstudent at gmail.com
Wed Jan 23 15:38:21 UTC 2019


Hi,

> If you want a remote access vpn to access a remote subnet, use the
> remote access config with the addresspool. If you want a subnet to
> subnet, where one of the endpoints is on a dynamic IP, you want
> to use leftsubnet/rightsubnet and not addresspool= and just change
> the regular site-to-site config to be right=%any on the server for
> the clients, and left=%defaultroute for the client side on the client.

Yes, I want both clients connected on the dynamic network side and the
dynamic server itself to be able to connect to the network behind the
VPN server, as well as the server itself.

I've now tried to do it using RSA keys, but it has a problem with the
"%any" statement:

config setup
        protostack=netkey

conn mysubnet
        also=wyckofftun
        rightsubnet=192.168.11.0/24
        leftsubnet=192.168.1.0/24
        auto=start

conn wyckofftun
        authby=rsasig
        auto=start
        ikev2=insist
        fragmentation=yes

        # dynamic side
        rightid=@wyckoff-orion
        right=%any
        # rsakey AwEAAbhmG
        rightrsasigkey=0sAwEAAbhmGOeY6...

        # server side
        leftid=@orion-wyckoff
        left=%defaultroute
        # rsakey AwEAAbrFz
        leftrsasigkey=0sAwEAAbrFzHlMRChBGKU...

# ipsec status
...
000 "wyckofftun": 68.195.193.42[@orion-wyckoff]---68.195.193.41...%any[@wyckoff-orion]; unrouted; eroute owner: #0
000 "wyckofftun":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "wyckofftun":   xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "wyckofftun":   our auth:rsasig, their auth:rsasig
000 "wyckofftun":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "wyckofftun":   labeled_ipsec:no;
000 "wyckofftun":   policy_label:unset;
000 "wyckofftun":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "wyckofftun":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "wyckofftun":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "wyckofftun":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "wyckofftun":   conn_prio: 32,32; interface: br0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "wyckofftun":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "wyckofftun":   our idtype: ID_FQDN; our id=@orion-wyckoff; their idtype: ID_FQDN; their id=@wyckoff-orion
000 "wyckofftun":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "wyckofftun":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "wyckofftun":   IKE algorithms: AES_GCM_16_256-HMAC_SHA2_512-DH19, AES_GCM_16_256-HMAC_SHA2_...

What am I missing? I followed these directions:
https://libreswan.org/wiki/Subnet_to_subnet_VPN

There are also multiple networks on the server side, but it doesn't
appear that it supports that on the leftsubnet line?
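As an added illustration (not from this thread and not libreswan's own documentation), this is the split the quoted advice describes, written as two separate ipsec.conf fragments instead of one conn that mixes right=%any with left=%defaultroute: the static-address server only responds (auto=add, because pluto cannot initiate towards a %any peer whose address it does not know), and the dynamic-address client initiates (auto=start). It assumes 68.195.193.42 is the server's public address as shown in the status output, that the libreswan version in use supports leftsubnets= for listing several server-side networks, that 192.168.2.0/24 stands in for the second server-side network (constructed), and that the keys are placeholders for the real rsasigkey values.

```conf
# ---- server side: static address, responder for the dynamic peer ----
config setup
        protostack=netkey

conn wyckofftun
        authby=rsasig
        ikev2=insist
        fragmentation=yes
        # responder only: a conn with right=%any is a template that pluto
        # cannot initiate, so load it (add) instead of starting it
        auto=add
        left=68.195.193.42
        leftid=@orion-wyckoff
        leftrsasigkey=0sPLACEHOLDER-SERVER-PUBKEY
        # all networks behind the server; each entry becomes its own
        # conn instance (wyckofftun/1x1, wyckofftun/2x1, ...) and child SA
        # (192.168.2.0/24 is a constructed stand-in for the second network)
        leftsubnets={192.168.1.0/24 192.168.2.0/24}
        right=%any
        rightid=@wyckoff-orion
        rightrsasigkey=0sPLACEHOLDER-CLIENT-PUBKEY
        rightsubnet=192.168.11.0/24

# ---- client side: dynamic address, initiator ----
config setup
        protostack=netkey

conn wyckofftun
        authby=rsasig
        ikev2=insist
        fragmentation=yes
        # initiator: the client knows the server address, so it can start
        auto=start
        left=%defaultroute
        leftid=@wyckoff-orion
        leftrsasigkey=0sPLACEHOLDER-CLIENT-PUBKEY
        leftsubnet=192.168.11.0/24
        right=68.195.193.42
        rightid=@orion-wyckoff
        rightrsasigkey=0sPLACEHOLDER-SERVER-PUBKEY
        # mirror of the server's leftsubnets= list
        rightsubnets={192.168.1.0/24 192.168.2.0/24}
```

On the server, `ipsec status` then shows the %any conn as a template and lists a separate instance with the client's real address only after that client has connected.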
