[Swan] net-to-net for road warriors
Alex
mysqlstudent at gmail.com
Wed Jan 23 15:38:21 UTC 2019
Hi,
> If you want a remote access vpn to access a remote subnet, use the
> remote access config with the addresspool. If you want a subnet to
> subnet, where one of the endpoints is on a dynamic IP, you want
> to use leftsubnet/rightsubnet and not addresspool= and just change
> the regular site-to-site config to be right=%any on the server for
> the clients, and left=%defaultroute for the client side on the client.
Yes, I want both clients connected on the dynamic network side and the
dynamic server itself to be able to connect to the network behind the
VPN server, as well as the server itself.
I've now tried to do it using RSA keys, but it has a problem with the
"%any" statement:
config setup
    protostack=netkey

# subnet-to-subnet conn; host and auth settings are pulled in from wyckofftun
conn mysubnet
    also=wyckofftun
    rightsubnet=192.168.11.0/24
    leftsubnet=192.168.1.0/24
    auto=start

conn wyckofftun
    authby=rsasig
    auto=start
    ikev2=insist
    fragmentation=yes
    # dynamic side (peer address not known in advance)
    rightid=@wyckoff-orion
    right=%any
    # rsakey AwEAAbhmG
    rightrsasigkey=0sAwEAAbhmGOeY6...
    # server side (this host)
    leftid=@orion-wyckoff
    left=%defaultroute
    # rsakey AwEAAbrFz
    leftrsasigkey=0sAwEAAbrFzHlMRChBGKU...
# ipsec status
...
000 "wyckofftun": 68.195.193.42[@orion-wyckoff]---68.195.193.41...%any[@wyckoff-orion]; unrouted; eroute owner: #0
000 "wyckofftun":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "wyckofftun":   xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "wyckofftun":   our auth:rsasig, their auth:rsasig
000 "wyckofftun":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "wyckofftun":   labeled_ipsec:no;
000 "wyckofftun":   policy_label:unset;
000 "wyckofftun":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "wyckofftun":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "wyckofftun":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "wyckofftun":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "wyckofftun":   conn_prio: 32,32; interface: br0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "wyckofftun":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "wyckofftun":   our idtype: ID_FQDN; our id=@orion-wyckoff; their idtype: ID_FQDN; their id=@wyckoff-orion
000 "wyckofftun":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "wyckofftun":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "wyckofftun":   IKE algorithms: AES_GCM_16_256-HMAC_SHA2_512-DH19, AES_GCM_16_256-HMAC_SHA2_...
What am I missing? I followed these directions:
https://libreswan.org/wiki/Subnet_to_subnet_VPN
There are also multiple networks on the server side, but it doesn't
appear that it supports that on the leftsubnet line?
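As an added illustration (editor's example, not part of this thread or of the libreswan wiki page), here is how the quoted advice maps onto a pair of ipsec.conf files: the static-address side pins only the peer's ID and public key and loads the conn with auto=add, since a %any peer can only be answered, never initiated; the dynamic side uses left=%defaultroute and auto=start. The subnets and IDs are the ones from the message; the server name vpn.example.org, the inside addresses 192.168.1.1 and 192.168.11.1, the second server-side subnet 192.168.2.0/24 and the key placeholders are assumptions. Several subnets behind one endpoint go in the plural leftsubnets=/rightsubnets= keyword documented in ipsec.conf(5), which libreswan expands into one conn per subnet pair.

```ini
# --- Server (static public address), /etc/ipsec.conf ---
# Added example, not the poster's config. Key blobs are placeholders: take them
# from 'ipsec showhostkey --left' (or --right) on the host that owns the key.
config setup
    protostack=netkey

conn wyckoff-lan
    ikev2=insist
    authby=rsasig
    fragmentation=yes
    # this host: static address, two inside subnets (plural keyword)
    left=%defaultroute
    leftid=@orion-wyckoff
    leftrsasigkey=0s<server public key>
    leftsubnets={192.168.1.0/24 192.168.2.0/24}   # 192.168.2.0/24 is an assumed second LAN
    # peer: address unknown in advance, so only its ID and key are pinned
    right=%any
    rightid=@wyckoff-orion
    rightrsasigkey=0s<client public key>
    rightsubnet=192.168.11.0/24
    # a %any peer cannot be initiated, only answered: load the conn, do not start it
    auto=add

# --- Client (dynamic address), /etc/ipsec.conf ---
config setup
    protostack=netkey

conn orion-lan
    ikev2=insist
    authby=rsasig
    fragmentation=yes
    # this host: whatever address the current default route carries
    left=%defaultroute
    leftid=@wyckoff-orion
    leftrsasigkey=0s<client public key>
    leftsubnet=192.168.11.0/24
    leftsourceip=192.168.11.1        # assumed inside address; lets this gateway itself use the tunnel
    # server: assumed DNS name, resolved at load time
    right=vpn.example.org
    rightid=@orion-wyckoff
    rightrsasigkey=0s<server public key>
    rightsubnets={192.168.1.0/24 192.168.2.0/24}
    # re-initiate after an address change or a dead peer
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
```

A subnet-to-subnet SA covers hosts behind each gateway, not the gateway's own public address; leftsourceip= (shown on the client, where there is a single leftsubnet it must fall inside) makes the gateway originate traffic from its inside address so its own packets match the tunnel policy. After loading, `ipsec status` on the server should list one template conn per subnet pair and, once the client has connected, an instantiated copy with a non-zero IPsec SA number.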