[Swan] net-to-net for road warriors

Alex mysqlstudent at gmail.com
Thu Jan 24 02:57:28 UTC 2019


> > The endpoint is not behind NAT. It is laptops and desktops and phones
> > connected to the remote VPN gateway on a private network with a
> > dynamic IP. The gateway then uses NAT to allow them to communicate
> > with the Internet, of course.
> I'm still not fully clear what you are doing. Are the laptops and
> desktops and phones on a LAN with NAT, and there is a remote VPN gateway
> somewhere else on the internet? If so, then your right= should for sure
> point to that remote VPN server's DNS name or IP address in your clients'
> config.

It looks like this:

    [Remote Office] ----- dynamicIP libreswan ------ VPN gateway libreswan ----- [Main office]

There are laptops and desktops in a building with a dynamic IP from
Optonline. In the main office there is a static IP and other desktops
and laptops and phones. I'd like to connect the two branch offices
together, and figured since one side had a dynamic IP connecting to
the Internet, it would be considered a road warrior setup. I now know
that's not correct.

> > So you're saying go back to using RSA keys instead of certs, correct?
> No I did not.

Okay. I read that net-to-net connections were using RSA keys:

That's when I switched.

At some point I thought it was working. Is there a known problem with
using RSA keys? Any idea why it can't find its own private key?

I will try now with certs.
