[Swan] net-to-net for road warriors

Paul Wouters paul at nohats.ca
Thu Jan 24 04:01:34 UTC 2019


On Wed, 23 Jan 2019, Alex wrote:

>> I'm still not fully clear what you are doing. Are the laptops and
>> desktops and phones on a LAN with NAT and there is a remote VPN gateway
>> somewhere else on the internet? If you then your right= should for sure
>> point to that remote VPN server DNS name or IP address on your clients'
>> config.
>
> It looks like this:
>
>    [Remote Office]                                       [Main office]
> 192.168.11.0/24 ----- dynamicIP libreswan ------ VPN gateway libreswan --- 192.168.1.0/24
>
> There are laptops and desktops in a building with a dynamic IP from
> Optonline. In the main office there is a static IP and other desktops
> and laptops and phones. I'd like to connect the two branch offices
> together, and figured since one side had a dynamic IP connecting to
> the Internet, it would be considered a road warrior setup. I now know
> that's not correct.

Ohh, yeah, that we call site-to-site. While it is also technically a
roadwarrior because you are on a dynamic IP with one end, we tend to
not call it that.

The important thing is, for a site-to-site you have a leftsubnet and
rightsubnet, and never have an addresspool because you already have the
IP addresses of both ends of the tunnels.

> Okay. I read that net-to-net connections were using RSA keys:
> https://libreswan.org/wiki/Subnet_to_subnet_VPN
> https://libreswan.org/wiki/Host_to_host_VPN
>
> That's when I switched.
>
> At some point I thought it was working. Is there a known problem with
> using RSA keys? Any idea why it can't find its own private key?
>
> I will try now with certs.

You can use whatever authentication you like. If these are two libreswan
endpoints, you can just use raw RSA since it is easier to set up than
certificates. But if one endpoint is not libreswan, it might be easier
to set up using certificates.

Regardless, the side on dynamic IP should have auto=start and rekey=yes
and the side on static IP should have auto=add and rekey=no. The
one with static IP will have (assuming you used left for local, and right
for remote) left=staticip and right=%any. On the end with dynamic IP
you will have (again assuming you used left for local, and right for
remote) left=%defaultroute and right=staticip.

That way, the dynamic endpoint will always initiate since the endpoint
with static ip will not know where to initiate to since the other end
is on dynamic ip.

Paul
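To make the two-sided recipe above concrete, here is an added example of a matching pair of libreswan ipsec.conf conn sections for the setup in the diagram (this is illustrative config, not something posted in the thread). The static IP 203.0.113.10, the @main.example.com / @remote.example.com IDs and the 0s... key strings are placeholders; the real public keys come from `ipsec showhostkey --left` (or --right) on each gateway.

```ini
# --- Main office gateway (static IP 203.0.113.10, LAN 192.168.1.0/24) ---
conn main-to-remote
    keyexchange=ikev2
    authby=rsasig
    # left = local side: the static IP and the main office LAN
    left=203.0.113.10
    leftid=@main.example.com
    leftsubnet=192.168.1.0/24
    leftrsasigkey=0sMAIN_OFFICE_PUBKEY_PLACEHOLDER
    # right = remote side: address unknown in advance, so %any;
    # the ID plus its raw RSA key still pins which peer may connect
    right=%any
    rightid=@remote.example.com
    rightsubnet=192.168.11.0/24
    rightrsasigkey=0sREMOTE_OFFICE_PUBKEY_PLACEHOLDER
    # static end only loads and waits: it cannot initiate to an
    # address it does not know, so it also must not drive rekeys
    auto=add
    rekey=no

# --- Remote office gateway (dynamic IP, LAN 192.168.11.0/24) ---
conn remote-to-main
    keyexchange=ikev2
    authby=rsasig
    # left = local side: whatever address the default route currently has
    left=%defaultroute
    leftid=@remote.example.com
    leftsubnet=192.168.11.0/24
    leftrsasigkey=0sREMOTE_OFFICE_PUBKEY_PLACEHOLDER
    # right = remote side: the fixed address of the main office gateway
    right=203.0.113.10
    rightid=@main.example.com
    rightsubnet=192.168.1.0/24
    rightrsasigkey=0sMAIN_OFFICE_PUBKEY_PLACEHOLDER
    # dynamic end always initiates and keeps the tunnel alive
    auto=start
    rekey=yes
```

Note that the same two public keys appear on both sides, only with the left/right roles swapped, and neither conn has an addresspool because both subnets are already known.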

