[Swan] net-to-net for road warriors

Nick Howitt nick at howitts.co.uk
Thu Jan 24 08:14:28 UTC 2019

On 24/01/2019 04:01, Paul Wouters wrote:
> On Wed, 23 Jan 2019, Alex wrote:
>>> I'm still not fully clear what you are doing. Are the laptops and
>>> desktops and phones on a LAN with NAT and there is a remote VPN gateway
>>> somewhere else on the internet? If so, then your right= should for sure
>>> point to that remote VPN server DNS name or IP address on your clients'
>>> config.
>> It looks like this:
>>    [Remote Office]                          [Main office]
>> ----- dynamicIP libreswan ------ VPN gateway libreswan ---
>> There are laptops and desktops in a building with a dynamic IP from
>> Optonline. In the main office there is a static IP and other desktops
>> and laptops and phones. I'd like to connect the two branch offices
>> together, and figured since one side had a dynamic IP connecting to
>> the Internet, it would be considered a road warrior setup. I now know
>> that's not correct.
> Ohh, yeah, that we call site-to-site. While it is also technically a
> roadwarrior because you are on a dynamic IP with one end, we tend to
> not call it that.
> The important thing is, for a site-to-site you have a leftsubnet and
> rightsubnet, and never have an addresspool because you already have the
> IP addresses of both ends of the tunnels.
>> Okay. I read that net-to-net connections were using RSA keys:
>> https://libreswan.org/wiki/Subnet_to_subnet_VPN
>> https://libreswan.org/wiki/Host_to_host_VPN
>> That's when I switched.
>> At some point I thought it was working. Is there a known problem with
>> using RSA keys? Any idea why it can't find its own private key?
>> I will try now with certs.
> You can use whatever authentication you like. If these are two libreswan
> endpoints, you can just use raw RSA since it is easier to set up than
> certificates. But if one endpoint is not libreswan, it might be easier
> to set up using certificates.
I know it is blasphemy, but just to get the concept going, is it worth
trying with a PSK? Then, once you're happy, switch to RSA or x509.
> Regardless, the side on dynamic IP should have auto=start and rekey=yes
> and the side on static IP should have auto=add and rekey=no. The
> one with static IP will have (assuming you used left for local, and right
> for remote) left=staticip and right=%any. On the end with dynamic IP
> you will have (again assuming you used left for local, and right for
> remote) left=%defaultroute and right=staticip
Also, should you increase the keylives of the static end so it does not
expire the conn before the dynamic end rekeys?
> That way, the dynamic endpoint will always initiate since the endpoint
> with static ip will not know where to initiate to since the other end
> is on dynamic ip.
> Paul
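To make Paul's site-to-site advice concrete, here is an added example of the two ipsec.conf conn blocks, one per gateway; it is not code from the thread or from the libreswan project. The public IP, the two subnets, the @ids and the 0s... key strings are placeholders, and the lifetimes and DPD settings are my own choices that follow Nick's keylife remark.

```ini
# Static (main office) end: loads the conn and waits; it cannot initiate
# because it does not know the remote office's current address.
conn site-to-site
    # site-to-site: both subnets are known, so no addresspool on either side
    leftsubnet=192.168.1.0/24        # placeholder main-office LAN
    rightsubnet=192.168.2.0/24       # placeholder remote-office LAN
    left=203.0.113.10                # placeholder static public IP
    leftid=@main-office
    leftrsasigkey=0sPLACEHOLDER_MAIN_OFFICE_PUBKEY    # from: ipsec showhostkey --left
    right=%any                       # peer address is dynamic, so accept any source
    rightid=@remote-office           # but insist on this identity, proven by its RSA key
    rightrsasigkey=0sPLACEHOLDER_REMOTE_OFFICE_PUBKEY
    authby=rsasig                    # raw RSA, as Paul suggests for two libreswan ends
    auto=add                         # load only; the dynamic end initiates
    rekey=no                         # never rekey toward an unknown address
    # longer lifetimes here so this end does not expire the SA before the peer rekeys
    ikelifetime=8h
    salifetime=8h
    dpddelay=30
    dpdaction=clear                  # drop a dead peer's state and wait for it to return

# Dynamic (remote office) end: always initiates and always rekeys.
conn site-to-site
    leftsubnet=192.168.2.0/24
    rightsubnet=192.168.1.0/24
    left=%defaultroute               # whatever address the ISP currently assigns
    leftid=@remote-office
    leftrsasigkey=0sPLACEHOLDER_REMOTE_OFFICE_PUBKEY
    right=203.0.113.10
    rightid=@main-office
    rightrsasigkey=0sPLACEHOLDER_MAIN_OFFICE_PUBKEY
    authby=rsasig
    auto=start
    rekey=yes
    ikelifetime=1h                   # shorter than the static end's 8h
    salifetime=1h
    dpddelay=30
    dpdaction=restart                # re-establish after an address change or outage
```

Nick's PSK suggestion works for a first test (authby=secret, with the secret keyed by the two @ids in ipsec.secrets), but since the static end accepts connections from %any, the peer is identified only by what it presents, so switch to RSA or X.509 before relying on the tunnel.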
