[Swan] net-to-net for road warriors

Alex mysqlstudent at gmail.com
Thu Jan 24 14:33:41 UTC 2019


> >> I'm still not fully clear what you are doing. Are the laptops and
> >> desktops and phones on a LAN with NAT and there is a remote VPN gateway
> >> somewhere else on the internet? If you then your right= should for sure
> >> point to that remote VPN server DNS name or IP address on your clients'
> >> config.
> >
> > It looks like this:
> >
> >    [Remote Office]                                              [Main office]
> > ----- dynamicIP libreswan ------ VPN gateway libreswan
> > ---
> >
> > There are laptops and desktops in a building with a dynamic IP from
> > Optonline. In the main office there is a static IP and other desktops
> > and laptops and phones. I'd like to connect the two branch offices
> > together, and figured since one side had a dynamic IP connecting to
> > the Internet, it would be considered a road warrior setup. I now know
> > that's not correct.
> Ohh. yeah that we call site-to-site. Wile it is also technically a
> roadwarrior because you are on a dynamic IP with one end, we tend to
> not call it that.
> The important thing is, for a site-to-site you have a leftsubnet and
> rightsubnet, and never have an addresspool because you already have the
> IP addresses of both ends of the tunnels.
> > Okay. I read that net-to-net connections were using RSA keys:
> > https://libreswan.org/wiki/Subnet_to_subnet_VPN
> > https://libreswan.org/wiki/Host_to_host_VPN
> >
> > That's when I switched.
> >
> > At some point I thought it was working. Is there a known problem with
> > using RSA keys? Any idea why it can't find its own private key?
> >
> > I will try now with certs.
> You can use whatever authentication you like. If these are two libreswan
> endpoints, you can just use raw RSA since it is easier to setup than
> certificates. but if one endpoint is not libreswan, it might be easier
> to setup using certificates.

Both endpoints are libreswan on fedora.

> Regardless the side on dynamic IP should have auto=start and rekey=yes
> and the side on static IP should have auto=add and rekey=no. The
> one wih static IP will have (assuming you used left for local, and right
> for remote) left=staticip and right=%any/ On the end with dynamic IP
> you will have (again assuming you used left for local, and right for
> remote) left=%defaultroute and right=staticp

It still does not like right=%any

# ipsec auto --up host-to-host
029 "host-to-host": cannot initiate connection without knowing peer IP
address (kind=CK_TEMPLATE)
036 failed to initiate host-to-host

I'd really like to figure out why RSA keys doesn't work. Is the left=
and right= parameters relative to which side the configuration file is
on, or do they remain consistent on both sides? In other words, does
the left side always remain the same, regardless of which side it is

You had said left=%defaultroute, but if the right (remote) is the side
with the dynamic IP, it doesn't have a static address to use for

This is my config now:
conn host-to-host

Also, how do I add multiple subnets on both sides? I've seen
references using commas to separate them, braces, and spaces, and none

# ipsec auto --up host-to-host
002 "host-to-host" #1: initiating v2 parent SA
133 "host-to-host" #1: initiate
002 "host-to-host" #1: constructed local IKE proposals for
host-to-host (IKE SA initiator selecting KE):
003 "host-to-host" #1: Failed to find our RSA key

Is there debugging I can add to help determine why this is happening again?

More information about the Swan mailing list