[Swan] net-to-net for road warriors

Paul Wouters paul at nohats.ca
Thu Jan 24 15:24:30 UTC 2019

On Thu, 24 Jan 2019, Alex wrote:

> Both endpoints are libreswan on fedora.
>> Regardless the side on dynamic IP should have auto=start and rekey=yes
>> and the side on static IP should have auto=add and rekey=no. The
>> one wih static IP will have (assuming you used left for local, and right
>> for remote) left=staticip and right=%any/ On the end with dynamic IP
>> you will have (again assuming you used left for local, and right for
>> remote) left=%defaultroute and right=staticp
> It still does not like right=%any
> # ipsec auto --up host-to-host
> 029 "host-to-host": cannot initiate connection without knowing peer IP
> address (kind=CK_TEMPLATE)
> 036 failed to initiate host-to-host

As I said, only the end behind NAT can initiate. So running --up should
only be done on the node behind NAT.

> I'd really like to figure out why RSA keys doesn't work. Is the left=
> and right= parameters relative to which side the configuration file is
> on, or do they remain consistent on both sides? In other words, does
> the left side always remain the same, regardless of which side it is
> on?

left is the leftside of your paper diagram. Right is the rightside of
your paper diagram. If you flip the paper, left becomes right, right
becomes left. So in theory, you can use the identical configuration on
both sides, and pluto will figure out if it is "left" or "right" on
each server with that identical configuration. BUT.... in your case,
remember you cannot re-use the identical configuration because you
cannot use "%any" on both sides. Still, for each server, you can
pick arbitrarilly what is left or what is right, according to your
paper diagram.

> You had said left=%defaultroute, but if the right (remote) is the side
> with the dynamic IP, it doesn't have a static address to use for
> right=

When answering these type of questions, it is hard for us to write for
each option "if left is your local end use left=%defaultroute, and if
right is your local end use right=%defaultroute". So when answering
these questions, we tend to pick "left is local, right is remote".

> This is my config now:
> conn host-to-host
>        left=orion.guardiandigital.com
>        leftid=@orion
>        leftsubnet=
>        leftrsasigkey=0sAwEAAczgDWWfK4A83Q1e/fTYS2C...
>        right=%any
>        rightsubnet=
>        rightrsasigkey=0sAwEAAZRIg5GeGCHBqp561KQrfoiQnwsh...
>        rightid=@wyckoff
>        auto=add
>        rekey=no

I assume that orion is the side on fixed ip/dns name, and that wyckoff
is the end with a dynmic IP and behind NAT. In that case, on orion
you can use this config. On wyckoff you will need to change "right=%any"
to "right=%defaultroute". All other options can be the same, and you do
not need to change left/right or anything.

> Also, how do I add multiple subnets on both sides? I've seen
> references using commas to separate them, braces, and spaces, and none
> work.

You can use spaces or commas. An example from our test cases is:


Some older versions did not like the use of space+comma

> 003 "host-to-host" #1: Failed to find our RSA key
> Is there debugging I can add to help determine why this is happening again?

If you are using rightrsasigkey= and leftrsasigkey= on keys properly
generated inside the current NSS database with "ipsec newhostkey" then
it should just work. I've talked a lot on the list in the past about
failures to generate keys, move NSS files etc, so I won't repeat myself
again. If in doubt what is in nss, use ipsec showhostkey --list and
generate new rsasigkey= statements with ipsec showhostkey --left (or
--right_ --ckaid XXXX (from the --list command)


More information about the Swan mailing list