[Swan] subnet-to-subnet config
Alex
mysqlstudent at gmail.com
Sat Feb 9 19:07:01 UTC 2019
Hi,
> Hi, I'm trying to build a subnet-to-subnet VPN with libreswan-3.27 on
> fedora28 and having some trouble. Should the subnets already exist on
> the remote networks, or does libreswan create them? When I use the
> config below, the networks disappear from the routing table and the
> servers become unreachable.
>
> I've followed the directions on the subnet-to-subnet page:
> https://libreswan.org/wiki/Subnet_to_subnet_VPN
>
> conn orion-wyckoff-subnets
> also=orion-wyckoff
> rightsubnet=192.168.11.0/24
> leftsubnet=192.168.1.0/24
> auto=start
>
> conn orion-wyckoff
> ikev2=insist
> authby=rsasig
> auto=start
> # dead peer detection to detect vanishing clients (?)
> dpddelay=10
> dpdtimeout=90
> dpdaction=clear
> rightid=@wyckoff-orion
> right=wyckoff.crabdance.com
> # rsakey AwEAAd4Ee
> rightrsasigkey=0sAwEAAd4EeKjbFI7m...
> leftid=@orion-wyckoff
> left=orion.example.com
> # rsakey AwEAAeSMF
> leftrsasigkey=0sAwEAAeSMFxvoJaP...
>
> The rightsubnet (192.168.11.0/24) exists on the right network
> (wyckoff.crabdance.com). The leftsubnet (192.168.1.0/24) already
> exists on the left network (orion.example.com).
>
> wyckoff.crabdance.com
> # route
> Kernel IP routing table
> Destination     Gateway          Genmask         Flags Metric Ref Use Iface
> default         ool-44c0f801.dy  0.0.0.0         UG    100    0   0   enp4s0
> 68.192.248.0    0.0.0.0          255.255.252.0   U     100    0   0   enp4s0
> 192.168.10.0    0.0.0.0          255.255.255.0   U     101    0   0   enp2s0
> 192.168.11.0    0.0.0.0          255.255.255.0   U     101    0   0   enp2s0
>
> orion.example.com:
> # route
> Kernel IP routing table
> Destination     Gateway          Genmask          Flags Metric Ref Use Iface
> default         ool-44c3c129.st  0.0.0.0          UG    0      0   0   br0
> 68.195.193.40   0.0.0.0          255.255.255.248  U     0      0   0   br0
> 192.168.1.0     0.0.0.0          255.255.255.0    U     0      0   0   eth1
> 192.168.6.0     0.0.0.0          255.255.255.0    U     0      0   0   eth1
> 192.168.122.0   0.0.0.0          255.255.255.0    U     0      0   0   virbr0
>
> Will this config also make the endpoints accessible to each other?
>
> Add left/rightsourceip. Note you only need it for the local end but there is no harm adding it for both ends. For subnet/subnet connections the routing table is not used (check out "ip xfrm policy" and "ip xfrm state"). You only get the routing entry if you use left/rightsourceip and is only relevant for traffic to or from the endpoint rather than through it.
So if I do add the left/rightsourceip parameters, the routes should
not already exist on the endpoints, correct?
I see that it adds the routes, but it also creates a bunch of martian
source messages because the network already exists on the host. It
also consequently makes the whole system unusable because it screws up
the routes.
One thing I didn't mention previously is that the right side (remote)
is a dynamic IP on a cable modem with a hostname through afraid.org. I
had originally thought this was a type of roadwarrior setup, but
apparently not. I'm now not sure of the role that plays, if any.
I also tried to reach the remote side by specifying the interface when
running ping from the local side:
# ping 192.168.11.1 -I 68.195.193.42
This thread seems to indicate the left/rightsourceip are switched so
it refers to the network on the opposite side? So if 192.168.11.0/24
is on the right (remote) side and 192.168.1.0/24 is on the local
(left) side, rightsourceip should be 192.168.1.0/24 and leftsourceip
should be 192.168.11.0/24?
https://www.centos.org/forums/viewtopic.php?f=16&t=60809&start=20
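As an added example (not part of this thread and not libreswan's own code), the script below merges a conn with its `also=` parent the way the config above is written and checks that each sourceip is an address inside the subnet of its own side, which is the orientation libreswan documents for leftsourceip/rightsourceip (left's address lives in leftsubnet); the conn text and the 192.168.1.1 / 192.168.11.1 addresses are constructed for the example, and only a single `also=` per conn is handled.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment modelled on the thread's two conns, with the
# sourceip lines added as the reply suggests (addresses chosen for the example).
SAMPLE_CONF = """
conn orion-wyckoff-subnets
    also=orion-wyckoff
    rightsubnet=192.168.11.0/24
    leftsubnet=192.168.1.0/24
    leftsourceip=192.168.1.1
    rightsourceip=192.168.11.1
    auto=start

conn orion-wyckoff
    ikev2=insist
    authby=rsasig
    left=orion.example.com
    right=wyckoff.crabdance.com
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section, ignoring comments."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def resolve(conns, name):
    """Merge a conn with its also= parent; the child's own keys win."""
    own = dict(conns[name])
    merged = resolve(conns, own.pop("also")) if "also" in own else {}
    merged.update(own)
    return merged

def check_sourceip(conn):
    """List each side whose sourceip does not fall inside that side's subnet."""
    problems = []
    for side in ("left", "right"):
        subnet, sourceip = conn.get(side + "subnet"), conn.get(side + "sourceip")
        if not (subnet and sourceip):
            continue
        if ipaddress.ip_address(sourceip) not in ipaddress.ip_network(subnet, strict=False):
            problems.append(f"{side}sourceip {sourceip} is not in {side}subnet {subnet}")
    return problems
```

Swapping the two sourceip values in SAMPLE_CONF makes check_sourceip report both sides, which is the misconfiguration the forum thread's "switched" reading would produce.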