[Swan] subnet-to-subnet config

Alex mysqlstudent at gmail.com
Sat Feb 9 19:07:01 UTC 2019


> Hi, I'm trying to build a subnet-to-subnet VPN with libreswan-3.27 on
> fedora28 and having some trouble. Should the subnets already exist on
> the remote networks, or does libreswan create them? When I use the
> config below, the networks disappear from the routing table and the
> servers become unreachable.
> I've followed the directions on the subnet-to-subnet page:
> https://libreswan.org/wiki/Subnet_to_subnet_VPN
> conn orion-wyckoff-subnets
>         also=orion-wyckoff
>         rightsubnet=
>         leftsubnet=
>         auto=start
> conn orion-wyckoff
>         ikev2=insist
>         authby=rsasig
>         auto=start
>         # dead peer detection to detect vanishing clients (?)
>         dpddelay=10
>         dpdtimeout=90
>         dpdaction=clear
>         rightid=@wyckoff-orion
>         right=wyckoff.crabdance.com
>         # rsakey AwEAAd4Ee
>         rightrsasigkey=0sAwEAAd4EeKjbFI7m...
>         leftid=@orion-wyckoff
>         left=orion.example.com
>         # rsakey AwEAAeSMF
>         leftrsasigkey=0sAwEAAeSMFxvoJaP...
> The rightsubnet ( exists on the right network
> (wyckoff.crabdance.com). The leftsubnet ( already
> exists on the left network (orion.example.com).
> wyckoff.crabdance.com
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         ool-44c0f801.dy         UG    100    0        0 enp4s0
>   U     100    0        0 enp4s0
>   U     101    0        0 enp2s0
>   U     101    0        0 enp2s0
> orion.example.com:
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         ool-44c3c129.st         UG    0      0        0 br0
> U     0      0        0 br0
>   U     0      0        0 eth1
>   U     0      0        0 eth1
>   U     0      0        0 virbr0
> Will this config also make the endpoints accessible to each other?
> Add left/rightsourceip. Note that you only need it for the local end, but there is no harm in adding it for both ends. For subnet/subnet connections the routing table is not used (check out "ip xfrm policy" and "ip xfrm state"). You only get the routing entry if you use left/rightsourceip, and it is only relevant for traffic to or from the endpoint rather than through it.

So if I do add the left/rightsourceip parameters, the routes should
not already exist on the endpoints, correct?

I see that it adds the routes, but it also creates a bunch of martian
source messages because the network already exists on the host. It
also consequently makes the whole system unusable because it screws up
the routes.

One thing I didn't mention previously is that the right side (remote)
is a dynamic IP on a cable modem with a hostname through afraid.org. I
had originally thought this was a type of roadwarrior setup, but
apparently not. I'm now not sure of the role that plays, if any.

I also tried to reach the remote side by specifying the interface when
running ping from the local side:
# ping -I

This thread seems to indicate the left/rightsourceip are switched so
it refers to the network on the opposite side? So if
is on the right (remote) side and is on the local
(left) side, rightsourceip should be and leftsourceip
should be
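Since the reply above says subnet-to-subnet traffic is governed by the kernel's xfrm policies rather than the routing table, the following is an added example (not from the thread or from libreswan) of checking `ip xfrm policy` output for the out/in/fwd tunnel policies a subnet pair needs. The subnets and gateway addresses in the sample output are constructed placeholders, not the thread's real ones.

```python
import re

# Constructed sample of `ip xfrm policy` output for one subnet-to-subnet tunnel.
# Subnets and gateway addresses are placeholders, not the thread's real ones.
SAMPLE_XFRM_POLICY = """\
src 10.1.0.0/24 dst 10.2.0.0/24
\tdir out priority 1042407 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
\tdir fwd priority 1042407 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
\tdir in priority 1042407 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 16389 mode tunnel
"""

def parse_xfrm_policies(text):
    """Return one dict per policy entry with its src, dst, dir and mode."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"src (\S+) dst (\S+)", line)   # selector line starts an entry
        if m:
            policies.append({"src": m.group(1), "dst": m.group(2)})
            continue
        m = re.match(r"dir (\S+)", line)              # out / in / fwd
        if m and policies:
            policies[-1]["dir"] = m.group(1)
            continue
        m = re.search(r"proto esp .*mode (\S+)", line)  # tunnel vs transport
        if m and policies:
            policies[-1]["mode"] = m.group(1)
    return policies

def missing_directions(text, leftsubnet, rightsubnet):
    """Directions still missing before leftsubnet<->rightsubnet is protected.
    Local traffic to the peer needs an 'out' policy; traffic from the peer
    needs 'in' (delivered locally) and 'fwd' (forwarded into the subnet)."""
    have = set()
    for p in parse_xfrm_policies(text):
        if p.get("mode") != "tunnel":
            continue
        if (p["src"], p["dst"]) == (leftsubnet, rightsubnet) and p.get("dir") == "out":
            have.add("out")
        if (p["src"], p["dst"]) == (rightsubnet, leftsubnet) and p.get("dir") in ("in", "fwd"):
            have.add(p["dir"])
    return sorted({"out", "in", "fwd"} - have)
```

On a live host, feed the real output of `ip xfrm policy` to `missing_directions` instead of the constructed sample; an empty result means the pair is fully covered regardless of what the routing table shows.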
