[Swan] subnet-to-subnet config

Paul Wouters paul at nohats.ca
Sat Feb 9 19:27:36 UTC 2019

On Sat, 9 Feb 2019, Alex wrote:

>> conn orion-wyckoff-subnets
>>         also=orion-wyckoff
>>         rightsubnet=
>>         leftsubnet=

>> Add left/rightsourceip. Note you only need it for the local end but there is no harm adding it for both ends. For subnet/subnet connections the routing table is not used (check out "ip xfrm policy" and "ip xfrm state"). You only get the routing entry if you use left/rightsourceip and is only relevant for traffic to or from the endpoint rather than through it.
> So if I do add the left/rightsourceip parameters, the routes should
> not already exist on the endpoints, correct?

Correct. the specification of sourceip causes it to add routes.
Basically, your host, say on IP address, needs to connect
to the VPN to reach across the VPN. It will forward
all traffic between its own ( and the remote This is a strict policy. If your gateway receives
a packet from destinated, it will match
and encrypt and forward that traffic.

The tricky issue is when your gateway itself generates a packet for
the remote subnet The linux kernel picks the "nearest"
IP to use as source ip. So it will pick your public ip This
IP is NOT part of the IPsec policy for the tunnel which only covers
traffic from to So the gateway should
be told to use its own IP from the LAN, not its public IP. The
leftsourceip= option does this.

so it basically runs (say is your default gateway on the the
ipsec gateway:

ip route add via src

(also assuming the LAN ip is

This route does not affect the existing forwarding from the LAN over
the IPsec that already happened. But for packets created from the
gateway itself any destination IP with will not pick but

On the other gateway, you have the same issue in mirror form with its
own LAN.

> I see that it adds the routes, but it also creates a bunch of martian
> source messages because the network already exists on the host.

That seems like perhaps you mixed up leftsourceip/rightsourceip on the other end?

martians happen when you see IP with a source address that appears on
the wrong interface. If you have IP on your LAN and you
receive packet with source on your WAN interface, the system
triggers the alarm of martian invasion.

There is one legitimate scenario where this could happen: if your IPsec
gateway has 1 interface or if the "uplink" and the "LAN" reside on the
same interface. This is often the case when the VPN server is behind
NAT, and only really has 1 interface with the LAN packets. Linux
receives an encrypted packet from one interface, decrypts it, and then
gets confused that the packet needs to go out the same interface.

This is why we recommend to disable rp_filter and source route options
via sysctl.conf in those scenarios:

net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
# when using 1 interface for two networks when using NETKEY, the kernel
# kernel thinks it can be clever by sending a redirect (cause it cannot
# tell an encrypted packet came in, but a decrypted packet came out),
# so it sends a bogus ICMP redirect
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.log_martians = 0

> One thing I didn't mention previously is that the right side (remote)
> is a dynamic IP on a cable modem with a hostname through afraid.org. I
> had originally thought this was a type of roadwarrior setup, but
> apparently not. I'm now not sure of the role that plays, if any.

That should not matter.

> I also tried to reach the remote side by specifying the interface when
> running ping from the local side:
> # ping -I
> This thread seems to indicate the left/rightsourceip are switched so
> it refers to the network on the opposite side? So if
> is on the right (remote) side and is on the local
> (left) side, rightsourceip should be and leftsourceip
> should be
> https://www.centos.org/forums/viewtopic.php?f=16&t=60809&start=20

No, you must ensure that the leftsourceip= specified is the gateway's
actual internal IP address, and this ip address must be part of the
leftsubnet= you specify. When using multiple subnetS=, do not use
leftsourceip= (you likely would not have an IP address on the server
in all those local subnets anyway)


More information about the Swan mailing list