[Swan] subnet-to-subnet config

Alex mysqlstudent at gmail.com
Sun Feb 10 00:15:24 UTC 2019


> >> Add left/rightsourceip. Note you only need it for the local end but there is no harm adding it for both ends. For subnet/subnet connections the routing table is not used (check out "ip xfrm policy" and "ip xfrm state"). You only get the routing entry if you use left/rightsourceip and is only relevant for traffic to or from the endpoint rather than through it.
> >
> > So if I do add the left/rightsourceip parameters, the routes should
> > not already exist on the endpoints, correct?
> Correct. the specification of sourceip causes it to add routes.
> Basically, your host, say on IP address, needs to connect
> to the VPN to reach across the VPN. It will forward
> all traffic between its own ( and the remote
> This is a strict policy. If your gateway receives
> a packet from destinated, it will match
> and encrypt and forward that traffic.

I think I understand the basic idea, but the network is
well-established with quite a few systems behind it. The configuration
of the server is done from that LAN. That makes it difficult to
configure a subnet to be dependent upon the VPN always being running.
The server also provides DNS, DHCP, SMB, and other LAN functions to
the local network.

I got it (mostly) working using subnetS now, but it would be good to
understand how it works with just one network. There are multiple
networks on the LAN on both sides, but really only is
necessary. I notice "ipsec trafficstatus" always shows zeros when
using subnetS?

I can ping from, yet the trafficstatus remains zero.

> The tricky issue is when your gateway itself generates a packet for
> the remote subnet The linux kernel picks the "nearest"
> IP to use as source ip. So it will pick your public ip This
> IP is NOT part of the IPsec policy for the tunnel which only covers
> traffic from to So the gateway should
> be told to use its own IP from the LAN, not its public IP. The
> leftsourceip= option does this.

I think I'm somewhat confused without having actual network addresses
being used in your example. Can I ask you to review my config again to
determine why left/rightsubnet= isn't working?

Below is my config for both sides. I've included the routing table for
both servers here, including the routes as they're currently
configured. I'll have to remove them from the fedora config prior to
starting this and letting libreswan configure them.

On wyckoff (, right, remote)
# ip route show table main
default via dev enp4s0 proto dhcp metric 100 dev enp4s0 proto kernel scope link src metric 100 dev enp2s0 proto kernel scope link src metric 101 dev enp2s0 proto kernel scope link src metric 101

conn orion-wyckoff
        # rsakey AwEAAd4Ee
        # rsakey AwEAAeSMF

On orion (, left, local)
# ip route show table main
default via dev br0 dev br0 proto kernel scope link src dev eth1 proto kernel scope link src dev eth1 proto kernel scope link src dev virbr0 proto kernel scope link src linkdown

conn orion-wyckoff
        # dead peer detection to detect vanishing clients
        # rsakey AwEAAd4Ee
        # rsakey AwEAAeSMF

> so it basically runs (say is your default gateway on the the
> ipsec gateway:

This is a little confusing because there is an ipsec gateway at both ends...

> ip route add via src
> (also assuming the LAN ip is

It also assumes there's a route created for on the side, correct?

> This route does not affect the existing forwarding from the LAN over
> the IPsec that already happened. But for packets created from the
> gateway itself any destination IP with will not pick
> but

I believe I have done this. I'm using as the gateway for
that network.

> > I see that it adds the routes, but it also creates a bunch of martian
> > source messages because the network already exists on the host.
> That seems like perhaps you mixed up leftsourceip/rightsourceip on the other end?

I don't think so, but hopefully my config above will help to clarify
that, and you're able to help me make sense of it.

> martians happen when you see IP with a source address that appears on
> the wrong interface. If you have IP on your LAN and you
> receive packet with source on your WAN interface, the system
> triggers the alarm of martian invasion.

Yes, understood.

> There is one legitimate scenario where this could happen: if your IPsec
> gateway has 1 interface or if the "uplink" and the "LAN" reside on the
> same interface. This is often the case when the VPN server is behind
> NAT, and only really has 1 interface with the LAN packets. Linux
> receives an encrypted packet from one interface, decrypts it, and then
> gets confused that the packet needs to go out the same interface.

That's not happening here. There are two physical interfaces on both gateways.

> This is why we recommend to disable rp_filter and source route options
> via sysctl.conf in those scenarios:

Yes, I've done this as well.

> > This thread seems to indicate the left/rightsourceip are switched so
> > it refers to the network on the opposite side? So if
> > is on the right (remote) side and is on the local
> > (left) side, rightsourceip should be and leftsourceip
> > should be
> > https://www.centos.org/forums/viewtopic.php?f=16&t=60809&start=20
> No, you must ensure that the leftsourceip= specified is the gateway's
> actual internal IP address, and this ip address must be part of the
> leftsubnet= you specify. When using multiple subnetS=, do not use
> leftsourceip= (you likely would not have an IP address on the server
> in all those local subnets anyway)

The gateway (192.168.XX.1) for all of those networks are on the
gateways themselves.

I still cannot ping from the local gateway and from the remote gateway using left/rightsubnetS=. However,
I can ping normally one remote network from the other.

More information about the Swan mailing list