[Swan] Bringing up strongSwan+Libreswan transport connection

Pavel Volkov sailor at lists.xtsubasa.org
Mon Sep 30 21:40:13 UTC 2019


On Monday, 30 September 2019 21:59:59 MSK, Paul Wouters wrote:
> Why transport mode? You are behind NAT, so libreswan can only build a
> transport mode tunnel with its pre-NAT IP, which hugely complicates
> things. NAT+IPsec is only deployed with IKEv1 and L2TP and it is a
> terrible solution often not working fully.
>
> You should use tunnel mode.

I can't figure out the basic stuff: configuring Libreswan so that it has a 
public-facing and a private address.
I had to resort to rightsubnet=.
I came up with the following dirty-looking configs which work: secured 
traffic flows through my network, but the SAs on the strongSwan/public host 
still have all public IPs (you mentioned we should see the internal IP 
192.168.1.2 for the remote there).
The way I use rightsubnet here doesn't match its description in the manual.

strongSwan/public:
conn mytunnel
    auto=add
    type=tunnel
    forceencaps=yes
    left=%any
    leftauth=pubkey
    leftid=server.example.com
    leftcert=server.example.com.crt
    leftsendcert=always
    right=xxx.xxx.94.200
    rightauth=pubkey
    rightid="CN=client.example.com"
    # without this strongSwan complains that traffic selectors are unacceptable:
    rightsubnet=192.168.1.2

% sudo ip xfrm state
src xxx.xxx.149.202 dst xxx.xxx.94.200
        proto esp spi 0x9e72552a reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha256) 0x972e60a3b5f34430ac8d79df2badd116dd4709249e9c0df1f185b1013f6b7e8f 128
        enc cbc(aes) 0x9a6b10e8961b0b2b1fa7d6d63517939a191e77649497d433cee8f7b8d4d2482f
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0xa, bitmap 0x00000000
src xxx.xxx.94.200 dst xxx.xxx.149.202
        proto esp spi 0xca4d2c2a reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0xcfca1bc60c21fc672c79d9ed8001fcc28d4565940601e854cdba703d52ca68f5 128
        enc cbc(aes) 0x424c8541e2175f0416a36cf7c1646a8b1d7334ee0f5ed102c404428de8c15493
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0xa, oseq 0x0, bitmap 0x000003ff


Libreswan/NAT:
conn mytunnel
        ike=aes256-sha256
        esp=aes256-sha256
        dpdaction=restart
        dpddelay=35
        dpdtimeout=300
        fragmentation=yes
        rekey=yes
        auto=start
        type=tunnel
        encapsulation=auto
        ikev2=insist
        left=server.example.com
        leftid=@server.example.com
        leftrsasigkey=%cert
        right=%defaultroute
        rightcert=client.example.com
        rightid=%fromcert
        rightrsasigkey=%cert

src xxx.xxx.149.202 dst 192.168.1.2
        proto esp spi 0x9e72552a reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x972e60a3b5f34430ac8d79df2badd116dd4709249e9c0df1f185b1013f6b7e8f 128
        enc cbc(aes) 0x9a6b10e8961b0b2b1fa7d6d63517939a191e77649497d433cee8f7b8d4d2482f
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0xa, oseq 0x0, bitmap 0x000003ff
src 192.168.1.2 dst xxx.xxx.149.202
        proto esp spi 0xca4d2c2a reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0xcfca1bc60c21fc672c79d9ed8001fcc28d4565940601e854cdba703d52ca68f5 128
        enc cbc(aes) 0x424c8541e2175f0416a36cf7c1646a8b1d7334ee0f5ed102c404428de8c15493
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0xa, bitmap 0x00000000
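As an added diagnostic (editor's example, not code from the thread or either project), the following Python script parses the two `ip xfrm state` listings, pairs the SAs by SPI and reports which single endpoint differs between the two views (the NATed peer's post-NAT address on the public host versus its pre-NAT address behind the NAT), and whether both sides agree on tunnel mode and NAT-T UDP encapsulation. The sample listings are constructed: RFC 5737 documentation addresses stand in for the masked public IPs and the key lines are omitted.

```python
import re
# Constructed samples in the shape of `ip xfrm state` (RFC 5737 addresses stand in
# for the masked public IPs; the key lines are omitted).
PUBLIC_VIEW = """\
src 203.0.113.202 dst 203.0.113.200
        proto esp spi 0x9e72552a reqid 1 mode tunnel
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 203.0.113.200 dst 203.0.113.202
        proto esp spi 0xca4d2c2a reqid 1 mode tunnel
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""
NAT_VIEW = """\
src 203.0.113.202 dst 192.168.1.2
        proto esp spi 0x9e72552a reqid 16389 mode tunnel
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.1.2 dst 203.0.113.202
        proto esp spi 0xca4d2c2a reqid 16389 mode tunnel
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""
def parse_xfrm_state(text):
    # One dict per SA: headers start in column 0, attribute lines are indented.
    sas = []
    for raw in text.splitlines():
        head = re.match(r"^src (\S+) dst (\S+)", raw)
        if head:
            sas.append({"src": head.group(1), "dst": head.group(2), "encap": False})
        elif sas:
            spi = re.match(r"proto \w+ spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)", raw.strip())
            if spi:
                sas[-1].update(spi=spi.group(1), reqid=spi.group(2), mode=spi.group(3))
            elif "encap type espinudp" in raw:
                sas[-1]["encap"] = True  # NAT-T UDP encapsulation is in use
    return sas

def correlate(public_view, nat_view):
    # Pair SAs by SPI; the single endpoint that differs between views is the NATed peer.
    by_spi = {sa["spi"]: sa for sa in nat_view}
    result = {}
    for pub in public_view:
        nat = by_spi.get(pub["spi"])
        if nat is None:  # installed on the public host but never behind the NAT
            result[pub["spi"]] = None
            continue
        pub_ends, nat_ends = {pub["src"], pub["dst"]}, {nat["src"], nat["dst"]}
        only_pub, only_nat = pub_ends - nat_ends, nat_ends - pub_ends
        result[pub["spi"]] = {
            "post_nat_peer": only_pub.pop() if len(only_pub) == 1 else None,
            "pre_nat_peer": only_nat.pop() if len(only_nat) == 1 else None,
            "tunnel_mode": pub.get("mode") == nat.get("mode") == "tunnel",
            "udp_encap": pub["encap"] and nat["encap"]}
    return result
```

On a live pair of hosts, feed `correlate` the real `ip xfrm state` output from each side; a `None` entry or a `pre_nat_peer` that is not the expected internal address points at the mismatch the thread is about.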