[Swan] Bringing up strongSwan+Libreswan transport connection
Pavel Volkov
sailor at lists.xtsubasa.org
Mon Sep 30 21:40:13 UTC 2019
On Monday, 30 September 2019 21:59:59 MSK, Paul Wouters wrote:
> Why transport mode? You are behind NAT, so libreswan can only build a
> transport mode tunnel with its pre-NAT IP, which hugely complicates
> things. NAT+IPsec is only deployed with IKEv1 and L2TP and it is a
> terrible solution often not working fully.
>
> You should use tunnel mode.
I can't figure out the basic stuff: configuring Libreswan so that it has
both a public-facing and a private address.
I had to resort to rightsubnet=.
I came up with the following dirty-looking configs, which work: secured
traffic flows through my network, but the SAs on the strongSwan/public host
still have all public IPs (you mentioned we should see the internal IP
192.168.1.2 for the remote there).
The way I use rightsubnet here doesn't match its description in the manual.
strongSwan/public:

conn mytunnel
    auto=add
    type=tunnel
    forceencaps=yes
    left=%any
    leftauth=pubkey
    leftid=server.example.com
    leftcert=server.example.com.crt
    leftsendcert=always
    right=xxx.xxx.94.200
    rightauth=pubkey
    rightid="CN=client.example.com"
    # without this strongSwan complains that traffic selectors are unacceptable:
    rightsubnet=192.168.1.2
% sudo ip xfrm state
src xxx.xxx.149.202 dst xxx.xxx.94.200
    proto esp spi 0x9e72552a reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha256) 0x972e60a3b5f34430ac8d79df2badd116dd4709249e9c0df1f185b1013f6b7e8f 128
    enc cbc(aes) 0x9a6b10e8961b0b2b1fa7d6d63517939a191e77649497d433cee8f7b8d4d2482f
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0xa, bitmap 0x00000000
src xxx.xxx.94.200 dst xxx.xxx.149.202
    proto esp spi 0xca4d2c2a reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0xcfca1bc60c21fc672c79d9ed8001fcc28d4565940601e854cdba703d52ca68f5 128
    enc cbc(aes) 0x424c8541e2175f0416a36cf7c1646a8b1d7334ee0f5ed102c404428de8c15493
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0xa, oseq 0x0, bitmap 0x000003ff
Libreswan/NAT:

conn mytunnel
    ike=aes256-sha256
    esp=aes256-sha256
    dpdaction=restart
    dpddelay=35
    dpdtimeout=300
    fragmentation=yes
    rekey=yes
    auto=start
    type=tunnel
    encapsulation=auto
    ikev2=insist
    left=server.example.com
    leftid=@server.example.com
    leftrsasigkey=%cert
    right=%defaultroute
    rightcert=client.example.com
    rightid=%fromcert
    rightrsasigkey=%cert
src xxx.xxx.149.202 dst 192.168.1.2
    proto esp spi 0x9e72552a reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x972e60a3b5f34430ac8d79df2badd116dd4709249e9c0df1f185b1013f6b7e8f 128
    enc cbc(aes) 0x9a6b10e8961b0b2b1fa7d6d63517939a191e77649497d433cee8f7b8d4d2482f
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0xa, oseq 0x0, bitmap 0x000003ff
src 192.168.1.2 dst xxx.xxx.149.202
    proto esp spi 0xca4d2c2a reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0xcfca1bc60c21fc672c79d9ed8001fcc28d4565940601e854cdba703d52ca68f5 128
    enc cbc(aes) 0x424c8541e2175f0416a36cf7c1646a8b1d7334ee0f5ed102c404428de8c15493
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0xa, bitmap 0x00000000
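A check worth running after bringing up a tunnel like the one above, as an added example that is not part of the original message or of strongSwan/Libreswan: parse the `ip xfrm state` dump from each end, pair the SAs by SPI, and verify that both ends see ESP in tunnel mode with espinudp encapsulation, that the direction of each SA agrees, and that the NAT'd end binds the SAs to its private address while the public end sees the post-NAT address. The two dumps embedded here are constructed from the shape of the output posted above (key material replaced by placeholders); the function names and the `xxx.xxx.*` addresses are assumptions of this example.

```python
"""Pair up the SAs from `ip xfrm state` on both ends of a NAT-traversed
IPsec tunnel and check that they agree.  Added example, not code from the
thread or from strongSwan/Libreswan; the dumps below are constructed and
the key material is a placeholder."""

import re

HEADER_RE = re.compile(r"^src (\S+) dst (\S+)$")
PROTO_RE = re.compile(r"^proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)")
ENCAP_RE = re.compile(r"^encap type (\w+) sport (\d+) dport (\d+)")

# Public (strongSwan) end: the NAT'd peer shows up under its post-NAT address.
PUBLIC_XFRM = """\
src xxx.xxx.149.202 dst xxx.xxx.94.200
    proto esp spi 0x9e72552a reqid 1 mode tunnel
    auth-trunc hmac(sha256) 0x00 128
    enc cbc(aes) 0x00
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src xxx.xxx.94.200 dst xxx.xxx.149.202
    proto esp spi 0xca4d2c2a reqid 1 mode tunnel
    auth-trunc hmac(sha256) 0x00 128
    enc cbc(aes) 0x00
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""

# NAT'd (Libreswan) end: it only knows its pre-NAT address 192.168.1.2, so
# the same SPIs are bound to that address here.  reqid is local to each kernel.
NATTED_XFRM = """\
src xxx.xxx.149.202 dst 192.168.1.2
    proto esp spi 0x9e72552a reqid 16389 mode tunnel
    auth-trunc hmac(sha256) 0x00 128
    enc cbc(aes) 0x00
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.1.2 dst xxx.xxx.149.202
    proto esp spi 0xca4d2c2a reqid 16389 mode tunnel
    auth-trunc hmac(sha256) 0x00 128
    enc cbc(aes) 0x00
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""


def parse_xfrm_state(text):
    """Parse `ip xfrm state` output into one dict per SA.

    Keeps src, dst, proto, spi (int), reqid (int), mode and encap as
    (type, sport, dport) or None.  Key lines and counters are ignored."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            sas.append({"src": m.group(1), "dst": m.group(2), "proto": None,
                        "spi": None, "reqid": None, "mode": None, "encap": None})
            continue
        if not sas:
            raise ValueError("attribute line before any 'src ... dst ...' line: %r" % line)
        sa = sas[-1]
        m = PROTO_RE.match(line)
        if m:
            sa["proto"], sa["spi"] = m.group(1), int(m.group(2), 16)
            sa["reqid"], sa["mode"] = int(m.group(3)), m.group(4)
            continue
        m = ENCAP_RE.match(line)
        if m:
            sa["encap"] = (m.group(1), int(m.group(2)), int(m.group(3)))
    return sas


def compare_ends(public_text, natted_text, public_ip, natted_private_ip):
    """Return a list of problems; an empty list means both ends agree.

    SAs are paired by SPI (reqid is expected to differ between kernels).
    Each SA must be ESP/tunnel with espinudp encapsulation on both ends,
    point the same way relative to the public host, and be bound to the
    NAT'd host's private address on the NAT'd end."""
    problems = []
    pub = {sa["spi"]: sa for sa in parse_xfrm_state(public_text) if sa["spi"] is not None}
    nat = {sa["spi"]: sa for sa in parse_xfrm_state(natted_text) if sa["spi"] is not None}
    if set(pub) != set(nat):
        problems.append("SPI sets differ: public=%s natted=%s"
                        % ([hex(s) for s in sorted(pub)], [hex(s) for s in sorted(nat)]))
    for spi in sorted(set(pub) & set(nat)):
        p, n = pub[spi], nat[spi]
        for end, sa in (("public", p), ("natted", n)):
            if sa["proto"] != "esp" or sa["mode"] != "tunnel":
                problems.append("spi %#x on %s end: proto=%s mode=%s, expected esp/tunnel"
                                % (spi, end, sa["proto"], sa["mode"]))
            if sa["encap"] is None or sa["encap"][0] != "espinudp":
                problems.append("spi %#x on %s end: no espinudp encapsulation" % (spi, end))
        outbound = p["src"] == public_ip  # public host -> NAT'd host
        if (n["src"] == public_ip) != outbound:
            problems.append("spi %#x: direction disagrees between ends" % spi)
            continue
        natted_self = n["dst"] if outbound else n["src"]
        if natted_self != natted_private_ip:
            problems.append("spi %#x: NAT'd end uses %s for itself, expected %s"
                            % (spi, natted_self, natted_private_ip))
    return problems


if __name__ == "__main__":
    # On real hosts, feed the output of `ip xfrm state` from each end instead.
    for problem in compare_ends(PUBLIC_XFRM, NATTED_XFRM, "xxx.xxx.149.202", "192.168.1.2"):
        print(problem)
```

The pairing is done on SPI rather than reqid because the SPI is negotiated between the peers and is the same in both kernels, whereas reqid is an index chosen locally by each IKE daemon (1 on the strongSwan side, 16389 on the Libreswan side above). A missing `encap type espinudp` line on either end is the first thing to look for when a NAT-traversed tunnel negotiates but passes no traffic.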