[Swan] Bringing up strongSwan+Libreswan transport connection

Paul Wouters paul at nohats.ca
Tue Oct 1 02:28:32 UTC 2019

On Tue, 1 Oct 2019, Pavel Volkov wrote:

> On понедельник, 30 сентября 2019 г. 21:59:59 MSK, Paul Wouters wrote:
>>  Why transport mode? You are behind NAT, so libreswan can only build a
>>  transport mode tunnel with its pre-NAT IP, which hugely complicates
>>  things. NAT+IPsec is only deployed with IKEv1 and L2TP and it is a
>>  terrible solution often not working fully.
>>  You should use tunnel mode.
> I can't figure out the basic stuff: configuring Libreswan so that it has 
> public-facing & private addresses.
> I had to resort to rightsubnet=.
> I came up with the following dirty-looking configs which work, secured 
> traffic flows through my network but SAs on strongSwan/public host still have 
> all public IPs (you mentioned we should see the internal IP for 
> remote there).
> The way I use rightsubnet here doesn't match its description in the manual.

I'm not sure what you are trying to connect with IPsec. A connection
between the libreswan and strongswan server, but what source/dest IPs
should be able to see each other?

> strongSwan/public:
> conn mytunnel
>    auto=add
>    type=tunnel
>    forceencaps=yes
>    left=%any
>    leftauth=pubkey
>    leftid=server.example.com
>    leftcert=server.example.com.crt
>    leftsendcert=always
>    right=xxx.xxx.94.200
>    rightauth=pubkey
>    rightid="CN=client.example.com"
>    # without this strongSwan complains that traffic selectors are unacceptable:
>    rightsubnet=

Yes, if the libreswan server only has that IP because it is behind NAT,
then you can only use that IP as an IP range. If you want the "public
IP" of the NAT machine to be the IP that the strongswan machine talks
to, then you have to add that IP as alias on the libreswan machine and
use rightsubnet=xxx.xxx.94.200/32

So if your current solution does not do what you want, then perhaps try
to explain what IP ranges you want to connect with IPsec.
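For reference, here is what the advice above (alias the NAT's public IP on the libreswan host and use it as a /32 selector) looks like written out as a pair of ipsec.conf fragments. This is an added example, not configuration from Paul's or Pavel's messages or from either project; the address xxx.xxx.94.200 is the placeholder already used in the thread, the certificate and host names are assumptions, and the libreswan-side keywords were chosen to mirror the strongSwan settings shown above.

```ini
# --- strongSwan / public host (ipsec.conf), added example ---
# Identical to the posted conn except that rightsubnet= now names the
# NAT public IP as a single-host selector instead of being left empty.
conn mytunnel
    auto=add
    type=tunnel
    forceencaps=yes
    left=%any
    leftauth=pubkey
    leftid=server.example.com
    leftcert=server.example.com.crt
    leftsendcert=always
    right=xxx.xxx.94.200
    rightauth=pubkey
    rightid="CN=client.example.com"
    # /32 selector for the NAT public IP (placeholder from the thread)
    rightsubnet=xxx.xxx.94.200/32

# --- libreswan / NATed host (ipsec.conf), added example ---
# Assumption: before loading this conn, the NAT public IP has been added
# to the host as an alias, e.g.   ip addr add xxx.xxx.94.200/32 dev lo
# so that it is a local address and can appear as the local selector.
conn mytunnel
    auto=add
    ikev2=insist
    type=tunnel
    encapsulation=yes
    left=%defaultroute
    leftid="CN=client.example.com"
    leftcert=client.example.com.crt
    leftrsasigkey=%cert
    # the aliased NAT public IP is now local, so it is the local selector
    leftsubnet=xxx.xxx.94.200/32
    right=server.example.com
    # '@' marks a literal FQDN ID in libreswan, matching strongSwan's leftid
    rightid=@server.example.com
    rightrsasigkey=%cert
    authby=rsasig
```

With both sides agreeing on xxx.xxx.94.200/32 as the selector for the NATed host, the child SA on the strongSwan side shows that public IP as the remote selector rather than the NATed machine's private address, which is the behaviour the empty rightsubnet= was papering over.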
