[Swan] routing across two tunnels
bob at computerisms.ca
Thu Jan 30 21:00:29 UTC 2020
Took another stab at this last night and found the solution was actually
quite simple, almost embarrassingly so. Posting here in case other
people have a hard time seeing the obvious like I did...
First, firewall needs to be able to talk directly to a host on the
remote LAN. Accomplished with leftsourceip=firewall.lan.ip and OUTPUT
rule in filter table of iptables.
Next, route traffic from Roadwarrior subnet to Remote Subnet in nat
table of iptables;
-A POSTROUTING -s 10.25.0.0/24 -d 192.168.0.0/24 -j SNAT --to-source
After that, pound on the keyboard furiously for a while so everybody
thinks it was so much harder than it actually was...
On 2015-06-11 1:04 p.m., Nick Howitt wrote:
> Hi Bob,
> As soon as you mention transport mode I am lost as I've never used it or
> got my mind round it so I don't understand it. Ditto passthrough conns,
> so you could be way ahead of me. If I were doing it, I'd use tunnel mode.
> I've done something slightly similar from an OpenVPN roadwarrior
> connecting to my server then onto a remote IPsec LAN on a Draytek
> router. The Draytek additional LAN solution I think, is proprietary and
> I could not get it to interoperate with Libreswan. I got round the issue
> by configuring OpenVPN to use the 220.127.116.11/24 subnet on the server
> with a server LAN subnet of 172.17.2.0/24. I then set up a tunnel in
> Libreswan to the Draytek for the 172.17.2.0/23 subnet (which, to save
> you doing the subnet calculation, encompasses the 172.17.2.0/14 and
> 172.17.3.0/24 subnets). This got round the need to set up two tunnels
> but it should also work with two tunnels (or two subnets tunnelled) if
> you can get them to work between the Sonicwall and Libreswan. OpenVPN
> was configured to push routes for both the server LAN subnet and remote
> LAN subnet.
> On 11/06/2015 04:18, Bob Miller wrote:
>> Hi Nick,
>> thanks for your reply, and I apologize for my tardy response.
>>> Do you have a tunnel from your roadwarrior to Libreswan for the subnet
>>> 192.168.0.0/24? I don't know the Windows client (or any ikev2 details
>>> therefore my knowledge is entirely theoretical)so I don't know if you
>>> can use left/rightsubnets in Libreswan or if you have to define two
>>> different tunnels.
>>> Similarly you will need a tunnel with subnets from 10.25.0.0/24 and
>>> 192.168.25.0/24. When negotiating these tunnels with the Sonicwall, do
>>> you see both coming up? Again, if the Sonicwall can't cope you may also
>>> need to define two separate tunnels from Libreswan.
>> hm. I think I see where you are going with this... the answer is that
>> I have attempted to make such a tunnel with a passthrough conn, but I
>> do not have a 3rd dedicated tunnel from roadwarrior to sonicwall. If
>> I did have a dedicated tunnel like that, would libreswan not then
>> connect to that tunnel and make the LAN and internet inaccessible?
>> What I have (non-network details trimmed):
>> conn lan2sonic
>> conn rw-ikev2
>> A note regarding leftsubnet=0.0.0.0/0: this being my first attempt at
>> ikev2, I found that the way I did it with l2tp (setting left subnet to
>> be that of LAN and setting up iptables for forwarding) was
>> insufficient. I forget what details I tripped on that clued me into
>> trying 0.0.0.0/0, but when I did, internet works for roadwarriors
>> without split tunnelling. If I just set leftsubnet=192.168.25.0/24, I
>> get connection to the LAN, but no internet.
>> That said, I had no better success on a l2tp setup, but I was
>> admittedly less aggressive in my attempts to get that one working.
>> I tried a lot of variations, but one example of my attempt with a
>> passthrough conn:
>> conn rw-pass-vic
>> I tried in conn lan2sonic using
>> leftsubnets=192.168.25.0/24, 10.25.0.0/24
>> I also tried in conn rw-ikev2 using
>> leftsubnets=0.0.0.0/0, 192.168.0.0/24
>> Given that the leftsubnet on the ikev2 connection is 0.0.0.0/0, and
>> the packets find their way to the 192.168.25.0/24 network, I kind of
>> think that packets for 192.168.0.0/24 should similarly find their way
>> on to the tunnel destined for the sonicwall, but tcpdump shows they
>> head out to the internet. Since my expectations were not met, I have
>> just been trying stuff, hoping to make the light bulb go on. maybe I
>> have had my conns right, but some other variable wrong. This is why I
>> am hoping to gain a better understanding of what is supposed to
>> happen, maybe then I can figure out how to get there...
>>> From a different angle, what is your roadwarrior's local LAN subnet
>>> when performing these tests? If is 192.168.0.0/24 then you have a big
>>> issue as both the local and (very) remote subnets are the same.
>> My roadwarrior is across the internet in a subnet 192.168.26.0/24, so
>> should be no conflict there...
>> Thanks again for your response, Nick, really appreciate it...
>>> On 2015-06-07 01:23, Bob Miller wrote:
>>>> I am not sure if I am being dense and not seeing what is there, or if
>>>> what I am looking for really isn't there.
>>>> I have a firewall running libreswan that has an ipsec/psk net2net
>>>> tunnel configured between it and a sonicwall device. This firewall
>>>> also has multiple road warriors connecting to the local network behind
>>>> it. Remote windows machines are configured with ikev2.
>>>> the gist:
>>>> 10.25.0.0/24(roadwarriors)<=^ ^=>Internet
>>>> each segment works fine;
>>>> remotelan<=>LAN, RW<=>LAN, Internet<=>LAN works great
>>>> RW<=>LAN, RW<=>Internet works great.
>>>> remotelan<=>internet doesn't work, which is great.
>>>> Now I want the roadwarriors to access the remote lan, but I can't seem
>>>> to figure it out.
>>>> It happens I have another identical situation, with the singular
>>>> difference that the road warriors are connecting via l2tp. I have
>>>> tried to get the same thing working on that one in the hopes that
>>>> something about l2tp would magically work and grant me understanding.
>>>> I have been at it for a while now, it would be tough to list all I
>>>> have done, but generally I started at iptables, thinking it would be a
>>>> simple forwarding thing. I made sure I wasn't nat'ing my traffic,
>>>> forward rules are in place, etc. maybe there is a problem there, but
>>>> I don't see it if there is.
>>>> Next I played with left/rightsubnets (as opposed to singular subnet)
>>>> as per what I found in the ipsec.conf man page. I think I tried every
>>>> combination at least twice, but nothing changed there.
>>>> I looked through more of the docs. I found passthrough conns, which
>>>> seem like what I might want, but the only examples I can find are for
>>>> extruded subnets, where one side is a smaller subset of a larger
>>>> subnet on the other side. regardless, tried a bunch of ways to make
>>>> that work but no success. I also looked through the multi-net
>>>> examples, but those seem related to klips, and I think I need to find
>>>> and study the context of those examples to get value from them...
>>>> On google, I found a limited number of posts that discuss the topic.
>>>> In the posts that seemed relevant, I could follow the discussion, but
>>>> in no cases could I translate the examples to a working config on this
>>>> I am not afraid to read and try and figure it out on my own, but I
>>>> don't think I am reading the right stuff. or if I am I haven't
>>>> recognized it yet. could someone kindly point me at the definitive
>>>> thing I need to read and understand to achieve my goal?
>> Swan mailing list
>> Swan at lists.libreswan.org
More information about the Swan